Every few months, a vendor publishes a blog post claiming that AI will "revolutionise the SOC" and that autonomous agents will handle investigations end-to-end. Every few months, a practitioner on Reddit responds with some variation of "I'll believe it when the AI can parse a corrupted EVTX file from a host that hasn't rebooted in 400 days."
Both are right. Both are wrong. And the conversation between them is failing the practitioners who actually need to make career decisions right now.
Here's the honest version — the one that doesn't make good marketing for AI vendors or comfortable reading for analysts who'd rather not think about it.
The part the vendors get right
AI is genuinely good at the work that burns out analysts. Triage. Enrichment. Alert correlation. Pattern matching across millions of events. The tasks that require processing speed and consistency more than judgment and creativity.
Microsoft's "agentic SOC" vision isn't vapourware — it's a description of what their Defender platform already does in production. The correlation engine groups alerts into incidents automatically. Security Copilot summarises investigation context. The Defender Triage Agent classifies alerts using a model trained on real analyst decisions from their managed detection team. These aren't demos. These are features available to anyone with an E5 licence.
Gartner predicts AI will automate 50% of L1 SOC analyst responsibilities by 2028. Based on what's shipping today, that feels conservative for the specific tasks it targets: alert triage, initial enrichment, and pattern-based detection.
The vendors are right that large parts of the traditional analyst job — the parts that involve processing a queue of alerts, looking up IPs in threat intel, and writing the same "this is a true positive / false positive" verdicts hundreds of times per week — are being automated. That's happening now, not in a future release.
The part the vendors get wrong
Here's where the marketing diverges from production reality.
A recent report drawing on more than 30 vendor briefings and interviews with practitioners running AI SOC tools in production found that most deployments are stuck in what the authors call "pilot purgatory." A proof-of-value converts to a small deployment. The AI handles enrichment and summarisation. Human analysts retain decision authority. Expansion into higher-stakes workflows doesn't follow.
The autonomous investigation demos rely on curated data, clean telemetry, and linear attack paths. Live SOC environments produce incomplete data, ambiguous signals, and multi-stage attacks that don't follow the playbook. The AI performs well in controlled conditions and breaks down when conditions aren't controlled — which is precisely when you need it most.
One detection engineer put it bluntly: demos appear seamless during presentations but can break down at scale or when data is incomplete or ambiguous.
This doesn't mean the technology won't get there. It means it isn't there yet for the hardest problems — the ones that actually require the analyst.
The part nobody talks about honestly
Here's the uncomfortable truth that neither the "AI will replace you" crowd nor the "AI can never replace human judgment" crowd wants to acknowledge:
AI doesn't need to replace you to change your job beyond recognition.
Consider what happens when AI handles 90% of Tier 1 alert triage (which multiple vendors claim is achievable today). The remaining 10% of alerts that reach a human analyst are, by definition, the hardest 10%. The ones the AI couldn't classify. The ambiguous signals. The novel attack patterns.
That means the analyst's daily work shifts from "process 200 alerts, escalate 5" to "investigate 20 alerts the AI couldn't figure out, every one of which is genuinely difficult." The volume drops. The difficulty per case increases dramatically. The skill requirement jumps.
If your current capability is "I can triage alerts efficiently" — that's the capability being automated. If your current capability is "I can investigate the alerts that resist classification, make containment decisions under ambiguity, and explain my reasoning to a CISO" — that's the capability that becomes more valuable, not less.
The question isn't whether AI takes your job. The question is whether your skill set matches the job that's emerging.
Five questions to ask yourself honestly
These aren't rhetorical. Take five minutes. Answer them.
1. If someone took away your SIEM dashboard tomorrow, could you still investigate an incident?
This sounds abstract, but it tests something specific: do you understand investigation methodology, or do you understand the tool? An analyst who knows how to trace lateral movement through raw event logs, memory dumps, and network captures is doing work AI can't replicate. An analyst who knows how to click through a Sentinel incident wizard is doing work AI is specifically designed to replace.
The methodology transfers across tools. The tool proficiency doesn't.
2. Can you explain WHY a detection rule works — not just that it fires?
Detection engineering is moving from "write rules that match patterns" to "teach systems what matters." That requires understanding the attack technique the rule detects, the legitimate activity it could false-positive on, the telemetry that feeds it, and the confidence level of a match.
If you can write a Sigma rule but can't explain what happens in the operating system that makes the rule work, you're operating at the layer AI replaces first — pattern matching. If you can explain the attack technique, the relevant telemetry sources, and the tuning trade-offs, you're operating at the layer that becomes more valuable.
3. When was the last time you built something that's still running in production?
Not a one-off query. Not a report. Something that runs without you. A detection rule that fires on real attacks. An automation that routes incidents correctly. A hardening configuration that prevents a class of compromise.
The practitioners who build lasting operational capability are the ones AI augments rather than replaces. The practitioners who process a queue of transient tasks are doing exactly the work AI is designed to absorb.
4. Can you make a security decision and defend it to a non-technical executive?
AI can produce an investigation summary. It can even recommend a response action. What it can't do — and this matters more than the technical arguments — is own a decision. When the CISO asks "should we shut down this system during business hours?" someone needs to weigh the security risk against the business impact, make a call, and stand behind it.
That judgment — the ability to operate in the space between technical evidence and business consequence — is where the human role is growing, not shrinking. But it requires skills most analysts haven't been developing: communication, business context, risk quantification, and the confidence to make imperfect decisions under time pressure.
5. Are you learning how to work WITH AI, or are you hoping it goes away?
The most dangerous career position in security right now isn't "I might be replaced by AI." It's "I refuse to engage with AI because I don't think it's good enough yet."
The practitioners who are learning to prompt AI effectively for investigation support, using AI to generate detection rule drafts they then validate and tune, and incorporating AI into their workflow as a force multiplier — they're building the skill set the industry is moving toward. The practitioners who dismiss AI entirely because "it can't do what I do" are right today and wrong by 2028.
What the modern security role looks like
The job titles probably won't change. You'll still be called an analyst, an engineer, a hunter. But the work inside those titles is shifting.
From processing to supervising. You're not triaging 200 alerts. You're reviewing the AI's decisions on 200 alerts, investigating the 20 it escalated, and providing feedback that makes the AI better at the other 180 tomorrow. Your value is judgment, not throughput.
From writing to teaching. You're not manually writing every detection rule. You're defining what the system should care about — which behaviours are suspicious in your specific environment, what confidence threshold justifies automated response, and where human review is still required. You're training a system, not operating one.
From executing to deciding. You're not running the playbook step by step. You're deciding whether the playbook applies, whether the situation warrants deviation, and what the business impact of each response option is. The playbook execution gets automated. The judgment about when and how to apply it stays human.
From individual to architectural. You're not investigating incidents in isolation. You're designing the detection architecture, the automation pipelines, the data flows, and the governance frameworks that determine how the entire SOC operates — with or without you in the room.
What to do about it
This isn't a "upskill or die" threat. It's a description of where the industry is moving. You can move with it or not. But ignoring it doesn't make it slow down.
Learn investigation methodology, not just tools. Understanding how to trace an attack through filesystem artifacts, memory structures, and event logs is durable knowledge. Understanding how to click through a specific vendor's UI is perishable knowledge. Both matter today. Only one matters in five years.
Build things. Detection rules. Automation workflows. Hardening configurations. Response playbooks. Every artifact you produce that runs in production is evidence that you operate above the automation layer. Every shift you spend processing a queue and producing nothing permanent is time spent on the wrong side of the automation line.
Learn to work with AI now. Not because it's perfect. Because the practitioners who develop AI-adjacent skills — prompt engineering for security contexts, feedback loop management, risk-based automation governance — are building career capital that compounds. Waiting until AI is "good enough" means starting from zero when everyone else has two years of practice.
Develop business context. The analyst who understands the business — who knows that shutting down the ERP system during month-end close costs £200K per hour, who can explain residual risk to a board in language they understand, who can make a containment recommendation that accounts for both the technical and commercial reality — that analyst is irreplaceable in the literal sense. No AI model has the context of your specific organisation's risk appetite, regulatory obligations, and operational constraints.
Get comfortable making decisions without complete information. This is the skill AI specifically cannot replicate: operating under genuine uncertainty. AI is built on pattern recognition. When the pattern is novel — a new attack technique, an ambiguous signal, a situation where the evidence could go either way — the human makes the call. Developing confidence in that judgment requires practice, and practice requires putting yourself in positions where you have to decide, not just observe.
The honest answer
Will AI take your security job? No. The demand for security professionals is still outpacing supply, AI is creating new roles faster than it's eliminating old ones, and the problems that matter — real investigations, architectural decisions, risk governance, stakeholder communication — require human judgment that AI isn't close to replicating.
But will AI change your security job? Yes, and it's already happening. The role that's emerging values investigation depth over alert throughput, system design over tool proficiency, judgment over process execution, and operational creativity over repetitive diligence.
The practitioners who will thrive aren't the ones who can triage alerts fastest. They're the ones who can investigate what the AI can't, build what the AI uses, and decide what the AI shouldn't.
The question was never "Will AI take my job?" The question is: "Am I building the version of myself that the modern workplace needs?"
If you're not sure, the answer is probably no. And that's okay — as long as you start today.
Next week: The Sentinel portal migration — practical preparation for March 2027. What actually changes, what breaks, and the five-step plan.