The Agentic SOC: Managed Detection and Response for the AI Era

How AI Agents and Human Analysts Are Reshaping Security Operations

The Security Operations Centre is being rebuilt. Not bolted onto, not tuned, but redesigned around a new partnership between human analysts and AI agents. The change is significant, and it matters now because the way modern attacks unfold (faster, more automated, more evasive) has outpaced the way most SOCs were originally designed to respond.

For the last decade, the SOC has been a queue. Telemetry came in, alerts were triaged, analysts worked the backlog, and the best teams shaved minutes off mean time to respond. That model served its purpose. It is no longer enough. Attackers are using automation and AI to compress the attack lifecycle, while defenders are still asked to keep pace by adding more headcount, more tools and more dashboards. Something has to give, and across the industry it is the operating model itself that is changing.


What is an Agentic SOC?

An Agentic SOC is a Security Operations Centre where AI agents and human experts work side by side as one team, with clear handoffs between them. AI agents take on the repetitive, high-volume work of collecting evidence, correlating signals across the estate, summarising incidents and proposing next steps. Human analysts move up the value chain. They supervise the agents, judge the cases that matter, make the calls AI should not be making alone, and own the outcome.

The important word in that definition is “agentic”. An AI agent is not just a model that answers a prompt. It is software that takes actions inside a defined workflow, with guardrails, audit trails and escalation paths. In a security context, that means an agent can investigate, draft a verdict, contain a host and document its reasoning, while the human remains accountable for the result.

Dave Mareels, VP of Product Management at Sophos, put it well in a recent conversation with our team:

“Agentic SOC is not about sprinkling AI features onto the old SOC model. It is a redesign of how MDR operates. Analysts move from being collectors of information to supervisors and conductors of workflows, with human experts and AI agents seamlessly working together across triage, investigation and response. The critical component is trust and quality: clear handoffs, governance, auditability, provenance and clear failure or escalation modes. AI can accelerate the work, and increase the quality, but the human remains accountable for the outcome.”

That is the bar. AI gives us speed and consistency. People give us judgement and accountability. The Agentic SOC is what you get when you design the workflow around both.


Why Traditional SOC and SIEM Models are Running Out of Road

Most of the SOC pain we see at CyberLab traces back to the same handful of problems.

The first is alert volume. Modern estates generate huge amounts of telemetry. The traditional SIEM-driven SOC ingests it, tunes it and asks an analyst to read it. Even the best teams cannot review every alert at the speed attacks now move.

The second is specialist scarcity. Experienced SOC analysts are difficult to find, expensive to retain and burn out fast on repetitive triage. The 2024 ISC2 Cybersecurity Workforce Study put the global shortfall in cyber security professionals in the millions. Hiring our way out is not a credible plan for most organisations.

The third is cost unpredictability. SIEM consumption charges, ingestion tuning and licence creep mean traditional SOC budgets are difficult to forecast. Public sector and mid-market buyers in particular need certainty, not surprise invoices at the end of the quarter.

The fourth, and the one we hear most often from CISOs, is outcomes. Boards do not want more alerts. They want fewer incidents, faster containment and clear evidence that the security investment is working. The Agentic SOC is being designed to deliver exactly that.

Inside the Redesign: How Analysts and AI Agents Work Together

In an Agentic SOC, the operating model changes shape. A useful way to picture it is across three phases.

In triage, AI agents ingest signals from across endpoint, identity, network, cloud, email and OT, correlate them, deduplicate them and rank them by confidence and impact. The output is not a flood of alerts. It is a short list of investigations, each with a draft narrative attached.

In investigation, agents assemble the evidence a human analyst would otherwise have to gather by hand. They pull related telemetry, enrich it with threat intelligence, summarise the timeline and propose hypotheses. The analyst arrives at the case with the homework already done, and spends their time on judgement and verification.

In response, agents can execute pre-approved containment actions inside guardrails, such as isolating a host or revoking a session, while the analyst supervises and authorises anything beyond the agreed scope. Throughout, every action is logged with provenance, so there is a complete audit trail of who, or what, did what and why.

The result is not fewer analysts. It is analysts who spend more of their day on the work that needs a human and less on the work that does not. That is the productivity story behind the Agentic SOC, and it is also the trust story. Without clear handoffs, governance and audit, AI in security is a risk. With them, AI is leverage.
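A minimal sketch of the response-phase guardrail described above (pre-approved containment actions inside an agreed scope, anything beyond it escalated to a human, every decision logged with who, what and why). This is an added example, not code from the original page or from the Sophos or CyberLab platforms; the policy thresholds, agent names and asset identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: which actions an agent may take on its own, and the
# guardrail each must satisfy. A real MDR policy is agreed per customer.
PREAPPROVED = {
    "isolate_host":   {"max_impact": "workstation", "min_confidence": 0.85},
    "revoke_session": {"max_impact": "user",        "min_confidence": 0.80},
}
# Asset criticality ordering used by the guardrail (constructed).
IMPACT_RANK = {"user": 1, "workstation": 2, "server": 3, "domain_controller": 4}

@dataclass
class ActionRequest:
    actor: str          # which AI agent proposed the action
    action: str         # e.g. "isolate_host"
    target: str         # asset or session identifier
    target_impact: str  # criticality assigned during triage
    confidence: float   # agent's confidence in the verdict, 0..1
    rationale: str      # the agent's written reasoning, kept for audit
    case_id: str

AUDIT_LOG: list[dict] = []   # append-only provenance trail

def decide(req: ActionRequest) -> str:
    """Execute if within pre-approved scope, otherwise escalate to an analyst.
    Either way the decision is written to the audit trail before returning."""
    rule = PREAPPROVED.get(req.action)
    within_scope = (
        rule is not None
        and req.confidence >= rule["min_confidence"]
        and IMPACT_RANK[req.target_impact] <= IMPACT_RANK[rule["max_impact"]]
    )
    outcome = "executed" if within_scope else "escalated"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "who": req.actor, "did": req.action, "to": req.target,
        "why": req.rationale, "case": req.case_id, "outcome": outcome,
        "authorised_by": "pre-approved policy" if within_scope
                         else "pending human analyst",
    })
    return outcome

if __name__ == "__main__":
    # Constructed requests: one inside scope, one touching a domain controller.
    print(decide(ActionRequest("triage-agent-1", "isolate_host", "WS-0042",
                               "workstation", 0.92, "credential dumping tool observed", "CASE-1")))
    print(decide(ActionRequest("triage-agent-1", "isolate_host", "SRV-DC01",
                               "domain_controller", 0.99, "same tool, same account", "CASE-2")))
    for entry in AUDIT_LOG:
        print(entry)
```

The first request is executed under the pre-approved policy, the second is escalated despite higher confidence because a domain controller is outside the agreed impact scope, and both decisions land in the audit trail.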


What This Means For Buyers

For most organisations, the practical question is not “should we build an Agentic SOC” but “how do we benefit from one without rebuilding our own”. This is where the Managed Detection and Response market has shifted noticeably in the last year. Sophos has repositioned its MDR proposition around the Agentic AI era, combining an AI-native platform with hundreds of human experts and a clear set of service tiers that buyers can match to their risk appetite. The platform now sits behind more than 600,000 organisations worldwide, with continuous detection updates and full-scale incident response included as standard.

For buyers, three things matter when assessing an Agentic SOC service.

  • First, provenance and audit. Ask what each AI agent can do, who authorises it, and how every action is logged. If the provider cannot show you that audit trail, the governance is not real.
  • Second, integration breadth. The value of an Agentic SOC comes from correlating signal across the whole estate, not just the parts the provider sells you. Look for hundreds of pre-built integrations across Microsoft, endpoint, identity, network and cloud, so you keep the security investments you already trust.
  • Third, predictable economics. Linear, per-endpoint pricing with included log retention removes the SIEM consumption risk and makes the business case much easier to defend at board level.


How East Lothian Council Modernised its Security Operations

East Lothian Council is a Scottish local authority delivering essential public services to thousands of residents. As cyber threats targeting the public sector have grown more advanced, the council needed a modern, proactive security operations capability that could provide deeper threat visibility and faster, more effective incident response.

CyberLab worked with the council to implement Sophos Taegis Managed Detection and Response as the new foundation of their security operations. Delivered as a fully managed service, Sophos Taegis MDR provides 24/7 threat detection, investigation and response, combining advanced telemetry with expert human analysis. CyberLab supported the procurement, proof of concept and onboarding at pace, while providing ongoing strategic guidance tailored to local authority needs. The result is a modern, sustainable security operations model with predictable total cost of ownership and significantly improved threat visibility across the estate.

Graham Burke, Security and Infrastructure Manager at East Lothian Council, said:

“East Lothian Council has been working closely with CyberLab to strengthen our security operations capability. Their support in implementing Sophos Taegis as our managed detection and response (MDR) solution provided significantly improved visibility of threats across our environment and increased confidence in our ability to respond swiftly and effectively. CyberLab’s team have been responsive, knowledgeable, and easy to work with throughout. Their expertise, combined with the capabilities of the Sophos Taegis MDR platform, has delivered tangible improvements to our overall security posture.”

It is a useful example of what the Agentic SOC looks like in practice for a public sector team operating under budget pressure and a demanding threat landscape.

How CyberLab Supports the Agentic SOC Journey

We have spent more than 30 years helping UK organisations make sense of cyber security, and the question we are asked most often right now is how to adopt AI-augmented security operations responsibly. Our answer is built on partnership, not product.

We work with you to understand your current SOC posture, your risk appetite and your existing investments. We deliver Sophos Taegis MDR as a Sophos Platinum Partner, with deployment and proof of concept led by engineers who have done this many times before. We wrap the platform with our own enhanced customer care, including Cyber Essentials certification, annual tabletop exercises with your board, supply chain monitoring through HackRisk and yearly posture assessments. And we stay alongside you afterwards, because security operations is a relationship, not a transaction.

Ready to Modernise your Security Operations?

The Agentic SOC is not a future state. It is being built now, and the organisations that move early are getting better outcomes for the same, or less, money than they were spending on a traditional SOC. If you are reviewing your security operations strategy, comparing in-house build against outsourced managed service, or wrestling with unpredictable SIEM costs, we would welcome the conversation.

CyberLab is a CREST, CHECK and NCSC-accredited cyber security partner trusted by 1,200+ UK organisations, with more than 1,500 Cyber Essentials and Cyber Essentials Plus certificates issued. Protecting the nation, business and people.
