Segmentation of the AI SOP Market and Types of AI SOC

Clarification of AI SOC, AI SOP, AI Assistants, and SOC AgentsAI SOC is a very general term that has actually existed for a long time.In a broad sense, AI SOC refers to SOCs empowered by AI. This is not a technical term nor a product category (Note: SOC is not a product), but specifically refers to a type of Security Operations Center. Here, AI refers to various AI technologies, including traditional AI and GenAI. It can be said that AI technology has been applied since the first generation of SOCs, for example, rule-based reasoning correlation analysis engines.In 2015,Gartner published a report on intelligent SOCs, pointing out the need to utilize advanced security analytics to implement intelligent SOCs, with machine learning (ML) algorithms for anomaly detection of unknown threats becoming prevalent. Since then, other AI and ML algorithms have emerged to enhance key capabilities such as exposure assessment, alert analysis, situational assessment, and prediction.

Security operations are a process, a collection of procedures, protocols, and operations. Traditional AI has solved some key problems in the security operations process, but it cannot connect the entire operational process, providing limited assistance to overall operations, and still requires a lot of work from security operations personnel.

In the past two years, GenAI/LLM has rapidly risen to prominence, becoming synonymous with AI.GenAI and Agentic AI possess excellent characteristics that surpass traditional AI, such as universality, inclusiveness, autonomy, collaboration, and rapid knowledge activation, which can significantly enhance the efficiency of security operations and are reshaping SOCs.With the deepening application of GenAI/LLM in the field of security operations, the AI SOC we often discuss now typically refers to SOCs empowered/enhanced by GenAI (especially LLM). In fact, the AI in AI SOC must be a composite AI (Composite AI), integrating both traditional AI and GenAI.The core of GenAI/LLM-enabled AI SOC lies in having a GenAI/LLM-enabled security operations platform (AI Security Operations Platform, abbreviated as AI SOP, also referred to as AI SOC platform). Therefore, when we discuss AI SOC today, the core is to discuss the key technologies of AI SOP.Currently, Gartner has defined two specific AI SOP technical concepts: the early “Cybersecurity AI Assistants” and the currently most popular “AI SOC Agents” (also known as “security operation agents”). Almost all SOPs currently apply the “Cybersecurity AI Assistant” technology, while “SOC Agents” have quickly become the main technological development direction of AI SOP.

Cybersecurity AI Assistant/Helper/Co-pilot” leverages GenAI technology to mine existing knowledge from cybersecurity tools, generating relevant content or code to assist the security team’s daily work.

SOC Agents” solutions utilize GenAI and agent technology to enhance various daily activities in security operations. They can assist investigations through natural language queries, reduce false positives, enrich alert information, clarify attack path backgrounds, summarize reports, and provide next-step action suggestions.

SOC Agents are sometimes referred to in the industry as “AI SOC Analysts” to make them appear more humanized and tangible, such as companies like DropZone.AI, Gurucul, Prophet Security, Simbian, Torq, etc.

Segmentation of the AI SOP Market

From a product perspective, the AI security operations platform (AI SOP) market can be divided into three sub-markets/products: “SOP with built-in AI assistants”, “SOC Agents”, and “SOP with built-in SOC Agents”.

SOP with Built-in AI Assistants

Currently, most SOPs (including SIEM, XDR, etc.) have expanded their AI assistant functionalities, leveraging the basic content generation capabilities of (general or security-specific) LLMs. Some have further applied RAG technology, embedding it into application backends or providing dedicated chat UI to offer basic operational assistance to security operations personnel, such as writing alerts or security incident summaries, generating query statements, generating script code, interpreting threat intelligence, retrieving security knowledge, and providing security operation (investigation/disposal, etc.) suggestions, among others.

At present, AI assistants are the most basic application of LLMs, helping security operations personnel with some “gigs”, while the main operational work is still done by humans, and their level of autonomy (L2) is still relatively low.With the application of Agentic AI and agent technology, AI assistants are gradually becoming a standard capability of AI SOC.

Despite being relatively basic, SOPs with built-in AI assistants can be referred to as “AI SOP” or “AI SOC platforms”.

SOC Agents

This is the current hot product track, gathering a large number (40+) of startups. SOC Agents are not a complete SOP but rather an independent product/component that interfaces with existing SOPs through an overlay deployment method【Note 1】, achieving the intelligent, automated, and autonomous operation of existing SOP security operations. SOC Agents do not clean up the existing large SOP market and are favored by existing SOP customers.

Note 1: For more information on overlay deployment, please refer to the section “Integration Deployment Model of Agents” in the article “Practical Experience of Foreign Agentic SOC Platforms”】

Currently, the industry often refers to such products as “AI SOC”, which I believe is inaccurate. Firstly, “AI SOC” is not a product but a system; secondly, these products are not complete security operation platforms. Therefore, it is appropriate for Gartner to refer to them as “AI SOC Agents” (SOC Agents), indicating they are intelligent agent products of SOC systems. Although SOC Agents are not complete SOPs, they can be classified under the AI SOP market.

This sub-market is currently very hot, with many third-party organizations closely tracking this track. Not only has Gartner conducted specific definitions and research on this, but other organizations such as Software Analyst Cyber Research have also conducted in-depth studies, as seen in the report “Comprehensive Report | Analysis of the AI SOC Market Landscape 2025“. IDC China has also recently released several reports in this field.

SOC Agents’ main functions focus on providing automatic alert triage capabilities to L1 security analysts, alleviating or even eliminating the workload of L1 security analysts, some also provide HITL/HOTL (Human-in-the-loop/Human-on-the-loop) mechanisms. The triage here is not based on LLM text classification【Note: Some use pre-trained or fine-tuned LLMs for this, which is not as effective as using discriminative AI】, but rather an entire alert triage process, including alert enrichment, classification and grading, alert escalation/security incident submission, etc.

At the same time, many SOC Agents are beginning to provide capabilities for L2/L3 security analysts, such as security incident investigation, security incident response, security incident disposal report generation, threat hunting, team collaboration assistance, etc.

In addition to targeting analysts at all levels, SOC Agent systems have also developed agents for different roles such as operations managers and security content engineers, such as:

  • For operations managers: risk assessment analysis agents, security operations performance evaluation agents, security content effectiveness evaluation agents, etc.

  • For security content engineers: security content (such as correlation analysis rules, playbooks, black and white lists, etc.) generation and optimization agents, threat intelligence extraction agents, etc.

Additionally, there are SOC Agent systems targeting vulnerability operations and asset operations.

It is important to note that the overall level of autonomy (L3) of current SOC Agent systems is still not very high, with significant human involvement, but it has improved one level compared to the autonomy level of “AI assistants”.

SOP with Built-in SOC Agents

Currently, some vendors are beginning to offer SOPs with built-in SOC Agents, which I refer to as “Agentic SOP” (Autonomous Security Operations Platform).

Agentic SOP refers to SOPs empowered by Agentic AI, which, based on SOP functionalities, uses LLM as the thinking hub, possessing autonomous reasoning, planning, and decision-making capabilities, able to invoke various tools to automatically complete predetermined security operation tasks, and achieve routine security operation goals through human-machine collaboration.

These SOPs clearly aim to replace existing SOPs; they possess complete SOP functionalities while also incorporating SOC Agent functionalities. These vendors mainly include large comprehensive vendors (such as Splunk, PANW, CrowdStrike), comprehensive tech giants (such as Microsoft, Google, etc.), and innovative companies (such as Exaforce, Radiant Security, etc.)【Note 2】. The article “Recent Developments in Foreign Agentic SOC (2025Q3)” provides updates on the latest product developments of the first two types of typical companies.

【Note 2: Regarding innovative companies, they are mainly concentrated in the SOC Agent field, with over 40 companies, while there are not many innovative companies developing complete Agentic SOPs, as this involves both agent technology and next-generation SOP technical architecture, which is quite complex】

It is worth noting that SOPs with built-in SOC Agents all possess AI assistant functionalities, covering those with built-in AI assistants, but not vice versa. However, as the SOC Agent technology route becomes clearer, SOPs with only AI assistant functionalities are increasingly moving towards SOC Agents.

SOPs with built-in SOC Agents have opened the path to AI-native security operation platforms. However, the current AI-native level of these SOPs is still relatively low.

Classification of AI SOC Types

For users (such as client users, security operation service providers, etc.), AI SOC refers to a set of AI security operation systems they build using AI SOP. Depending on the AI SOP products used in AI SOC, it can be divided into three types【Note 3】.

Note 3: It should be noted that due to the rapid development of SOC Agent technology, almost all AI SOCs have adopted this technology. I believe that studying AI SOCs constructed solely using AI assistant technology is of little significance, thus they are not included in the classification】

AI SOC built on “SOP with built-in SOC Agents”

This is the clearest type of AI SOC, utilizing a brand-new technical architecture, with native AI capabilities and agents, where the effects of AI are maximized. However, this type of AI SOC poses higher challenges to the user’s entire operational system, as it also involves re-adapting the organization and processes.

AI SOC built on “Traditional SOP + SOC Agents”

This type of AI SOC may be more favored by existing SOC users, as it generally maintains the existing security operation system while adding an intelligent automated operational scheduling layer. This type of AI SOC has a more controllable impact on the client’s organization and processes, and the costs are also lower. Currently, due to the high deployment rate of foreign SOCs, most AI SOP products are concentrated in the SOC Agent track.

However, in this model, the existing SOC data platform often has many defects, which limits the effectiveness of AI. For more information, please refer to the section “Integration Deployment Model of Agents” in my article “Practical Experience of Foreign Agentic SOC Platforms”.

AI SOC built on “Traditional SOP + General Agent Platform + Agent Development”

This type of AI SOC is often found in large, advanced enterprises with AI development capabilities. They conduct research and based on existing SOPs, procure (or deploy open-source) a general agent platform (such as n8n, Akira, Beam, Coze, Dify, etc.), develop the necessary agents for security operations based on this general agent platform, and interface them with existing SOPs to achieve intelligent, automated, and autonomous security operations. Currently, there are also many general agent platforms, making this a competitive sub-market.

This model requires high development capabilities and understanding of security operations business from the clients themselves, and often these enterprises’ existing SOCs are also self-built. Some security operation service providers may adopt this model, but their challenges lie not in the agents but in the coordination and effectiveness of the overall SOP technical architecture.

Conclusion

When researching all AI SOC / AI SOP, another important facility is LLM. Currently, AI SOP has various combination modes with LLM: embedded or external, closed or open.

  • Embedded: refers to LLM embedded in AI SOP products, provided as a complete package to customers.
  • External: refers to AI SOP itself not carrying LLM, but connecting to an external independent LLM through an interface.
  • Closed: means the LLM system embedded (or external) to AI SOP is fixed, and users cannot choose when selecting AI SOP.
  • Open: means the LLM system external (or embedded) to AI SOP is open, supporting various third-party commercial, open-source, or user-owned LLMs, allowing users to choose freely.

Currently, the mainstream trend in the industry is for AI SOPs to adopt external LLM modes and use open interfaces, supporting various LLMs.

Finally, to give a practical example, the MetaSec-SOP from my company, Ruian Zhiyuan (metasec.com.cn), is an AI SOP that integrates SOC Agent technology, utilizing a new data architecture and process architecture. Its SOC Agent subsystem can also serve as an independent component to interface with users’ existing SOPs, achieving autonomy in existing SOPs. MetaSec-SOP can connect to various LLMs, allowing users to choose freely. Welcome to learn more.

【Appendix】 Classification of Autonomy Levels of AI SOP

Segmentation of the AI SOP Market and Types of AI SOC

L0 indicates a non-autonomous SOP. At this level, security operations rely entirely on human involvement, with all security operations performed manually by human analysts configuring and operating various security operation tools.

L1 indicates a SOP with preliminary autonomy. At this level, security operations have achieved automation of repetitive tasks, using rule-based expert systems (such as SOAR) for automatic execution, with processes and work steps predefined, and the invocation of various security operation tools also pre-arranged.

L2 indicates the introduction of LLM and a certain level of autonomy in SOP. At this level, security operations are primarily human-driven, with LLM serving as an auxiliary tool for humans. The processes and steps of security operations are still predefined, and the invocation of tools is also pre-arranged, but some operational process nodes utilize LLM, achieving partial autonomy in tasks.

L3 indicates a true SOP with autonomous planning and decision-making capabilities centered around LLM (also known as SOC 4.0 or Agentic SOP). At this level, LLM becomes a partner to humans rather than a simple tool, but human involvement is still required in all operational aspects (including configuration, supervision, decision-making, optimization, etc.), with security operations planned and decided based on LLM, autonomously generating processes and steps to achieve task objectives, and being able to autonomously invoke security operation tools (including LLM and traditional AI-based tools), although these tools need to be prepared in advance.

L4 indicates a highly autonomous SOP. At this level, AI will autonomously carry out most security operations, with humans primarily serving supervisory and guiding roles, and the main operational processes and steps are autonomously generated, decided, and optimized, with the ability to autonomously create new security operation tools and use them as needed.

The diagram does not depict the L5 (fully autonomous) level of SOP, as this level is unlikely to be achieved in the foreseeable future and may never be.

【References】

Practical Experience of Foreign Agentic SOC Platforms

Analysis of AI Agents and Agentic AI in SecOps, and the SOC Autonomy Level ModelGartner Analysts Discuss AI Agents and Agentic AIRecent Developments in Foreign Agentic SOC (2025Q3)Moving Towards the AI-empowered SOC 4.0 EraTrends in Security Operations Development from the Gartner 2025 North America Security SummitTrends in Security Operations Technology Development from RSAC 2025Review of Security Operations Technology Trends in 2024Analysis and Practice of Autonomous Security Operations Platform Technology

Leave a Comment