Avatar

Having worked across nearly every layer of cybersecurity – from analyst to CISO for two different organizations – I have seen firsthand how difficult security investigations used to be. I still remember trying to manually stitch together security incidents that were scattered across multiple tools and platforms.

An alert might originate in one system. Endpoint activity might appear in another. Network telemetry lived somewhere else entirely. Threat intelligence came from yet another source.

Correlating all of that information was tedious and often frustrating. Mapping activity against the MITRE ATT&CK framework could take hours—or days—and it frequently felt impossible to do in a timeframe that would allow defenders to catch an attacker while they were still actively operating inside the environment.

More often than not, we were reconstructing events after the fact. A SIEM helped us piece together what happened, identify what had been compromised, and understand what had been lost. But investigations were largely retrospective exercises.

Things have changed a lot since those days.

Every year, Cisco Live provides a unique opportunity to see security technologies operating in a real-world environment at scale. Thousands of attendees, countless devices, hundreds of applications, and an enormous amount of network traffic creates the perfect proving ground for modern Security Operations Centers (SOCs).

Having spent time in the Cisco Live Americas 2026 SOC, one thing became abundantly clear:

  • The way SOCs operate today is fundamentally different from even a few years ago.
  • The change isn’t simply that we have better tools.
  • The change is that AI has become embedded throughout the investigative workflow, enabling analysts to operate at machine speed while focusing their attention on higher-value decision making.

In many ways, 2026 feels like the beginning of a new era for security operations.

Not Long Ago, Correlation Was Manual

Only a few years ago, SOC analysts spent a significant portion of their day manually correlating information across disconnected tools:

  • An alert would arrive from one system.
  • The analyst would open another console to investigate.
  • Then another.
  • Then perhaps a packet capture tool.
  • Then a threat intelligence platform.
  • Then an endpoint security product.
  • Then a ticketing system.

The analyst became the integration layer. The process worked, but it was slow. More importantly, it did not scale. Attackers were already operating at machine speed. Defenders were still operating at human speed.

Today, that gap is closing rapidly.

At Cisco Live 2026, many investigations flowed naturally between XDR, Splunk Enterprise Security, Secure Firewall, Secure Malware Analytics, Endace, Wireshark, and AI-assisted analysis capabilities.

Instead of spending time gathering information, analysts could spend more time understanding what the information actually meant.

That distinction is important.

The future SOC is not about replacing analysts.

It is about removing friction.

A Conversation That Captured the Shift

Two comments from one of our SOC team members perfectly captured the transformation happening across the industry.

At the RSA Conference in March:

“I just started vibe coding and it’s amazing. I just vibe coded this last night.”

Then, only a few months later at Cisco Live:

“Why would anyone NOT use AI in their work?”

Those comments weren’t made by software developers.

They were made by security practitioners.

That alone says something remarkable.

AI is no longer viewed as a specialized capability reserved for data scientists or engineers. It is becoming a normal part of everyday work.

Just as analysts eventually stopped debating whether they should use search engines or automation scripts, we’re quickly approaching a point where AI becomes simply another tool in the workflow.

The question is no longer whether AI belongs in the SOC.

The question is how effectively we can integrate it.

The Rise of Analyst-Driven Automation

One of the most interesting developments I observed this year wasn’t in a security product. It was in how analysts themselves are starting to build. Historically, if a SOC analyst wanted a custom integration, workflow enhancement, dashboard improvement, or automation, they often needed to submit a request to an engineering team and wait days, weeks, or sometimes months for implementation.

That model is rapidly changing.

Tools like Codex and other AI coding assistants are lowering the barrier to software development so dramatically that security analysts can increasingly build solutions themselves.

  • Need to automate a repetitive enrichment task?
  • Need to connect two systems that weren’t previously integrated?
  • Need a custom workflow that improves investigation efficiency?

Many of these ideas can now be prototyped in hours instead of weeks.

The phrase “vibe coding” may sound casual, but the implications are profound. For the first time, many security practitioners can translate ideas directly into working code with AI acting as a development partner. The result is a new generation of analyst-builders who can improve SOC operations without waiting for someone else to do it. Just as spreadsheets empowered business users decades ago, AI-assisted coding is beginning to empower security analysts today.

The organizations that embrace this shift will innovate faster than those that don’t.

The Rise of the Agentic SOC

One of the themes Cisco has been discussing recently is the emergence of the Agentic Workforce. Security operations may be one of the clearest examples of this concept in action.

Modern SOC workflows increasingly resemble teams of specialists working together:

  • Detection platforms identify suspicious activity.
  • Correlation engines connect related events.
  • AI systems summarize findings.
  • Investigation tools gather evidence.
  • Automation platforms execute response actions.
  • Analysts validate conclusions and make decisions.

The result is not a fully autonomous SOC. Rather, it is a SOC where humans and machines each contribute what they do best. Machines excel at speed, scale, memory, and pattern recognition. Humans excel at context, judgement, creativity, and decision making. The most effective SOCs of the future will leverage both.

Real Example: Following a Malware Investigation Across Multiple Platforms

One investigation at Cisco Live involved a malware detection associated with a downloaded executable.

A Secure Malware Analytics verdict generated an XDR incident, immediately providing analysts with a starting point for investigation.

Modern XDR platforms automatically correlate telemetry from multiple sources into a single incident, dramatically reducing the time required to understand what happened.

From there, the workflow expanded naturally across multiple integrated platforms.

The analyst was able to pivot from XDR into Secure Malware Analytics, then into Splunk, where additional telemetry revealed the originating host, destination server, timestamps, and download activity.

Integrated investigations allow analysts to move seamlessly between products without manually recreating searches or exporting data.

Further investigation identified the associated repository activity and enabled rapid scoping of the event.

What stood out wasn’t the individual tools.

It was the workflow.

The investigation flowed naturally from one data source to another without forcing the analyst to manually stitch together information from disconnected systems.

A few years ago, gathering this evidence might have consumed most of an analyst’s investigation time.

Today, the workflow itself performs much of that heavy lifting.

The analyst’s attention remains focused on understanding the situation and determining the appropriate response.

Real Example: Turning Hundreds of Alerts Into a Single Conclusion

Another investigation involved a large number of XDR incidents associated with HTTP authentication traffic. Historically, an analyst might have spent hours reviewing individual alerts to determine whether they represented malicious activity. Instead, analysts were able to pivot quickly from XDR into Splunk, then into Endace packet capture data, and ultimately into Wireshark analysis to understand the root cause.

The investigation revealed that the alerts were being triggered by legacy Basic Authentication attempts rather than an active attack. By examining the underlying traffic and decoding the authentication data, the team was able to confirm the behavior and determine an appropriate remediation strategy.

Even more importantly, the outcome wasn’t simply closing an incident.

The outcome was improving the detection pipeline itself.

The recommendation was to filter these noisy events before they entered XDR, reducing future alert fatigue and improving SOC efficiency.

This is another hallmark of modern security operations.

The goal is not merely to investigate alerts.

The goal is to continuously improve the system.

Analysts can now pivot from high-level incidents all the way down to packet-level evidence in a matter of clicks, validating findings and improving detections.

AI Is Already Embedded in Daily Operations

Many people still imagine AI as a chatbot sitting beside an analyst.

The reality is much more interesting.

At Cisco Live, AI was already present throughout the workflow:

  • Incident summaries generated automatically within XDR.
  • Correlation across massive volumes of telemetry.
  • Automated enrichment of security events.
  • Investigation pivots across integrated platforms.
  • Natural language interfaces for querying security data.
  • AI-assisted code generation using tools such as Codex.
  • Workflow automation that reduces repetitive analyst effort.

The analyst experience increasingly resembles working alongside a highly capable research assistant that never sleeps, never forgets, and can process information at a scale no human could achieve alone.

This doesn’t eliminate the need for expertise.

If anything, expertise becomes more valuable.

The analyst’s role shifts from data gathering to decision making.

The Future SOC

Looking ahead, I don’t believe the SOC of the future will be fully autonomous. Nor do I believe analysts will be replaced. What I do believe is that analysts who effectively leverage AI will dramatically outperform those who do not.

The gap between AI-enabled teams and non-AI-enabled teams is already becoming visible.

Cisco Live 2026 offered a glimpse of what comes next:

  • Investigations moved faster.
  • Context was easier to obtain.
  • Knowledge was easier to share.
  • Analysts could build their own automations.
  • AI could summarize incidents in seconds.
  • Workflows increasingly operated at machine speed.

And analysts spent less time fighting tools and more time solving problems.

That may be the most important change of all.

AI isn’t transforming the SOC because it can replace analysts. AI is transforming the SOC because it allows analysts to operate at a scale, speed, and effectiveness that simply wasn’t possible a few years ago.

The modern SOC is no longer just a collection of security products. It is becoming an intelligent, interconnected system where humans, automation, and AI work together to defend increasingly complex environments.

And based on what I saw at Cisco Live 2026, that future has already arrived.

Check out the blogs by the engineers who worked inside the SOC at Las Vegas:

Authors

Todd Dow

Solutions Engineer