SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Simbian guide urges AI-first strategy for overwhelmed SOC teams

Sun, 23rd Nov 2025

Simbian has released a comprehensive guide setting out a new approach for security operations centres (SOCs) in response to surging alert volumes and the accelerating impact of artificial intelligence (AI) on cybersecurity threats.

AI shift

Industry forecasts indicate that AI-driven capabilities will become standard for SOCs in the near future. According to Gartner, by 2026, half of all SOCs are expected to implement AI-based decision support. The approach moves beyond simply adding new tools: the focus is on redesigning how security teams organise and respond, aiming for autonomy in operations rather than incremental complexity.

"It's not about adding more tools or dashboards; it's about re-engineering how security thinks and operates. Security leaders need to embrace the era of foresight and stop firefighting. The challenge isn't to detect faster anymore. It's to think faster than the next breach," said Sumedh Barde, VP and Chief Product Officer, Simbian.

Alert overload

Cybersecurity teams are facing an increasing number of alerts. A survey by Software Analyst Cyber Research found that, on average, US CISOs reported their SOC teams receive 982 alerts each day, while larger organisations may experience over 3,000 alerts daily across at least 28 tools. Of these alerts, 40% are not reviewed, and it can take up to 70 minutes to investigate a single incident. These figures illustrate the scale of operational drag that can hinder timely responses and leave gaps in security posture.

Attack dynamics

The threat landscape is evolving as adversaries adopt more sophisticated and automated tactics. Human analysts remain under pressure because cyber incident investigations are fragmented and often time-consuming. Attackers spend around 30 minutes on each attack, dividing their activity into discrete phases to skirt around organisational defences, take advantage of alert fatigue, and prioritise high-value targets. AI-powered SOCs are intended to shift the economics, making such attacks less practical for malicious actors.

Strategic recommendations

Simbian advocates for a fundamental change in approach to SOC strategy, recommending organisations adopt an 'exposure-first' model rather than a 'detection-first' approach. The guide outlines steps to be taken by CISOs, including the integration of AI agents to reduce operational drag and deliver measurable resilience, connecting automation with concrete actions. Simbian also suggests that performance metrics and return-on-investment criteria should be revised to match the realities of increasingly autonomous operations.

Rise of agentic threats

Recent reports highlight that AI technologies are not solely defensive assets. Incidents of AI tools being used offensively have emerged, including the development of automated spying and multi-stage cyberattacks requiring minimal human involvement. These developments place additional pressure on SOCs to operate at a speed beyond conventional human response capabilities.

"We've long heard that LLM adoption would drive an unprecedented rise in malicious actor activity. That moment has arrived. Anthropic's recent report indicated that their own technologies were misused to create the first publicly reported AI Spy which performed a multi-staged attack. Using tools it carried out reconnaissance by cataloging targeted infrastructure, identifying and validating vulnerabilities, harvesting credentials, moving laterally, collecting data, and exfiltrating intelligence. All of this required very little human intervention," said Ambuj Kumar, CEO and co-founder, Simbian.

Anthropic (the makers of Claude) have also called for greater deployment of AI in defensive applications within the SOC, particularly in the areas of automation, threat detection, vulnerability assessment, and incident response.
