AI SOC Got Commoditized - Now What?

AI SOC was the hottest category in security for two years straight. Every startup raised on it. Every analyst covered it. Now every major SIEM — Splunk, Sentinel, Chronicle — ships native AI triage out of the box. The capability got commoditized almost as fast as it got hyped.

So what happens next?

In this episode, I sit down with Filip Stojkovski, Director of SecOps AI Strategy at BlinkOps and founder of SecOps Unpacked, to work through the question the industry is quietly starting to ask: if AI SOC is now a feature, not a category, what was it actually solving — and what did it leave untouched?

Filip argues AI SOC “automated the easy part.” Triage got faster, MTTD improved, dashboards went green — while remediation backlogs stayed the same, detections stayed broken, and analysts ended up with more decisions queued for them than before. He calls this the Decision Gap, and introduces a new metric — Mean Time to Decision — that reframes where the real bottleneck lives.

From there we get into his ASOP thesis: the Agentic Security Operations Platform as the layer underneath, with AI SOC as just one of many solutions built on top — alongside Agentic IAM, Cloud Security, GRC, detection engineering, and threat hunting.

We close on the honest take: what CISOs should be asking vendors right now, what happens to pure-play AI SOC startups as incumbents absorb the capability, and Filip’s thesis that the platforms that win won’t close the most alerts — they’ll eliminate decisions that never needed a human in the first place.

If you’re building, buying, or betting on this space, this one’s worth your time.

Key Takeaways

  • AI SOC is following the EDR and SOAR playbook. Capabilities get unbundled into startups, prove value, then get absorbed back into the platforms. With Splunk, Sentinel, and Chronicle all shipping native AI triage, the question is no longer if AI SOC consolidates, but how fast.

  • AI SOC automated the easy part. Triage, enrichment, and initial investigation got faster — but the harder problems (broken detections, remediation backlogs, weak feedback loops) didn’t move. Teams declared victory on the metrics that improved and lived with the ones that didn’t.

  • MTTD improved. MTTR didn’t. Faster detection without faster resolution just creates a longer queue. The middle of the SOC sped up while the ends stayed manual.

  • The Decision Gap is the real bottleneck. Better triage produced more decisions queued for humans, not fewer. The constraint was never speed of detection — it was speed of decision.

  • Mean Time to Decision is the metric the industry needs. It exposes where work is actually stuck, which is between the analyst and the action — not between the alert and the analyst.

  • Detection engineering and response are still where the pain lives. When the middle of the SOC is automated, the bottleneck shifts to the ends — which are exactly the parts AI SOC tools don’t touch.

  • AI SOC is a solution, not a platform. The category that matters underneath is the Agentic Security Operations Platform (ASOP) — the layer of agentic workflows, deterministic workflows, case management, analyst copilots, and integration that AI SOC and everything else gets built on top of.

  • The ASOP unlocks more than AI SOC. Agentic IAM, Agentic Cloud Security, Agentic GRC, detection engineering, and threat hunting all sit on the same infrastructure. Buying five point products to do this stitches together what should be one platform.

  • CISOs are asking the wrong questions of vendors. Most evaluations focus on alert closure rates and triage speed. The questions that separate real platforms from polished AI SOC wrappers are about decision elimination, workflow extensibility, and what else you can build on the same foundation.

  • The platforms that win won’t close the most alerts. They’ll eliminate the decisions that never needed a human in the first place. The pure-play AI SOC vendors that don’t expand into platform territory get absorbed, acquired, or quietly fade as the SIEM incumbents catch up.
