The visibility gap holding back the agentic SOC
AI agents are quickly becoming the cybersecurity industry’s favorite promise.
In theory, they can triage alerts, investigate incidents, and respond to threats – acting as force multipliers for overstretched SOC teams.
In practice, many security leaders are discovering that agents are failing.
Senior Technical Manager at ExtraHop.
Not because these agents are incapable, but because they lack the data and context to understand activity across the network and respond appropriately.
Autonomy is compelling, but without the right data it is less useful automation than hopeful guesswork, and that guesswork is quietly creating a visibility gap at the heart of the agentic SOC.
The context problem
Most AI agents rely on the same fragmented telemetry stacks that analysts have struggled with for years. Endpoint logs in one tool, cloud signals in another, identity data elsewhere, and network traffic often underused or ignored. Each source tells part of the story, but none provide the full picture no matter what dashboard you favor.
When context is missing, agents struggle to reason about what’s normal and what’s malicious. False positives can multiply, investigations can stall, and automated responses can disrupt legitimate business activity.
Practical AI use cases illustrate both the promise and the challenge: agents can automatically isolate compromised endpoints after detecting unusual login patterns, or flag anomalous lateral movement that would take analysts hours to investigate manually.
Yet these same agents can misfire if the underlying telemetry is incomplete, triggering unnecessary quarantines or failing to detect stealthy, sophisticated threats.
At its core, this isn’t a problem with the AI, but with the information available to it. AI can only act on what it knows. And in many SOCs, it simply doesn’t know enough.
Building a foundation for autonomy
Before organizations push further into automation, they need to address a more fundamental issue: the quality and completeness of their telemetry. Autonomous decision-making requires a constant stream of high-fidelity, trustworthy data – the kind that can be correlated across users, devices, applications, and workloads.
Many practitioners are returning to the foundational principle that the network remains one of the most reliable sources of truth in modern environments. While endpoints can be tampered with and logs siloed, attackers cannot avoid generating network activity. It captures what actually happened – who talked to what, when, and how.
Modern environments demand even more context. Security teams also need visibility into identities behind actions and the behavior of cloud-native and Kubernetes workloads that now power critical business applications.
How context enables effective AI
When these layers – network, identity, and cloud – are unified, agents can operate with clarity. Instead of guessing, they can query rich telemetry directly, enrich alerts automatically, and make deterministic decisions about whether something truly represents risk.
In an effective agentic SOC, AI doesn't replace analysts or blindly trigger responses. It does, though, handle the heavy lifting: correlating signals, surfacing the most relevant evidence, and resolving straightforward incidents so humans can focus on complex threats.
But this only works if the underlying data is complete, structured, and accessible. Put simply, better algorithms can’t compensate for poor visibility.
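To make the point above concrete, here is an added illustration (not code from the article, the author, or ExtraHop) of the enrichment step an agent would run before deciding on an "unusual login" endpoint alert. It joins the alert to hypothetical identity records, network flow records, and a per-role map of expected cloud/Kubernetes destinations, then makes a deterministic decision. Every host name, user, role, port list, byte threshold, and flow record is constructed for the example; the same alert rule fires in both scenarios, and only the context separates a benign on-call login from a lateral-movement-plus-exfiltration pattern.

```python
"""Toy alert enrichment for an agentic SOC: added example, all data constructed."""
from datetime import datetime, timedelta

# --- constructed sample telemetry -----------------------------------------

# Endpoint alert A: the only thing a context-starved agent would see.
ALERT_A = {"host": "wks-042", "user": "j.doe", "rule": "unusual_login_time",
           "ts": datetime(2025, 6, 1, 2, 14)}

# Endpoint alert B: same rule, different user and host.
ALERT_B = {"host": "wks-101", "user": "a.smith", "rule": "unusual_login_time",
           "ts": datetime(2025, 6, 1, 3, 5)}

# Identity telemetry (hypothetical IdP export): is this login plausible for the user?
IDENTITY = {
    "j.doe":   {"role": "sre-oncall", "mfa": True,  "known_hosts": {"wks-042", "wks-019"}},
    "a.smith": {"role": "finance",    "mfa": False, "known_hosts": {"wks-101"}},
}

# Network flow records (hypothetical NDR export): (src, dst, dst_port, bytes_out, ts).
FLOWS_A = [
    ("wks-042", "jira.corp",    443,  120_000, datetime(2025, 6, 1, 2, 20)),
    ("wks-042", "k8s-api.corp", 6443,   9_000, datetime(2025, 6, 1, 2, 25)),
]
FLOWS_B = [
    ("wks-101", "fs-01.corp",   445,     2_000, datetime(2025, 6, 1, 3, 10)),
    ("wks-101", "203.0.113.7",  443, 4_500_000, datetime(2025, 6, 1, 3, 30)),
]

# Cloud/Kubernetes context: which workloads does each role normally touch?
ROLE_ALLOWED_DST = {
    "sre-oncall": {"jira.corp", "k8s-api.corp", "grafana.corp"},
    "finance":    {"erp.corp", "jira.corp"},
}

INTERNAL_SUFFIX = ".corp"
LATERAL_PORTS = {22, 135, 445, 3389, 5985}   # SSH / RPC / SMB / RDP / WinRM
EXFIL_BYTES_THRESHOLD = 1_000_000             # constructed threshold for the toy
WINDOW = timedelta(hours=1)                   # look at flows in the hour after login


def enrich(alert, identity, flows, role_allowed):
    """Join identity and network context onto an endpoint alert."""
    user = identity.get(alert["user"])
    allowed = role_allowed.get(user["role"], set()) if user else set()
    after = [f for f in flows
             if f[0] == alert["host"] and alert["ts"] <= f[4] <= alert["ts"] + WINDOW]
    return {
        "alert": alert,
        "identity_known": user is not None,
        "mfa": bool(user and user["mfa"]),
        "known_host": bool(user and alert["host"] in user["known_hosts"]),
        # Internal destinations this role does not normally reach.
        "unexpected_destinations": [f[1] for f in after if f[1] not in allowed],
        # Admin/file-sharing protocols to other internal hosts after the login.
        "lateral_movement": [f for f in after
                             if f[2] in LATERAL_PORTS and f[1].endswith(INTERNAL_SUFFIX)],
        # Bytes sent to anything outside the corporate namespace.
        "external_bytes_out": sum(f[3] for f in after if not f[1].endswith(INTERNAL_SUFFIX)),
    }


def decide(enriched):
    """Deterministic decision from the enriched record; no guessing."""
    if not enriched["identity_known"]:
        return "escalate"   # cannot reason about "normal" without identity: never auto-act
    if enriched["lateral_movement"] or enriched["external_bytes_out"] > EXFIL_BYTES_THRESHOLD:
        return "isolate"
    if enriched["unexpected_destinations"] or not enriched["mfa"] or not enriched["known_host"]:
        return "escalate"
    return "close_benign"


def decide_without_context(alert):
    """What an endpoint-only agent can do: the rule name alone forces a guess."""
    return "isolate" if alert["rule"] == "unusual_login_time" else "escalate"


def run_scenarios():
    """Compare context-free and context-rich decisions for both alerts."""
    return {
        "A_no_context": decide_without_context(ALERT_A),
        "A_enriched":   decide(enrich(ALERT_A, IDENTITY, FLOWS_A, ROLE_ALLOWED_DST)),
        "B_no_context": decide_without_context(ALERT_B),
        "B_enriched":   decide(enrich(ALERT_B, IDENTITY, FLOWS_B, ROLE_ALLOWED_DST)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} -> {verdict}")
```

Alert A is the on-call SRE logging in at 02:14 with MFA from a known workstation and then touching only destinations the role normally reaches; the enriched decision closes it as benign, while the endpoint-only agent quarantines a legitimate responder. Alert B is a non-MFA finance account whose host then opens SMB to a file server and pushes several megabytes to an external address; here the context-rich decision is to isolate, and the reasons (the `lateral_movement` and `external_bytes_out` fields) are recorded alongside the alert so an analyst can verify them.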
The path forward
As enterprises race to adopt AI-driven defenses, it’s tempting to treat agents as a shortcut to cybersecurity maturity. In reality, they amplify whatever foundation already exists – good or bad.
Organizations with strong telemetry and contextual insights see meaningful gains. Those without it simply automate their blind spots.
The future SOC will absolutely include AI agents. But autonomy needs to start with making sure the system has something trustworthy to see.
AI or not, in cybersecurity, your intelligence is only as powerful as the context behind it.