At RSAC 2026, the SANS Institute delivered a defining statement. For the first time in the conference’s 25-year history, every dangerous attack technique on its annual list involved AI.
In live demonstrations, attackers moved from initial access to full domain control in less than a minute using AI-driven workflows.
The attack lifecycle has compressed to the point where many organizations cannot operationalize a response before the outcome is already determined.
This is the uncomfortable reality enterprises must confront: beyond detection capabilities, the defining constraint in cybersecurity is organizational speed.
Cyber resilience now depends as much on organizational responsiveness as technical detection capability. Enterprises must be able to adapt, deploy, and operationalize defenses at the pace attacks unfold.
That requirement extends far beyond the SOC itself. Procurement cycles, governance approvals, security reviews, deployment bottlenecks, and operational change management are now part of the internet security control plane whether organizations recognize them or not.
A twelve-month procurement cycle was inefficient when attackers needed weeks to move laterally across an environment. Now that AI-enabled attacks can traverse cloud, SaaS, and identity management infrastructure in minutes, that same cycle becomes a material risk factor.
Most organizations still budget cybersecurity purchases twelve months in advance. Only a minority of projects go live within six months of contract approval, while some large enterprises take a year or longer to operationalize new capabilities after signing contracts.
That delay creates exposure. Organizational change velocity has become a compensating security control.
Why Legacy SOC Architectures Are Breaking
The traditional SOC was engineered for a fundamentally different threat model defined by known signatures, perimeter-based controls, and human-led investigation workflows. It assumed that the analyst was the primary reasoning engine, but obviously, that now no longer holds. The deeper problem is operational architecture.
Legacy security operating models were built around deliberate process cadence: layered approvals, segmented ownership, sequential investigations, quarterly planning cycles, and extended deployment timelines. Those structures were survivable when defenders and attackers operated at roughly human speed. AI has broken that balance.
Posture-based prevention technologies like CNAPP and CSPM reduce exposure but offer limited value against active cloud threats unfolding in real time. Legacy SIEM platforms aggregate raw data but were not designed to reason across hundreds of SaaS applications, multiple cloud environments, and sprawling networks of human and non-human identities at machine speed.
Investigation workflows remain largely sequential. Analysts triage alerts, pivot between consoles, reconstruct activity manually, and escalate findings through multiple operational layers. Every transition introduces latency. In an AI-driven attack chain, latency compounds into compromise.
Attackers don’t need zero-day exploits anymore. They’re walking through the front door using OAuth abuse, API integrations, SaaS-to-SaaS trust relationships, session hijacking, and identity compromise. They blend into legitimate workflows while moving across cloud, SaaS, AI, and identity systems with precision and speed.
Alert volume only magnifies the structural problem. One major managed SOC reported processing an average of two alerts per minute throughout 2025. That is not simply a staffing challenge. It is evidence that the underlying operating model no longer scales against machine-speed offense.
The Rise of the Agentic SOC
The legacy SOC requires a structural reset toward the Agentic SOC: an operating model designed to match adversaries on speed, automation, and adaptability.
In this model, AI systems handle high-volume investigative work autonomously. They correlate evidence across disparate systems, generate hypotheses, validate attack paths, and recommend or execute response actions within defined guardrails. Human analysts remain accountable, but their role shifts toward oversight, business judgment, exception handling, and strategic decision-making.
Detection, investigation, and response collapse into a continuous operational pipeline rather than separate stages divided by escalation queues and manual pivots. Forensic data is ingested and correlated in real time, producing unified attack timelines without the friction of console switching or fragmented tooling. AI agents can conduct continuous investigations, compressing response times from hours to seconds.
Critically, the Agentic SOC is an organizational redesign centered around execution velocity. Organizations using the Agentic SOC will build operating models capable of continuously deploying and adapting those tools. They will reduce friction between security, procurement, governance, engineering, and operations so defensive capability can evolve at the pace threats evolve.
That distinction matters. Many enterprises already possess capable technologies but remain constrained by internal change velocity. Security teams identify gaps quickly but cannot operationalize solutions fast enough to matter. In practice, organizational inertia becomes an adversary’s advantage.
SaaS Expansion and the Visibility Problem
The attack surface continues to expand aggressively across SaaS ecosystems. Enterprises now rely on hundreds of interconnected applications, each introducing distinct identity models, integrations, permissions structures, and potential misconfigurations. These environments create ideal conditions for rapid compromise and lateral movement.
Posture management tools frequently miss the initial compromise and the live attack activity that follows. Identity blind spots, OAuth abuse chains, and fragmented telemetry create conditions where attackers can operate with near invisibility.
A major constraint is the SaaS visibility gap. Many enterprises still fail to meaningfully collect and operationalize SaaS telemetry across their environments. Even when logs are ingested, they are frequently dumped into SIEM platforms as raw data that analysts struggle to normalize, correlate, and investigate at machine speed. The result is massive telemetry volume with limited operational visibility precisely when attackers are moving fastest.
Delayed deployment cycles compound the problem further. Security capabilities that take months to evaluate, approve, and operationalize often arrive already behind the threat landscape they were intended to address. In the AI era, execution velocity becomes part of the defensive architecture itself.
What Boards, CIOs, and CISOs Must Do Now
Boards and executive leadership teams must recalibrate around a new reality: organizational tempo is now inseparable from cyber resilience. Rigor around vendor evaluation, governance reviews, contract diligence, and implementation planning remains necessary. But those cycles must compress to align with the material risk introduced by AI-speed attacks.
Leadership teams should start with realism. Measure actual mean time to respond (MTTR), not the theoretical number documented in a playbook, but the real number demonstrated across recent incidents. Then ask whether that timeline would contain an AI-enabled attack capable of traversing cloud and SaaS infrastructure in under twenty minutes. If the answer is no, the organization is facing a structural problem rather than an isolated tooling gap.
Equally important, organizations must begin measuring change velocity itself. How long does it take to move from identifying a security gap to deploying and operationalizing a capability in production? How long do procurement approvals take? How long do integrations stall in testing environments? How many operational dependencies exist before a security control becomes active? Those timelines should be tracked, benchmarked against threat speed, and reported alongside MTTR and dwell time metrics.
Organizations should establish fast-track evaluation and deployment frameworks for security technologies, particularly cloud-native and AI-native platforms where the risk of delayed deployment may exceed the risk introduced by accelerated diligence.
Security leaders should also audit their own environments for operational latency. How many manual pivots does an analyst perform during an investigation? How long does it take to transform raw telemetry into a correlated attack timeline? Every friction point represents adversary dwell time by another name.
And critically, organizations must acknowledge the limitations of posture-based security. Configuration reduces exposure, but it does not stop an active attack already moving through the environment. The SOC that succeeds in the AI era will not be the one with the cleanest posture dashboard. It will be the one capable of detecting and containing live threats before operational impact occurs.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
