
[Gartner SRM Summit 2025] A Realistic Roadmap to an AI-Driven Autonomous SOC


The session “AI-Enhanced SOC: Bridging the Gap to Advanced Automation in 2025,” presented by Kevin Schmidt, was compelling because it offered security professionals a practical, actionable blueprint centered around the concept of an Autonomous SOC.


Redefining Human-AI Collaboration: There Will Never Be a Fully Autonomous SOC

Kevin opened provocatively: “There will never be a fully autonomous SOC.” He cited Gartner’s December 2024 Research report “Predict 2025: There Will Never Be an Autonomous SOC” to support this claim. He then dispelled the myth that an Autonomous SOC means sidelining analysts. Instead he described the model as the ultimate partnership: AI handles triage, initial analysis and routine response automatically, freeing analysts to focus on high-level threat investigations and strategic decision-making.


To explain how this collaboration evolves, Kevin introduced two core concepts:

Human-in-the-Loop (HITL), where AI assists analysts by summarizing alerts or gathering context, but analysts review and approve every action; and Human-on-the-Loop (HOTL), where AI agents score their own confidence and act independently on routine cases, while analysts oversee only low-confidence or novel situations.


  • Augmented SOC Stage: Human-in-the-Loop: In this phase AI acts as a co-pilot for analysts. It summarizes alerts and gathers relevant context to support human judgment. All final decisions and responses remain with the analyst, who reviews and approves every AI suggestion before action.



  • Autonomous SOC Stage: Human-on-the-Loop: At this level AI moves beyond assistance to perform independent analysis and initial response based on confidence scoring. Rather than reviewing every action, the analyst intervenes only when the AI’s confidence is low or when novel or edge-case attacks arise. In these exceptional situations the analyst supervises and makes the final decision.



This redefinition helps clarify a crowded SOC landscape and shifts the goal of AI adoption away from headcount reduction toward maximizing the value of human talent.


A Four-Stage SOC Automation Maturity Model

Recognizing that every organization’s context and maturity level differ, Kevin introduced a four-stage maturity model for AI-powered SOCs. This framework lets each organization assess its current position and follow concrete guidelines to advance to the next level.


Stage 1: Manual SOC

Features: Little to no automation; every process relies on analysts, resulting in slow response times, inconsistent outcomes and high burnout;

Challenge: Establish a solid foundation by defining clear objectives, processes and standard operating procedures;


Stage 2: Semi-Automated SOC

Features: Introduces tools such as SOAR to automate repetitive tasks like enriching alerts and generating tickets;

Key Strategy: Apply a use-case framework to automate the most impactful and time-consuming areas first - for example, the most frequent threat types or longest handling processes;


Stage 3: Augmented SOC

Features: AI co-pilots support analysts by providing natural-language context for alerts, finding similar past incidents and suggesting next steps;

Key Strategy: Operate under a human-in-the-loop model. Analysts thoroughly verify every AI suggestion and provide feedback to steadily improve model confidence while rapidly upskilling junior analysts;


Stage 4: Autonomous SOC

Features: Advanced AI agents powered by LLMs and knowledge graphs independently collect and analyze data, then act on high-confidence threats;

Key Strategy: Transition to a human-on-the-loop model. This is only possible when security policies, response playbooks and risk governance are highly mature; define clear guidelines and controls in advance to safely allow AI autonomy;


This four-stage model provides a useful roadmap, yet organizations can skip stages depending on their readiness. Still, a solid foundation of mature operations, clear policies, defined procedures and trained personnel is essential for success.


Measuring Success Is Mandatory

One of the session’s most emphatic messages was the importance of measurement. Every technology investment in your SOC must demonstrate tangible results. By establishing a clear baseline from the start, you can objectively prove efficiency gains and ROI after automation and AI enhancements. Kevin also outlined the key performance indicators to track at each maturity stage, ensuring you know exactly how far you’ve progressed and what impact your improvements have delivered.



As maturity grows, the focus moves from throughput and speed to AI performance and confidence, and then to analyst satisfaction. He also warned against blindly trusting the results of automation and AI tools and advised continuously validating the outputs from security tools against established metrics.



The Future of SOC: A Human-Centric Evolution Beyond Technology

This presentation cut through the hype and anxiety around AI-driven SOCs and offered a vision of true collaboration between technology and people. Tomorrow’s SOC will not replace analysts but will empower them with AI as a capable assistant so they can focus on high-value tasks.


Advances in EPP and EDR have transformed threat detection. When PAGO first introduced MDR in Korea, we were frequently asked how to handle false positives from AI and machine learning tools. The answer was simple: without human validation it is impossible to maximize the effectiveness of AI-based security tools.


In an autonomous SOC model the core concept is high confidence scoring by AI agents. When the confidence score is strong AI handles the response. When it is low or the situation is novel an analyst reviews and decides. That confidence score itself must be born from human insight and organizational context. No amount of agentic AI can fully grasp that context without analyst feedback.
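To make the confidence-score routing concrete, here is an added Python illustration (not code from the session, from Gartner or from PAGO) of the HITL/HOTL split described above and of the advice to keep validating automation output against metrics. Every threshold, alert category, alert and analyst verdict in it is constructed for the example: alerts in a category that analysts have not yet approved for autonomy, alerts the agent flags as novel, and alerts below the confidence threshold all go to an analyst; the rest are auto-handled. Analyst verdicts on sampled AI decisions feed an override rate per category, and a category is promoted to human-on-the-loop or demoted back to human-in-the-loop from that measured rate rather than from trust in the model alone.

```python
"""Confidence-scored alert routing with analyst feedback (constructed example).
Thresholds, categories, alerts and verdicts are invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

AUTO_THRESHOLD = 0.90      # assumed minimum AI confidence for an unattended response
MAX_OVERRIDE_RATE = 0.10   # assumed tolerated share of AI decisions reversed by analysts
MIN_SAMPLE = 5             # assumed number of verdicts needed before trusting that rate


@dataclass
class Alert:
    alert_id: str
    category: str        # e.g. "phishing", "commodity_malware"
    confidence: float    # the agent's self-reported confidence, 0.0 to 1.0
    novel: bool          # True when the agent found no similar past incident


@dataclass
class Router:
    """Routes each alert to unattended response ("auto") or an analyst queue."""
    autonomous_categories: Set[str] = field(default_factory=set)   # trusted for HOTL
    verdicts: Dict[str, List[bool]] = field(default_factory=dict)  # True = AI was right

    def route(self, alert: Alert) -> str:
        if alert.novel:                                      # novel cases always go to a person
            return "analyst"
        if alert.category not in self.autonomous_categories:  # still human-in-the-loop
            return "analyst"
        if alert.confidence < AUTO_THRESHOLD:                # low confidence is the exception
            return "analyst"
        return "auto"

    def record_verdict(self, category: str, ai_was_correct: bool) -> None:
        """Analyst feedback on a sampled AI decision (auto-handled or suggested)."""
        self.verdicts.setdefault(category, []).append(ai_was_correct)

    def override_rate(self, category: str) -> float:
        """Share of AI decisions in this category that analysts reversed."""
        v = self.verdicts.get(category, [])
        return sum(1 for ok in v if not ok) / len(v) if v else 0.0

    def revalidate(self) -> Dict[str, str]:
        """Promote or demote categories from the measured override rate.
        A category only runs unattended while analysts keep confirming it."""
        changes: Dict[str, str] = {}
        for category, v in self.verdicts.items():
            if len(v) < MIN_SAMPLE:
                continue
            trusted = category in self.autonomous_categories
            rate = self.override_rate(category)
            if trusted and rate > MAX_OVERRIDE_RATE:
                self.autonomous_categories.discard(category)
                changes[category] = "demoted"
            elif not trusted and rate <= MAX_OVERRIDE_RATE:
                self.autonomous_categories.add(category)
                changes[category] = "promoted"
        return changes


def auto_share(decisions: Dict[str, str]) -> float:
    """Fraction of alerts handled without an analyst: a simple throughput baseline."""
    if not decisions:
        return 0.0
    return sum(1 for d in decisions.values() if d == "auto") / len(decisions)


def demo() -> dict:
    """Run one review cycle over constructed alerts and verdicts."""
    router = Router(autonomous_categories={"phishing"})
    alerts = [
        Alert("A1", "phishing", 0.97, novel=False),           # trusted, confident -> auto
        Alert("A2", "phishing", 0.80, novel=False),           # below threshold -> analyst
        Alert("A3", "phishing", 0.99, novel=True),            # novel -> analyst
        Alert("A4", "commodity_malware", 0.99, novel=False),  # category still HITL -> analyst
    ]
    before = {a.alert_id: router.route(a) for a in alerts}

    # Constructed verdicts: phishing automation was wrong 3 of 10 times,
    # while the malware co-pilot's suggestions were confirmed 6 of 6 times.
    for ok in [True] * 7 + [False] * 3:
        router.record_verdict("phishing", ok)
    for _ in range(6):
        router.record_verdict("commodity_malware", True)

    changes = router.revalidate()
    after = {a.alert_id: router.route(a) for a in alerts}
    return {
        "before": before,
        "after": after,
        "changes": changes,
        "phishing_override_rate": router.override_rate("phishing"),
        "auto_share_before": auto_share(before),
        "auto_share_after": auto_share(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the loop the post argues for: the phishing category starts out trusted, analysts reverse 30% of its decisions, and it drops back to human-in-the-loop; the malware category earns promotion only after enough confirmed verdicts. The same verdict log gives the measurement baseline (override rate, auto-handled share) that the session says must exist before any claim of efficiency gain is made.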


In reality fully autonomous SOCs will never exist. Both augmented and autonomous SOCs rely on human participation. We must return to the fundamentals of people, process and measurement. With thoughtful preparation and continuous learning we can build security operations that are stronger, more efficient and ready for the AI era.


Author - Pyo Kwon (CPTO), PAGO Networks


