Estimated reading time: 8 minutes
Canadian philosopher Marshall McLuhan once said, “One of the effects of living with electric information is that we live habitually in a state of information overload. There’s always more than you can cope with.” This idea now sums up cybersecurity work. Recent research on AI in the SOC shows teams overwhelmed by alerts as they try to keep up with new technology. The challenge is finding the right balance between automation and human judgment.
“Security teams are under relentless operational pressure,” said Monzy Merza, CEO of Crogl. “They are managing thousands of alerts every day while defending against increasingly complex attacks. AI is emerging as a critical force multiplier inside the SOC.”
A new Ponemon Institute report, sponsored by Crogl, shows a tough situation. Companies get thousands of alerts every day but only look into a small number. The report points to heavy workloads, mixed results from AI, and growing worries about data exposure.
Executive Summary: AI Expands, But Pressure Persists
Security operations centers (SOCs) face relentless demand. Organizations generate an average of 4,330 alerts each day. Analysts investigate only 37% of them.
The report frames this gap as a structural issue. It identifies data pipelines and speed as core constraints. Staffing alone cannot solve the problem.
Enterprises also reported an average of 16 cyberattacks in the past year. Half involved malicious insiders. Nearly half involved phishing or social engineering.
AI adoption continues to rise. About 62% of organizations use AI in some capacity. However, only 44% believe AI alone effectively reduces threats.
“The research makes clear that automation alone is not enough. Organizations that combine agentic speed with strong human oversight, disciplined workflows, and clear data governance are positioned to see the greatest impact,” Merza said.
The Alert Crisis: Volume Outpaces Human Capacity
The report’s first finding delivers a blunt assessment. Alert volume has surpassed human capacity.
Seven analysts often manage thousands of daily alerts. Nearly two-thirds go uninvestigated.
Only 43% of organizations rate themselves as effective at detecting and responding to threats.
Merza emphasized the risk exposure directly: “That’s a huge risk exposure.” He added, “If nearly two-thirds of security alerts go uninvestigated on a given day, you are making a bet that none of those uninvestigated alerts was the one that mattered.”
He reframed the issue as a systemic challenge. “Alert volume is a data pipeline problem before it’s a staffing problem.” He continued, “The question isn’t how to investigate more alerts with more people. The question is how to make sure the right alerts reach a human analyst with full context already assembled.”
He also highlighted efficiency gains. “Crogl assembles in seconds what takes an analyst 20 minutes manually.” This shift points toward architecture, not headcount, as the solution.
Human Analysts Remain Central To AI Success
The report delivers a clear signal:
Human analysts are still the most important variable in the AI-powered SOC.
Even in AI’s rise, people remain critical. About 52% of respondents rate human analysts as highly effective. Only 44% say the same for AI alone.
AI excels at speed and pattern recognition. It processes large datasets quickly. However, it lacks human judgment in ambiguous situations. The report states, “The goal is augmentation, not replacement.”
Organizations deploy AI to assist analysts. Benefits include faster resolution and improved triage. AI also frees analysts to focus on strategic work.
ONE MINUTE WATCH – CYBER INSURANCE NEWS PODCAST CLIP
Cybersecurity Monitoring: Why People Still Matter in a SOC
AI Adoption Grows, But Integration Fails
AI adoption appears strong. In reality, deployment faces major obstacles.
Two issues dominate:
- Workflow integration challenges (50%)
- Dispersed, hard-to-normalize data (49%)
Merza addressed the disconnect. “The headline looks reassuring. 62% of organizations have adopted AI.” He added, “If you stop there, you might think the industry has turned a corner.”
He warned against that assumption. “AI adoption alone should not reduce a risk premium.”
He explained the underwriting impact. “The question that matters is whether the AI is improving how analysts triage, investigate, and respond.”
He also flagged a critical gap. “Most current deployments don’t provide the audit trail to verify it. That’s a material gap between what organizations think they have and what they can demonstrate.”
Merza summarized the issue clearly: “AI adoption is a starting line, not a finish line.”
Governance And Visibility Become Critical Requirements
The report emphasizes consistency and transparency. About 63% of organizations demand predictable AI behavior.
The report states, “The goal is not an AI that is always right, but rather an AI whose reasoning can be audited and corrected.”
Merza reinforced the importance of visibility. He said organizations must understand how AI decisions are made. Without that, they cannot prove due care.
He added, “If you can’t show what data your AI touched, when, and why, you can’t demonstrate due care in a claims situation.” This requirement carries direct implications for cyber insurance underwriting.
Third-Party AI Expands The Attack Surface
The study points out that worries about outside AI vendors are growing.
About 61% worry vendors may use their security data to train AI models. Another 59% fear the use of derivative data.
Merza dismissed the idea that these fears are exaggerated. “This isn’t paranoia. This is the security community accurately reading what’s in most AI vendor terms of service.”
He explained why security data is unique. “It reveals your infrastructure topology, your detection logic, your response playbooks, and the specific vulnerabilities you haven’t patched yet.”
He outlined three clear actions:
- “Read the contracts,” especially data usage clauses.
- “Know your deployment model”
- “Build the audit trail.”
Merza stressed deployment choices. “The choice between SaaS-hosted and self-hosted AI isn’t just a cost decision. It’s a risk boundary decision.”
He noted that 45% of SOC environments operate in air-gapped networks. In those cases, “a SaaS-first AI tool isn’t inconvenient, it’s disqualified.”
High Performers Show A Different Model
The report identifies high-performing organizations. About 34% demonstrate a strong security posture.
These organizations share key traits:
- They keep SecOps in-house.
- They deploy AI with discipline.
- They prioritize governance and visibility.
They also align AI with human expertise. They improve analyst performance rather than replacing it, and they maintain control over data and infrastructure. This approach reduces risk and improves outcomes.
Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!
Conclusion: AI Needs Humans To Deliver Value
The report delivers a consistent message. AI plays a critical role in SOC operations. However, it cannot replace human judgment. Security teams must combine AI speed with human insight. They must also address data fragmentation and governance gaps.
The report concludes: “The data isn’t complicated. The implementation is.”
Attackers already use AI to automate attacks. Defenders must respond at a similar speed. Organizations that align AI with human expertise will gain the advantage.
Plain-English Analogy
Imagine airport security during the busy holiday season. Machines quickly scan bags and flag anything suspicious, but human officers make the final call. If scanners miss something, the risk goes up. If officers ignore alerts, it’s also dangerous. The safest airports use both fast machines and skilled people. The SOC works similarly.
FAQ: Key Questions About The AI In The SOC Report
Part 1: Core Findings And Operational Impact
Alert volume overwhelms teams. Organizations receive about 4,330 alerts daily. Analysts lack time and context to review all alerts effectively.
The study does not measure financial loss directly. However, risk exposure remains high. As Monzy Merza said, ignoring alerts means “making a bet” that none are critical.
The main issue is data overload. Alerts come from fragmented systems. Analysts must process them quickly with limited resources.
Only 44% of respondents rate AI as highly effective. AI improves speed and triage but lacks full decision-making capability.
AI speeds alert resolution, improves triage, and frees analyst time. It helps teams focus on high-priority threats.
Part 2: AI Challenges, Insurance Impact, And Future Outlook
Integration fails due to fragmented data and workflow issues. About 50% cite integration challenges, while 49% cite poor data quality.
No. Merza stated that adoption alone is not enough. Insurers must evaluate whether AI improves detection, response, and visibility.
Security data may be reused or exposed. About 61% fear vendors using their data to train AI systems.
Humans provide judgment and context. The report shows 52% rate analysts as highly effective, above AI alone.
High performers keep operations in-house, govern AI carefully, and use AI to support analysts. They prioritize visibility and data control.
Related Cyber Insurance Posts
- Cyber Warfare Escalates Worldwide As AI Turns Digital Conflict Into Constant Pressure
- Why Cyber Insurance Underwriting Is Moving Beyond Questionnaires – NEW PODCAST
- “We’re Still One Big Systemic Event Away”: A Conversation with Willis’ Peter Foster
- 70% of Leaked Secrets Remain Active for Years – GitGuardian Report Exposes Secrets Sprawl Cybersecurity Risk
- All Things Cyber Liability Insurance With Travelers’ John Menefee
