The modern security operations center (SOC) in 2025 is a far cry from the siloed, reactive setups of the past. Twenty years ago, SOCs concentrated on perimeter defense: firewalls, antivirus, and basic IDS. Security analysts manually sifted through logs and alerts, often overwhelmed by false positives. Threat monitoring was largely confined to on-premises, internal infrastructure; cloud, mobile, and IoT weren’t yet major concerns. Security Information and Event Management (SIEM) tools were just starting to gain traction, offering basic log aggregation and correlation. SOCs were small, in-house, isolated teams with limited automation and little integration with other departments.
Fast forward to the present day and SOCs have evolved from dimly lit rooms full of blinking monitors to intelligent, distributed ecosystems that blend human expertise with automation and machine precision. Today’s SOC is a unified, data-driven ecosystem that blends automation, AI, and cloud-native technologies to detect, respond to, and even anticipate threats in real time. That’s because most SOC teams have moved on from thinking “What threatens me?” to, “What advantage does my adversary have over me?”
It starts with the data and the need to couple and curate internal telemetry, events and context with external threat intelligence. Curation is critical because you need to sift through enormous amounts of data to find the subset that is relevant for action. Internal analytics is only valuable if it is contextualized and prioritized. Similarly, cyber threat intelligence is only valuable if it provides complete, accurate, curated and actionable insights. To move fast, SOC analysts now need integrated threat curation, prioritization and response based on the combination of internal and external data.
For internal data, Security Information and Event Management (SIEM) and/or EDR capabilities, which bring deeply enriched advanced analytics into threat detection, are key. SIEMs have historically been the nerve center of the SOC, and they have evolved to include machine learning, user behavior analytics and detection, and integration with threat intelligence feeds. EDR systems are growing in importance, either as a source of data for the SIEM or as a standalone tool to capture and analyze internal events and logs. For external data, Threat Intelligence Platforms (TIPs) are essential to curate and prioritize the vast amount of data about adversaries and threats that is available from a whole host of sources, whether commercial, open source, or otherwise. Reducing the external data set to more relevant, actionable and timely insights is key, and it is something a TIP can do that a threat feed will not.
To accurately prioritize SOC activities, it’s essential to map the organization’s internal infrastructure and external threat landscape to identify where they intersect or overlap. This overlap is the priority area that the SOC needs to address. Having only a broad picture of the external threat landscape is not helpful and can lead to chasing ghosts. What SOC teams need is a curated set of data that is relevant and focused on the priority threats to their organization.
Whether it is internal or external, the most important aspect is that it is the right data. This is one of the reasons ThreatQuotient was acquired by Securonix. They needed an external perspective to add to their internal knowledge to create a comprehensive, curated data set to use for context, automation and agentic AI. Why? Because automation and AI run on data to create content, make decisions and act. Ultimately you need to get the right data to the right places at the right time so your team, and increasingly the automated technology that supports it, can make the right decisions and take the right actions. And if you put dirty data in, you get dirty data out, which can lead to errant actions and bad decisions.
Why is this so important? Because bad data leads to errors, and errors create a lack of confidence and a lack of trust. SOC analysts must be able to trust the data, because this drives trust in automation and in any content generated by AI. This is a classic example of why you need to pull data in a curated way. Put simply, non-curated data in your threat tools won’t bring you into that Gartner intersection where you need to focus.
ThreatQuotient’s 2024 Evolution of Cybersecurity Automation Adoption report highlights how trust in automation is evolving and improving. Only 20% of respondents reported a lack of trust in the outcomes of automated processes, an improvement from 31% the previous year. That’s a notable shift and underpins my point about the importance of having trust and confidence in automation’s reliability.
Ultimately, if your SOC analyst has a miserable experience with data, they won’t trust the outputs and they won’t act upon the intelligence. There is a lot at stake, and quite frankly, no one wants to have to clean up on Aisle 7 and take responsibility for messy or bad decisions arising because of bad data. This is why it is so important to always have a human-in-the-loop to verify any AI output.
On a more positive note, by combining curated threat intelligence, automation and agentic AI, SOC analysts will be able to filter out false positives, enrich alerts with actionable context, and automate historical threat sweeps and incident response. This reduces alert overload, speeds up root cause analysis and minimizes manual handoffs – cutting investigation times from hours to minutes and enabling automated containment before threats escalate. Ultimately, the right combination of external and internal threat intelligence underpins all the potential efficiencies and productivity gains of automation and AI in the SOC, enabling SOC teams to go faster and do more to proactively defend their organization.