In the last two years, there has been significant noise around AISOC, that is, getting AI into the SOC (Security Operations Center). Everyone in the security ecosystem (founders, investors, buyers, and service providers) is trying to share their perspective. Some are optimistic. Some are skeptical. Some are simply riding the wave. The result?
A multi-layered clutter of narratives:
- SOAR is dead
- XDR is dead
- MDR is dying
- SIEM is dead
- AISOC is also dead
Every few months, another obituary gets written.
At Trench, we have been quietly listening to all this noise while running what product builders call the Mom Test with customers, letting real problems guide the product, not market hype. Based on those conversations and deployments, we decided to share a realistic perspective on how to bring AI into security operations, one that hopefully reduces the clutter rather than adding to it as we all gear up for RSA 2026.
Let’s Start with SOC Basics
Security operations have always consisted of three fundamental layers.
1. Data Infrastructure Layer
This is where security data lives.
Logs come from multiple sources:
- Identity systems
- Endpoints
- Cloud platforms
- Applications
- Network infrastructure
This layer determines how quickly security teams can access and analyze signals.
2. Detection Layer
The detection layer sits on top of this data.
Here we have rules and analytics designed to identify suspicious patterns and generate alerts. Examples include:
- anomaly detection
- behavioral rules
- IOC matching
- correlation rules
When something suspicious is detected, an alert is generated.
3. Investigation & Response Layer
This is where humans come in.
Security analysts:
- investigate alerts
- correlate evidence
- group related alerts into incidents
- respond and remediate
In most organizations today, this layer is still heavily manual.
What Customers Expected from AISOC
When AISOC emerged as a category (with plenty of startups), customers had very clear expectations: either reduce SOC labor cost by 50% or improve SOC efficiency by 2x.
But in many cases, these expectations were not fully met. Why?
Because two foundational problems were ignored.
The Two Black Boxes That Broke AISOC
1. The Data Layer Is Historically Messy
Security data infrastructure has evolved in an extremely fragmented way.
Organizations today deal with:
- dozens of log sources
- different formats
- multiple query languages
- partially stored data in SIEM
- the rest scattered across other platforms
Understanding what each log means often requires multiple stakeholders across teams.
This makes security analysis complex and slow.
2. Detection Has Remained Static
The second issue is the detection layer.
Most detection systems rely on:
- static rules
- predefined correlations
- out-of-the-box detections
In reality, threats evolve quickly. But detection logic often does not evolve at the same speed.
This happens partly because security teams have limited bandwidth and talent capacity to continuously update detection rules.
Why AISOC Didn’t Deliver on the Promise
If data is messy and detection is static, then AI is forced to operate inside a constrained environment.
That means:
- AI cannot investigate effectively
- AI cannot correlate signals fast enough
- AI cannot surface meaningful insights
Without fixing these two layers, AISOC expectations were unrealistic.

“Context” cannot be a differentiator
One term often used in AISOC discussions is context.
Let’s be clear: Context is not a differentiator. It is a prerequisite. Every AI system requires context to function and context engineering models are maturing every single day. And context often comes from humans in the loop. So the presence of human analysts should not be viewed as a failure of AISOC. It is part of the design.
The EV vs Fossil Fuel Analogy
Imagine trying to convert a fossil fuel car into an electric vehicle. If you simply replace the fuel inlet with a charging port, the car will not magically become electric. The engine architecture itself must change.
The internal combustion engine must be replaced with a battery system. Without that foundational change, the car will not move no matter how much marketing you do.
Security platforms face a similar challenge. Simply adding AI on top of legacy architectures does not transform the system. The foundation must change.

The Real SOC Problem
As product builders, we cannot expect customers to tell us everything about what to build, or to hand over their environment for our AI experiments. We need to get closer to the real problem through the insights they do share. That’s what we did, and here is what we found.
In the age of AI-driven attacks:
Attack deployment happens in minutes, but threat detection still takes days or weeks.
This gap is where most breaches occur, because the legacy SIEM and SOC model is broken. The real risk isn’t the data, it’s the velocity. Zero Trust architecture was the right framework for the cloud era. But in the age of AI-powered threats, security must evolve toward a new model: Zero-Latency Threat Detection. Even organizations that deployed AISOC solutions have reported incidents where the true impact of a breach was only realized weeks later. This clearly highlights the dire need for an architectural change before AI agents can be deployed in security operations workflows.
First Principle
Every technology wave has three moving pieces:
- Technology
- Market expectations
- Foundation
With AI, the first two are accelerating rapidly. But the third, the foundation, has been largely ignored. At Trench, we believe in this first principle: the foundation will always determine the success of any new technology layer.
What We Learned from Trench MOM Test
As product builders, we recognize the subtle but important difference between being customer-obsessed and being problem-obsessed. We chose the latter, focusing on the real problem and helping customers achieve their goals in a practical and realistic way. While building our platform, we realized something fundamental. AI in the SOC cannot succeed unless two architectural problems are solved first.
1. Clean Security Data Infrastructure
Security data must be transformed into a security-first data engineering layer.
This means:
- normalized security data
- unified query capability
- fast search across datasets
- minimal latency access
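To make the “different formats, multiple query languages” problem from the messy-data section concrete, here is an added Python example (not Trench’s code) that normalizes three constructed log lines, one each from an identity system, an endpoint and a cloud platform, into one schema and then runs a single query across all of them; the field names and sample values are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines: three sources, three native formats (not real data).
RAW_LINES = [
    '{"ts":"2024-05-01T10:00:05Z","user":"alice","event":"login","result":"FAILURE","src":"203.0.113.9"}',
    'time=2024-05-01T10:00:40Z host=ws-17 user=alice action=process_start image=powershell.exe',
    '2024-05-01T10:01:10Z,alice,203.0.113.9,ConsoleLogin,Success',
    'garbage line with no recognised format',
]

def _ts(s):
    # Every source here uses ISO-8601 with a trailing Z; parse to an aware UTC datetime.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_identity(line):
    e = json.loads(line)
    return {"ts": _ts(e["ts"]), "source": "identity", "user": e["user"],
            "src_ip": e.get("src"), "action": e["event"], "outcome": e["result"].lower()}

def parse_endpoint(line):
    f = dict(part.split("=", 1) for part in line.split())
    return {"ts": _ts(f["time"]), "source": "endpoint", "user": f["user"],
            "src_ip": None, "action": f["action"], "outcome": "success"}

def parse_cloud(line):
    ts, user, ip, action, outcome = line.split(",")
    return {"ts": _ts(ts), "source": "cloud", "user": user,
            "src_ip": ip, "action": action, "outcome": outcome.lower()}

def normalize(lines):
    """Map each raw line to the common schema; unknown formats are counted, not silently lost."""
    events, dropped = [], 0
    for line in lines:
        try:
            if line.startswith("{"):
                events.append(parse_identity(line))
            elif line.startswith("time="):
                events.append(parse_endpoint(line))
            elif line.count(",") == 4:
                events.append(parse_cloud(line))
            else:
                dropped += 1
        except (ValueError, KeyError):
            dropped += 1
    return sorted(events, key=lambda e: e["ts"]), dropped

def user_timeline(events, user, window_s):
    """One query over all sources: events for `user` within window_s of that user's first event."""
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return []
    start = mine[0]["ts"]
    return [e for e in mine if (e["ts"] - start).total_seconds() <= window_s]
```

Once the three sources share a schema, the failed identity login, the endpoint process start and the cloud console login for the same user line up in one timeline without a per-source query language.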
2. Dynamic Real-Time Detection
Detection systems must evolve from static rules to dynamic detection models.
Security teams should be able to:
- search signals instantly
- detect anomalies in real time
- run threat hunts in minutes
Without these capabilities, AI systems will always struggle.
That’s why we are building a security-first data infrastructure that fixes the foundation for customers who hold realistic expectations of AI: automating the detection of real threats in minutes. We believe real innovation must happen at the foundation. Existing Security Information and Event Management (SIEM) platforms are too broken to make AI really work for security operations. Their search, hunt and detection workflows are slow, complex and not AI-friendly for security engineers and analysts.
That is why we are building a true next-generation security analytics platform with AI-native data infrastructure, built to support any level of automation that InfoSec leaders and SOC practitioners want to achieve with AI agents. We call it the Agentic Threat Detection Mesh. The Mesh is simply a security stack of agents that accelerate threat detection, hunting and investigation across unified and normalized telemetry from federated log sources. Trench’s agentic threat detection mesh model amplifies:
- Visibility into blind spots across critical assets with weak or no detection coverage
- Velocity to convert real-time threat intelligence into high-fidelity detections in minutes
The role of security engineers and analysts is evolving toward continuously reviewing and tuning the agents for maximum outcomes. Stop running searches, triggering hunts and building detections by hand. Agents can do all of these better and faster (literally in minutes), but you need to orchestrate them to make them work effectively in your environment.
Let’s Address the “Dead Stories”
Now let’s revisit some of the narratives circulating in the industry.
“AISOC is dead”
Not really. AISOC will only succeed when the foundational architecture evolves.
“SOAR and XDR are dead”
In some sense, yes. Many SOAR and XDR capabilities are simply automation primitives for an AI-driven system. But they still depend on strong data and detection foundations.
“SIEM is dead”
The legacy model of using SIEM purely for log storage and compliance is definitely fading. Expecting SIEM to detect modern threats without architectural evolution is unrealistic.
“MDR / MSSP is dead”
Not at all. Service providers simply need to rapidly adapt to a new SOC architecture that combines platform capability with human expertise.
Is Autonomous SOC Possible?
The short answer: No.
At least not if we acknowledge the importance of context and human reasoning. Security is too dynamic and adversarial for a completely autonomous system. But what is achievable is a significantly higher degree of SOC automation. What used to require a 20-member army of security engineers and analysts at multiple levels can now be handled by just 2 security engineers who know how to work with agents built on the right architecture. And that is where the real opportunity lies.
Bottomline
AI in the SOC cannot meaningfully exist without fixing the foundation.
If the industry continues to layer AI on top of messy data and static detections, the clutter will continue. Hopefully this perspective clears at least some of the noise.
But the real story is underneath, we will dive into how our security-first data infrastructure powers the real AI outcomes in the coming posts. Stay tuned.