The AI arms race in cybersecurity: Why your SOC needs to evolve now

The threat landscape has fundamentally shifted. Adversaries are no longer just nation-states and elite criminal groups with deep pockets. They are anyone with access to AI, and that changes everything.
The uncomfortable truth: Attackers got there first
The pace of exploitation is no longer measured in days or hours but in minutes and seconds. According to the Microsoft Digital Defense Report 2025, adversaries are now using generative AI to scale social engineering and automate lateral movement with startling efficiency. Phishing campaigns crafted by large language models are achieving click-through rates up to 4.5 times higher than traditional methods.
The speed of these attacks is equally alarming. The CrowdStrike 2025 Global Threat Report highlights that the average breakout time, the window between initial compromise and lateral movement, has plummeted to just 29 minutes. The fastest recorded breakout occurred in a mere 27 seconds. This acceleration is driven by what many call "vibe coding," where attackers use AI to build exploits and scripts at machine speed. Sophisticated threats that were once the sole province of nation-states have been democratized, placing every organization in the crosshairs. It is rapidly becoming an axiom in information security: If you are not using AI to battle AI, you will lose.
The shift to threat engineering
This rapid acceleration of sophisticated attacks is fundamentally changing the role of the SOC analyst. We are undergoing the most significant transformation since the invention of the SIEM, shifting away from eyes-on-glass alert triage toward a high-impact era of threat engineering.
A useful analogy: When spreadsheet software arrived in the 1980s, people predicted the end of accountants. The opposite happened. Accountants who embraced the tools expanded their practices, took on more clients, and did better work. SOC analysts face the same moment. AI will not eliminate them. It will change what they do.
The myth of the autonomous SOC
While the role is evolving, we must be wary of the false promise that AI will simply replace these experts. Anyone promising an "autonomous SOC" or a "reduced-staff SOC" is selling a dangerous fantasy. These narratives view AI in isolation, as if defenders are the only ones with access to the technology.
In reality, the adversary has implemented AI faster and more aggressively than most defensive teams. Reports from Microsoft and OpenAI have already identified state-affiliated actors using AI for advanced reconnaissance and malware development. Defensive AI is not a "win button." It is the minimum entry fee just to stay level with the attacker. You will still need business context, mission-specific knowledge, and security expertise. The goal is not to have fewer people. The goal is to ensure your people are not overwhelmed by machine-speed attacks.
Defining the agentic SOC
To survive this arms race, we must move beyond autonomous myths and embrace an agentic reality. An agentic SOC is not a product you buy. It is a transformation in how security operations work. It involves a series of agentic workflows and skills working on behalf of the analyst automatically, behind the scenes, and transparently.
Today’s traditional SOC looks like a pyramid: a large base of entry-level analysts manually sifting through alerts with a smaller senior tier handling investigation and response. The agentic model flips that into a diamond. The routine entry-level work is handled by AI agents. Analysts move up to become threat engineers — experts who manage, tailor, and validate the agents they support. Each SOC analyst essentially becomes an SOC manager of their own team of automated analysts.
The Elastic-powered agentic SOC: The Iron Man suit
Enabling these agentic workflows requires a platform built on a world-class data foundation that is deeply infused with security expertise. Elastic Security is the heart of the agentic SOC because we approach security as a data problem that requires elite defensive DNA. To understand the power of this shift, consider the data problem. The legacy SOC is like a researcher in a massive library who spends 90% of their day just searching for the right book.
The Elastic agentic SOC is the Iron Man suit that scans every book in that library instantly. It identifies the threat and equips the analyst to stop it before it even reaches the door. The human provides the intent and judgment, while the platform provides the machine speed, sensors, and automated response systems.
While others are security companies trying to retrofit data onto their platforms, Elastic was born for data and evolved by world-class security experts to solve the scale and complexity of modern threats.
| Feature | Elastic Security | Others |
| --- | --- | --- |
| Model choice | Fully agnostic. Use GPT-4o, Gemini, or disconnected local models. | Vendor lock-in. Users are tethered to their proprietary AI or specific cloud partners. |
| Precision prevention | Native and integrated. Elastic Defend stops attacks at the edge before they can execute. | Siloed. They often rely on bolt-on tools that don't share context with the AI layer. |
| Data philosophy | Born for data. Elastic is the most widely deployed vector database built by security experts. | Security-first, data-second. Analytics often fail or become unaffordable at scale. |
| Data mobility | Federated mesh. Query data where it lives on object storage. | Proprietary silos. They require you to move all data to their specific cloud. |
Core pillars of the agentic future
- Background agency (the silent partner): AI should fit into existing workflows, not detract from them. For example, during a supply chain attack, Elastic agents do not wait for a prompt. They have already pulled the process tree, cross-referenced threat intelligence, and mapped the OODA loop. By the time you get a Slack message, the Observe and Orient phases are finished.
- Precision prevention and agentic response: Because attackers move in seconds, we prioritize automated response powered by agentic workflows. Prevention is the fastest possible response. Elastic Defend provides world-class included prevention, while our agentic workflows trigger automated remediation to stop damage and loss to the organization instantly.
- Model sovereignty: You choose the brain of your SOC. Whether you want to use frontier models like GPT-4o or fully disconnected local models for air-gapped missions, Elastic supports it. You adopt AI at your pace and your risk, not the vendor's.
- Searchable scale: Only Elastic offers federated data mesh technology. With searchable snapshots, you can keep petabytes of data on low-cost object storage and get answers in seconds. The questions go to the data, which reduces transfer fees and maintains data boundaries.
Speed and prevention: The new currency
These pillars directly support the need for machine speed in a landscape where minutes matter. Modern attacks execute so quickly that if your average response time is 30 to 40 minutes, the attacker has already won.
The agentic future requires a platform that handles the full OODA loop. You must prevent malicious activity before it executes, then use AI agents embedded in workflows to detect and respond by surfacing context automatically and triggering automated remediation. We must stop damage to the organization by compressing the time from detection to remediation to seconds.
What this means for security buyers
The direction is clear: The security vendors worth partnering with are those building toward agentic operations with data as the foundation and security as the mission. The shift to agentic operations is not a roadmap feature. It is a requirement for survival in a landscape where the attackers never sleep.
Learn more
- Why 2026 is the Year to Upgrade to an Agentic AI SOC
- Microsoft Digital Defense Report 2025: AI and the Evolving Threat Landscape
- CrowdStrike 2025 Global Threat Report: The Year of the Enterprising Adversary
- Zscaler ThreatLabz 2026 AI Security Report
- Agent Skills for Elastic: Turn your AI agent into an Elastic expert
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.
In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.