It’s hard to avoid the noise around AI in cybersecurity. Buzzwords like AI-driven detection, autonomous SOCs, and self-healing systems dominate headlines, vendor decks, and conference panels. But when you speak with the people running Security Operations Centers (SOCs), a different, more grounded picture emerges.
Over the past weeks, I interviewed ten security professionals across internal enterprise SOCs and security service providers (MSSPs, MDRs, consultancies). Their roles span from SOC managers to DFIR engineers and threat hunters.
Collectively, they represent organizations of various sizes and sectors, from tens of thousands to dozens of employees, as well as different regions and cultures.
The goal was to understand what the real impact of AI on threat hunting and incident response is today, ignoring what the “marketing” says and listening to the SOC floor.
While we cannot draw general conclusions from a sample of this size, the consistent message is that, for now, AI is helping, not replacing. The experts see gaps in the existing tools, are cautious about relying on them, and have several other challenges competing for their attention.
The rest of this article goes through the most revealing insights from the experts who defend organizations around the world, every minute of every day.
Dedicated Team or Shared Responsibility?
When it comes to the structure of Security Operations teams, there’s not one way to handle Threat Hunting. While larger organisations tend to have dedicated specialists, in-house or outsourced, most service providers don’t.
Dedicated threat hunters are expensive to maintain, especially for smaller providers that depend on tight margins.
“We don’t have dedicated threat hunters because we’re not big enough. It’s simply not financially viable”, says the SOC Deputy Manager of a French MSSP.
Service providers must balance efficiency and scale, and assigning full-time roles to threat hunting is hard to justify: not only because of cost and resource constraints, but also because many clients do not perceive its value.
“Some of the more mature clients understand why (threat hunting) is key, but unfortunately most of them are not yet convinced despite our best efforts”, adds the previously quoted specialist from France.
This makes it harder for service providers to justify threat hunting as a standard part of their services, a challenge compounded by the tool fragmentation they face across clients.
At service providers, threat hunting therefore becomes a shared responsibility among analysts.
“Senior-level analysts lead investigations, and all analysts share hunting responsibilities collaboratively”, explains a SOC Analyst from a medium-size service provider in Arizona, US.
The foundational work
Before even considering any kind of automation, including AI-driven ones, Security Operations teams need to build the right foundations.
How the teams are structured, as we mentioned above, is one of those pillars, alongside data, processes, and tools.
Many of the interviewees said that their biggest challenges lie in getting those basics right.
“Lack of quality telemetry data is one of our biggest challenges. We’re working on improving visibility through better log management,” says the SOC Manager of a large logistics company.
It is nothing new that SOCs must deal with an ever-increasing amount of data ingested by their SIEM and other tools. Even so, visibility gaps remain, caused by budget constraints, compliance restrictions or overly aggressive tuning, as one of the interviewed analysts highlighted.
All of the interviewees have initiatives under way to address not only the data challenge but also their internal processes. SOARs, playbooks, methodologies such as TaHiTI (Targeted Hunting integrating Threat Intelligence) and custom approaches are some of the ways the different organisations are working towards a high level of process maturity.
The variety of tools and data sources complicates this further. Two examples:
- A SOC Manager at a 150,000-employee company highlights the need to integrate CTI and refined IOCs that could trigger alerts worthy of investigation.
- An analyst from a Spanish service provider mentions that threat hunting is still a manual or semi-manual process due to the diversity of digital assets they are monitoring in different customer environments.
What is clear across the board is that automation and AI require the right foundations in place, especially around data and processes.
Hunting the Unknowns
Reading between the lines, one topic comes up with pretty much every interviewee: the challenge of hunting for threats that existing IOCs, detections and signatures do not cover.
“The biggest challenge is detecting threats without known IOCs. Advanced threats aren’t always identified through traditional signatures, so a more behavioural approach is needed, requiring more analyst time and specialization,” says a Digital Forensic Analyst from a large service provider.
This is an essential aspect of modern threat hunting, and in many cases it is still a work in progress. Many teams still rely on alerts as the trigger to investigate further, and unknown threats often do not generate one.
Transforming intelligence into detections, creating behavioural baselines in collaboration with clients, reducing irrelevant alerts, and better log management are some of the ways SOCs are addressing this issue.
“The challenge isn’t just data volume. It’s the lack of context that makes hunting unknown threats especially difficult,” adds a Principal DFIR Consultant from a large UK-based service provider.
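The two approaches mentioned in this section and the previous one (IOC-triggered alerts built from refined CTI, and behavioural baselines that catch what carries no IOC) side by side, as an added example that is not code from the article or from any of the interviewed organisations or vendors. The telemetry, the indicator values, the host names and the process names are constructed for illustration; a real deployment would build the baseline from weeks of EDR data rather than five rows, and `max_hosts` is an assumed tuning knob, not a standard parameter of any tool.

```python
"""Added example: two complementary threat-hunting stages over constructed
endpoint telemetry. Stage 1 matches refined CTI indicators (known threats).
Stage 2 flags parent/child process pairs with no history in a baseline window
(threats that carry no IOC). Illustrative code, not from the article or any
vendor; every host name, process, hash and domain below is a placeholder."""
from collections import Counter, defaultdict

# Constructed CTI feed. The hash and domain are placeholders, not real indicators.
CTI_IOCS = {
    "sha256": {"ab" * 32: "constructed loader sample"},
    "domain": {"updates.constructed-example.invalid": "constructed C2 domain"},
}

# Constructed process-creation telemetry. "baseline" rows stand in for weeks of
# normal activity; "hunt" rows are the window being investigated.
EVENTS = [
    {"phase": "baseline", "host": "ws-01", "parent": "explorer.exe", "child": "winword.exe"},
    {"phase": "baseline", "host": "ws-02", "parent": "explorer.exe", "child": "winword.exe"},
    {"phase": "baseline", "host": "ws-01", "parent": "winword.exe", "child": "splwow64.exe"},
    {"phase": "baseline", "host": "ws-03", "parent": "services.exe", "child": "svchost.exe"},
    {"phase": "baseline", "host": "ws-02", "parent": "cmd.exe", "child": "powershell.exe"},
    # Benign and common in the baseline: neither stage should flag it.
    {"phase": "hunt", "host": "ws-02", "parent": "explorer.exe", "child": "winword.exe"},
    # Carries a hash from the CTI feed: stage 1 catches it.
    {"phase": "hunt", "host": "ws-03", "parent": "explorer.exe", "child": "setup.exe",
     "sha256": "ab" * 32},
    # No indicator at all, but Word spawning PowerShell never appeared in the
    # baseline: only stage 2 sees this one.
    {"phase": "hunt", "host": "ws-01", "parent": "winword.exe", "child": "powershell.exe",
     "domain": "files.constructed-example.invalid"},
    # Familiar pair, but it contacts a CTI domain: stage 1 catches it via the domain.
    {"phase": "hunt", "host": "ws-02", "parent": "cmd.exe", "child": "powershell.exe",
     "domain": "updates.constructed-example.invalid"},
]


def match_iocs(events, iocs):
    """Stage 1: (event, indicator_type, label) for every event hitting a CTI indicator."""
    hits = []
    for ev in events:
        for ioc_type, table in iocs.items():
            value = ev.get(ioc_type)
            if value in table:
                hits.append((ev, ioc_type, table[value]))
    return hits


def build_baseline(events):
    """Stage 2a: per (parent, child) pair, how often it ran and on which hosts."""
    counts = Counter()
    hosts = defaultdict(set)
    for ev in events:
        pair = (ev["parent"], ev["child"])
        counts[pair] += 1
        hosts[pair].add(ev["host"])
    return counts, hosts


def hunt_rare_pairs(events, baseline_hosts, max_hosts=0):
    """Stage 2b: (event, baseline_host_count) for hunt-window events whose
    parent/child pair appeared on at most max_hosts hosts in the baseline.
    max_hosts=0 means "never seen"; raising it also surfaces merely rare pairs.
    The host count is the context an analyst needs to prioritise the hit."""
    flagged = []
    for ev in events:
        seen_on = len(baseline_hosts.get((ev["parent"], ev["child"]), ()))
        if seen_on <= max_hosts:
            flagged.append((ev, seen_on))
    return flagged


def run_hunt(events=EVENTS, iocs=CTI_IOCS, max_hosts=0):
    """Split telemetry into baseline and hunt windows and run both stages."""
    baseline = [e for e in events if e["phase"] == "baseline"]
    window = [e for e in events if e["phase"] == "hunt"]
    _, baseline_hosts = build_baseline(baseline)
    return {
        "ioc_hits": match_iocs(window, iocs),
        "behavioural_hits": hunt_rare_pairs(window, baseline_hosts, max_hosts),
    }


if __name__ == "__main__":
    results = run_hunt()
    for ev, ioc_type, label in results["ioc_hits"]:
        print(f"[IOC]       {ev['host']}: {ioc_type}={ev[ioc_type]} ({label})")
    for ev, seen_on in results["behavioural_hits"]:
        print(f"[BEHAVIOUR] {ev['host']}: {ev['parent']} -> {ev['child']} "
              f"(seen on {seen_on} baseline hosts)")
```

Stage 1 is cheap and precise but blind to anything the feed does not list; stage 2 is what surfaces the winword.exe to powershell.exe chain on ws-01, which no indicator describes. The baseline host count attached to each behavioural hit is the kind of context the UK consultant quoted above is asking for: a pair that no host in the baseline ever ran deserves a look before one that a single host ran once, and raising `max_hosts` trades more hits for more analyst time, which is exactly the resourcing tension the interviewees describe.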
Finding unknown threats is where machine learning and AI algorithms can help, according to a few of the interviewees.
A Threat Hunting Lead from one of the largest insurance companies in the world confirms that the approach is being selectively applied: “The use of AI algorithms is becoming more common. Since it can provide different angles in threat hunting, we apply it depending on the scenario and the goal.”
Moreover, another interviewee, Detection & Response Lead at the cybersecurity arm of a large physical security company, details a more advanced practice: “We use an internal correlator with machine learning to filter out irrelevant alerts. The important ones are first analysed by an AI agent trained to behave like a hunter, so our analysts already have part of the work done when they step in.”
Hunting unknown threats is clearly resource-intensive and difficult to scale. The organisations with mature structures and processes seem to be better positioned to formalise and operationalise this kind of work.
The question is: could this be the area where AI brings the most value?
AI is here, to some extent
None of the experts work at companies that have fully replaced Security Operations functions with AI, despite the promises of many new vendors.
When asked about the use of AI for threat hunting, Olivier Caleff, CISO of Erium, a French cybersecurity service provider, was very clear: “No. We don’t use it in production at the moment, but it is used as a supporting tool. We are waiting to have more reliable tools and positive testing before relying on it. Anyhow, we plan to enforce human control for quite some time”.
The answers show that service providers, which must work with multiple tools across their customers’ varied technology stacks, are not yet adopting AI widely, even though they do have some level of automation in place.
Those in larger organisations, with a more homogeneous environment and fewer budget constraints, are already using (or planning to use) AI selectively in some processes, for instance to assist threat hunters.
Nevertheless, maturity is still an issue, as a Senior DFIR Manager from a global financial company says: “AI helps in the analysis process, sometimes. Currently, it’s not mature enough to be anything more than an aid to analysts.”
Adoption of AI is gradual: assisting specialists in particular cases for some, alert filtering and initial triage for others. A few of the consulted experts have work in progress to adopt it further, but still only as an aid to threat hunting rather than a fully automated approach.
The overall sentiment is that while AI offers potential, it’s not a plug-and-play solution. Its success depends on how well organizations have structured their SOCs, curated their data pipelines, and integrated their processes.
A key takeaway? AI in threat hunting today is about augmentation over automation. The best implementations at the moment are those empowering analysts to focus on deeper investigation by handling noisy, repetitive work, and enhancing human intuition and expertise.
What’s next with AI & Threat Hunting?
While most SOCs are cautiously testing AI to reduce noise and improve alert handling while focusing on getting the basics right, new categories of solutions are beginning to surface.
When it comes to Tier 1 SOC Automation, products like Prophet Security, Dropzone and Qevlar AI promise to provide “hyperautomation” using AI to reduce alert fatigue and improve times to respond and mitigate.
Others are designed from the ground up to automate or accelerate threat hunting for the Tier 2/3 SOC analysts and hunters using AI, addressing some of the challenges highlighted above. CmdZero, TandemTrace and Exaforce are the most notable examples.
“All escalations in security operations require thorough human analysis before a decision can be made. Analyzing these cases is a highly manual process with a lot of grunt work, and the universal shortage of talent for this advanced skillset makes it the most significant bottleneck.“, said Dov Yoran, Co-Founder and CEO of CmdZero.
For instance, TandemTrace is a purpose-built platform to perform threat hunting at scale using AI-driven techniques. Unlike legacy SIEMs or EDRs with bolted-on AI features, platforms like this one aim to generate hypotheses, correlate telemetry, and surface anomalies without relying exclusively on known IOCs or predefined detection rules.
These products promise to:
- Reduce the time and expertise needed to start hunting campaigns
- Operate across telemetry sources (EDR, network, logs)
- Bridge the gap between threat intel and detection by automating contextual analysis
Their success will depend on demonstrating value to security operations teams in threat hunting, but also on how they address data quality, integration maturity, and human oversight.
“Threat Hunters have an incredibly complex job: they need to find a needle in the haystack, without knowing which haystack or if the needle even exists.”, remarks Almog Ohayon, CEO & Founder of TandemTrace. “The modern threat landscape doesn't pause for weekends or holidays. AI security agents can deliver continuous threat hunting and incident response, ensuring defenses are always up while attackers probe for weaknesses.”
The path to AI-driven threat hunting isn’t about replacing the hunters. It's about empowering them. And with AI agents that never sleep now on the horizon, that promise is starting to look real.