{"id":8520,"date":"2026-06-18T09:01:00","date_gmt":"2026-06-18T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8520"},"modified":"2026-06-18T09:01:00","modified_gmt":"2026-06-18T09:01:00","slug":"5-new-security-operations-roles-the-ai-soc-will-create","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8520","title":{"rendered":"5 new security operations roles the AI-SOC will create"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For years we\u2019ve heard the frightening prediction that AI will take jobs away from people. It will and <a href=\"https:\/\/www.cio.com\/article\/4134254\/state-of-it-jobs-ai-sparks-rapidly-changing-market-for-skills.html\">it already is<\/a>, but that doesn\u2019t mean it won\u2019t also create new jobs and skills demands \u2014 like every other labor trend driven by technology advances.<\/p>\n<p>Take security operations for example. Historically, <a href=\"https:\/\/www.csoonline.com\/article\/3840447\/security-operations-centers-are-fundamental-to-cybersecurity-heres-how-to-build-one.html\">security operations centers (SOCs)<\/a> were built on a three-tier analyst model. Tier 1 analysts were junior personnel, paid to monitor activity and triage alerts. Their job was often described as \u201ceyes-on-glass\u201d as they tried to uncover signals among the noise. Tier 2 analysts specialized in investigating alerts (lots of them) that seemed fishy to the Tier 1 crew. When something was truly suspicious or malicious, they took remediation actions or worked with IT teams and others on incident response. Finally, Tier 3 analysts were the most senior and generally focused on threat hunting and engineering. 
Beyond hunting, these gurus performed deep forensic investigations, controls tuning, and <a href=\"https:\/\/www.csoonline.com\/article\/3847510\/rising-attack-exposure-threat-sophistication-spur-interest-in-detection-engineering.html\">detection engineering<\/a>.<\/p>\n<p>Fast forward to 2026 and the <a href=\"https:\/\/www.csoonline.com\/article\/4175349\/ai-becoming-an-soc-imperative-for-curtailing-emerging-cyber-threats.html\">AI-SOC<\/a> (or the agentic SOC, autonomous SOC, human-augmented AI-SOC, etc.) is not only here but also maturing quickly. At last count, there are over 120 vendors claiming to participate in this market.<\/p>\n<p>As of today, AI-SOC capabilities center on autonomous alert triage and basic investigations. When something looks awry \u2014 a suspicious login, an EDR alert, etc. \u2014 agents call disparate tools to enrich the alert, create a timeline of activities, produce a confidence score, and even suggest steps for remediation. Sounds like an <a href=\"https:\/\/www.csoonline.com\/article\/4163299\/the-manager-of-agents-how-ai-evolves-the-soc-analyst-role.html\">efficient Tier 1 analyst<\/a> to me.<\/p>\n<p>In the near future, AI-SOCs will delve into Tier 2 analyst tasks with automated remediation. Additionally, agent swarms will have specialized roles for detection, investigations, remediation, and even system tuning. Some vendors also propose agents for threat hunting and continuous posture management.<\/p>\n<p>There\u2019s still a lot of innovation, development, and real-world testing needed, but it\u2019s clear that agents will increasingly perform more of the heavy lifting. So where does that leave humans? Here are a few roles where cybersecurity professional skills will be needed and in high demand.<\/p>\n<h2 class=\"wp-block-heading\">Security data engineer<\/h2>\n<p>AI agents can deliver value only if they have continuous access to the right data. This requires moving beyond basic SIEM parsers and API connectors. 
Security data engineers must know the ins and outs of all the data: threat intelligence, identity and access management (IAM), cloud logs, endpoint\/network\/application telemetry, business context, third-party access patterns, and so on.<\/p>\n<p>All this data must fit into unified data layers that support multi-modal ingestion. This requires managing massive data pipelines to ensure context-rich, normalized, and high-fidelity logging from a potpourri of assets, cloud infrastructures, SaaS applications, and identity providers.<\/p>\n<p>Ideally, security data engineers will transform today\u2019s data format and API mess into cohesive data layers using standards such as the Open Cybersecurity Schema Framework (OCSF).<\/p>\n<h2 class=\"wp-block-heading\">AI security agent orchestrators<\/h2>\n<p>As agent-based solutions proliferate into swarms, someone has to act as the conductor of the orchestra. This involves an understanding of how to piece together multi-agent systems while defining boundaries and guardrails, establishing memory persistence, and determining which agents can take autonomous actions and which activities still demand a human-in-the-loop.<\/p>\n<p>Aside from technical agentic chops, AI security agent orchestrators will need a keen understanding of business-centric AI applications and workflows, as well as how all this relates to the latest threat intelligence.<\/p>\n<h2 class=\"wp-block-heading\">AI model trainers<\/h2>\n<p>Rather than \u201cset it and forget it,\u201d AI models for security operations demand continuous updating and specific context for each individual organization based on threats, industry, and business processes.<\/p>\n<p>AI model trainers must become adroit with <a href=\"https:\/\/www.infoworld.com\/article\/2335814\/what-is-retrieval-augmented-generation-more-accurate-and-reliable-llms.html\">retrieval-augmented generation (RAG)<\/a> to update models with local threat intelligence, asset criticality maps, new identities, and 
internal network architectural changes. Trainers must also be experts at fine-tuning datasets to ensure accurate and optimized results.<\/p>\n<h2 class=\"wp-block-heading\">AI-augmented threat hunters<\/h2>\n<p>With AI agents in tow, threat hunting evolves from a sporadic to a <a href=\"https:\/\/www.csoonline.com\/article\/4089377\/fighting-ai-with-ai-adversarial-bots-vs-autonomous-threat-hunters.html\">continuous activity<\/a>. This means moving beyond cyber threat intelligence (CTI) update triggers such as new indicators of compromise (IoCs) to focus on adversary behavioral knowledge across entire campaigns and TTPs (throughout the MITRE ATT&amp;CK framework).<\/p>\n<p>In the near future, agents do the basic work while AI-augmented threat hunters use their experience to come up with highly sophisticated, creative, and complex attack scenarios that standard detection logic likely misses. Hunters then utilize AI to instantly write complex queries across massive datasets. The goal? Hunt for adversary intentions \u2014 sensitive data exfiltration, data encryption, etc. \u2014 rather than easy adversary tradecraft such as file hashes or IoCs.<\/p>\n<h2 class=\"wp-block-heading\">AI-savvy red teaming\/penetration tester<\/h2>\n<p>As AI cascades across the enterprise, SaaS applications, and third parties, organizations will need a new breed of red teamers to discover weaknesses and gaps in enterprise AI infrastructure and applications across the software supply chain.<\/p>\n<p>To accomplish this, <a href=\"https:\/\/www.csoonline.com\/article\/4181930\/ai-red-teaming-comes-of-age.html\">AI-savvy red teams<\/a> and penetration testers must possess the skill set and knowledge to circumvent new types of AI-enabled security defenses. 
Once beyond security controls, red teaming and penetration testing roles move on to <a href=\"https:\/\/www.csoonline.com\/article\/4029862\/how-ai-red-teams-find-hidden-flaws-before-attackers-do.html\">attack an enterprise\u2019s internal AI deployments<\/a> \u2014 testing for things such as data poisoning, prompt injection vulnerabilities, and unauthorized access to underlying data stores used for building and fine-tuning various AI models.<\/p>\n<p>As the saying goes, \u201cAI won\u2019t take your job, but someone who knows how to use AI to their advantage will.\u201d Cybersecurity professionals who follow this logic, invest in their skill sets, and pursue jobs like those described above will flourish professionally, prosper economically, and be extremely valuable to their organizations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For years we\u2019ve heard the frightening prediction that AI will take jobs away from people. It will and it already is, but that doesn\u2019t mean it won\u2019t also create new jobs and skills demands \u2014 like every other labor trend driven by technology advances. Take security operations for example. 
Historically, security operations centers (SOCs) were [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8521,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8520"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8520"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8520\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8521"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}