Beyond the Tiered SOC
Rethinking the SOC with Autonomous SecOps Orchestration
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
In this follow-up post, I want to dive deeper into the concept of what I’ve started calling Autonomous SecOps Orchestration (ASO)—essentially, the next generation of AI-driven tools for the SOC. If you’ve been following my previous collaborations—particularly with Dylan Williams on our “Blueprint for AI Agents in Cybersec” and with Francis Odum on “Revolutionizing Security Operations: The Path Toward AI-Augmented SOCs”—you’ve seen the market analysis and foundational thinking that led us here.
I’ve received a ton of feedback since those articles went live. One recurring question has been: Why are we still using the tiered approach in SOC operations? Let’s face it, the concept of Tier 1, Tier 2, and Tier 3 analysts feels like a holdover from the early 2000s. Many cybersecurity pros dislike the idea and find it outdated. Still, the reality is that it sells—and many financial institutions, MSSPs, and MDRs are still organized around these tiers. For better or worse, this approach isn’t going away any time soon.
What’s more, “Tier 1 analysis” can mean different things to different organizations. To provide a clearer, more consistent framework, I’m proposing mapping vendor capabilities to the phases of the incident response lifecycle as defined by SANS: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. I believe this approach simplifies how we communicate what each tool covers. I’m also trying to tie these phases to the principle of the “Five Ws” (Who, What, When, Where, Why) for guiding security
(For those interested, I discussed these topics on a couple of podcasts recently, which you can check out as well.)
Mapping the Process: A SIEM Alert as a Starting Point
Let’s consider an example that starts with a basic SIEM alert—say, an admin account spinning up a new resource in an unusual region. How do we move from there to an autonomous, AI-driven workflow?
I covered some of this in the collaborative article with Francis Odum, but let’s break it down step-by-step:
Identification (Enrichment)
We kick off with a SIEM alert. For instance, an admin account creates a resource in a region that’s rarely used. From here, we do the usual triage. The key question: What steps can be fully automated to reduce the 30+ minutes of manual work it often takes to sift through data?
Alert Reception and Triage Agent Activation. Deduplication and Grouping: The ASO platform identifies similar alerts triggered for the same cloud account or user (for example, the same API call from the same principal within a short window) and folds them into a single case. This reduces noise and allows focus on the actual issue.
Alert Enrichment:
Internal Enrichment: The AI platform pulls info about the admin account, historical provisioning patterns, and resource types. It checks for alignment with authorized changes or expected behaviors. Here, the automation (whether whitebox or blackbox) taps into IAM or ITDR systems to gather context.
External Enrichment: The AI retrieves threat intel to check if the admin's IP or related activities align with known bad actors or tactics, such as cryptomining campaigns or flagged IPs. The quality of this enrichment depends on your chosen threat feeds and the trust level you assign each one; a feed hit on a shared or residential IP is weak evidence on its own and should raise the priority of the case rather than decide it.
After this step, the key questions emerge:
Who is involved? (The admin account)
Where is the activity coming from?
When did it occur?
This sets the stage for deciding if we’re dealing with a true positive, a false positive, or something that warrants escalation.
Containment (Investigation)
Traditionally, digging through logs and connecting dots is tedious and time-consuming. Today’s AI-driven SOC platforms can handle this at scale—and in some cases, autonomously.
Timeline Analysis: The AI reconstructs the sequence of events, pinpointing when provisioning began. It accesses logs, hunts for indicators, and automatically builds a timeline for a clear narrative of what happened and when.
Forensic Evidence Gathering: Collecting forensic evidence can be fully automated as well. The platform snapshots affected cloud instances, enumerates running processes and active connections, and sets up saved searches for relevant CloudTrail logs or API activity. Order matters here: process and connection state is volatile, so capture it before any isolation, shutdown or termination step runs. Analysts, or the AI itself, can then dive deeper into the details as needed.
Here, the core questions shift to:
What is happening? (Resource misuse? Suspicious activity?)
Why is it occurring? (Compromised credentials? Malicious intent?)
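The Identification and Containment steps above, run end to end over a handful of constructed CloudTrail-style events, as an added example (this is not code from the original post or from any vendor platform). The event records, the 90-day region baseline, the threat-feed entry and the verdict rule are all assumptions made up for illustration; in practice the baseline comes from your SIEM or CSPM history and the IOC lookup from your threat-intel platform. The pipeline dedupes repeated alerts, groups by principal, answers Who/Where/When from the enriched context, and builds the timeline narrative.

```python
"""Added example: triage of a "resource created in an unusual region" alert.

Everything here is constructed for illustration: the events mimic the shape of
AWS CloudTrail records (eventName, awsRegion, userIdentity, sourceIPAddress,
eventTime) but are hand-written, the baseline is a hard-coded dict, and the
IOC entry stands in for whatever threat feed you actually subscribe to.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style events (not real logs). Two near-duplicate alerts
# fire for the same admin within the same minute; the last event is unrelated noise.
EVENTS = [
    {"eventTime": "2024-05-02T03:14:07Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jdoe"}},
    {"eventTime": "2024-05-02T03:15:21Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jdoe"},
     "requestParameters": {"instanceType": "p3.8xlarge", "count": 8}},
    {"eventTime": "2024-05-02T03:15:22Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jdoe"},
     "requestParameters": {"instanceType": "p3.8xlarge", "count": 8}},
    {"eventTime": "2024-05-02T03:16:05Z", "eventName": "CreateBucket",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"}},
]

# Constructed 90-day baseline: regions each principal has provisioned in before.
BASELINE_REGIONS = {
    "arn:aws:iam::111122223333:user/admin-jdoe": {"us-east-1", "eu-west-1"},
    "arn:aws:iam::111122223333:user/ci-deployer": {"eu-west-1"},
}

# Placeholder for an external threat feed (constructed; not a real indicator).
KNOWN_BAD_IPS = {"203.0.113.45": "cryptomining campaign (assumed feed entry)"}

# API calls that create resources and therefore matter for the region baseline.
PROVISIONING_CALLS = {"RunInstances", "CreateBucket", "CreateFunction"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dedupe_and_group(events):
    """Drop exact repeats (same actor, call, region, IP, minute) and group by actor."""
    seen, groups = set(), defaultdict(list)
    for ev in events:
        actor = ev["userIdentity"]["arn"]
        key = (actor, ev["eventName"], ev["awsRegion"], ev["sourceIPAddress"], ev["eventTime"][:16])
        if key in seen:
            continue
        seen.add(key)
        groups[actor].append(ev)
    return groups


def enrich(actor, events):
    """Internal enrichment (region baseline) plus external enrichment (IOC hits)."""
    baseline = BASELINE_REGIONS.get(actor, set())
    used = {e["awsRegion"] for e in events if e["eventName"] in PROVISIONING_CALLS}
    return {
        "who": actor,
        "where": sorted({e["sourceIPAddress"] for e in events}),
        "when": min(parse_time(e["eventTime"]) for e in events).isoformat(),
        "unusual_regions": sorted(used - baseline),
        "ioc_hits": sorted({e["sourceIPAddress"] for e in events if e["sourceIPAddress"] in KNOWN_BAD_IPS}),
    }


def build_timeline(events):
    """Containment: order the actor's events and emit one narrative line per step."""
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    t0 = parse_time(ordered[0]["eventTime"])
    lines = []
    for e in ordered:
        delta = int((parse_time(e["eventTime"]) - t0).total_seconds())
        params = e.get("requestParameters", {})
        extra = f" {params}" if params else ""
        lines.append(f"+{delta:>4}s {e['eventName']} in {e['awsRegion']} from {e['sourceIPAddress']}{extra}")
    return lines


def triage(events):
    """Run the pipeline and return a verdict, context and timeline per actor."""
    results = {}
    for actor, evs in dedupe_and_group(events).items():
        ctx = enrich(actor, evs)
        if ctx["unusual_regions"] and ctx["ioc_hits"]:
            verdict = "escalate"            # both signals agree: hand to a human now
        elif ctx["unusual_regions"] or ctx["ioc_hits"]:
            verdict = "investigate"         # one weak signal: keep digging
        else:
            verdict = "close_benign"
        results[actor] = {"verdict": verdict, "context": ctx, "timeline": build_timeline(evs)}
    return results


if __name__ == "__main__":
    for actor, r in triage(EVENTS).items():
        print(actor, "->", r["verdict"], r["context"])
        for line in r["timeline"]:
            print("   ", line)
```

The verdict rule is deliberately conservative: a single signal only moves the case to investigation, and the timeline is built for every actor so the analyst who picks it up does not start from raw logs.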
Remediation (Eradication & Recovery)
Automated remediation has been around since early SOAR days, but hyperautomation can push this to the next level. For truly autonomous AI-driven SOCs, though, remediation is still a mixed bag. Each organisation has its own policies and comfort levels.
If auto-remediation is allowed, the platform can isolate hosts, rotate credentials, or block IOCs without human intervention.
If the environment requires change management and approvals, the platform can generate requests or prepare Terraform/CloudFormation templates for review. This ensures compliance while still leveraging automation’s speed.
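A policy gate that sits between the investigation verdict and the remediation connectors, as an added example (not code from the original post or from any vendor). It encodes the two paths above: actions the organisation permits run unattended, everything else is bundled into a change request for review, and actions against principals the business cannot afford to cut off are refused outright. The action catalogue, its risk tiers, the protected-principal list, the policy values and the sample incident are all assumptions; nothing here calls a real cloud or EDR API.

```python
"""Added example: a policy gate in front of automated remediation.

Constructed for illustration: the action catalogue and its risk tiers, the
protected-principal list, the policy values and the incident input are all
assumptions; nothing here calls a real cloud or EDR API.
"""
from dataclasses import dataclass

# Risk tier per remediation action (assumed). Tier 0 is evidence collection that
# changes nothing; higher tiers change state with a growing blast radius.
ACTION_TIERS = {
    "save_search": 0,
    "snapshot_instance": 0,
    "block_ioc": 1,
    "isolate_host": 1,
    "rotate_credentials": 2,
    "disable_principal": 2,
}

# Principals that must never be cut off without a human (assumed list), e.g.
# the role a key business partner integrates through.
PROTECTED_PRINCIPALS = {"arn:aws:iam::111122223333:role/partner-integration"}


@dataclass(frozen=True)
class Policy:
    auto_remediate: bool          # does the org allow unattended changes at all?
    max_auto_tier: int            # highest tier the platform may execute alone
    min_confidence: float         # verdict confidence required for unattended changes
    approvers: tuple = ("soc-lead", "cloud-platform")


@dataclass(frozen=True)
class Decision:
    action: str
    target: str
    mode: str                     # "execute", "approval_required" or "denied"
    reason: str


def gate(proposed, confidence, policy):
    """Decide per proposed (action, target) pair: run it, queue it for approval, or refuse it."""
    decisions = []
    for action, target in proposed:
        tier = ACTION_TIERS.get(action)
        if tier is None:
            mode, reason = "denied", "action not in catalogue"
        elif tier == 0:
            mode, reason = "execute", "evidence collection, no state change"
        elif target in PROTECTED_PRINCIPALS:
            mode, reason = "denied", "protected principal, human decision only"
        elif not policy.auto_remediate:
            mode, reason = "approval_required", "auto-remediation disabled by policy"
        elif tier > policy.max_auto_tier:
            mode, reason = "approval_required", f"tier {tier} exceeds auto limit {policy.max_auto_tier}"
        elif confidence < policy.min_confidence:
            mode, reason = "approval_required", f"confidence {confidence:.2f} below {policy.min_confidence:.2f}"
        else:
            mode, reason = "execute", f"tier {tier} within policy at confidence {confidence:.2f}"
        decisions.append(Decision(action, target, mode, reason))
    return decisions


def change_request(decisions, policy, incident_id):
    """Bundle queued actions into a change-management request (assumed schema).

    Returns None when nothing needs approval, so callers can skip the ticketing step.
    """
    queued = [d for d in decisions if d.mode == "approval_required"]
    if not queued:
        return None
    return {
        "incident": incident_id,
        "approvers": list(policy.approvers),
        "dry_run": True,   # the platform stages the change; a human flips it to live
        "actions": [{"action": d.action, "target": d.target, "reason": d.reason} for d in queued],
    }


if __name__ == "__main__":
    # Constructed input: what the escalated "unusual region" case might propose.
    proposed = [
        ("snapshot_instance", "i-0abc123 (assumed instance id)"),
        ("block_ioc", "203.0.113.45"),
        ("rotate_credentials", "arn:aws:iam::111122223333:user/admin-jdoe"),
        ("disable_principal", "arn:aws:iam::111122223333:role/partner-integration"),
    ]
    policy = Policy(auto_remediate=True, max_auto_tier=1, min_confidence=0.8)
    decisions = gate(proposed, confidence=0.9, policy=policy)
    for d in decisions:
        print(f"{d.mode:<18} {d.action:<20} {d.target}  ({d.reason})")
    print(change_request(decisions, policy, "INC-0001 (assumed)"))
```

Two design points worth keeping whatever the connectors look like: the protected-principal check fires before any policy toggle, so no configuration can accidentally re-enable cutting off a partner, and the staged change request is a dry run by default, so the fastest path to production is still a human clicking approve.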
Lessons Learned: Adaptive Learning
This is where AI shines. It can:
Produce detailed root cause analyses and incident summaries for management and stakeholders automatically.
Feed newly discovered IOCs or TTPs into your Threat Intel repositories.
Push detection gaps directly to your backlog for the detection engineering team.
This continuous feedback loop improves defences over time with minimal overhead.
Why Are Most Vendors Focused on Identification, Not Remediation?
Let’s face it: AI-driven SOC vendors (or ASO solutions) often focus heavily on the early stages—Identification and some aspects of Containment. Building custom automations is one thing, but building truly autonomous decision-making systems is another. With ASO, it’s not just about automating; it’s about enabling the AI to make smart decisions on its own.
As Dylan Williams mentioned on the Resilient Cyber podcast, risk considerations play a huge part here. Identification tasks are low-risk and mostly about adding context. Mistakes at this stage don’t usually break anything critical. The platform primarily needs read-only access, making it easy to establish guardrails.
But as we move into investigation and especially remediation, the stakes get higher. If the AI misjudges something—say, quarantines a legitimate Microsoft process or cuts off a key business partner’s access—there can be serious consequences. The potential negative domino effect from a bad decision at the remediation stage is massive. That’s why we currently see fewer solutions offering full-blown autonomous remediation capabilities. This technology is still in its infancy, and we’re laying the foundation before we build the house.
Closing Thoughts
While the “tiered” approach may not vanish overnight, moving toward a framework aligned with the SANS Incident Response phases gives us a more dynamic way to measure and understand vendor capabilities in this evolving landscape. Most of today’s Autonomous SecOps Orchestration solutions excel at the front end—rapid enrichment, contextualization, and initial triage—because these functions are inherently lower-risk and easier to automate at scale. But as we reach deeper into the investigation and remediation phases, the stakes rise, and so do the technical, operational, and cultural hurdles.
The good news is that this is an expected part of the maturation process for any emerging technology. Just as today’s ML and LLM models are more accurate and reliable than their predecessors, tomorrow’s ASO platforms will have stronger guardrails, more robust trust frameworks, and increasingly sophisticated decision-making capabilities. Over time, we’ll see a gradual shift from human-assisted automations to more autonomous, AI-driven operations where the heavy lifting of complex investigations and targeted remediation can occur with minimal oversight. The end goal isn’t to eliminate human analysts, but to free them from manual drudgery, enabling them to focus on strategic problem-solving and higher-level decision-making.
In short, as the ecosystem matures, organisations will gain the confidence to delegate more sensitive, critical tasks to these platforms—ultimately reducing response times, improving security outcomes, and allowing the SOC to operate at unprecedented levels of speed and efficiency.