Business & Technology
Lessons from deploying AI in a live SOC
When SOC teams need to cut through the noise, AI can be crucial. However, its true value can only be felt if it’s implemented with operational context and discipline. Through the real experience of running a live SOC, we’ve learned lessons on putting AI into production, rather than just discussing it.
The challenge facing today’s SOC isn’t hard to describe. Too many alerts, too many tools, too little time. To make matters more complicated, there aren’t enough people to keep pace with attackers who are becoming quieter, more patient, and increasingly automated.
Most security leaders already know this. The noise problem is well understood, and the skills shortage is well documented. The pressure being put on analysts is visible every day.
What’s less often shared, however, is what happens when you try to fix it. Talking about AI in the SOC is easy. Implementing it inside a live, multi-customer SOC, where mistakes have consequences, is something different.
AI as a change to how the SOC operates
AI shouldn’t be approached as a feature to be added. As a managed security service provider, Gamma Communications runs a live SOC that supports multiple customer environments. Each one comes with different tools, playbooks, and governance requirements.
When we first started integrating AI into our investigative workflows, the goal was to make the SOC sustainable at scale, without endangering trust. We never set out to replace analysts or chase the next big innovation headline.
That distinction matters. Simply adding AI on top of existing processes doesn’t solve the problem. In many cases, it makes it worse.
Automation alone follows rules. It doesn’t reason, adapt or explain itself when something goes wrong. In an environment that depends on judgement and accountability, that limitation shows up very quickly.
AI only creates value when it understands the process
One lesson we learned early on was that single-agent AI approaches struggle in real investigations. They can look impressive in isolation, but incidents are messy.
A single phishing case can involve headers, domains, attachments, QR codes, URLs and enrichment from threat intelligence, not to mention the structured decision making around severity and response.
Human analysts navigate that complexity instinctively, because they have context and experience. AI, on the other hand, needs structure.
That’s why we moved towards a multi-agent approach. Different agents handle distinct parts of the investigation, and deterministic automation handles tasks that must be executed with certainty.
AI reasoning is applied where it genuinely adds value, interpreting patterns, prioritising signals, and supporting decision making. Control over judgement, escalation, and accountability is retained by humans.
An AI-powered, human-led future for SOC
Trust was the hardest thing to earn, both internally and operationally. In a live SOC, you cannot afford confident but incorrect outputs. Hallucinations must be avoided, and you shouldn’t be left with decisions that can’t be audited or explained.
Guardrails were foundational, not optional.
We constrained what the AI could see, how it could reason, and what it was allowed to produce. Strict workflows were defined, outputs were validated continuously, and human oversight over escalations and high severity incidents was maintained. Performance was also monitored over time – not just in testing, but in production, across real cases.
Consistency builds trust
The benefits didn’t show up everywhere, which is important to say. AI didn’t magically eliminate the need for skilled analysts. Instead, it changed how their time was spent.
The most measurable impact came through early investigation and triage. By accelerating data gathering, enrichment, and structuring, we saw five to ten times improvements in Mean Time to Investigate at that initial stage. Work that previously took twenty minutes could often be reduced to a few minutes, without cutting corners.
That matters, but not because speed is everything. Analysts were given the space to focus on judgement, rather than noise.
Analysts now have time to think
There’s a growing temptation in the market to treat AI adoption as a buying decision. You pick a tool, switch it on, and move on. Our experience suggests that approach rarely survives in a real-world situation.
Some commercial solutions are valuable, while others lack the flexibility required in multi-customer environments. Internal development brings control, but also responsibility.
In practice, a multi-model, multi-solution approach proved necessary as it reflected how real SOCs operate. Elegance was never a driving factor.
This is where many organisations will struggle. The AI works, but implementation is often treated as a technological project, rather than an operating model change.
GenAI: Designed in, not bolted on
The uncomfortable truth is that doing nothing is no longer an option. The scale of threats, the pace of change, and the pressure on people mean the traditional SOC model will continue to fracture under load.
AI can help restore balance, but only when it’s introduced safely and deliberately. The role humans still play in security decision-making must continue to be respected.
The mistake many organisations will make is treating AI in the SOC as a technology upgrade. In fact, it’s an operating model decision, and it will expose every weakness in process, governance, and accountability that already exists.
The real question is whether your SOC is ready to absorb AI without increasing risk. That means knowing where AI should reason, where automation must remain deterministic, and where human judgement can never be removed. It means recognising that illumination comes from discipline and experience, not from adding more tools.
How do we know this? Because we’ve been there. AI was implemented inside a live, multi-customer SOC, where mistakes are visible and trust is earned the hard way.
The takeaway is simple. Illumination stems from an understanding of how people, process, and AI work together at scale.
Haiilo partners Work Networks to boost platform adoption
Haiilo has formed a strategic partnership with Work Networks, a UK consultancy focused on workplace adoption.
Under the agreement, Work Networks will help organisations implement and roll out Haiilo’s employee experience platform. Its work will include support for community-building, leadership engagement and communication strategies designed to make the platform part of employees’ daily routines.
The move comes as many employers continue to invest in workplace technology while facing weak adoption and engagement across their workforces. Staff are often asked to work across fragmented systems, disconnected communication channels and a growing number of digital tools, leaving employees to manage information overload and competing demands on their attention.
The partnership is part of Haiilo’s wider global partner network. The company operates from offices in the US, UK, Germany and Finland.
Adoption focus
For Haiilo, the tie-up adds a consulting partner with expertise in change management and internal communication at a time when software vendors are under pressure to show that workplace platforms are being used after purchase. The platform is designed to bring communication, knowledge and tools into one place for employees, including frontline and distributed teams.
Work Networks will support organisations through implementation and adoption, rather than only at the point of software deployment. This places the emphasis on workplace habits, leadership behaviour and communication planning, which often determine whether internal platforms gain traction with staff.
Andrew Avanessian, Chief Executive Officer, Haiilo, said: “Employees are often left navigating too many tools, too many systems and too much noise. Attention has become one of the most valuable resources inside any organisation, yet too many workplace experiences are designed in ways that constantly fragment it.
“Haiilo helps organisations create a more connected experience where communication, knowledge and tools work together seamlessly. Partners like Work Networks play a critical role in making that vision a reality, ensuring lasting adoption and meaningful change.”
Consulting role
The partnership also reflects demand from employers for more support with digital workplace change programmes. In many organisations, new systems are introduced into already crowded technology environments, making it harder for staff to know where to find information or which tools should take priority.
This challenge is often more pronounced in businesses with frontline workers or dispersed teams, where communication can be inconsistent and access to corporate systems may vary. By combining software with rollout planning and leadership engagement, companies are trying to reduce the risk that new platforms become underused.
Nick Crawford, Chief Executive Officer, Work Networks, said: “Haiilo’s platform gives organisations a powerful foundation, but technology alone often isn’t enough – organisations also need the right strategy, leadership engagement and cultural change to ensure platforms are truly adopted.
“Our partnership combines Haiilo’s platform with a people-first approach to rollout and adoption, helping organisations create digital workplaces where communication flows naturally and employees feel part of a connected community.”
Oxford pubs shut over protest fears during England World Cup
The controversial, ultra-nationalist figure, whose real name is Stephen Yaxley-Lennon, is expected to speak at the Oxford Union debating society in St Michael’s Street today (Wednesday, June 17).
He will debate a motion on whether the West is ‘right to be suspicious of Islam’, with actor Laurence Fox and politician Sir Jacob Rees-Mogg also due to speak.
Tommy Robinson, who has multiple convictions for offences including assault, using a fake passport, mortgage fraud and contempt of court, will debate (Image: PA Media)
Fears among local hospitality businesses, including pubs, restaurants, and coffee shops, have risen as a large demonstration has been planned ahead of the speaker’s arrival.
Multiple reports say as many as five roads are set to be closed from 4pm in preparation, including: St Michael’s Street, Cornmarket Street, Queen Street, Market Street, and Ship Street.
Oxfordshire County Council only confirmed St Michael’s Street would be shut due to the event.
But businesses told the Oxford Mail that county council officials had informed them their streets would be impacted. University of Oxford also posted on social media that Thames Valley Police had told them of the five road closures.
Oxford Union in St Michael’s Street (Image: Roger Askew)
Businesses, particularly pubs that will be closing, are concerned about staff and public health and safety and a loss of revenue at what should be the busiest time for them due to the World Cup.
The Jolly Farmers Pub in Paradise Street said: “Businesses are going to suffer. Communities are going to suffer. Our reputation as a city is going to suffer.”
A pub spokesman confirmed The Jolly Farmers will be closed today for the visit.
The Three Goats Head Pub in St Michael’s Street, next door to the union, is closing from 4pm. It will therefore have to send staff home and will lose business.
Manager Jaz Rai said: “I believe in free speech, but I’m not sure why the decision was made for the first match, they should have thought about it bit more.”
Society Coffee, opposite The Oxford Union society, which usually closes at 5.30pm, will close at 4pm.
It is alleged that The Plough Inn in St Michael’s Street will be closed and boarded up (Image: Newsquest)
The popular Plough Inn in Cornmarket Street is believed to be closing and boarding up, according to local pub managers.
Multiple closures are planned for businesses in Ship Street, opposite St Michael’s Street (Image: Newsquest)
In Ship Street, two of the three businesses are remaining open. These are Crosstown, an award-winning doughnut seller, and No.1 Ship Street, an award-winning independent restaurant.
Maddie Holloway, a barista at Crosstown in Ship Street, who will be working throughout the planned demonstration (Image: Newsquest)
Maddie Holloway, barista at Crosstown, will be working during the protest. She said: “There’s been many protests on St Michael’s Street before but they haven’t come here but we would close if there was a danger.”
Manager Jose Toro of New Ground Coffee in Ship Street is closing from 4pm. He said Oxfordshire County Council came to the business to warn them to not have property, such as tables and chairs, outside.
He said: “It’s out of our control but from a business perspective you can’t just shut down the city without asking anyone.”
The White Rabbit in Friars Entry is closing from 4pm to protect customer and staff safety, despite major business losses (Image: Newsquest)
White Rabbit in Friars Entry is closing from 4pm. General manager Edward Whinney has prioritised staff and public safety, despite a major financial loss.
He said the closure was important as pub closures across the city could push football fanatics and protestors into nearby streets.
He said: “I was really shocked that at a time where there is so much division and anger, the Oxford Union society, which is supposed to hold constructive debates, is choosing speakers where any proper agreement is going to be lost – It is really irresponsible and I think it’s about making a statement.”
He has had to cancel 70 table bookings, losing 20 per cent of business.
He said: “I will fiercely defend free speech, but it’s staggering that businesses who need the help the most are going to be affected the hardest.
“Our first priority is making sure people are safe and happy, so we didn’t want to risk any consequences on our staff and customers.”
The Grapes in George Street is staying open for the first England World Cup game.
Manager Phoenix Herald called the timing of Tommy Robinson’s visit “ironic” but said the historic beer house is “on alert but not letting it dictate” them.
It will have extra security in the form of bouncers with town radio connections and a ‘just in case’ action plan.
Anneliese Dodds has called the behaviour of Oxford Union’s leadership (Image: Constituency office of Anneliese Dodds)
Anneliese Dodds, Labour MP for Oxford East, has called the behaviour of Oxford Union’s leadership “damaging” to the city.
She said: “The Oxford Union’s decision to host Stephen Yaxley-Lennon has already been rightly criticised for ignoring the views of Oxford residents concerned about its impact on community relations.
“Now it appears local businesses are also worried that they could be targeted by supporters of Yaxley-Lennon and the division he promotes.
“When will the Oxford Union’s leadership realise their behaviour is damaging our city?”
CyberNorth & Check Point bring summit to Newcastle
CyberNorth and Check Point will host the Cyber Leader Summit in Newcastle, bringing Check Point’s summit series to the North East for the first time.
Part of the wider TechNExt programme, the event will bring together cyber security professionals, technology leaders, policymakers and innovators. The Newcastle edition follows previous summits in London and Manchester.
For CyberNorth, the move marks another sign of the North East’s growing role in the UK cyber sector. The organisation supports around 600 businesses and more than 5,000 active professionals across the region, with links to sectors including FinTech, space, maritime and defence.
Check Point, which sells cyber security products and services to businesses and governments, said the summit would focus on issues including AI, quantum technologies, ethics, resilience and skills. Speakers are expected from regional and national organisations, including the BBC.
Regional profile
The summit is backed by the Department for Science, Innovation and Technology, which has promoted stronger cyber practices and wider AI adoption across UK regions. Its support adds a national policy dimension to an event centred on a regional technology cluster.
Jon Holden, Chief Executive Officer of CyberNorth, said: “Bringing the Cyber Leader Summit to Newcastle in collaboration with Check Point is a huge moment for the North East cyber scene. The fact that this nationally recognised roadshow is coming to the region, following events in London and Manchester, is a clear indication of the growing reputation and capability of the North East. The region is home to exceptional cyber talent, innovative businesses and a highly collaborative ecosystem. Through key events such as the Cyber Leader Summit we’re able to bring together industry leaders, innovators and future talent to help strengthen the region’s position as a key player within the UK cyber security landscape.”
The North East has sought to raise its standing as a cyber security centre as part of a broader effort to expand the regional technology economy. CyberNorth added that its relationships with the Department for Science, Innovation and Technology and the Department for Business and Trade have helped raise the area’s profile in the UK and abroad.
Sector links
Its network extends across critical national infrastructure, quantum and other technology fields, giving it reach into both established industries and emerging areas. That cross-sector presence helps make events such as the Cyber Leader Summit useful platforms for introductions, partnerships and discussion between public and private sector participants.
Charlotte Wilson, Head of Enterprise at Check Point Software Technologies, said: “We’re delighted to bring the Cyber Leader Summit to the North East in partnership with CyberNorth and as part of TechNExt 2026. The summit is designed to encourage meaningful conversations around the challenges and opportunities facing cyber security today, from AI and quantum technologies to ethics, resilience and future skills while creating opportunities for collaboration across the wider ecosystem. The North East has a vibrant and fast-growing cyber community, and it’s important for us to support and engage with the organisations, leaders and emerging talent helping shape the future of the industry.”
The event reflects a wider trend of national and international cyber security companies looking beyond London for industry engagement. Regional clusters have become more visible as employers, investors and policymakers respond to demand for cyber skills and the spread of digital risk across sectors.
That has also sharpened attention on how local ecosystems connect with national strategy. In this case, the summit’s agenda is expected to cover both current threats and longer-term issues such as skills development and the effect of emerging technologies on resilience.
A spokesperson at the Department for Science, Innovation and Technology said: “At DSIT, we always look to support the regions in their pursuit of improved cyber security practices and, increasingly, their focus on AI development and its adoption. To strengthen resilience across the UK, it is essential that the regions continue to upskill their businesses and the next generation of professionals in these frontier technologies. That a global leader in cyber tech and AI has chosen to bring their senior leader summit to the North East, is a great indication of the calibre of businesses and potential of the region. I wish the event every success.”
