From alert processor to AI supervisor: the new SOC career path


By Securaa

June 15, 2026


A friend of mine runs a 12-person SOC at a financial services firm in Dubai. Last year he promoted his best Tier-1 analyst to a role that didn’t exist six months earlier. The title on the offer letter was “SOC AI Operations Lead.” The salary was 40% higher than her previous role. Her job, roughly, is to make sure the AI agents investigating alerts are doing it correctly.

She doesn’t triage alerts anymore. She hasn’t opened the SIEM queue in months. What she does is review the AI’s investigation reports, flag the ones where the reasoning looks off, tune the detection logic when patterns shift, and brief the SOC manager on which agents are performing well and which need adjustment. She told me the job is harder than Tier-1 triage. Considerably harder. But she also said she hasn’t thought about quitting since the role change, which is notable for someone who was updating her LinkedIn every other week.

This is happening everywhere, not just at well-funded firms. The Tier-1 role as it existed for the last decade (open alert, check five tools, close ticket, repeat) is being automated faster than most career guides have caught up with. The question isn’t whether the transition is happening. It’s where the analysts go next.

The four roles that didn’t exist three years ago

When I talk to SOC leaders who’ve already deployed AI triage, the same four roles keep showing up. Not as future plans. As current headcount.

The first is the AI supervisor. This is the analyst who reviews AI-generated verdicts, challenges the ones that look wrong, and approves containment actions that require human judgment. It sounds simple until you realize that evaluating whether an AI investigation is correct requires deeper security knowledge than performing the investigation yourself. You need to understand the attack technique well enough to know whether the AI’s reasoning holds, and you need to catch the cases where the AI is confident and wrong, which are the dangerous ones.

The second is the detection engineer. This person writes the rules that AI agents execute against. Not SIEM correlation rules, though those are part of it. Detection logic that defines what “suspicious” means in your specific environment. The third-shift nursing staff login pattern. The weekly backup script that looks like encoded PowerShell. The vendor VPN that connects from a different country every month.

Detection engineering is where the analyst’s operational experience becomes institutional knowledge that the platform can act on.

The third is the agent tuner, sometimes called AI trainer. When the AI keeps flagging the same false positive, someone needs to figure out why and fix it. When a new attack technique bypasses existing detections, someone needs to update the behavioral model. This role sits between security operations and data science. You don’t need a PhD. You do need to understand how the models make decisions well enough to adjust them.

The fourth is the automation architect. The person who designs the workflows that connect AI decisions to containment actions. If the AI says “block this IP,” what happens next? Which firewall? Which rule? What’s the rollback plan? What if the IP belongs to a customer? Automation architecture is where playbook design meets real-world consequence, and getting it wrong means the AI breaks something in production.

Why the old ladder doesn’t work anymore

The traditional SOC career path was linear. Tier 1 for a year or two, then Tier 2 if you’re good, then Tier 3 if you’re patient, then maybe SOC manager if you’re political enough. Each tier meant handling more complex incidents, but the fundamental activity was the same: investigate alerts, resolve tickets, write reports.

That ladder assumed the bottom rungs would always exist. If AI handles Tier-1 triage, the bottom rung is gone. Not in five years. Now. An MSSP reported going from 144,000 monthly alerts to 200 requiring human attention. The humans who used to process those 143,800 alerts need somewhere to go.

The new career path isn’t a ladder. It’s a fork. After your first year or two, you pick a direction: detection engineering, AI operations, threat hunting, or automation architecture. Each path requires different skills. Each one pays differently. And none of them involve sitting in front of a queue clicking through alerts for eight hours.

64% of cybersecurity job listings now require AI, ML, or automation skills. Three years ago that number was negligible. The market has already decided what the next generation of SOC roles looks like. The question is whether the current generation of analysts is being given the runway to get there.

The skills gap isn’t what you think

The common narrative is that analysts need to “learn AI.” This is approximately as helpful as telling a doctor to “learn computers” in 1995. Learn what about AI? The math behind transformers? How to fine-tune a model? How to write a prompt?

The actual skills gap, from what I’ve seen, is more specific. Analysts need to learn how to evaluate AI output critically. Not trust it. Not distrust it. Evaluate it. That means understanding what a confidence score actually represents, knowing when to challenge a verdict, and having enough domain expertise to catch the cases where the AI’s reasoning is technically correct but the conclusion is wrong because of missing context.

They need to learn basic scripting. Not software engineering. The ability to write a Python script that automates an enrichment step, queries an API, or processes a log file. This isn’t optional anymore. It’s the difference between an analyst who can identify a detection gap and an analyst who can fix one.
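One way to turn the environment-specific exceptions from the detection-engineering paragraph (the third-shift nursing logins, the weekly backup job that runs encoded PowerShell, the roaming vendor VPN) into the kind of script this paragraph describes, as an added example that is not code from the post or from Securaa: a small Python pass over constructed log records. All field names, account names, paths and countries are assumptions made for the example.

```python
import re
from datetime import datetime

# Institutional knowledge encoded as data. Every value here is constructed for
# this example; in practice these come from the analysts who know the environment.
NIGHT_SHIFT_DEPTS = {"nursing"}                                   # third shift is normal
KNOWN_ENCODED_PS = {("svc_backup", r"c:\ops\weekly_backup.bat")}  # weekly backup job
ROAMING_VENDORS = {"vendor_acme"}                                 # VPN country changes monthly
SEEN_VPN_COUNTRIES = {"vendor_acme": {"IN"}, "j.smith": {"AE"}}   # per-account baseline
# Common spellings of the PowerShell encoded-command switch (-e, -en, -enc, full name).
ENC_FLAG = re.compile(r"\s-e(n|nc|ncodedcommand)?\s", re.IGNORECASE)

# Constructed sample records; "QUFBQQ==" is a placeholder blob, not a real payload.
LOGS = [
    {"ts": "2026-06-14T02:10:00", "event": "login", "user": "nurse_ward3",
     "dept": "nursing", "via": "badge", "src_country": "AE"},
    {"ts": "2026-06-14T02:12:00", "event": "login", "user": "j.smith",
     "dept": "finance", "via": "vpn", "src_country": "AE"},
    {"ts": "2026-06-14T09:00:00", "event": "login", "user": "vendor_acme",
     "dept": "vendor", "via": "vpn", "src_country": "PH"},
    {"ts": "2026-06-14T03:00:00", "event": "process", "user": "svc_backup",
     "cmd": "powershell.exe -enc QUFBQQ==", "parent": "C:\\ops\\weekly_backup.bat"},
    {"ts": "2026-06-14T03:05:00", "event": "process", "user": "j.smith",
     "cmd": "powershell.exe -EncodedCommand QUFBQQ==", "parent": "C:\\Windows\\explorer.exe"},
]


def evaluate(record):
    """Return (rule, severity) findings for one record, applying the local context."""
    findings = []
    if record["event"] == "login":
        hour = datetime.fromisoformat(record["ts"]).hour
        # Off-hours login is suspicious unless the department works nights anyway.
        if (hour >= 22 or hour < 6) and record.get("dept") not in NIGHT_SHIFT_DEPTS:
            findings.append(("off_hours_login", "medium"))
        # VPN from a country not in the account's baseline; known roaming vendors get low severity.
        if record.get("via") == "vpn":
            if record["src_country"] not in SEEN_VPN_COUNTRIES.get(record["user"], set()):
                sev = "low" if record["user"] in ROAMING_VENDORS else "high"
                findings.append(("vpn_new_country", sev))
    elif record["event"] == "process" and ENC_FLAG.search(record["cmd"]):
        # Encoded PowerShell is high severity unless it is the documented backup job.
        if (record["user"], record["parent"].lower()) not in KNOWN_ENCODED_PS:
            findings.append(("encoded_powershell", "high"))
    return findings


def run(logs):
    """Flatten findings over a batch of records as (user, rule, severity) tuples."""
    return [(r["user"], rule, sev) for r in logs for rule, sev in evaluate(r)]
```

Running `run(LOGS)` leaves the nurse login and the backup job silent and surfaces only the three records the local context does not explain.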

And they need to learn how to communicate findings to people who don’t understand security. When the AI handles the grunt work, what’s left is the judgment calls and the explanations. The analyst who can write a two-paragraph executive summary that accurately conveys severity, business impact, and recommended actions is more operationally valuable than the analyst who can manually triage 400 alerts, because the AI can triage the 400 alerts.

What the transition actually looks like

I asked my friend in Dubai how the transition went for his team. He didn’t sugarcoat it.

Two analysts thrived. They were the ones who’d always been curious about why alerts fired, not just whether they were real. They picked up detection engineering quickly because they already understood the logic behind the rules. They just hadn’t had time to work on it because they were buried in the queue.

Three analysts struggled initially but adapted over about four months. They needed training, mentorship, and most importantly, permission to be bad at the new job for a while. The hardest part wasn’t the technical skills. It was the mental shift from “process the queue” to “think about the system.” These were people who’d spent two years being measured on tickets closed per shift. Telling them to slow down and think critically felt wrong until it didn’t.

One analyst left. Not because the new role was bad, but because he’d joined the SOC specifically because the work was predictable and low-ambiguity. He knew how to triage alerts. He didn’t want to evaluate AI decisions or write detection logic. He moved to a compliance role and is reportedly doing well.

The lesson from that experience, and from similar conversations I’ve had: the transition isn’t automatic. You can’t deploy an AI platform on Monday and expect your Tier-1 team to be detection engineers by Friday. The organizations that handle it well invest in training before deployment, create the new roles before eliminating the old ones, and accept that productivity will dip for a quarter while people learn.

The ones that don’t end up with burned-out analysts who were already close to quitting, now asked to do a harder job with no preparation, no training, and no clear career path. That’s how you lose your best people to a competitor who planned the transition properly.

The part that should make you optimistic

Here’s the thing that gets lost in the anxiety about AI replacing jobs. The new roles are better than the old ones.

Not easier. Better. The work is more interesting. The problems require actual thought. The career ceiling is higher. Detection engineers and AI operations leads make meaningfully more money than Tier-1 analysts, and they burn out at significantly lower rates because they’re not staring at a queue of 4,000 alerts wondering which ones are real.

The ISC2 workforce gap is 3.5 million. That gap isn’t for people who can click through a SIEM. It’s for people who can think critically about security problems, engineer detections, tune AI systems, and communicate risk to business leaders. Those are the roles that AI triage is creating, and they’re the roles the industry has been short-staffed on for a decade.

The SOC career path isn’t disappearing. It’s splitting into four paths that are all more interesting, better paid, and more sustainable than the one they’re replacing. The analyst who’s worried about being replaced should be asking their manager: which of these four roles are you investing in, and when does my training start?
