Lessons from deploying AI in a live SOC

When SOC teams need to cut through the noise, AI can be crucial. However, it’s true value can only be felt if it’s implemented with operational context and discipline. Through the real experience of running a live SOC, we’ve learned lessons on putting AI into production, rather than just discussing it.

The challenge facing today’s SOC isn’t hard to describe. Too many alerts, too many tools, too little time. To make matters more complicated, there aren’t enough people to keep pace with attackers who are becoming quieter, more patient, and increasingly automated.

Most security leaders already know this. The noise problem is well understood, and the skills shortage is well documented. The pressure being put on analysts is visible every day.

What’s less often shared, however, is what happens when you try to fix it. Talking about AI in SOC is easy. Implementing it inside a live, multi-customer SOC, where mistakes have consequences, is something different.

AI as a change to how the SOC operates

AI shouldn’t be approached as a feature to be added. As a managed security service provider, Gamma Communications runs a live SOC that supports multiple customer environments. Each one comes with different tools, playbooks, and governance requirements.

When we first started integrating AI into our investigative workflows, the goal was to make the SOC sustainable at scale, without endangering trust. We never set out to replace analysts or chase the next big innovation headline.

That distinction matters. Simply adding AI on top of existing processes doesn’t solve the problem. In many cases, it makes it worse.

Automation alone follows rules. It doesn’t reason, adapt or explain itself when something goes wrong. In an environment that depends on judgement and accountability, that limitation shows up very quickly.

AI only creates value when it understands the process

One lesson we learned early on was that single agent AI approaches struggle in real investigations. They can look impressive in isolation, but incidents are messy.

A single phishing case can involve headers, domains, attachments, QR codes, URLs, enrichment from threat intelligence. Not to mention the structured decision making around severity and response.

Human analysts navigate that complexity instinctively, because they have context and experience. AI, on the other hand, needs structure.

That’s why we moved towards a multi-agent approach. Different agents handle distinct parts of the investigation, and deterministic automation handles tasks that must be executed with certainty.

AI reasoning is applied where it genuinely adds value, interpreting patterns, prioritising signals, and supporting decision making. Control over judgement, escalation, and accountability is retained by humans.

An AI-powered, human-led future for SOC

Trust was the hardest thing to earn, both internally and operationally. In a live SOC, you cannot afford confident but incorrect outputs. Hallucinations must be avoided, and you shouldn’t be left with decisions that can’t be audited or explained.

Guardrails were foundational, not optional.

We constrained what the AI could see, how it could reason, and what it was allowed to produce. Strict workflows were defined, outputs were validated continuously, and human oversight over escalations and high severity incidents was maintained. Performance was also monitored over time – not just in testing, but in production, across real cases.

Consistency builds trust

The benefits didn’t show up everywhere, which is important to say. AI didn’t magically eliminate the need for skilled analysts. Instead, it changed how their time was spent.

The most measurable impact came through early investigation and triage. By accelerating data gathering, enrichment, and structuring, we saw five to ten times improvements in Mean Time to Investigate at that initial stage. Work that previously took twenty minutes could often be reduced to a few minutes, without cutting corners.

That matters, but not because speed is everything. Analysts were given the space to focus on judgement, rather than noise.

Analysts now have time to think

There’s a growing temptation in the market to treat AI adoption as a buying decision. You pick a tool, switch it on, and move on. Our experience suggests that approach rarely survives in a real-world situation

Some commercial solutions are valuable, while others lack the flexibility required in multi-customer environments. Internal development brings control, but also responsibility.

In practice, a multi-model, multi-solution approach proved necessary as it reflected how real SOCs operate. Elegance was never a driving factor.

This is where many organisations will struggle. The AI works, but implementation is often treated as a technological project, rather than an operating model change.

GenAI: Designed in, not bolted on

The uncomfortable truth is that doing nothing is no longer an option. The scale of threats, the pace of change, and the pressure on people mean the traditional SOC model will continue to fracture under load.

AI can help restore balance, but only when it’s introduced safely and deliberately. The role humans still play in security decision-making must continue to be respected.

The mistake many organisations will make is treating AI in the SOC as a technology upgrade. In fact, it’s an operating model decision, and it will expose every weakness in process, governance, and accountability that already exists.

The real question is whether your SOC is ready to absorb AI without increasing risk. That means knowing where AI should reason, where automation must remain deterministic, and where human judgement can never be removed. It means recognising that illumination comes from discipline and experience, not from adding more tools.

How do we know this? Because we’ve been there. AI was implemented inside a live, multi-customer SOC, where mistakes are visible and trust is earned the hard way.

The takeaway is simple. Illumination stems from an understanding on how people, process, and AI work together at scale.

Want to know how AI fits into your SOC? Join our live webinar on Tuesday 21st April to see how organisations can move forward with clarity rather than guesswork.