AI SOC as Your Security Operations Center of Excellence


Today’s Reduced SOC Scope

In most large enterprises, the Security Operations Center (SOC) is focused on Threat Detection, Investigation and Response (TDIR). But what happens to the other security operations functions such as Penetration Testing (Pentesting) and Vulnerability Management (VM)? Today, security operations still function as three separate teams with different clocks and incentives.

  • Pentesting and VM live to the left of the bang, before an incident, reducing exposure and validating controls.
  • TDIR lives to the right of the bang, after detection, containing and recovering when an attack materializes.

Each contributes critical expertise, but each also operates with its own metrics, workflows, and priorities. This division is natural given specialization, but it fragments context and delays outcomes. Information travels slowly across silos, handoffs lose fidelity, and feedback loops stall.

SOC Evolution

The changing threat landscape is prompting a reconsideration of this model. More complex and sophisticated attacks demand a more integrated approach across the full lifecycle, before, during, and after an intrusion. As AI is used to execute more attacks, organizations need to move faster to surface security insights buried in terabytes of telemetry and then stop attacks once they are detected. There is not enough time to coordinate across human teams to detect and respond.

In this environment, the SOC is well placed to become the “center of gravity” of security operations. The SOC is already the last safety net on the right of the bang, dealing with real incidents, adversary paths, and operational realities. From here it can be extended leftward without diluting its core mission. Pentesting and vulnerability management become more effective when informed by what the SOC actually observes. The SOC can credibly anchor an integrated operating model—if we evolve in phases. Here’s a pragmatic framework for how to do this.

Phase 1: Aligned Operations

No reorg, better collaboration, shared language, minimal disruption

The first move is alignment without reorganization. Keep the three teams intact but establish a reliable collaboration framework, communication channels and shared taxonomies so each team performs its own work better by consuming the others’ signals. Practically, this looks like:

  • Better handoffs that keep context. Many organizations still share slow artifacts like Excel, PDFs, and ad hoc email across teams. Replacing those artifacts with APIs and structured exchange is the fastest path to fewer dropped balls and evidence-based prioritization. Pentest artifacts should express operational attack paths in formats useful to detection engineers and responders. IR root‑cause summaries should help pentesters and VM to refine scenarios and prioritization.
  • Common definitions. Concepts like severity, exploitability, and asset/business criticality should mean the same thing across pentest, VM, and incident response, as reflected in runbooks, intake forms, and security practices.
  • Link and integrate. Link findings to tickets and cases across teams. Connect asset inventories. Always prefer APIs over file drops.
  • Cross‑team visibility. Use a regular cadence of low-overhead meetings like stand‑ups, weekly risk reviews, and retrospectives to build awareness and encourage collaboration across teams.

At this stage, KPIs remain specific to each team:

  • Pentest teams optimize pentest throughput and quality,
  • The VM team tracks patch SLAs like “all critical systems patched within one week”, and
  • SOC tracks time‑to‑triage or containment.

It is important at this stage to develop this “muscle memory” of better collaboration to prepare for Phase 2.

Phase 2: Shared KPIs

No reorg, intentional and explicit collaboration, new org-wide KPIs

Once better data is flowing, the next step is to change the KPIs to reflect security value at the enterprise level. Teams still report to their existing leaders, but they pursue common outcomes rather than optimizing for their team. Three shifts stand out:

  • From team activity to shared outcome. A VM team metric like “patch critical within seven days” is useful but incomplete. In phase two, for example, the VM team also commits to responding within 24 hours to vulnerabilities flagged by the SOC as urgent because they are linked to observed attack paths. Similarly, the SOC commits to validating that remediations actually reduce incident frequency or dwell time.
  • Closed loop planning. Pentest, VM, and IR should build their plans together with input from each team. Pentest findings generate detection use cases; incident trends influence what gets tested and what gets patched; VM telemetry informs which detections deserve tuning and where to add control depth. The goal here is measurable risk reduction.
  • Risk‑based vulnerability management (RBVM). RBVM becomes practical and materially better when IR telemetry and pentest attack paths are part of the risk signal. This ties prioritization to your environment and your adversary reality, not generic exploitability.

These shifts enable new KPIs that align incentives such that “left of bang” and “right of bang” work as one system. For example:

  • Risk‑weighted exposure reduction: decrease in exploitable weaknesses on crown‑jewel assets, validated by testing or attack simulation.
  • Time‑to‑effect: mean time from detection of an attack path to a deployed, tested mitigation, and the mean time to viable detection coverage for that path.
  • Closed‑loop validation: percentage of remediations verified by follow‑up testing or detection triggers.
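To make the RBVM shift and the shared KPIs concrete, here is an added example (not from the original article) of a prioritization queue that folds IR telemetry and pentest attack paths into the risk signal, plus the closed-loop validation and time-to-effect metrics computed over the same records. The weights, field names and sample findings are constructed assumptions, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Finding:
    vuln_id: str                  # finding identifier (constructed)
    asset: str
    cvss: float                   # generic exploitability signal
    criticality: int              # shared asset/business criticality, 1 (low) to 5 (crown jewel)
    seen_in_incident: bool        # IR telemetry: weakness sat on an observed attack path
    on_pentest_path: bool         # pentest: weakness is part of a demonstrated attack path
    detected_at: datetime
    mitigated_at: Optional[datetime]
    validated: bool               # remediation verified by retest or a detection trigger

def risk_score(f: Finding) -> float:
    """RBVM score: exploitability weighted by criticality, then boosted by
    environment-specific evidence from the SOC and pentest (assumed weights)."""
    score = f.cvss * f.criticality
    if f.seen_in_incident:
        score *= 2.0              # adversary actually used it here: strongest signal
    if f.on_pentest_path:
        score *= 1.5              # proven reachable in this environment
    return round(score, 1)

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Work queue ordered by environment-aware risk, not by CVSS alone."""
    return sorted(findings, key=risk_score, reverse=True)

def closed_loop_validation(findings: List[Finding]) -> float:
    """KPI: percentage of mitigated findings verified by follow-up testing or detection."""
    mitigated = [f for f in findings if f.mitigated_at is not None]
    if not mitigated:
        return 0.0
    return round(100.0 * sum(f.validated for f in mitigated) / len(mitigated), 1)

def time_to_effect_hours(findings: List[Finding]) -> float:
    """KPI: mean hours from detection of the exposure to a deployed mitigation."""
    hours = [(f.mitigated_at - f.detected_at).total_seconds() / 3600
             for f in findings if f.mitigated_at is not None]
    return round(sum(hours) / len(hours), 1) if hours else 0.0

T0 = datetime(2024, 1, 1)        # constructed sample data
SAMPLE = [
    Finding("V-1", "crown-jewel-db", 7.5, 5, True, True, T0, T0 + timedelta(hours=20), True),
    Finding("V-2", "lobby-kiosk", 9.8, 1, False, False, T0, T0 + timedelta(hours=120), False),
    Finding("V-3", "payroll-app", 6.1, 4, False, True, T0, None, False),
    Finding("V-4", "vpn-gateway", 8.8, 5, True, False, T0, T0 + timedelta(hours=10), True),
]
```

Run against the sample, the highest-CVSS finding (V-2 on a low-criticality kiosk) drops to the bottom of the queue, while the two weaknesses the SOC saw on real attack paths rise to the top.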

Phase 3: Consolidated Organization

One SOC, one scorecard, a Center of Excellence as the hub

The final step is organizational consolidation, bringing pentest, VM, and TDIR under a single leadership structure. The new organization operates with one set of KPIs, supported by a new Center of Excellence (CoE) function.

The role of the CoE is to provide oversight, integration, and continuous improvement. It is the hub that makes 1 + 1 + 1 = 5. This is not a large team, and in some organizations it may be just a strong program manager. The mission is to ensure the same data is used many times for many purposes by standardizing taxonomies, enforcing data quality, curating libraries of adversary behaviors and response playbooks, orchestrating cross‑team cadences, and tracking shared backlogs. The CoE oversees API‑first integration to keep knowledge moving as quickly as incidents do.

In Phase 3 individual team scorecards are replaced with a single SOC scorecard that expresses business outcomes. These could include:

  • Reduced likelihood and impact for top attack scenarios
  • Decreased mean time from exposure discovery to risk decision
  • Lower recurrence of root‑cause classes
  • Sustained detection efficacy

The SOC owns these outcomes, not just activities, and adjusts capacity across pentest, VM, and IR to meet them. Staff can rotate across functions, from attacking to defending to hardening, so that institutional knowledge compounds rather than being stuck in silos.

Enterprises can expect faster time‑to‑effect (the delay between discovering an exploitable path and neutralizing it), lower critical incident recurrence, and tighter alignment between controls, detection, and remediation. Costs stabilize as overlapping workflows are replaced by shared platforms and standard content. Most importantly, security becomes a continuous, bidirectional system where intelligence from the right shapes priorities on the left and hardening on the left measurably reduces the work and impact on the right. The SOC stops being only the last safety net and becomes the operating system of security where prevention and response reinforce each other, and the enterprise measures progress in real, risk‑weighted terms.

Gorka’s Practical Guidance for Security Leaders

  • Sequence matters. Do not jump directly to reorg. First, replace document-based handoffs with API level exchange and shared language; then adopt shared KPIs that reflect enterprise outcomes, only then consolidate. This sequencing lowers resistance and shows value early.
  • Anchor on the right, expand left. Because detection and response are the hardest capabilities to build credibly at scale, SOC-anchored expansion tends to be more feasible than asking left-of-bang teams to absorb IR. Moving left from the right is simply the lower-risk path.
  • Keep definitions crisp. Be explicit about what sits in vulnerability management (infrastructure/platform) versus application security (SDLC). This clarity prevents governance gaps and conflicting KPIs.
  • Start small with the CoE. The CoE is a construct, not a bureaucracy. Begin with a program leader who owns cadence, data standards, shared backlogs, and knowledge management. Scale only if and when the work demands it.

___

Gorka Sadowski is a cybersecurity operator and builder with 35 years of experience creating markets and shaping strategy. He previously led Security Operations research at Gartner as a Senior Director and Analyst, drove Exabeam’s transition to a security operations platform, and built Splunk’s security ecosystem. Gorka is an advisor to Simbian.
