The Security Operations Gap: More Tools, Slower Responses, and the Promise of AI
Posted by: GuidePoint Security
Author: Aaron Landgraf, VP Product Marketing, Red Canary, a Zscaler company
Security leaders are currently grappling with a puzzling contradiction: despite increased budgets and more sophisticated toolsets, incident response is getting slower even as the window to respond shrinks. This paradox, highlighted in Red Canary’s latest Security Operations Trends Report, points to artificial intelligence (AI) as a critical path forward for 2026 planning.
Increased Spending, Increased Complexity and Risk
In its survey of 550 cybersecurity leaders, Red Canary found that budgets have seen a 12% increase on average over the past year. 80% of security leaders say they’re spending more than ever on security – yet breaches and threats keep growing.
A major driver of this growth in threats: the attack surface expanded by 41% in the past 12 months, amplifying exposure. Email, identity, and endpoints remain primary targets, with 82% of those surveyed experiencing email incidents, 79% identity/user account incidents, and 78% endpoint incidents. This underscores a stark reality: attackers increasingly log in rather than break in.
Additionally, tool sprawl adds complexity. While organizations have reduced their security tools from 91 to 65 on average, consolidation hasn’t universally improved resolution times. A concerning 73% of teams report an increase in detection-to-resolution time over the last year, with 35% experiencing a significant increase.
The business impact is substantial. Organizations estimate that cyber incidents cost them $3.7 million on average in the past year. Nearly half experienced outages or service disruptions. 44% saw customer or employee data compromised, stolen or held to ransom. And 40% incurred other financial costs like ransoms or fines.
Widening Skills Gaps and the Strategic Imperative to Outsource
The report highlights continued skill shortages in critical functions for reducing dwell time and stopping active threats. Key areas lacking expertise include:
- network security
- penetration testing
- intrusion detection
- incident response
- SIEM data management
- detection analytics
- threat hunting
These shortages force teams into reactive alert triage instead of proactive detection and response, creating exploitable blind spots.
In response, leaders are rebalancing internal and external workloads. Teams are increasingly outsourcing day-to-day SIEM management, threat intelligence, and incident response—not to shirk responsibility, but to reduce noise and manage commodity threats at scale. This hybrid approach allows internal teams to focus on their unique environments while partners provide collective visibility and 24/7 coverage.
AI: From Promise to Production
Against this backdrop, AI has transitioned from hype to a fundamental enabler of modern cyber defense. 65% of organizations surveyed are already using AI to help with detection analytics, and 28% of those remaining plan to invest within the next 12 months.
Early adopters report tangible benefits:
- improved accuracy through fewer false positives and negatives
- faster detection and response
- higher analyst productivity
- more complete context and actionable alerts
- reduced hiring pressure and alleviation of skill gaps
- greater adherence to secure-by-default practices
Leaders are also realistic about AI risk. 85% of security leaders say the real risk is not an AI apocalypse but being overwhelmed by the thousand missed threats that will get through if they don’t automate more. Still, governance is essential, because AI is a productivity multiplier for both defenders and adversaries. Strong model safety, clear policies, and auditable automation separate helpful speed from harmful shortcuts.
A Practical Approach to Safe and Effective AI in the SOC
A practical AI strategy for the SOC is vital, as many teams have already experienced incidents related to their own AI tools. An effective approach blends powerful automation with stringent guardrails and human judgment:
- Formalized AI agent roles: By treating agents like employees—with simple and clear job descriptions, KPIs, and performance reviews—you ensure higher quality outputs, which ultimately enables scale. Agents that fail, much like humans, often take on too much responsibility, too soon.
- Human-in-the-loop by design: AI assists analysts, not replaces them. Models summarize and propose outcomes or next steps, but humans validate high-impact decisions, reducing cognitive load without sacrificing control.
- Agentic workflows with guardrails: AI agents handle repetitive tasks—pivoting across telemetry, assembling timelines, fetching threat intelligence, and drafting incident narratives—within defined playbooks with policy checks and audit trails. If confidence thresholds are not met, the workflow escalates to a human.
- Continuous evaluation and safety: Model changes are tested against real-world adversary behaviors and assessed for accuracy, latency, and hallucination risk. Prompt hygiene, role-based access, data minimization, and red teaming help prevent data leakage and model abuse.
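The guardrail pattern these four points describe, as an added illustration that is not part of the original post or of any Red Canary product: a dispatch step that checks an agent's proposed action against a per-role policy (its "job description"), enforces a confidence threshold, writes every proposal to an audit trail, and escalates anything that fails a check to a human queue. The policy table, agent roles, action names and alert identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy table (constructed for this example): for each agent role, the
# actions it may run autonomously and the minimum confidence each one requires. Any
# action missing from a role's entry is outside its "job description" and must escalate.
POLICY: Dict[str, Dict[str, float]] = {
    "triage-agent": {"enrich_alert": 0.0, "add_timeline_entry": 0.0, "close_as_benign": 0.90},
    "containment-agent": {"isolate_host": 0.95},
}


@dataclass
class Proposal:
    """An action an agent wants to take, with its self-reported confidence."""
    agent: str
    action: str
    target: str
    confidence: float


@dataclass
class Dispatcher:
    audit_log: List[dict] = field(default_factory=list)
    human_queue: List[Proposal] = field(default_factory=list)

    def dispatch(self, p: Proposal) -> str:
        allowed = POLICY.get(p.agent, {})
        if p.action not in allowed:
            decision, reason = "escalate", "action not permitted for this role"
        elif p.confidence < allowed[p.action]:
            decision, reason = "escalate", f"confidence {p.confidence:.2f} < {allowed[p.action]:.2f}"
        else:
            decision, reason = "execute", "policy check passed"
        # Record every proposal, blocked or not, so reviewers can audit what the agent tried.
        self.audit_log.append({"agent": p.agent, "action": p.action, "target": p.target,
                               "confidence": p.confidence, "decision": decision, "reason": reason})
        if decision == "escalate":
            self.human_queue.append(p)
        return decision


def run_demo() -> Dispatcher:
    """Three constructed proposals: a routine enrichment, a low-confidence alert closure,
    and an attempt by the triage agent to take a containment action outside its role."""
    d = Dispatcher()
    d.dispatch(Proposal("triage-agent", "enrich_alert", "alert-1234", 0.55))
    d.dispatch(Proposal("triage-agent", "close_as_benign", "alert-1234", 0.72))
    d.dispatch(Proposal("triage-agent", "isolate_host", "host-07", 0.99))
    return d
```

Only the first proposal executes; the other two land in the human queue, and all three appear in the audit log with the reason for the decision.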
The Bottom Line
By consolidating strategically, partnering for scale, and embedding safe, human-centered AI into SOC workflows, organizations can contain current threats faster and prepare for future ones. Teams best positioned to capitalize on this opportunity will be those who measure what matters, automate what can be automated, and concentrate scarce human expertise where it provides the greatest defensive advantage.
To learn more about these trends, download Red Canary’s 2025 Security Operations Trends Report. For more information on Red Canary’s approach to AI in the SOC, visit redcanary.com. If you’re ready to optimize your SOC and securely integrate and use AI, that’s where GuidePoint Security can help.