The SOC’s visibility gap comes down to staffing
AI has settled into security operations centers faster than any earlier wave of technology. Around four in five practitioners report reaching for AI or machine learning tools in their daily work. The catch shows up one layer down. Roughly a third of those same teams have built these tools into a defined workflow with structure, governance, and consistent validation. The rest pick up AI on their own, case by case, with no shared playbook for how it gets used or checked.

That splits the AI story in the latest SANS SOC Survey into two parts. Adoption is widespread. Integration trails behind it. The survey, now in its tenth year, draws on 444 responses from people working in monitoring and security operations roles, with a separate set of questions answered by senior executives.
AI tools can produce confident, well-formatted answers, and an analyst who trusts that output without the skill to question it becomes the weak point. Several SANS instructors land on the same observation. The danger sits with the person who accepts the result, and with a tool that looks authoritative even when it is wrong.
Leaders and their teams describe different organizations
The survey includes a section answered by CISOs and VP-level leaders, and their answers complicate the main findings. Executives and practitioners describe the same organization and reach different conclusions about how well it works.
The sharpest example sits in staffing. A majority of cyber leaders say management pays close attention to SOC hiring and retention needs. About a third of practitioners agree. That 27-point spread has held across every year the question has been asked. Executives describe their intent. Practitioners describe their experience. Both accounts are accurate, and the distance between them is where retention problems begin.
The effect reaches past morale. When the people who run the SOC feel that leadership overlooks their staffing needs, the team loses the ability to build institutional knowledge and grow junior analysts into senior ones. That continuity is what a serious threat environment demands.
What keeps analysts around
The survey has tracked retention drivers for a decade, and the answer stays steady. Meaningful work ranks first for the third year running, followed by career progression and training. Compensation sits in fourth place.
The point lands for organizations that cannot win a bidding war on salary. They can still offer challenging assignments, a visible career path, and investment in development. Teams that lead with raises and skimp on those three are solving for the wrong thing.
Visibility sits underneath every other decision
Cyber leaders point to one barrier above the rest: a shortage of enterprise-wide visibility. Practitioners name a lack of skilled staff first. These describe one problem from two angles. Leadership cannot see the whole environment. The team cannot get the headcount to instrument it.
The two feed each other. Thin staffing leaves parts of the environment uninstrumented, so leaders cannot see the scope of what they are missing, which makes the case for more headcount harder to win. Closing one side alone leaves both open. One SANS instructor traces much of the visibility problem to identity, a part of the environment many teams assume they cover and rarely engineer with the same care they give endpoints.
Intelligence guides the day more than the budget
Threat intelligence has become standard in the SOC. Most teams apply it to incident response, threat hunting, and daily defense. A smaller share lets it inform what the organization funds for the year ahead.
Intelligence tells an organization which threats are active and which assets attackers target. That information belongs in a budget conversation. Most teams keep it on the analyst’s desk and set annual spending from vendor proposals and past patterns. Over time, intelligence that never touches investment loses standing with leadership and slides toward being a cost center that gets tolerated.
The wider message across ten years of this data is steady. The SOC absorbs change at a deliberate speed, on its own terms. AI arrives quicker than that rhythm allows, and the next few years will test whether the structures that govern security operations can keep up with the tools they are asked to manage.
