Key Takeaways:
- AI accelerates data processing and correlation, reducing noise and clustering related events into coherent incidents.
- Human analysts validate, contextualize, and teach the system how to behave, ensuring it aligns with organizational priorities and context.
- Feedback loops allow continuous learning, gradually improving detection accuracy and reducing false positives.
As cyberthreats grow in volume and sophistication, Security Operations Centers (SOCs) are moving past traditional models based on manual alert review and rigid, tiered incident response playbooks. The next generation of SOCs harmonizes advanced AI and automation with highly skilled human insight, allowing security teams to reduce overwhelming alert volumes while preserving the nuanced judgment that only analysts can provide. With this shift comes a change in the security analyst’s role in the SOC.
Beyond Automation: Bringing Human Insight into AI Workflows
The idea of a fully autonomous SOC where machines independently triage, investigate, and respond without human involvement is appealing in theory. Yet, in practice, genuine autonomy is only possible when systems learn from human expertise. In other words, it’s not possible to automate everything unless the AI agents are learning from someone. And that “someone” is still the security analyst. Their role should not be just to babysit the machine, but to train it and influence it in meaningful ways that make the human’s job easier.
This philosophy emerges from rethinking how human feedback influences automated systems. Those of us who’ve been in security long enough will recall the Indicators of Compromise (IOC) Pyramid of Pain, which taught us that not all indicators are equal. The theory holds that the more abstract the IOC, the more it hurts the attacker when it is detected. Some IOCs are easy for attackers to bypass, while others, like behavioral tactics, are far more disruptive when denied.
Similarly, not all inputs from analysts are equal. A simple flag indicating a false positive may be visible in dashboards, but it doesn’t meaningfully change future false positive detection. However, detailed feedback—for example, explaining why a specific behavior is benign based on a fuller understanding of its context—will refine detection logic and influence future machine learning models. This distinction underscores a key principle: AI systems become more effective when human feedback teaches them over time, rather than merely tagging outcomes.
The Analyst Feedback Impact Model
It’s time for a new model based on the IOC Pyramid of Pain. Think of it as the Analyst Impact Feedback Pyramid: a framework that distinguishes feedback by its impact. Basic labels are helpful for reporting, but deeper, justified feedback that includes reasoning empowers AI to adjust thresholds, suppress recurring false positives, and adapt detection rules. In effect, human analysts act as teachers guiding AI behavior through structured, contextual input.
An analogy from autonomous driving illustrates this dynamic well: gently nudging a self-driving system keeps it on course, whereas assertively taking the wheel overrides and re-trains it. In a human-augmented SOC, similar calibration allows users to guide AI systems, distinguishing between minor corrections and substantive model adjustments.
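The difference between a bare label and justified, contextual feedback can be shown with a small triage loop. This is an added example, not code from the article or from any product; the class names, the rule name `bulk_file_read`, the hosts and the users are constructed for illustration, and scoping a suppression to the analyst's context fields is one assumed way to turn reasoning into behavior.

```python
from dataclasses import dataclass, field

@dataclass
class Feedback:
    rule: str                                    # detection rule that fired
    verdict: str                                 # "false_positive" or "true_positive"
    context: dict = field(default_factory=dict)  # fields that make the event benign
    reason: str = ""                             # analyst's justification

class FeedbackLoop:
    def __init__(self):
        self.label_counts = {}   # what a dashboard would show
        self.suppressions = []   # what actually changes future triage

    def submit(self, fb):
        key = (fb.rule, fb.verdict)
        self.label_counts[key] = self.label_counts.get(key, 0) + 1
        # Only justified, scoped false-positive feedback changes behavior.
        if fb.verdict == "false_positive" and fb.context and fb.reason.strip():
            self.suppressions.append((fb.rule, dict(fb.context), fb.reason))
            return "suppression_added"
        return "label_recorded"

    def triage(self, alert):
        for rule, ctx, reason in self.suppressions:
            same_context = all(alert.get(k) == v for k, v in ctx.items())
            if alert["rule"] == rule and same_context:
                return ("suppressed", reason)
        return ("escalate", None)

def demo():
    loop = FeedbackLoop()
    # Constructed sample alerts: same rule, different context.
    backup = {"rule": "bulk_file_read", "host": "bkp-01", "user": "svc_backup"}
    laptop = {"rule": "bulk_file_read", "host": "lt-221", "user": "jdoe"}
    out = [loop.submit(Feedback("bulk_file_read", "false_positive"))]
    out.append(loop.triage(backup)[0])   # the bare label changed nothing
    out.append(loop.submit(Feedback(
        "bulk_file_read", "false_positive",
        {"host": "bkp-01", "user": "svc_backup"},
        "nightly backup job reads the whole share")))
    out.append(loop.triage(backup)[0])   # recurring benign case is now quiet
    out.append(loop.triage(laptop)[0])   # same rule elsewhere still escalates
    return out

if __name__ == "__main__":
    print(demo())
```

Because the suppression is keyed to the context the analyst supplied, the rule keeps firing for any host or user outside that context.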

Image: A vision for the Analyst Impact Feedback Pyramid.
Redefining Roles within the SOC
Human-augmented SOCs shift analysts away from repetitive tasks like initial triage toward more strategic activities that require context, judgment, and pattern recognition—areas where AI alone cannot excel. As highlighted in RSAC’s exploration of "The AI-Powered SOC", this reflects broader industry discussions showing that analysts are increasingly involved in refining AI inputs and interpreting complex incidents rather than simply reviewing raw alerts.
Rather than viewing automation as a threat to human roles, a human-augmented SOC positions analysts as strategic partners to AI, leveraging computational power while maintaining ownership of critical decisions.
Feedback Is Fuel
Meaningful feedback from the human expert is how trust in AI is earned. The Analyst Feedback Impact Pyramid can help us prioritize that feedback and build better systems that act with the right level of confidence. In this vision of the SOC, autonomy isn’t about replacing humans; it’s about respecting their expertise enough to let it guide the machine to make better decisions. Because, the truth is, the Automated SOC doesn’t get smarter by itself. It gets smarter by learning from its best teacher: the human analyst who understands when to nudge, when to override, and when to give the system the meaningful feedback it needs not to make the same mistake twice.