CHAPTER 9

SOC Automation

In April of 2025, researchers published the AI 2027 report as part of the AI Futures Project, a non-profit forecasting the future of AI. It was a wide-ranging scenario prediction for the next three years in AI. This chapter looks at the most important development in cybersecurity, the rapid rise of SOC Automation, and makes predictions based on some of the conclusions from the report.

Like most scenario planners, the authors started with today and projected forward based on how we got here. The “intelligence” of LLMs is growing at 10X a year. That makes it hard for anyone to predict the near future because humans are bad at grasping exponential growth.

The entire AI 2027 scenario hinges on one thing: that the engineers responsible for improving models at OpenAI, Anthropic, Google, Grok, Meta, and DeepSeek will use existing models to assist them, as indeed they are already. This will progress until they have created AI research assistants that are smarter than our smartest humans. By 2027 there will be “superhuman AI researchers.”

After that, AI intelligence grows so fast that superintelligence will appear to have happened overnight. Alvin Toffler and Adelaide Farrell will be nodding their heads at the level of disruption this will cause. “See, this is what we were talking about in Future Shock.”

The same trend is evident in cybersecurity. By 2027, there will be superhuman SOC analysts. Rather than delve into the report’s predictions about misalignment — evil AIs wiping out the human race — consider the implications for our comparably mundane world of cybersecurity.

This scenario is based on the rapid increase in intelligence in AIs with superintelligence only one year away.

As we go to press, we learned of the first large technology company to say it had eliminated its SOC team, replacing it with fully automated agent triage of alerts. It’s happening.

Of the 378 AI Security vendors tracked in the IT-Harvest Dashboard, 58 are in a category I call SOC Automation. The concept is simple: alert triage will be handled by AI agents.

There have always been two sides to cybersecurity:

The protective side represented by firewalls, hardened configurations, multi-factor authentication, and encryption — things that either stop attacks altogether or dramatically increase the costs for the attackers.

The detective side is where the SIEM (Security Information and Event Management) comes into play. Everything that can be is instrumented to report what is happening. Logs and alerts are funneled into a centralized SIEM where they are prioritized based on algorithms. SOC analysts use analytic tools to “hunt” down the causes of the tiny, tiny fraction of alerts that they have time for and take actions to stop an ongoing attack or clean up after an attack.

(Yes, there is a third side to cybersecurity, compliance, which seeks to demonstrate that the protective and detective sides are deployed and working.)

Note that the average age of the 50+ SOC Automation startups is three years. And the average headcount (leaving out Torq, a pre-ChatGPT company) is 27 people. Note also that the biggest post-ChatGPT company, Exaforce, announced a $75 million series A investment from Khosla Ventures, Mayfield and Thomvest Ventures in April 2025.

You may think the Exaforce press release over-hypes their “Agentic SOC Platform that combines AI agents (called “Exabots”) with advanced data exploration to give enterprises a tenfold reduction in human-led SOC work, while dramatically improving security outcomes.” But you would be wrong.

About the same time, Torq acquired an Israeli startup that was still in stealth. Ofer Smadari, CEO, said: “By integrating Revrod into Torq HyperSOC 2.0, our most advanced platform yet, we’re delivering the world’s first OmniAgent: a robust, collaborative, AI-driven system that autonomously investigates, triages, and remediates threats with near-human-level analysis and precision.”

When I wrote about the rise of SOC Automation in April of 2025, I predicted that “by the end of the year, they will work so well that most of these vendors will experience skyrocketing sales. Only those that attract enough investment will be able to scale to meet the demand.” After writing that in a Substack post, the startups reached out to tell me I was wrong. They were already getting sales. As of this writing, many are over $3 million in ARR.

If a CISO can invest in SOC Automation and 10X their alert triage, let alone stop attacks, they will pay. And if you argue that LLMs are not good enough to displace humans, what happens to your argument in 12 months when the LLMs are ten times better? Thinking exponentially can dramatically impact your scenarios.

The founders of AI Security companies are all thinking exponentially. The investors too. This is going to be a scaling race. Strategic buyers are going to pay extraordinary amounts to place their bets and not get left behind. Rapid advances in technology can leave the biggest companies floundering for relevance.

Here are more predictions based on the concept of the intelligence explosion described in AI 2027. Keep in mind that we are talking about the biggest technological shift in our lifetimes; bigger than the internet, mobile computing, virtualization, and cloud computing. So there are going to be outsize changes in the landscape.

By the end of 2026, 95% of all SOCs will use AI agents, including those of MSSPs. In other words, most medium to large companies will see a dramatic decline in their security spend and will no longer need a large percentage of their security teams.

More than 50% of SMBs will subscribe to automated detection and remediation from new suppliers.

Several of these companies will have billion-dollar valuations before the end of 2026. Not a stretch considering that Protect AI, one of the AI Model Protection companies, was reportedly acquired by Palo Alto Networks at a cost between $600 and $750 million.

One of these companies will be on track to have a billion dollars in revenue at the end of 2027. That’s right. Faster growth than Wiz ever saw.

The costs for attackers will skyrocket. Only nation states will have the resources to devise attack methods that will bypass AI defenses. It will be cheaper to infiltrate a target with human spies than it will be to devise a cyberattack that can penetrate the AI defenses.

I have always found it a valuable exercise to recognize when massive change is on the horizon and predict the impact. Everyone in the security industry should be evaluating the advent of superintelligence and making plans to take advantage of it. Start by looking at these 61 vendors which have taken in $1.5 billion in funding:

Company                    Country                Investment ($M)   Employees
Torq                       USA                    $330M             397
Blink Ops                  Israel                 $100M             118
exaforce                   USA                    $76M              86
Intezer                    USA                    $58M              79
7AI                        USA                    $202M             74
TENEX.AI                   USA                    $27M              65
Prophet Security           USA                    $41M              62
Radiant Security           USA                    $15M              61
Andesite                   USA                    $38.25M           56
Simbian                    USA                    $10M              55
Dropzone AI                USA                    $57.35M           54
Cognna                     USA                    $2.2M             52
Legion Security            USA                    $38M              51
Qevlar                     France                 $15.03M           51
Conifers.ai                USA                    $25M              46
PRE Security               USA                    $6M               44
AiStrike                   USA                    $5.15M            41
Daylight Security          Israel                 $40M              41
Nua                        South Korea            -                 39
Vinci Logic                France                 -                 39
Command Zero               USA                    $45.27M           37
Mate Security              Israel                 $15.5M            36
Imperum                    Netherlands            -                 36
Secure.com                 United Arab Emirates   $4.5M             36
Crogl                      USA                    $30M              34
Camelot Secure             USA                    -                 30
Bricklayer AI              USA                    $7.5M             29
Miru Labs                  USA                    $2.7M             26
StrikeReady                USA                    $15.6M            26
CipherData                 USA                    -                 25
Nebulock                   USA                    $8.5M             24
Arcanna AI                 USA                    $4.9M             22
DeepTempo                  USA                    -                 21
Sevii                      USA                    -                 20
Backline AI                USA                    $9M               20
Method Security            USA                    $26M              19
Opnova                     USA                    $3.75M            18
RedCarbon                  Italy                  -                 18
Tencyle                    Israel                 -                 17
GUARDDOG                   USA                    $3.38M            16
Redblock                   USA                    -                 16
Circumvent                 Australia              $6M               14
Kenzo Security             USA                    $4.5M             14
Embed Security             USA                    $6M               13
WiseBee                    USA                    $2.5M             12
Variance (was Intrinsic)   USA                    $3.6M             12
Culminate                  USA                    -                 10
Priam Cyber AI             United Kingdom         $2.62M            10
Wraithwatch                USA                    $8M               10
Zaun                       USA                    $1.5M             10
Edge Delta                 USA                    $81M              8
System Two Security        USA                    $7M               8
TandemTrace                Spain                  -                 8
Alpha Level                USA                    $1M               6
Tier4 AI                   USA                    -                 6
Cotool                     USA                    $0.5M             4
Huntbase                   United Kingdom         -                 4
SEKOIA.IO                  France                 $79.33M           3
Surf.ai                    USA                    Stealth           -
Fig Security               USA                    -                 9

MDR Powered by AI

Rather than deploy agents in your SOC, why not outsource to an AI-powered MDR provider? Here are three.

What’s Next for SOC Automation?

In 2025 the most common architecture for SOC Automation solutions was to deploy specialist agents, each with its own expertise: one for each SIEM and alert repository, and one for each sensor (firewall, IDS, NDR, UEBA, threat intelligence feeds, etc.). All of these specialists are managed by an “orchestrator” that assigns tasks, compiles results, and makes decisions.
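The orchestrator-plus-specialists pattern described above, as an added Python sketch that is not from this chapter or from any vendor named in it. The alert fields, the three specialist agents, their scores, the blocklist and baseline data, and the action thresholds are all constructed assumptions; the point it shows is the orchestrator fanning one alert out to the specialists, compiling their findings, and applying a deterministic policy that decides when a human must stay in the loop.

```python
from dataclasses import dataclass, field

# Constructed sample alert shaped like an enriched SIEM record; not real data.
SUSPICIOUS_ALERT = {"id": "ALERT-0001", "user": "jdoe", "dest_ip": "203.0.113.7",
                    "process": "powershell.exe", "siem_severity": "medium"}

# Constructed reference data the specialists consult (hypothetical, not a real feed).
INTEL_BLOCKLIST = {"203.0.113.7"}
USER_BASELINE = {"jdoe": {"cmd.exe", "outlook.exe"}}
SEVERITY_SCORE = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 0.95}


@dataclass
class Finding:
    agent: str
    score: float      # 0.0 (benign) .. 1.0 (malicious), this specialist's own view
    rationale: str    # kept so an analyst can audit why the orchestrator decided

# Specialist agents: each understands exactly one data source.
def siem_agent(alert):
    sev = alert["siem_severity"]
    return Finding("siem", SEVERITY_SCORE[sev], f"SIEM severity is {sev}")

def threat_intel_agent(alert):
    hit = alert["dest_ip"] in INTEL_BLOCKLIST
    return Finding("threat_intel", 0.9 if hit else 0.1,
                   "destination on blocklist" if hit else "no intel match")

def ueba_agent(alert):
    unusual = alert["process"] not in USER_BASELINE.get(alert["user"], set())
    return Finding("ueba", 0.7 if unusual else 0.1,
                   "process outside user baseline" if unusual else "process matches baseline")

SPECIALISTS = [siem_agent, threat_intel_agent, ueba_agent]

# Deterministic guardrails: policy the orchestrator enforces, not something a model decides.
AUTO_CONTAIN_THRESHOLD = 0.8   # at or above: act autonomously, human on the loop
ESCALATE_THRESHOLD = 0.5       # between the two: a human must be in the loop
DESTRUCTIVE_ACTIONS = {"wipe_host", "disable_account"}   # never taken automatically


@dataclass
class Verdict:
    alert_id: str
    score: float
    action: str
    needs_human: bool
    findings: list = field(default_factory=list)

def orchestrate(alert, specialists=SPECIALISTS):
    """Fan the alert out to every specialist, compile their findings, apply policy."""
    findings = [agent(alert) for agent in specialists]
    score = round(sum(f.score for f in findings) / len(findings), 3)
    if score >= AUTO_CONTAIN_THRESHOLD:
        action = "isolate_host"
    elif score >= ESCALATE_THRESHOLD:
        action = "escalate_to_analyst"
    else:
        action = "close_as_benign"
    needs_human = (action in DESTRUCTIVE_ACTIONS
                   or ESCALATE_THRESHOLD <= score < AUTO_CONTAIN_THRESHOLD)
    return Verdict(alert["id"], score, action, needs_human, findings)
```

Because the thresholds and the destructive-action set live in code rather than in a prompt, a smarter model swapped into a specialist raises the quality of the findings without being able to widen what the system is allowed to do on its own.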

2026 will be a breakout year for AI deployed to take over the SOC. It’s a binary set of outcomes. Either SOC Automation works better than what organizations do today or it doesn’t. If it proves to be better, the challenge for the providers is going to be how to scale to meet demand. Many have the funding to scale, but there are many ways to stumble and many competitors waiting to fill the void in capability, delivery, or support.

If it doesn’t, just wait. LLMs are improving in most measures of intelligence at the rate of doubling every two and a half months. An important question to ask any AI Security vendor is how they are structured to take advantage of that rapid rise in capability. Will you benefit from that? In other words, you may make an investment at parity in total cost of ownership today, but see a doubling in return on investment in a few months.

Story

Sam Jones

Sam Jones is the co-founder and CEO of Method Security, a cybersecurity startup building autonomous cyber systems for America’s top security teams. The company raised $26 million in November 2025 from General Catalyst, Andreessen Horowitz, and other notable investors. Founded in 2023, Method is quickly becoming one of the hottest startups in its sector, with Jones at the helm from day one. But his path into cybersecurity didn’t start with a grand plan — it started with a lucky first job three days after high school graduation. Since then, Jones has moved through the Air Force Cyber mission, Palantir’s data-driven world, and the unforgiving rigor of autonomous military aviation at Shield AI, collecting a single, consistent obsession along the way: build systems that can operate at scale, safely, and with discipline.

From Air Force Cyber to Cybersecurity Innovation

I didn’t set out to build a security company. I didn’t even set out to build a career in cybersecurity.

I had just graduated high school, and three days later I landed an internship with General Dynamics Information Technology (GDIT) doing Air Force security work. It happened almost by accident, but that job lit something up in me. The work was a lot of classic network security: architecture, firewall configurations, setting up tests, simulating scenarios. Not glamorous, maybe, but it was hands-on and real.

I remember thinking: this is cool — this is interesting. And once that hook goes in, it doesn’t really come out.

I studied computer science and always thought of myself as a software person. But early on I got an opportunity to work for the Air Force as part of a scholarship payback — civilian commitment, the kind of deal where you learn quickly that mission comes with constraints. I worked for Air Force Cyber, the cyber component of the Air Force, and that’s where security became real for me. It wasn’t just “defend a network,” it was offense and defense in a way the commercial world rarely gets to see. You’re close to the operators, close to the consequences. It’s the widest, most vivid aperture into what cyber actually means when it matters.

But there was a problem. A big one. If you’re deep inside government structures like that — especially at the bottom of the totem pole — you don’t build software the way builders want to build software. Not the fast, iterative, opinionated kind. And I knew, even then, that I wanted to build.

So when my commitment was done, I drove straight to New York City and joined Palantir in 2014. My goal was simple: I wanted to be on what I believed was the best software team in the world at the time. I ended up running Palantir’s cyber business and product development. Cyber wasn’t the company’s core focus — there were bigger verticals, bigger use cases — but we still did work that shaped how I think about security to this day.

Some of the projects were almost surreal: helping military organizations and partner nations integrate huge amounts of data into a single “data fabric” so they could make unified risk decisions at national scale. When you’ve lived inside that kind of model — where “data integration robustness” isn’t a buzzword but the difference between coherence and chaos — you start to see where most security tools fall short. The technical lesson I took from that era was less about alerts and more about tradecraft: the discipline of data, the architecture of truth, and how brittle everything becomes when the integration layer is weak.

That’s also where I met my co-founders Daniel Kelly and Sean Hacker. We worked together in that world — building, shipping, scaling at serious scope — so we had a shared baseline for what “good” looks like.

After Palantir, I made what looks like a left turn: I joined Shield AI in 2018 when it was still early — around employee #20. Shield AI builds autonomy for military jets and drones. This was before AI became a meme. And it’s not the kind of AI where you can hand-wave away failure with a product blog post.

In autonomy, you can’t mess up. There’s no “slop.” There’s no “we’ll patch it later.” It’s no-fail. That environment builds a particular kind of engineering honesty into you: simulate everything, regression test relentlessly, treat data like a first-class artifact, think hard about human-in-the-loop versus on-the-loop. And without realizing it at first, that philosophy started to become my lens for every other domain — including security.

A Glimpse of the Future Lit a Spark for Something New

Here’s the part that still makes me smile: I had the idea for Method Security in my third week at Shield AI.

I wrote myself a note — one of those private receipts you leave behind for your future self — basically saying: do what you’re doing for drones, but do it for cyber. Build the always-on attack agent.

The only thing missing was the raw material. At the time, language models weren’t there yet. Not really.

So I went and got reps. I joined Stellar Cyber because I wanted to prove to myself that I could be an executive in a security company, that I could navigate the channels and the distribution mechanisms you need to win. But the moment the models got good enough, I called my friends from Palantir and said: It’s time. We have to start this company now.

In the earliest days of Method, we did what builders always do: we hacked together a prototype to see if the world we imagined could actually exist.

I built a little pentest bot using GPT-3. It was dumb, honestly — but it was enough to prove the direction. Then, on our first weekend as a company, we built version two with GPT-3.5, pointed it at my home network, added some of the data “magic” we knew how to do well, and got it to autonomously hack my printer.

Was it a little canned as a demo? Sure. But it was real software. It did the thing. And that prototype is what we took to Andreessen Horowitz. We showed them. We raised our seed round in October 2023. Less than a year after ChatGPT changed the temperature of the world. But the demo wasn’t the point.

The point was the thesis: how can we safely allow organizations to attack themselves at ludicrous speeds compared to the human rate-limited world they live in today? The safety part is not a tagline. It’s the entire game.

Those Who Win Obsess Over the Fundamentals

Even early, we had a strong technical opinion, one that shaped every decision we made: the models would get commoditized, and they would get better, fast. That meant the advantage wouldn’t come from clever prompt tricks or “agent swarms” that looked exciting in 2023. It would come from the infrastructure underneath: data tooling, guardrails, deterministic enforcement, and interfaces that make models productive without letting them drive the car. So we built that.

We built MCP-like interfaces before MCP was a thing because we knew we’d need a strongly typed, networked data substrate, something like what Palantir now famously describes as an ontology for LLMs. And we built guardrails — not vague “AI safety” vibes, but deterministic system controls where the system stays in charge.

A lot of companies that spent their time chasing agent theatrics in 2023 and 2024 ended up with work that doesn’t matter now because the baseline models moved. But the investments we made — those aged well. They’re paying off. By the time of this interview, Method is a Series A company. Andreessen Horowitz led our seed; General Catalyst led our Series A. We’re 19 full-time people and nearly all of us are hands-on engineers — 16 out of 19. That’s not an accident; it’s a belief system. Transformational companies are engineering culture companies. Yes, you need sales to win. But the best products — the ones that reshape categories — come from builders who obsess over the fundamentals.

We have customers in the Fortune 500, the U.S. government, the Department of Defense, and others. Commercial customers are fully in production, using us offensively and defensively. The offensive traction surprised even us. Everyone knows elite teams have red teams, but I didn’t fully appreciate the hunger for better tooling until we shipped into that reality.

Government adoption is more nuanced, as it should be. Defensive workflows are in production. Offensive use cases often start in training environments and labs. And, frankly, our platform forces bigger questions — training, doctrine, what “always-on” even means when your adversary has automation too. Those changes don’t happen overnight.

Don’t Simply Bolt “AI” Onto Yesterday’s Process

When people ask me about scale, I split the question in two.

Can the platform handle massive, complex customers? Yes. We deliberately chose our first customers because they were hard — serious Fortune 500 complexity, a military service as an early government customer. That’s usually a death wish for startups. For us it was intentional muscle-building. We came from building software at that scale, and we wanted to prove it again.

Could we suddenly support a thousand customers overnight with the full go-to-market and support infrastructure? Not yet. We know exactly what to do, but we haven’t spent time building that machinery because our current strategy is low-density, high-value customers: fewer logos, deeper impact.

And if you ask me what I tell enterprise security teams who want “some of that AI” — I get almost annoyingly simple.

Work backwards from the problem.

Boards love to decree, “We need AI,” and then the organization buys the wrong thing. Instead, start by empowering your security team to prototype. Give them accredited models in workflows they can touch. Let excitement and use cases emerge organically. Then look for the repetitive, soul-draining tasks — reporting, triage, AppSec analysis — where humans are acting like glue between systems. That’s where automation belongs.

People also ask whether teams will build their own agents. They already are. Some customers build lightweight applications around their SIEM. If you have the right software platforming, it’s remarkably easy. But without that platform layer, you can’t do the hard parts: the data work, the C2 work, the unglamorous AI infrastructure. That’s the divide. Our view is: let customers bring their workflows and extend the platform, but don’t make them reinvent the machinery nobody actually wants to maintain.

As for the giants — the platform vendors buying up AI security startups — I respect them. I use many of their products. But I’ve also watched how hard it is for incumbents to truly platformize beyond the first big thing. When technology change accelerates, it creates space for challengers. And right now, the velocity is extraordinary. There are areas where I think incumbents are perfectly positioned to crush, especially anything tightly adjacent to SOC and detection/response workflows where they already own the data layer. But what we do — this posture-and-attack platform, with a different integration and data story — I think we can stand alone.

That’s the thread that ties my whole career together, from Air Force networks to nation-scale risk decisions to autonomy that can’t fail:

Speed matters — but structure matters more.

And in the machine age, the teams that thrive won’t be the ones who bolt “AI” onto yesterday’s process. They’ll be the ones who build systems that can move fast without letting go of the wheel.