White Paper · Vol. 03

The AI-Powered SOC: How Intelligent Agents Are Rewriting the Rules of Threat Hunting and Detection

AI is not replacing security analysts — it is multiplying their reach, compressing their response times, and shifting their work from reactive triage to proactive hunting. This paper examines how leading security teams are deploying AI and autonomous agents to gain an asymmetric advantage over adversaries who are using the same technology to attack them.

Fortify North Research · 2025 · 30 pages

Executive Summary

The average enterprise security operations centre receives between 1,000 and 10,000 alerts per day. Analysts investigate fewer than 20% of them. The median time to detect a breach remains 194 days globally. These numbers have not meaningfully improved in a decade of investment in SIEM, SOAR, and threat intelligence tooling, because the underlying problem — too much signal, too few humans, adversaries who adapt faster than rule sets — is structural, not technological.

AI is changing that equation in ways that are measurable, reproducible, and already being realized by the most advanced security teams in the world. This paper examines the specific mechanisms by which AI and autonomous agents are transforming threat detection and hunting: from behavioral analytics and unsupervised anomaly detection to AI-assisted investigation, automated threat intelligence synthesis, and the emerging category of agentic SOC workflows where AI systems take autonomous investigative action and return findings for human review.

We also examine the adversarial dimension: attackers are deploying the same technology, using AI to generate polymorphic malware, craft targeted phishing at industrial scale, and automate reconnaissance. The security teams winning in this environment are not the ones with more analysts — they are the ones using AI to make each analyst disproportionately more effective than their adversary.

194 days
Global median time to identify a breach (IBM, 2024)
$4.88M
Average breach cost — 37% higher when AI + automation absent (IBM, 2024)
108 days
MTTD for organizations with AI security tools vs. 194 days without
74%
Alert fatigue rate — analysts ignoring alerts due to volume (ESG Research, 2024)
01

Why the Traditional SOC Is Structurally Failing

The Security Operations Centre model was designed for a different threat environment. The SIEM-centric architecture — collect logs, write rules, triage alerts — was viable when networks had defined perimeters, attack techniques were relatively stable, and the volume of telemetry was manageable. None of those conditions apply today.

Enterprise Attack Surface Management research from ESG (2024) found that the average enterprise has 40% more external-facing assets than their security team is aware of. CrowdStrike's 2024 Global Threat Report documented that the average adversary breakout time — the interval between initial access and lateral movement — has fallen to 62 minutes, down from 84 minutes the prior year. The fastest observed was 2 minutes and 7 seconds.

Against this backdrop, the structural failures of the traditional SOC are not failures of effort or investment. They are failures of architecture:

Alert Volume and Fatigue

The average enterprise SOC receives between 1,000 and 10,000 security alerts per day, of which 45% are false positives (IBM X-Force, 2024). Analysts experiencing alert fatigue develop systematic habits of dismissal — closing alerts without investigation — which is precisely the behaviour adversaries exploit. The SANS Institute's 2024 SOC Survey found that 74% of analysts report regularly ignoring alerts due to volume.

Rule-Based Detection Decay

SIEM detection rules are written against known attack patterns. As adversaries adopt living-off-the-land techniques (LOTL) — using legitimate system tools like PowerShell, WMI, and certutil to move laterally — rule-based detection rates collapse. MITRE's 2024 ATT&CK Evaluations demonstrated that signature-based detection missed an average of 42% of technique-level adversary actions that behavioral analytics detected.

Expertise Scarcity and the Junior-Senior Gap

The global cybersecurity workforce shortage is estimated at 4 million unfilled positions (ISC2, 2024). Organizations that can afford senior threat hunters — analysts capable of proactive hypothesis-driven investigation — typically have one or two. The majority of SOC capacity is junior analysts doing triage work, with limited ability to escalate effectively or contextualize sophisticated attacks.

Telemetry Volume Outpacing Human Analysis

A modern endpoint running EDR, NDR, and cloud telemetry collection generates gigabytes of security-relevant data per day. The data required to detect a sophisticated intrusion exists in this telemetry — but finding it requires correlating signals across systems, timeframes, and data types at a speed and scale that exceeds human cognitive capacity.

02

How AI Is Changing Detection

The shift from rule-based to AI-driven detection is not incremental — it represents a fundamentally different relationship between the security system and the data it analyzes. Rule-based systems look for what they are told to look for. AI-based systems learn what normal looks like and surface deviations — including deviations that have never been observed before.

Behavioral Analytics and UEBA

User and Entity Behavior Analytics (UEBA) uses machine learning to build baseline profiles of normal behavior for every user, device, and service in an environment — then continuously scores deviations from that baseline. A user who normally accesses three cloud applications during business hours suddenly accessing 40 in the middle of the night triggers a behavioural anomaly score, regardless of whether any specific action violates a defined rule. Vendors including Darktrace, Exabeam, and Microsoft Sentinel have demonstrated false positive rate reductions of 50–70% compared to rule-based systems, while increasing detection coverage of insider threats and credential abuse — the attack categories most likely to evade signature detection.
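The baseline-and-deviation idea above can be shown end to end with a small scorer. This is an added example, not code from the paper or from any of the vendors it names: it builds a per-user profile (apps used, hours of day, typical number of distinct apps per day) from constructed access logs, then scores a window of new events on three components that are my own choice, not any product's algorithm: the share of apps never seen before, the share of events falling in hours the user has essentially never been active, and a log-scaled volume ratio. The 3-app/40-app, business-hours/night scenario from the text is the constructed input.

```python
"""Minimal UEBA-style baseline and anomaly scoring over constructed access logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample telemetry, "ISO-timestamp,user,app"; not real data.
# Ten working days of one user touching three apps once an hour, 09:00-16:00.
def make_baseline_log():
    lines = []
    start = datetime(2025, 1, 6)  # a Monday
    for day in range(10):
        for hour in range(9, 17):
            for app in ("crm", "mail", "wiki"):
                ts = start + timedelta(days=day, hours=hour)
                lines.append(f"{ts.isoformat()},alice,{app}")
    return lines

BASELINE_LOG = make_baseline_log()

# Constructed anomaly: 40 never-before-seen apps between 02:00 and 03:00.
ANOMALY_WINDOW = [f"2025-01-20T02:{m:02d}:00,alice,app{n:02d}"
                  for n, m in zip(range(1, 41), range(0, 40))]
# Constructed normal activity: two usual apps mid-morning.
NORMAL_WINDOW = ["2025-01-20T10:05:00,alice,crm", "2025-01-20T10:20:00,alice,mail"]

OFF_HOURS_SHARE = 0.02   # hours carrying <2% of a user's baseline activity count as off-hours
ALERT_THRESHOLD = 1.5    # assumed threshold on the combined score


def parse(line):
    ts, user, app = line.strip().split(",")
    return datetime.fromisoformat(ts), user, app


class Baseline:
    """Per-user profile: apps seen, hour-of-day histogram, distinct apps per day."""

    def __init__(self):
        self.apps = set()
        self.hours = [0] * 24
        self.total = 0
        self.daily_apps = defaultdict(set)

    def add(self, ts, app):
        self.apps.add(app)
        self.hours[ts.hour] += 1
        self.total += 1
        self.daily_apps[ts.date()].add(app)

    def hour_share(self, hour):
        return self.hours[hour] / self.total if self.total else 0.0

    def typical_daily_apps(self):
        days = len(self.daily_apps)
        return sum(len(s) for s in self.daily_apps.values()) / days if days else 0.0


def build_baselines(lines):
    baselines = defaultdict(Baseline)
    for line in lines:
        ts, user, app = parse(line)
        baselines[user].add(ts, app)
    return baselines


def score_window(baseline, window_lines):
    """Score a burst of events for one user against that user's baseline."""
    events = [parse(line) for line in window_lines]
    if not events:
        return {"score": 0.0, "novel_apps": [], "alert": False}
    apps = {app for _, _, app in events}
    novel = apps - baseline.apps
    novel_ratio = len(novel) / len(apps)
    off_hours = sum(1 for ts, _, _ in events
                    if baseline.hour_share(ts.hour) < OFF_HOURS_SHARE)
    off_hours_ratio = off_hours / len(events)
    # Volume: distinct apps in the window versus a typical day, log-scaled and capped at 1.
    vol_ratio = len(apps) / max(1.0, baseline.typical_daily_apps())
    volume = min(1.0, math.log2(max(1.0, vol_ratio)) / 4)
    score = round(novel_ratio + off_hours_ratio + volume, 3)
    return {"score": score, "novel_apps": sorted(novel),
            "off_hours_ratio": off_hours_ratio, "volume_ratio": round(vol_ratio, 2),
            "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    alice = build_baselines(BASELINE_LOG)["alice"]
    print(score_window(alice, ANOMALY_WINDOW))
    print(score_window(alice, NORMAL_WINDOW))
```

None of the three components references a rule about a specific app or action: the night-time burst scores high purely because it is unlike this user's own history, which is the property the UEBA passage describes. In production the baseline would be rebuilt on a rolling window and scored per entity type (device, service account), not only per user.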

Unsupervised ML for Unknown Threat Detection

Darktrace's Cyber AI, built on unsupervised machine learning developed at the University of Cambridge, is trained on the specific network topology and behavioral patterns of each customer environment rather than on shared threat intelligence. This means it can detect novel attack techniques with no prior signature — a capability that proved decisive during the initial phases of several high-profile ransomware incidents where the malware was a previously unknown variant. Darktrace reported in 2024 that their AI detected and autonomously contained a 2023 credential-based intrusion at a manufacturing client within 4 seconds of initial suspicious activity — before a human analyst was notified.

Graph-Based Threat Detection

Microsoft Sentinel, Splunk, and Google Chronicle have invested heavily in graph-based detection models that treat security telemetry as a network of relationships rather than a series of discrete events. An isolated login from an unusual geographic location may not trigger a rule. That same login, when connected to a subsequent access of a sensitive SharePoint library, a download of 500MB of files, and a connection to a known C2 IP range — all within 47 minutes — presents as a clear attack chain in a graph model. Microsoft's Fusion detection engine, which underlies Sentinel's advanced threat detection, uses graph neural networks to identify these multi-stage attack patterns across billions of daily signals.
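The attack chain in the paragraph above (unusual-location login, sensitive library access, large download, connection to a watch-listed range, all inside one window) can be found with a small entity graph. The following is an added example, not Microsoft's Fusion engine or any vendor's code: events are linked through the entities they share (user, host, resource, destination IP), and the correlator pivots from an unusual login across those links, matching each later stage in time order within a configurable window. The events, the 203.0.113.0/24 "C2" range (an IETF documentation range) and the 100 MB download threshold are all constructed for the example.

```python
"""Graph-style correlation of a multi-stage attack chain over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed watchlist for the example; 203.0.113.0/24 is a documentation range, not real infrastructure.
KNOWN_C2_RANGES = [ip_network("203.0.113.0/24")]
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024   # assumed threshold
WINDOW_MINUTES = 60                        # assumed correlation window

# Constructed events (not real telemetry). Timestamps are ISO-8601 strings.
EVENTS = [
    {"id": 1, "ts": "2025-03-03T07:00:00", "type": "login", "user": "bob", "host": "WS-042", "geo_unusual": False},
    {"id": 2, "ts": "2025-03-03T08:00:00", "type": "login", "user": "bob", "host": "WS-042", "geo_unusual": True},
    {"id": 3, "ts": "2025-03-03T08:10:00", "type": "share_access", "user": "bob", "resource": "Finance-Q1", "sensitive": True},
    {"id": 4, "ts": "2025-03-03T08:30:00", "type": "download", "user": "bob", "host": "WS-042", "resource": "Finance-Q1", "bytes": 500 * 1024 * 1024},
    {"id": 5, "ts": "2025-03-03T08:47:00", "type": "net_connect", "host": "WS-042", "dst_ip": "203.0.113.15"},
    {"id": 6, "ts": "2025-03-03T09:00:00", "type": "login", "user": "carol", "host": "WS-077", "geo_unusual": True},
    {"id": 7, "ts": "2025-03-03T09:05:00", "type": "share_access", "user": "carol", "resource": "Team-Wiki", "sensitive": False},
]


def entities(ev):
    """Graph nodes an event touches: (kind, value) pairs for user, host, resource, destination IP."""
    return {(key, ev[key]) for key in ("user", "host", "resource", "dst_ip") if key in ev}


def build_graph(events):
    """Bipartite adjacency: entity node -> ids of events that touch it."""
    adj = defaultdict(set)
    for ev in events:
        for ent in entities(ev):
            adj[ent].add(ev["id"])
    return adj


def in_c2_range(ip):
    return any(ip_address(ip) in net for net in KNOWN_C2_RANGES)


# Ordered stages of the chain; each predicate decides whether an event fits that stage.
STAGES = [
    ("unusual_geo_login", lambda e: e["type"] == "login" and e.get("geo_unusual", False)),
    ("sensitive_share_access", lambda e: e["type"] == "share_access" and e.get("sensitive", False)),
    ("large_download", lambda e: e["type"] == "download" and e.get("bytes", 0) >= LARGE_DOWNLOAD_BYTES),
    ("c2_connection", lambda e: e["type"] == "net_connect" and in_c2_range(e["dst_ip"])),
]


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_attack_chains(events, window_minutes=WINDOW_MINUTES):
    """Seed on every unusual login, then pivot through shared entities to later stages."""
    by_id = {e["id"]: e for e in events}
    adj = build_graph(events)
    chains = []
    for seed in sorted(events, key=ts):
        if not STAGES[0][1](seed):
            continue
        deadline = ts(seed) + timedelta(minutes=window_minutes)
        chain, frontier, last_t = [seed], set(entities(seed)), ts(seed)
        for _, pred in STAGES[1:]:
            # Candidates: events reachable through any entity the chain has touched so far.
            candidates = {eid for ent in frontier for eid in adj[ent]}
            matches = [by_id[i] for i in candidates
                       if pred(by_id[i]) and last_t < ts(by_id[i]) <= deadline]
            if not matches:
                break
            nxt = min(matches, key=ts)
            chain.append(nxt)
            frontier |= entities(nxt)
            last_t = ts(nxt)
        else:  # every stage matched
            chains.append({
                "user": seed["user"],
                "stages": [name for name, _ in STAGES],
                "event_ids": [e["id"] for e in chain],
                "elapsed_minutes": int((last_t - ts(seed)).total_seconds() // 60),
            })
    return chains


if __name__ == "__main__":
    for chain in find_attack_chains(EVENTS):
        print(chain)
```

Run on the constructed events, the correlator reports one chain for `bob` spanning events 2 to 5 in 47 minutes and nothing for `carol`, whose unusual login is followed only by a non-sensitive share access. Shrinking the window to 30 minutes drops the chain because the outbound connection falls outside it, which is the tuning trade-off any graph correlator has to expose to the analyst.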

NLP for Threat Intelligence Processing

Threat intelligence has a volume problem analogous to the alert problem. MITRE ATT&CK contains 700+ techniques and sub-techniques. ISACs publish hundreds of threat reports per month. Vendor advisories, CVE feeds, and dark web intelligence sources produce a continuous stream of structured and unstructured threat data. AI systems using natural language processing can ingest this corpus, extract IOCs and TTPs, map them to ATT&CK, correlate against current environment telemetry, and surface relevant intelligence to analysts in seconds — work that previously required a dedicated threat intelligence analyst spending hours per day.

03

AI Agents in SOC Operations — What's Actually Happening

The frontier of AI in security operations has moved beyond detection to autonomous investigation. Agentic AI systems — systems that can plan, reason, use tools, and take multi-step actions — are being deployed to perform the triage and enrichment work that consumes 60–70% of junior analyst time, freeing human capacity for the judgment-intensive work that AI cannot yet replicate.

Microsoft Security Copilot

Copilot for Security, generally available since April 2024, is the most widely deployed AI security assistant currently in production. Its agentic capabilities include: automated alert triage (summarizing the alert, retrieving related entity context from Entra ID, Defender, and Sentinel, assessing severity, and drafting an initial investigation hypothesis); threat hunting assistance (translating natural language hunt hypotheses into KQL queries, executing them, and summarizing results); and incident summarization for management reporting. Microsoft has published data showing Copilot reduces analyst investigation time by 30% on average, with junior analysts achieving accuracy levels previously associated with senior practitioners.

Palo Alto XSIAM

Palo Alto's Extended Security Intelligence and Automation Management (XSIAM) platform uses AI to automatically correlate alerts into incidents, execute playbooks, and reduce what traditionally required SIEM, SOAR, and UEBA into a single AI-driven platform. XSIAM's 'Cortex XSOAR' integration layer allows security teams to define agentic workflows where the AI investigates an alert, queries threat intelligence, checks asset context, and either closes the alert autonomously (for low-confidence threats) or escalates with a complete investigation package attached. Early adopters report 75% reductions in mean time to respond (MTTR).

Google Chronicle + Gemini

Google's Gemini AI integration into Chronicle (Google's cloud-native SIEM) enables natural language interaction with security telemetry at petabyte scale. Analysts can query their entire historical log corpus using plain English — 'show me all lateral movement involving service accounts over the last 90 days' — and receive structured results with timeline visualizations. Gemini's threat intelligence integration pulls in Google's threat intelligence from Mandiant and VirusTotal, automatically enriching alerts with attribution, technique mapping, and historical context.

CrowdStrike Charlotte AI

Charlotte AI is CrowdStrike's conversational AI assistant embedded in the Falcon platform. Beyond question-answering and report generation, Charlotte AI includes autonomous threat hunting capabilities: an analyst can describe a hunt hypothesis in natural language, Charlotte translates it into a Falcon QL query, executes it across the endpoint telemetry, identifies matching hosts, and presents findings with remediation recommendations. CrowdStrike reports that Charlotte reduces time-to-hunt by 50% for experienced threat hunters and enables junior analysts to execute hunts that previously required senior expertise.

SentinelOne Purple AI

SentinelOne's Purple AI differentiates itself through its focus on agentic autonomy: the system can, with appropriate permissions, take remediation actions autonomously — isolating a compromised endpoint, killing a malicious process, or rolling back ransomware-encrypted files — without waiting for analyst approval. This positions it at the leading edge of what Gartner has termed 'autonomous SOC' capabilities, a classification that implies AI systems making and executing security decisions with human oversight rather than human approval for each action.

04

The Collective Intelligence Multiplier

The most significant capability AI provides to security teams is not the replacement of human judgment — it is the multiplication of human reach. A senior threat hunter working alongside AI can investigate 10x the volume of leads they could manually, apply their expertise to the 10% of cases that genuinely require it, and use AI to continuously re-test their hypotheses against evolving telemetry rather than completing a point-in-time investigation and moving on.

This dynamic is especially pronounced in collective security models — where multiple experienced analysts contribute domain expertise to the same environment. AI becomes the connective tissue that synthesizes findings across specialists in real time: the network analyst's anomaly detection feeding into the identity specialist's authentication pattern analysis, the endpoint findings correlating with the cloud telemetry review, all unified into a coherent threat narrative that no individual analyst working in isolation could have assembled.

"The organizations that will win the AI security race are not those that replace analysts with AI — they are those that use AI to make a small number of elite analysts perform like a team ten times their size."

— George Kurtz, CEO, CrowdStrike, RSA Conference 2024

Philip Tetlock's Good Judgment Project research, discussed in Fortify North's first white paper, demonstrated that teams with access to each other's reasoning outperform individual experts by 23% on prediction accuracy. In a security context, AI accelerates and scales this effect: instead of analysts manually sharing notes in a war room, AI systems continuously correlate findings across all specialists in real time, surface contradictions and confirmations, and present unified situational awareness that is updated continuously as new telemetry arrives.

Threat intelligence sharing is the collective intelligence principle applied at industry scale. ISACs (Information Sharing and Analysis Centers) aggregate threat data from member organizations. AI systems processing STIX/TAXII feeds can now synthesize intelligence from hundreds of member organizations in seconds, correlating an indicator observed at one financial institution against behavioral patterns at another, and surfacing high-confidence threats that no individual member's telemetry would have detected alone.

05

AI and MITRE ATT&CK: Closing the Detection Coverage Gap

MITRE ATT&CK has become the lingua franca of threat detection — a structured taxonomy of adversary tactics, techniques, and procedures that allows security teams to assess their detection coverage and identify gaps. In 2024, MITRE conducted its sixth annual ATT&CK Evaluations, testing leading security products against simulated nation-state threat actor behaviours.

The results revealed a consistent pattern: products relying primarily on signature-based detection covered an average of 58% of evaluated techniques. Products with AI-enhanced behavioral detection covered an average of 78% — a 20 percentage point advantage that directly translates to fewer adversary actions going undetected during a real intrusion.

AI is being deployed in two directions against the ATT&CK framework: using ATT&CK to train AI detection models (supervised learning against labeled technique examples), and using AI to automatically map observed behaviors to ATT&CK techniques (reducing the time to produce a TTP-mapped incident report from hours to seconds). Microsoft Security Copilot's ATT&CK mapping feature, for example, analyzes an incident's timeline and automatically annotates each observed action with the corresponding ATT&CK technique ID — work that previously required a senior analyst with deep ATT&CK knowledge.

For threat hunting specifically, the ATT&CK-AI combination enables hypothesis-driven hunting at scale. A hunter can define a hypothesis — "we may have an adversary using T1059.001 (PowerShell) for lateral movement" — and an AI system translates this into a hunt query, executes it across the full endpoint telemetry corpus, clusters results by similarity, and prioritizes the most anomalous instances for human review. A hunt that previously took a senior analyst two days to complete manually can be executed in under an hour.
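The pipeline described above (hypothesis, query across process telemetry, cluster by similarity, rank the most anomalous for review) is shown below as an added example; it is not any vendor's hunt engine and the telemetry is constructed. The hypothesis "T1059.001 used for lateral movement" is encoded as a filter for PowerShell launches; each command line is reduced to a normalised shape (paths, numbers and long base64-like blobs replaced by placeholders) so that variants cluster together, and each event is ranked by cluster rarity plus a count of indicators a hunter would weigh, such as a remote-execution parent process (the WMI provider host the paper's LOTL section mentions) and hidden-window or encoded-command flags. The indicator list, weights and the fleet of 24 constructed process-creation rows are my assumptions.

```python
"""Hypothesis-driven hunt for PowerShell (T1059.001) over constructed process telemetry."""
import re
from collections import Counter

# Constructed process-creation rows, "host,parent_image,command_line"; not real data.
# The -enc payloads are placeholder base64 of the alphabet, chosen to be obviously harmless.
def make_telemetry():
    rows = [f"ws-{i:03d},svchost.exe,powershell.exe -File C:\\scripts\\inventory.ps1"
            for i in range(1, 21)]                       # routine scheduled task on 20 hosts
    rows += [
        "ws-007,wmiprvse.exe,powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
        "ws-019,wmiprvse.exe,powershell.exe -nop -w hidden -enc WlhYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkE=",
        "ws-003,explorer.exe,powershell.exe Get-Process",  # rare but interactive
        "ws-001,explorer.exe,notepad.exe C:\\notes.txt",   # not in hypothesis scope
    ]
    return rows


POWERSHELL = re.compile(r"(^|[\\/])powershell(\.exe)?(\s|$)", re.I)
BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")   # base64-like runs
PATH = re.compile(r"[a-z]:\\[^\s\"']+", re.I)
NUM = re.compile(r"\d+")

# Assumed indicator set for the hunt; a real hunt would tune these to the environment.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe"}
FLAG_PATTERNS = [
    ("encoded command", r"-enc(odedcommand)?\b|-ec\b|-e\b"),
    ("no profile", r"-nop\b|-noprofile\b"),
    ("hidden window", r"-w(indowstyle)?\s+hidden\b"),
]
INDICATOR_WEIGHT = 0.5


def parse_row(row):
    host, parent, cmd = row.split(",", 2)
    return {"host": host, "parent": parent.lower(), "cmd": cmd}


def shape(cmd):
    """Normalise a command line so that variants of the same invocation cluster together."""
    s = cmd.lower()
    s = BLOB.sub("<blob>", s)
    s = PATH.sub("<path>", s)
    return NUM.sub("<n>", s)


def indicators(ev):
    hits = []
    if ev["parent"] in REMOTE_EXEC_PARENTS:
        hits.append("remote-exec parent")
    for name, pattern in FLAG_PATTERNS:
        if re.search(pattern, ev["cmd"], re.I):
            hits.append(name)
    return hits


def hunt_powershell(rows):
    """Filter to the hypothesis, cluster by shape, rank by rarity plus indicators."""
    events = [parse_row(r) for r in rows]
    events = [e for e in events if POWERSHELL.search(e["cmd"])]
    cluster_sizes = Counter(shape(e["cmd"]) for e in events)
    results = []
    for e in events:
        s = shape(e["cmd"])
        hits = indicators(e)
        score = round(1 / cluster_sizes[s] + INDICATOR_WEIGHT * len(hits), 3)
        results.append({**e, "shape": s, "cluster_size": cluster_sizes[s],
                        "indicators": hits, "score": score})
    results.sort(key=lambda r: (-r["score"], r["host"]))
    return results


if __name__ == "__main__":
    for r in hunt_powershell(make_telemetry())[:5]:
        print(f'{r["score"]:>5}  {r["host"]}  {r["parent"]:<14} {r["shape"]}  {r["indicators"]}')
```

On the constructed fleet the two WMI-spawned, hidden, encoded launches rank first with identical scores (same cluster of two, four indicators each), the lone interactive `Get-Process` ranks next on rarity alone, and the twenty identical scheduled-task launches sink to the bottom. That ordering is the point of the clustering step: the analyst reviews three events, not twenty-three.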

06

The Adversary Is Using AI Too

The AI advantage in security is not one-directional. Threat actors — from nation-state APT groups to financially motivated ransomware operators — are actively integrating AI into their attack workflows. Understanding the adversarial AI landscape is essential context for deploying defensive AI effectively.

AI-Enhanced Phishing and Social Engineering

The most immediately impactful adversarial AI use case is spear-phishing generation. LLMs allow threat actors to generate highly personalized, grammatically perfect, contextually appropriate phishing emails at industrial scale — eliminating the poor grammar and generic content that have historically served as phishing tells. Google's TAG (Threat Analysis Group) documented in 2024 that multiple APT groups (including APT42, linked to Iranian intelligence) are using AI to generate phishing content that passes human review with no detectable machine-generated characteristics. Verizon's DBIR 2024 notes that phishing click rates have not declined despite increased security awareness training, partly attributable to the improved quality of AI-generated lures.

Polymorphic Malware and AI-Generated Code

CrowdStrike's 2024 Global Threat Report documented a 117% increase in adversarial use of AI to generate novel malware variants. AI-assisted malware development allows threat actors to create functionally equivalent malware variants at a pace that signature-based detection cannot match — each variant is sufficiently different at the code level to evade hash-based and static signature detection while performing the same malicious function. The SentinelOne threat intelligence team has documented WormGPT and FraudGPT, underground LLM variants trained on malware codebases, being actively marketed on criminal forums for as little as $70/month.

AI-Automated Reconnaissance

The intelligence-gathering phase of an attack — identifying targets, mapping their attack surface, finding leaked credentials, correlating public information into actionable intelligence — is being automated using AI. Tools that previously required skilled OSINT analysts can now be replicated by AI systems that scrape, correlate, and synthesize public information at a scale and speed no human team can match. Microsoft's Digital Crimes Unit reported in 2024 that they observed AI-automated reconnaissance tools being used to identify valid corporate email addresses, credential pairs from historical breaches, and exposed cloud storage buckets as precursors to targeted phishing and business email compromise attacks.

Deepfake-Based Identity Fraud

The convergence of AI voice cloning and real-time video synthesis has enabled a new category of social engineering attack. In a widely reported 2024 incident, an employee of a multinational financial firm was deceived by a video conference in which all other participants — including the company's CFO — were deepfake recreations, resulting in a $25 million unauthorized wire transfer. Voice cloning attacks impersonating executive voices to authorize fraudulent transactions have been documented at multiple organizations. Detection of real-time deepfakes remains an unsolved problem at production quality levels.

07

How Fortify North Deploys AI in Threat Hunting

Fortify North integrates AI and agentic capabilities into every threat hunting and detection engagement — not as a replacement for specialist judgment, but as the infrastructure that allows our collective to operate at a scale and speed no team of its size could achieve using conventional workflows.

01
AI-Assisted Telemetry Triage
Before human analysts begin investigation, AI systems pre-process all available telemetry — endpoint, network, identity, cloud — clustering events by behavioral similarity, scoring anomalies, and generating ranked hypothesis queues. Analysts begin with prioritized, contextualised investigative threads rather than raw alert queues.
02
Parallel Specialist Analysis
Multiple domain specialists investigate simultaneously, with AI continuously correlating findings across specialisms. When the network specialist identifies anomalous traffic, AI immediately checks whether the source host shows endpoint anomalies, whether the destination IP appears in threat intelligence feeds, and whether any identity events correlate with the timing — and surfaces this cross-domain correlation in seconds.
03
Automated ATT&CK Mapping
All observed behaviors are automatically mapped to ATT&CK techniques in real time, building a continuously updated picture of adversary TTPs throughout the investigation. This enables the team to identify gaps in the observed kill chain — techniques the adversary likely used but whose evidence has not yet been found — and target hunting efforts accordingly.
04
AI Threat Intelligence Synthesis
Threat intelligence relevant to the observed TTPs, affected industries, and infrastructure indicators is continuously synthesised from commercial feeds, ISAC data, and open-source sources. Attribution hypotheses are generated and continuously updated as new evidence emerges, allowing the team to contextualize findings against known adversary profiles and anticipate next-stage actions.
05
Human Judgment at Decision Points
Every consequential decision — escalation, containment action, client communication — remains under human control. AI compresses the time from evidence to informed decision. It does not make the decision. This is the model Gartner describes as 'AI-augmented security operations' and what we consider the appropriate human-AI boundary for enterprise security work in 2025.
08

Conclusion: The Asymmetric Opportunity

The history of security technology is a history of defenders adopting new capabilities while adversaries adapt. What is different about the AI moment is the asymmetry of the opportunity: AI disproportionately benefits defenders who can deploy it effectively, because defenders have access to rich, labeled, organization-specific telemetry that adversaries cannot replicate. An AI system trained on your environment's specific behavioral patterns, attack surface, and risk profile is a fundamentally different detection capability than generic threat intelligence.

The organizations that will realize this advantage are not necessarily those with the largest security budgets. They are those that combine three things: AI tooling deployed thoughtfully against their specific threat model; human expertise capable of directing that tooling and interpreting its outputs; and the operational model to integrate the two effectively. The collective intelligence model — multiple specialists working in parallel, with AI synthesizing their findings — is the organizational structure best suited to realizing the full potential of AI in security operations.

The adversaries are already using AI. The question is not whether to deploy AI in your security operations. It is whether you will deploy it more effectively than they do.

References

[1] IBM Security. (2024). Cost of a Data Breach Report 2024. IBM Corporation.
[2] CrowdStrike. (2024). 2024 Global Threat Report. CrowdStrike Holdings.
[3] Verizon. (2024). Data Breach Investigations Report 2024. Verizon Communications.
[4] SANS Institute. (2024). SOC Survey 2024: The State of Security Operations. SANS Technology Institute.
[5] ISC2. (2024). Cybersecurity Workforce Study 2024. International Information System Security Certification Consortium.
[6] MITRE Corporation. (2024). ATT&CK Evaluations Enterprise Round 6. MITRE ATT&CK.
[7] Gartner. (2024). Market Guide for AI-Augmented Security Operations. Gartner Research.
[8] Microsoft. (2024). Microsoft Digital Defense Report 2024. Microsoft Corporation.
[9] Google Threat Analysis Group. (2024). Protecting the Threat Landscape: AI and Advanced Persistent Threats. Google LLC.
[10] SentinelOne. (2024). Adversarial AI: The Threat Landscape Report. SentinelOne, Inc.
[11] Darktrace. (2024). Annual Threat Report 2024: The State of AI-Native Defense. Darktrace PLC.
[12] Tetlock, P. E., & Gardner, D. (2015). Superforecasting: The Art and Science of Prediction. Crown Publishers.

Want AI-enhanced threat hunting in your environment?

Fortify North's collective deploys AI-assisted detection and hunting across your full telemetry stack. Contact us to discuss a threat hunt engagement.