Eighteen months ago, the AI SOC was a marketing line. Today it's a budget item. The category has crossed over from interesting to inevitable, with billions of dollars now flowing into AI-powered security operations platforms, agentic SOC tools, and AI co-pilots built into every layer of the security stack. The data shows SOCs are buying, deploying, and standing up AI capabilities at the fastest pace the industry has ever seen.
And yet, the same SOCs reporting record AI adoption are reporting underwhelming outcomes. The first objective benchmark on the value of AI in the SOC was published in the SOC-CMM 2026 Maturity Report in May, drawing on survey data collected from roughly 200 SOCs across regions, sectors, and delivery models between late January and mid-March 2026. Only about 10% of respondents said AI has delivered excellent value to their SOC. About 19% reported good value. The remaining 71% landed at some value or none at all.
Eighteen months into AI deployment, that's a structural signal. What follows is a read on what the data confirms, and on what the next wave of AI in security operations must deliver if the industry is going to close the gap.
What the SOC-CMM 2026 data shows
Three findings stand out in the SOC-CMM report's AI section, and they correlate cleanly with each other once they are read together.
First, adoption is up across every category of AI used inside the SOC. Off-the-shelf large language models grew 55% year over year. AI co-pilots grew 145%. AI agents grew 118%. Supervised machine learning grew 96%. Customized LLMs grew 64%. SOC teams are over-investing in AI without the operational maturity to extract value from what they bought.
Second, the dominant adoption pattern is what the report calls the taker model: off-the-shelf AI deployed inside an existing security stack without customization. About 65% of SOCs surveyed describe themselves as takers. Another 20% are shapers, customizing what they buy. Only 15% are builders, training models against their own data. The takers are the largest cohort and the cohort reporting the least value. Across hybrid SOCs, in-house SOCs, and MSSP SOCs, the perceived value distribution is nearly identical. That uniformity is the tell. The pattern cuts across delivery model, region, and sector. The cause is structural.
Third, the report flags that the two SOC improvement challenges that grew year over year are lack of best practices (+17%) and complexity of increasing maturity (+11%). Every other challenge category, including lack of budget and lack of management support, dropped. SOCs aren't telling the survey they don't have money or executive support. They're telling the survey they don't know what they're supposed to be doing with the AI they bought. That is the AI maturity gap in one data point.
Why the first wave of AI in the SOC underperformed
The first wave of AI SOC tools shipped as features bolted onto existing security products. SIEMs got AI triage. EDRs got AI investigation. SOAR platforms got AI playbook generation. Ticketing tools got AI summarization. Each feature was real. Each one worked in isolation. None of them shared context with the next.
What that means in practice is that SOC analysts now have five AI assistants instead of one. The triage agent in the SIEM does not know what the detection engineer silenced last week. The threat hunting agent in the EDR does not know what the threat intel team flagged that morning. The summarization agent in the ticketing tool does not know what the investigation surfaced two hops ago. Each agent accelerates its own slice of the workflow. None of them fixes the handoffs between slices, which is where most SOC time and most SOC value live.
SOC operators describe this pattern in conversations across the industry. They describe faster individual tasks and the same fragmented workflow. They describe being asked to learn five new agent interfaces while the core problem, which is that the SOC operates as a chain of disconnected stages, didn't move at all. The AI accelerated each silo without connecting them.
The SOC-CMM 2026 report puts numbers on this dynamic too. The technology domain is again the highest-scoring maturity domain across the dataset, at an average of 2.7 out of 5. The process domain, where the handoffs between SOC stages live, scores 2.3. The people domain, where the institutional knowledge and decision-making capacity live, scores 2.3 as well. Buying more tools, including AI ones, does not move those numbers. In some SOCs it makes them worse, because each new tool adds a handoff.
What's different about the SOCs that report excellent value
The 10% of SOCs reporting excellent value from AI are not running different point tools. They're running AI inside a different architectural structure. Three things separate them from the 71%.
- AI that operates across the SOC lifecycle, not inside one stage of it. Threat intelligence, threat hunting, detection, investigation, and remediation are five stages of one workflow. When agents operate across all five stages and feed each other context, the SOC compounds. Every closed investigation calibrates the next detection. Every threat hunt result updates the next intel cycle. Every remediation feeds back into the playbook the next agent uses. The connected fabric is what produces sustained value. The SOCs reporting excellent value tend to have AI architectures that look like fabric. The SOCs reporting good value tend to have stacks of features.
- AI that knows the dynamic environment it's operating in and continuously draws on it. Generic AI produces generic investigations. "Normal" looks different in a healthcare environment than a fintech one. A detection rule that fires on a real threat in one environment will fire on routine activity in another. An investigation that escalates correctly in one environment will overlook the right answer in another. SOCs reporting value have AI systems that capture and persist institutional knowledge: the assets that matter, the analysts whose judgment shaped past incidents, the sanctioned actions, the escalation criteria, the tickets that turned out to be nothing and the ones that turned out to be everything. Without that grounding, AI in the SOC produces the average of the internet, which is the wrong answer in most environments.
- AI that is governable. The SOC-CMM 2026 report identifies effective SOC governance as the single most challenging area of SOC improvement, with 39% of respondents naming it. AI governance and SOC governance overlap. The agentic SOC operates inside customer-defined guardrails. It exposes a defensible reasoning trace for every action. It earns autonomy in stages rather than asking for it upfront. AI in the SOC cannot be a black box. The SOCs that figured this out are the SOCs where analysts trust the system enough to give it standing authority. That trust is what produces the productivity gain. Without it, the system stalls.
The architecture problem, in plain terms
Most enterprises trying to extract value from AI in the SOC today are running point AI inside a fragmented architecture. The point AI works inside a broken architecture. That is the architecture problem.
If a SOC's detection engineering team works in a different tool than its investigation team, AI in either tool will accelerate that team's slice of the workflow and do nothing about the handoff between them. If a SOC's threat hunters cannot easily test hypotheses across the same telemetry its investigations use, AI in either workflow will move only that workflow forward. If a SOC's remediation playbooks live in a SOAR tool that does not see what its investigation agent concluded, AI remediation will execute against stale context.
The fix is connecting the stages. More AI inside the same fragmented architecture compounds the original problem. That connective fabric is what "second wave" means. The first wave delivered AI per stage. The second wave delivers AI across stages.
What the second wave must look like
The five stages of the SOC must operate as one agentic fabric grounded in the customer's environment. Every closed investigation calibrates the next detection. Every threat hunt result updates the next intel cycle. Every remediation feeds back into the playbook the next agent uses. The SOC compounds.
In practice, a platform built this way sits on top of the SIEM, EDR, identity, cloud, ticketing, and threat intel stack an organization already owns rather than replacing it. The connective layer is what lets each stage feed the next instead of operating in isolation. Where that architecture is in place, SOCs report sharper investigations completed faster, detections that get surfaced and tuned instead of left silent or noisy, threat hunts that run continuously rather than episodically, and remediation that operates inside defined guardrails with full reasoning traces and audit-grade decision records.
The second wave of AI in the SOC must look architectural, not featural. The vendors and platforms that figure that out are the ones whose customers will move from "some value" to "excellent value" in next year's benchmark.
Spotlight: End-to-End Agentic AI for Security Operations
One platform built around this architecture is Conifers' end-to-end agentic SOC, launched in May 2026 on its CognitiveSOC™ platform. Rather than adding AI to a single stage, it connects threat intelligence, threat hunting, detection engineering, investigation, and remediation into one operating fabric grounded in each customer's institutional knowledge. The five functions feed each other context, so hunts inform detection, investigations calibrate future detections, and remediation runs inside customer-defined guardrails instead of static playbooks.
Governance is built in from the start. Every agent action carries a reasoning chain and an evidence trail, and customers set the scope and authority each agent operates under, expanding autonomy as confidence builds. That is the move from human-in-the-loop to human-on-the-loop oversight. The system runs on top of the stack a SOC already owns, with more than 60 integrations across EDR, identity, cloud, email, and ITSM, and no rip-and-replace migration.
The window is closing faster than most SOCs think
Adversaries are not waiting for the second wave to arrive. Google's Threat Intelligence Group disclosed the first confirmed AI-developed zero-day exploit earlier this year. Anthropic's Claude Mythos preview is identifying critical vulnerabilities at machine speed. JPMorgan's CISO published an open letter in April 2025 warning that the economics of cyber risk are shifting and that security buyers need to demand secure-by-default products instead of the current pace of rushed feature releases.
The defenders running first-wave AI inside a fragmented SOC will be the ones explaining what happened the morning after a breach. The defenders running second-wave AI as a connected fabric, with institutional knowledge inside the loop and governance built in from the start, will be the ones who saw it coming. The 10% number in the SOC-CMM 2026 report is a signal about the architecture most SOCs run right now. It is also a signal about which side of the next breach narrative each SOC will be standing on.
Visit Conifers.ai to request a demo and experience the power of a full lifecycle agentic SOC.
Frequently Asked Questions
Why are most SOCs reporting limited value from AI in 2026?
The SOC-CMM 2026 Maturity Report found that about 71% of SOCs see only some value or no value from their AI deployments. The root cause is architectural rather than technological. Most SOCs deployed AI as features inside individual products such as SIEMs, EDRs, and ticketing systems. Each feature accelerated its own stage of the workflow. None of them shared context across stages. The handoffs between threat intel, detection engineering, investigation, and remediation, which is where most SOC time goes, did not improve. AI accelerated the silos without connecting them. That is what produces "some value" instead of excellent value.
What does "second wave AI" in the SOC mean?
Second wave AI in the SOC means agentic AI that operates across the full SOC lifecycle rather than inside a single stage. The five stages of the SOC, threat intelligence, threat hunting, detection engineering, investigation, and remediation, run as one connected fabric. Agents share context. Closed investigations calibrate future detections. Threat hunt results update threat intel cycles. Remediation actions feed back into the playbook the next agent uses. The SOC compounds. This is the architectural pattern shared by the roughly 10% of SOCs reporting excellent value from AI in the SOC-CMM 2026 data.
Is the problem that SOCs are not buying enough AI?
No. The SOC-CMM 2026 data shows AI adoption growing aggressively across every category, with off-the-shelf LLMs up 55%, AI co-pilots up 145%, and AI agents up 118% year over year. SOCs are buying. The problem is that adoption is outpacing operational maturity. Two-thirds of SOCs are deploying off-the-shelf AI inside an existing security stack without modifying anything else around it. That cohort reports the least value. Buying more AI without changing the architecture it operates inside compounds the original problem instead of solving it.
How does institutional knowledge change AI SOC outcomes?
Generic AI produces generic investigations. A detection rule that fires on real threats in one environment will fire on routine activity in another. An investigation that escalates correctly in one organization will miss the right answer in another. AI systems that continuously ingest and persist dynamic institutional knowledge, the assets that matter, the analysts whose judgment shaped past incidents, the sanctioned actions, the escalation criteria, the historical incident outcomes, produce investigation results that match how a specific SOC operates. AI without that grounding produces the average of the internet, which is the wrong answer in most environments. Institutional knowledge is the difference between AI that produces noise and AI that produces decisions.
Three questions matter most. Does this AI operate across the full SOC lifecycle, or only inside one stage of it? How does the AI learn and persist the institutional knowledge of the organization's specific environment, and what happens to that knowledge when analysts leave? Can the team audit every agent action with a defensible reasoning trace, and can it govern agent autonomy in stages as trust builds? A vendor that cannot give clear answers to all three is selling first-wave AI, no matter what the marketing says.
What is the agentic SOC, and how is it different from a SOAR or AI co-pilot?
The agentic SOC is the category of security operations platform where AI agents operate as decision-makers across the SOC lifecycle, not as assistants inside a single product. A SOAR automates predefined workflows using static playbooks. An AI co-pilot accelerates an analyst's individual tasks. An agentic SOC runs agents that reason through investigations, surface and tune detections, threat hunt continuously, and remediate inside customer-defined guardrails, all while sharing context across stages. Analysts move from "in the loop" on every step to "on the loop" overseeing the system.
How quickly can a SOC move from first-wave AI to second-wave AI?
Faster than most teams assume. The shift is architectural, not a rip-and-replace. The connective layer that turns point AI into agentic fabric does not require buying new tools or replacing existing ones. It requires connecting what the SOC already owns into a system that compounds. Most SOCs underestimate how quickly the shift can be made once the architecture is in place.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
We added Palo Alto Networks PAN-OS authentication bypass vulnerability CVE-2026-0257 to our KEV Catalog. Visit 
