Opening hook
Vendor pitches in cybersecurity in 2026 sound as if every alert is summarized, every investigation is accelerated, every analyst is augmented, and the SOC is transformed. The reality in actual SOCs is more textured. AI has produced real productivity gains in specific workflow steps. AI has not, in production, replaced senior analyst judgment, eliminated alert volume, or solved the hardest detection problems. This lesson separates the real wins from the hype so the rest of the course is grounded.
Core teaching
The first principle: AI is a force multiplier for analyst time, not a replacement for analyst judgment. The honest framing of AI in cybersecurity operations in 2026 is that large language models meaningfully accelerate parts of the analyst workflow that involve reading, summarizing, and writing: reading log lines and producing investigation summaries, drafting customer-facing reports, generating SIEM queries from natural language, summarizing threat intelligence reports, classifying alerts by likely category. Each of these saves analyst time. None of them replaces the analyst's pattern recognition, contextual judgment, or accountability for the call. SANS course material on security operations has consistently emphasized that judgment is the analyst's core deliverable; AI augments the inputs to judgment but does not produce judgment itself (SANS SEC511, ongoing).
The second principle: AI is good at language tasks and weak at numerical reasoning. SOC analysts work with both. The language tasks (reading alerts, summarizing logs, drafting reports, querying indices in natural language) are where AI helps. The numerical tasks (calculating accurate statistical baselines, detecting subtle frequency anomalies, computing precise thresholds) are where traditional detection logic and statistical methods still outperform language models. A SOC that routes every problem to a language model gets weak results on the numerical work. A SOC that uses AI for language and dedicated detection engineering for numerical work gets the best of both.
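As an added example (not from the course), here is the kind of numerical work the second principle assigns to deterministic detection logic rather than a language model: a robust failed-logon baseline for one account using median and MAD, with an explainable score and an absolute floor to suppress quiet-account false positives. The per-hour counts are constructed.

```python
"""Frequency-baseline detection kept in deterministic code, as the lesson
recommends for numerical work. Added example; the counts are constructed."""
from statistics import median

# Constructed: failed logons per hour for one account over 14 hours.
# Hours 0-12 are normal noise; hour 13 is a spike the detector should flag.
FAILED_LOGONS_PER_HOUR = [3, 4, 2, 5, 3, 4, 3, 6, 2, 4, 3, 5, 4, 41]

def robust_baseline(history):
    """Median and median absolute deviation (MAD) of the history window.
    MAD is used instead of standard deviation so that one earlier spike
    does not inflate the threshold and mask the next one."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad

def modified_z_score(value, history):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    Returns None on a flat history (MAD == 0) so callers never divide by zero."""
    med, mad = robust_baseline(history)
    if mad == 0:
        return None
    return 0.6745 * (value - med) / mad

def is_anomalous(value, history, z_threshold=3.5, min_absolute=20):
    """True when the count is both above an absolute floor and far outside
    the robust baseline. The floor stops a quiet account going from 0 to 2
    failures from paging an analyst, a classic false-positive source."""
    if value < min_absolute:
        return False
    z = modified_z_score(value, history)
    if z is None:
        return True  # flat history, and already above the absolute floor
    return z > z_threshold

def detect(series, window=12):
    """Slide a window over the series and return (index, value, z) for every
    anomalous point; the score makes each alert explainable to the analyst."""
    hits = []
    for i in range(window, len(series)):
        history = series[i - window:i]
        if is_anomalous(series[i], history):
            hits.append((i, series[i], modified_z_score(series[i], history)))
    return hits
```

Running `detect(FAILED_LOGONS_PER_HOUR)` flags only hour 13, and the returned score is what the alert should carry so the analyst can see why it fired.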
The third principle: detection logic still matters. Despite years of "AI will replace detection rules" claims, the field has not delivered a language-model-driven detection engine that beats well-tuned SIEM and EDR rules grounded in MITRE ATT&CK technique coverage (MITRE ATT&CK, ongoing). The reason is that detection requires precision, low false-positive rates, and explainability that language models do not yet deliver consistently at production scale. AI in the SOC works best as a layer on top of solid detection engineering, not as a replacement for it.
The fourth principle: alert triage is where the productivity wins are real. The single highest-value AI use case in 2026 SOCs is alert triage acceleration. An analyst presented with an alert plus a model-generated summary of the alert, related entities, recent activity for those entities, and matching MITRE ATT&CK techniques can reach a triage decision dramatically faster than an analyst working from raw logs. This is the workflow Microsoft Copilot for Security, Google Sec-PaLM, Splunk AI, and most major vendors target. The wins are well-documented in customer reports. The wins are real. The wins also do not eliminate the analyst from the loop; they shorten the time to a confident decision.
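An added example (not any vendor's code) of the deterministic enrichment that sits underneath the model-generated triage summary the fourth principle describes: related entities, recent activity for those entities, and ATT&CK technique mapping are computed from the logs, so the model summarizes ground truth rather than guessing technique IDs. The alert, log records and event-to-technique table are constructed; the technique IDs themselves are real ATT&CK identifiers.

```python
"""Deterministic enrichment under an AI triage summary: related entities,
recent activity and ATT&CK technique mapping are computed from the logs, so
the model summarizes ground truth instead of inventing technique IDs.
Added example; alert, logs and the technique table are constructed."""
from collections import Counter

# Constructed alert as a SIEM rule might emit it.
ALERT = {"id": "A-1001", "rule": "Failed logons followed by success",
         "user": "jsmith", "src_ip": "10.0.5.23", "host": "WS-042"}

# Constructed recent records; the "bob" line is unrelated noise to exclude.
LOG_FIELDS = ("ts", "event", "user", "src_ip", "host")
LOGS = [dict(zip(LOG_FIELDS, r)) for r in [
    ("09:01", "logon_failed", "jsmith", "10.0.5.23", "WS-042"),
    ("09:01", "logon_failed", "jsmith", "10.0.5.23", "WS-042"),
    ("09:02", "logon_failed", "jsmith", "10.0.5.23", "WS-042"),
    ("09:02", "logon_success", "jsmith", "10.0.5.23", "WS-042"),
    ("09:03", "print_job", "bob", "10.0.9.1", "WS-099"),
    ("09:05", "rdp_session", "jsmith", "10.0.5.23", "SRV-07"),
    ("09:06", "powershell_exec", "jsmith", "10.0.5.23", "SRV-07"),
]]

# Small constructed subset of real ATT&CK technique IDs, keyed by event type.
EVENT_TO_TECHNIQUE = {
    "logon_failed": ("T1110", "Brute Force"),
    "logon_success": ("T1078", "Valid Accounts"),
    "rdp_session": ("T1021.001", "Remote Services: Remote Desktop Protocol"),
    "powershell_exec": ("T1059.001", "Command and Scripting Interpreter: PowerShell"),
}

def related_events(alert, logs):
    """Records sharing any pivot entity (user, source IP, host) with the alert."""
    keys = ("user", "src_ip", "host")
    return [r for r in logs if any(r[k] == alert[k] for k in keys)]

def build_triage_context(alert, logs):
    """Structured context package that a summarizing model would receive."""
    events = related_events(alert, logs)
    return {
        "alert": alert,
        "entities": {k: sorted({e[k] for e in events}) for k in ("user", "src_ip", "host")},
        "activity": dict(Counter(e["event"] for e in events)),
        "techniques": sorted({EVENT_TO_TECHNIQUE[e["event"]] for e in events
                              if e["event"] in EVENT_TO_TECHNIQUE}),
        "timeline": [(e["ts"], e["event"], e["host"]) for e in events],
    }

def render_for_summary(ctx):
    """Plain-text prompt body; technique IDs are fixed here, not left to the model."""
    lines = [f"Alert {ctx['alert']['id']}: {ctx['alert']['rule']}"]
    lines += [f"{k}: {', '.join(v)}" for k, v in ctx["entities"].items()]
    lines += [f"{ts} {ev} on {host}" for ts, ev, host in ctx["timeline"]]
    lines += [f"{tid} {name}" for tid, name in ctx["techniques"]]
    return "\n".join(lines)
```

The analyst still makes the call; what the model receives from `render_for_summary` is a package whose entities and technique IDs were derived by code, which is what keeps hallucinated ATT&CK references out of the summary.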
The fifth principle: investigation acceleration is the next-most valuable application. After an alert is triaged as worth investigating, the analyst has to pull together logs, correlate across systems, build a timeline, and write up findings. AI accelerates each step: log analysis at scale, IOC pivoting suggestions, timeline reconstruction drafts, report writing. The pattern that works is not "AI conducts the investigation" but "AI prepares the investigation materials so the analyst's time is spent on judgment." Module 5 covers this in depth.
The sixth principle: hunting benefits from AI in specific ways. Threat hunting is hypothesis-driven. AI helps with hypothesis generation (what if attackers were doing X, what query would surface that), query writing in SIEM-specific languages, and result interpretation. AI does not generate the underlying hypothesis quality that comes from understanding the adversary, the environment, and the threat intelligence landscape. Hunters who delegate hypothesis generation to AI produce weak hunts. Hunters who delegate query syntax and result summarization to AI produce more hunts of the same quality.
The seventh principle: AI-specific detection is a new SOC responsibility. The SOC is not just adopting AI; the SOC is now also defending against AI-enabled attacks and AI system misuse. AI-generated phishing, deepfake-based fraud, prompt injection against the company's AI applications, model exfiltration, training data poisoning attempts, AI agent misuse: these are SOC concerns now. MITRE ATLAS provides a framework for the adversarial threat landscape against AI systems (MITRE ATLAS, ongoing). Module 7 covers AI-specific threat detection in depth.
The eighth principle: AI products vary widely in quality. The major SOC AI products (Microsoft Copilot for Security, Google Sec-PaLM and Chronicle integrations, Splunk AI assistant, Sentinel AI features, EDR vendor AI assistants) all do similar things in their marketing. They differ substantially in what they actually deliver: data integration depth, query quality, response accuracy, hallucination rate on security content, cost at scale. Lesson 1.3 covers the current landscape with verifiable specifics. The fast-moving market means specifics need to be re-verified before purchase decisions.
The ninth principle: the SOC analyst's skill mix is shifting. The skills that become more valuable: judgment, context, decision quality, threat intelligence depth, business risk literacy. The skills that become less differentiating: speed at writing SIEM queries, manual log analysis throughput, rote alert handling. SOCs that do not invest in skill development for the new mix end up with analysts who use AI as a shortcut for things they should still understand. Lesson 1.4 covers the skill shift in detail.
The tenth principle: the maturity model is the way to think about progression. SOCs are not "using AI" or "not using AI." They are at different points on a maturity continuum from no AI use, through tool-assisted triage, through workflow-integrated AI, through AI-augmented hunt, through SOC-wide AI orchestration with governance. The maturity model in Lesson 1.5 lets a SOC leader assess current state and plan progression.
AI-specific application
For the SOC analyst or security operations leader in 2026, the operational rules drawn from this lesson are concrete.
Rule one: do not believe the all-or-nothing pitch. Vendors who claim AI will solve detection are overselling. Vendors who claim AI is only for marketing are underselling. The truth is in specific workflow steps. Evaluate vendors on their performance against specific steps that matter in your environment.
Rule two: keep MITRE ATT&CK as the reference for detection coverage. Adding AI does not remove the need for technique coverage. AI augments your coverage of techniques you already detect; it does not generate coverage of techniques you do not. NIST CSF 2.0 framing applies: identify, protect, detect, respond, recover, govern. AI helps in each function but does not replace any of them (NIST CSF 2.0, 2024).
Rule three: invest in the analyst skill mix early. The SOCs that get the most from AI in 2026 are the ones that invested in analyst training in 2025. The SOCs that did not are the ones complaining that AI tools are producing wrong answers because their analysts cannot tell when an answer is wrong.
Practice exercises
Audit one workflow step. Pick one step in your SOC that AI vendors claim to accelerate (alert triage, hunt query writing, investigation summary, report drafting). Pick three alerts or cases. Time the workflow without AI. Time it with AI. Note quality differences. Write a one-paragraph honest assessment.
Map AI to NIST CSF. For each NIST CSF 2.0 function (govern, identify, protect, detect, respond, recover), identify one specific AI use case that genuinely helps and one that vendors are likely to overstate. The exercise is to internalize that AI is not a function; it is a tool used inside functions.
Read MITRE ATLAS. Skim the ATLAS framework. Identify three AI-specific threats your SOC has not yet built detection for. Note which ones are most relevant given your environment (do you have customer-facing AI applications, internal AI usage, AI in production pipelines?).
Knowledge check
Question 1. What is the honest framing of AI's role in security operations in 2026? a) AI replaces analysts b) AI is a force multiplier for analyst time on language-heavy tasks while analyst judgment remains the core deliverable [correct] c) AI is irrelevant d) AI replaces detection rules
Question 2. Why has language-model-driven detection not replaced rule-based detection? a) AI has not been tried b) Detection requires precision, low false-positive rates, and explainability that language models do not yet deliver consistently at production scale [correct] c) Vendors do not allow it d) Compliance prohibits it
Question 3. Where are the highest-value AI productivity wins in the SOC currently? a) Detection rule generation b) Alert triage acceleration: alert summary, related entity context, MITRE ATT&CK technique mapping, leading to faster confident decisions [correct] c) Replacing analysts entirely d) Hardware tuning
Question 4. What does AI add to threat hunting? a) Replacement of human hunters b) Hypothesis-aware query writing, log result summarization, and pivoting suggestions, while hypothesis quality still depends on human understanding of the adversary and environment [correct] c) Better detection rules d) New threat intelligence
Question 5. Why is AI-specific detection a new SOC responsibility? a) It is not new b) Because attackers now use AI for phishing, deepfakes, and reconnaissance, and defenders must detect both AI-enabled attacks and misuse of the company's AI systems, with MITRE ATLAS as a reference [correct] c) Because regulators require it d) Because vendors require it
Question 6. Why do SOC AI products differ substantially despite similar marketing? a) They do not differ b) Data integration depth, query quality, accuracy, hallucination rate on security content, and cost at scale vary across vendors [correct] c) Vendors charge different prices only d) Marketing differs but products are identical
Question 7. What is the right way for a SOC leader to think about AI adoption? a) Binary: using or not using b) As a maturity continuum from no AI use through tool-assisted triage to SOC-wide AI orchestration with governance, assessed and planned per organization [correct] c) As a single vendor purchase d) As a hardware decision
Slide deck outline
- Title slide: "Lesson 1.1, What AI does and doesn't do for security operations"
- Hook: vendor pitches vs SOC reality
- Force multiplier, not replacement
- Language tasks vs numerical tasks
- Detection logic still matters (MITRE ATT&CK reference)
- Alert triage as the highest-value win
- Investigation acceleration as the next-most valuable
- Hunting with AI: hypothesis vs query
- AI-specific detection (MITRE ATLAS)
- SOC AI products vary substantially
- Skill mix shift for analysts
- The maturity model preview
- Three operational rules
- NIST CSF 2.0 mapping
- Vendor evaluation guidance preview
- Common SOC AI mistakes
- The all-or-nothing trap
- The hallucination problem in security content
- Citations: SANS, MITRE ATT&CK, MITRE ATLAS, NIST CSF
- Module roadmap
- Practice exercises summary
- Transition to Lesson 1.2
Reference reading
- SANS SEC511 course description: https://www.sans.org/cyber-security-courses/continuous-monitoring-security-operations/
- MITRE ATT&CK: https://attack.mitre.org/
- MITRE ATLAS: https://atlas.mitre.org/
- NIST CSF 2.0: https://www.nist.gov/cyberframework
Transition
You see the realistic role of AI in operations. Next, the vision the field is moving toward. Lesson 1.2 covers the AI-augmented SOC vision: what a mature SOC looks like when AI is integrated across the workflow, with governance and accountability intact.