Billions of dollars have poured into AI-powered security operations over the past 18 months, yet only 10 percent of security operations centres (SOCs) rate the value they are getting from these tools as "excellent." The figure, highlighted in analysis covered by The Hacker News on 5 June, reveals a widening gap between rapid procurement and genuine operational payoff.

The finding does not indicate outright failure. The majority of SOCs report that their AI investments deliver adequate or good results — baseline utility rather than transformative impact. But the distance between "adequate" and "excellent" is precisely where the industry's next chapter will be written.

From marketing pitch to budget line

A year and a half ago, AI in security operations was largely a vendor talking point. Operational realities — chronic analyst shortages, relentless alert volumes, and ever-wider attack surfaces — have since turned it into a budgeted necessity. Agentic AI platforms, threat-detection engines powered by machine learning, and co-pilot assistants now sit inside SIEM, XDR, and other core security stacks in organisations worldwide.

The speed of that transition has outpaced the groundwork needed to make the technology pay off. Buying and deploying a platform is one thing; reshaping workflows, integrating data sources, and training analysts both to trust and to supervise AI-driven decisions is another.

Four capabilities the 'second wave' must deliver

Industry consensus now frames the current generation of SOC AI as a first wave — necessary but incomplete. Analysts and practitioners point to four capabilities that will determine whether the next crop of tools can push satisfaction scores meaningfully higher:

Contextual understanding — AI must go beyond pattern matching on individual alerts and learn the specific topology, risk profile, and business context of each environment it protects: which assets matter most, which accounts are privileged, and what normal activity looks like on that particular network.

Agentic reliability — Autonomous agents that investigate, triage, and respond to incidents need to do so consistently and predictably, without introducing new failure modes. An agent that isolates a host or disables an account on the strength of a false positive fails at machine speed, so guardrails, approval steps for high-impact actions, and the ability to roll back matter as much as raw accuracy.

Seamless interoperability — Security teams run heterogeneous toolchains spanning multiple vendors and data formats. Platforms that cannot integrate across that landscape will deliver fragmented value at best.

Transparent reasoning — When an AI system flags an event or recommends an action, analysts need to understand why. Opaque outputs erode trust and slow adoption precisely among the people these tools are meant to support.

Closing the satisfaction gap

For security and IT leaders, the central takeaway is that procurement and optimisation are not the same exercise. The 10 percent "excellent" rating should prompt organisations that have already deployed AI platforms to ask whether they have invested sufficiently in environment-specific tuning, deep workflow integration, and analyst training — the unglamorous work that typically separates adequate deployments from exceptional ones.

The broader technology community will recognise the pattern. Every major enterprise technology wave has followed a similar arc: rapid adoption, then a longer, harder push toward optimisation. Security operations is now firmly entering that second phase. The vendors that can deliver on contextual understanding, agentic reliability, interoperability, and transparent reasoning will be best positioned to move that 10 percent figure upward — and the organisations that demand those capabilities will be best placed to benefit.

