How Autonomous SOCs Are Changing the MDR/MSSP Landscape

NextGen MDR

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

In this edition of the cybersecurity automation blog, I wanted to dive into the topic of next-gen MDR/MSSP.

MSSP and MDR solutions have been around for a long time. In fact, my first job 15 years ago was at an MSSP vendor (HP Enterprises), so yeah, these solutions go way back. You might wonder why they’ve stuck around for so long. Well, MSSPs primarily covered the People and Process aspects while also managing security technology like SIEM, IDS/IPS, and firewalls for their customers. However, they weren’t necessarily innovating in security tech; they were more focused on deploying and managing existing solutions.

Then MDR came along, building on the MSSP model but with a more proactive approach, adding threat hunting and response automation on top of traditional security monitoring. Instead of just managing SIEM alerts, MDRs actively hunted threats and automated responses, making them more effective at stopping attacks in real time.

This edition is sponsored by Intezer

MSSP: The Early Days (From My Experience)

So, what did MSSP look like 15 years ago? In my case, HP offered MSSP services for the security products they sold, starting with IDS/IPS solutions and firewalls, later adding ArcSight.

Back then, most companies didn’t have dedicated security teams. Security professionals were usually SysAdmins with added security responsibilities, and maybe there was a CISO with a couple of advisors. We handled everything from Tier 1 to Tier 3. The alert volume was much lower than today, and a shared-service SOC could manage 20+ customers at once. The team was responsible for tuning alerts, handling forensic investigations, and responding to security incidents.

The biggest challenge? Limited visibility into customer environments. A lot of time was wasted going back and forth with customers to investigate alerts. But despite these challenges, MSSPs worked well, especially because they helped companies check the compliance boxes and provided cost-effective, 24/7 monitoring at a time when in-house SOCs were rare.

MDR: The Evolution of Security Services

MDR aimed to improve on the MSSP model by offering more than just alert triage. With the rise of threat hunting and EDR, MDRs promised a more proactive approach to security operations. They usually came with their own platform to aggregate alerts and apply automation to speed up response times.

However, MDRs also came with challenges:

  1. Tech coverage gaps – MDRs typically work best with their own platform, but they don’t always integrate with every tool in your stack, which can leave gaps.

  2. Generic detection logic – Every environment is different, but MDRs rely on standardized detection patterns. That means custom threats and niche attack techniques can go unnoticed.

  3. On-prem and custom tooling issues – Organizations with a lot of on-prem infrastructure and unique security tooling found MDRs harder to implement effectively.

Despite these challenges, MDR was a step up from MSSPs. But both models still relied heavily on human analysts, which meant costs scaled with demand; not exactly an efficient long-term solution.

ASOC (Autonomous SOC): The Next Disruptor?

Then came the rise of AI-driven SOCs (Autonomous SOCs). With the introduction of Gen AI and LLMs, we started seeing solutions that automate Tier 1 to Tier 3 security operations.

Some of these platforms focus on alert triage (Tier 1 and Tier 2), while others automate incident response. But can AI SOCs completely replace traditional security teams? Here are the obstacles to consider before that happens:

  1. Stack overload – Most companies already have SIEM, SOAR, XDR, and CDR. Adding yet another tool for security operations is a hard sell.

  2. SOC replacement skepticism – No CISO is confidently saying, “Let’s fire the whole SOC team and replace them with an AI SOC.” Some early adopters are experimenting with AI-driven SOCs for Tier 1 work, but fully replacing a SOC team isn’t realistic today.

  3. Compliance requirements – Many regulations require organizations to have security operations personnel. Even if AI SOCs reduce the need for analysts, auditors won’t necessarily accept a company having zero FTEs dedicated to security ops. A great article related to this: A Fair Weather SOC: 5 Signs It’s Time to Panic (and Fix It!) by Anton Chuvakin.

The Future: ASOCs as Next-Gen MDR/MSSP

Rather than replacing MDR/MSSP, AI SOCs are merging with and influencing the next generation of managed security services.

For AI SOCs to fully evolve into next-gen MDR/MSSP, they need all three pillars: People, Processes, and Technology.

  • Technology – AI SOCs excel here. Their automation and investigation capabilities allow them to process a massive volume of security alerts faster and more efficiently than human analysts.

  • Processes – Some AI SOCs provide prebuilt playbooks for easy onboarding, while others allow organizations to bring their own workflows and let AI automate them.

  • People – This is where most AI SOC vendors fall short. MSSP/MDR providers have security research teams and human analysts, whereas AI SOCs are mainly focused on automation.

So, what happens next? Either:

  1. AI SOC vendors will hire and grow internal security research teams, or

  2. MDR/MSSP vendors will acquire or merge with AI SOC vendors.

Why This Evolution Makes Sense

Current MDR/MSSP vendors shine in people and processes. AI SOC platforms shine in technology and processes. If you combine the two, you get the perfect mix.

As next-gen MDR solutions gain traction, we might see a shift where:

  • Internal SOC teams focus on higher-value work like DevSecOps, Detection Engineering, Proactive Threat Hunting, and Enterprise Security Architecture.

  • AI-driven MDR/MSSP services handle most security operations.

Case Study: Intezer

As I mentioned earlier, most AI SOC solutions don’t include the people aspect. But Intezer is an exception. They’ve been an AI SOC platform for a few years, and they actually have a security research team.

There are a few places where people are involved in Intezer's operation and offering:

  1. On-demand expert / concierge – Intezer allows users to get on-demand help from a security expert for any alert or incident. This security expert can help with questions about the AI SOC verdict, assist in reconfirming or validating an investigation, or dig deeper (even up to deep reverse engineering).

  2. Continuous quality assurance – Intezer has a very scientific approach to ensuring that the Autonomous SOC results are always consistent and meet target KPIs. On a continuous basis, Intezer’s team manually investigates a random sample set of alerts across customer environments. This allows them to maintain an ongoing, precise comparison between AI results and human expert results, providing exact figures for critical metrics such as accuracy, noise reduction, and speed. For every AI mistake, improvement opportunities are extracted weekly to ensure continuous backend technology evolution and rigorous benchmark adherence.

  3. Threat intelligence and research team – Intezer has one of the best threat research teams in the industry, known for publications on threat actor attribution, APTs, and reverse engineering new prominent threats.

  4. Customer success team – This team ensures that the AI SOC is well implemented and that customers achieve maximum value and satisfaction from the platform.
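The continuous quality-assurance loop from item 2, as an added example that is not Intezer's code: it draws a seeded random sample of alert records, compares the AI verdict with the human expert verdict for each one, and reports accuracy, noise reduction, missed true positives, median speed-up and the list of AI mistakes to feed back into the weekly review. The alert records, the KPI definitions and the function names are constructed assumptions.

```python
import random
from statistics import median

# Constructed sample of triaged alerts (illustrative, not real customer data).
# Each record holds the AI SOC verdict, the human expert's verdict for the same
# alert, and the time each side needed to reach that verdict, in minutes.
ALERTS = [
    {"id": "a1",  "ai": "benign",    "human": "benign",    "ai_min": 1, "human_min": 20},
    {"id": "a2",  "ai": "malicious", "human": "malicious", "ai_min": 2, "human_min": 40},
    {"id": "a3",  "ai": "benign",    "human": "benign",    "ai_min": 2, "human_min": 30},
    {"id": "a4",  "ai": "malicious", "human": "malicious", "ai_min": 3, "human_min": 60},
    {"id": "a5",  "ai": "benign",    "human": "malicious", "ai_min": 1, "human_min": 25},
    {"id": "a6",  "ai": "malicious", "human": "benign",    "ai_min": 2, "human_min": 35},
    {"id": "a7",  "ai": "benign",    "human": "benign",    "ai_min": 2, "human_min": 30},
    {"id": "a8",  "ai": "benign",    "human": "benign",    "ai_min": 1, "human_min": 45},
    {"id": "a9",  "ai": "malicious", "human": "malicious", "ai_min": 3, "human_min": 50},
    {"id": "a10", "ai": "benign",    "human": "benign",    "ai_min": 2, "human_min": 30},
]

def sample_alerts(alerts, n, seed=7):
    """Draw the random QA sample the text describes; seeded so a review repeats."""
    return random.Random(seed).sample(alerts, n)

def compare_verdicts(sample):
    """Confusion matrix of AI vs. human verdicts plus the KPIs a QA team tracks.
    KPI definitions are assumptions: noise reduction is the share of alerts the
    AI correctly closed as benign; missed_malicious is the false-negative rate."""
    tp = fp = tn = fn = 0
    for a in sample:
        if a["human"] == "malicious":
            tp, fn = (tp + 1, fn) if a["ai"] == "malicious" else (tp, fn + 1)
        else:
            tn, fp = (tn + 1, fp) if a["ai"] == "benign" else (tn, fp + 1)
    total = len(sample)
    return {
        "accuracy": (tp + tn) / total,
        "noise_reduction": tn / total,
        # Missed true positives are the error class that must stay near zero.
        "missed_malicious": fn / max(tp + fn, 1),
        "speedup": median(a["human_min"] for a in sample) / median(a["ai_min"] for a in sample),
        # Every disagreement becomes an improvement item for the weekly review.
        "errors": [a["id"] for a in sample if a["ai"] != a["human"]],
    }

if __name__ == "__main__":
    print(compare_verdicts(sample_alerts(ALERTS, 5)))
```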

This is a solid example of how an AI SOC can integrate the human element, something most other solutions are still missing.
