TL;DR: SOC leaders found that AI worked best for data collection and enrichment, while humans outperformed automated judgment; social engineering also dominated 2025 incidents, expanding the SOC’s remit across email, identity, hiring, and collaboration tools, according to Abnormal AI. The lesson is that context, not just speed, now separates effective detection from noisy automation.
At a glance
What this is: This is Abnormal AI’s 2025 SOC lessons roundup, and its core finding is that human judgment still outperforms automated decision-making in the SOC.
Why it matters: It matters because SOC operating models increasingly overlap with identity, collaboration, and workflow risk, so IAM, NHI, and human security teams need shared detection and response assumptions.
👉 Read Abnormal AI’s 2025 SOC lessons on human judgment, social engineering, and detection
Context
The modern SOC is not failing because it lacks automation. It is struggling because attackers increasingly target trust, context, and identity workflows that generic detections do not model well. When security teams automate collection but keep judgment human, they preserve context at the point where it matters most.
This discussion sits directly inside identity governance because social engineering now reaches email, collaboration, hiring, and access workflows, not just endpoint tooling. That means SOC maturity is now tied to how well an organisation understands human behaviour, privileged access, and identity-driven attack paths across the environment.
Key questions
Q: How should SOC teams balance automation with human decision-making?
A: SOC teams should automate the mechanical parts of detection, such as enrichment and correlation, while keeping human analysts in charge of interpretation and response decisions. That balance preserves context, reduces false confidence, and makes it harder for attackers to exploit trust-based or identity-driven abuse paths that simple workflows miss.
Q: Why do organisation-specific behavioural baselines matter for detection?
A: They matter because generic detections are predictable and easy to work around, while organisation-specific baselines show how your people and systems actually behave. That lets teams spot subtle deviations in identity use, collaboration patterns, and access timing that copied rules would miss.
Q: What do security teams get wrong about social engineering risk?
A: Teams often treat social engineering as an awareness issue instead of an operational and governance issue. In practice, it targets the systems where people approve, delegate, invite, and authenticate, so detection and access control must extend into those workflows.
Q: Who should own coverage for email, identity, and collaboration abuse?
A: Ownership should be shared across SOC, IAM, and security engineering because those abuse paths cut across monitoring, authentication, and approval processes. The right model is coordinated control, not a single team assuming the problem ends at alert triage.
Technical breakdown
Why human judgment still outperforms automated SOC decisions
Automation is strongest when it reduces mechanical work such as enrichment, correlation, and triage sorting. It becomes brittle when it is asked to replace interpretation, because security decisions depend on context that rarely exists in the first alert. In practice, a model or playbook may identify what happened, but a skilled analyst is still needed to decide whether the event is benign, suspicious, or the start of a broader campaign. That distinction matters most in identity-heavy incidents, where the same login, token use, or collaboration event can have very different meaning depending on timing and user behaviour.
Practical implication: keep humans in the decision path for identity-sensitive alerts and reserve automation for collection, prioritisation, and enrichment.
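The split the paragraph above describes can be made concrete in an alert pipeline. The following is an added example written for this summary; it is not code from the Abnormal AI article or from NHIMG. It automates the mechanical stages (enrichment against an asset inventory and an identity directory, then an additive priority score) but routes every identity-sensitive, privileged or high-tier alert to an analyst rather than to automatic containment. The alert categories, lookup tables, score weights and sample alerts are all constructed for illustration.

```python
"""Added example: automated enrichment and prioritisation with a human
decision gate for identity-sensitive alerts. All data is constructed."""
from dataclasses import dataclass, field

# Constructed stand-ins for a CMDB and an IAM directory lookup.
ASSETS = {
    "10.0.5.12": {"owner": "finance", "tier": "high"},
    "10.0.9.40": {"owner": "lab", "tier": "low"},
}
IDENTITIES = {
    "alice": {"privileged": True, "recent_role_change": False},
    "svc-backup": {"privileged": True, "recent_role_change": True},
    "bob": {"privileged": False, "recent_role_change": False},
}

# Constructed set of alert categories treated as identity-sensitive: these
# never reach a containment action without an analyst decision.
IDENTITY_SENSITIVE = {"token_use", "mfa_reset", "oauth_consent", "invite", "approval"}


@dataclass
class Alert:
    alert_id: str
    category: str
    user: str
    host: str
    enrichment: dict = field(default_factory=dict)
    priority: int = 0
    route: str = ""


def enrich(alert: Alert) -> Alert:
    """Mechanical work: attach asset and identity context to the alert."""
    alert.enrichment["asset"] = ASSETS.get(
        alert.host, {"owner": "unknown", "tier": "unknown"})
    alert.enrichment["identity"] = IDENTITIES.get(
        alert.user, {"privileged": False, "recent_role_change": False})
    return alert


def prioritise(alert: Alert) -> Alert:
    """Mechanical work: an additive score used only to order the queue."""
    ident = alert.enrichment["identity"]
    asset = alert.enrichment["asset"]
    score = 0
    if ident["privileged"]:
        score += 40
    if ident["recent_role_change"]:
        score += 20
    if asset["tier"] == "high":
        score += 30
    if alert.category in IDENTITY_SENSITIVE:
        score += 10
    alert.priority = score
    return alert


def route(alert: Alert) -> Alert:
    """Decision gate: automation may sort and close low-context noise, but an
    analyst decides anything identity-sensitive, privileged or high-tier."""
    ident = alert.enrichment["identity"]
    asset = alert.enrichment["asset"]
    if (alert.category in IDENTITY_SENSITIVE or ident["privileged"]
            or asset["tier"] == "high"):
        alert.route = "analyst_review"   # containment needs human approval
    elif alert.priority == 0:
        alert.route = "auto_close"       # nothing in context raises it
    else:
        alert.route = "analyst_queue"    # a human still sees it, lower urgency
    return alert


def process(alerts: list) -> list:
    """Run enrich -> prioritise -> route and return the queue, highest first."""
    processed = [route(prioritise(enrich(a))) for a in alerts]
    return sorted(processed, key=lambda a: a.priority, reverse=True)


def demo() -> list:
    """Constructed sample alerts exercising each routing outcome."""
    sample = [
        Alert("A1", "token_use", "svc-backup", "10.0.9.40"),    # identity-sensitive + privileged
        Alert("A2", "av_quarantined", "bob", "10.0.9.40"),      # low-context noise
        Alert("A3", "login", "alice", "10.0.5.12"),             # privileged user, high-tier host
        Alert("A4", "av_quarantined", "bob", "10.0.5.12"),      # high-tier host only
    ]
    return process(sample)


if __name__ == "__main__":
    for a in demo():
        print(a.alert_id, a.priority, a.route)
```

The point of the gate is that the score only orders work; it never decides containment for the alert classes where context is missing from the first event. Tuning the score is safe to iterate on; changing the gate is a governance decision.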
Behavioural detection beats copied signatures and generic rules
Behavioural detection looks for deviations from an organisation’s own baseline rather than relying on signatures that attackers already know. Generic detections are easier to predict, easier to bypass, and often too broad to be useful in live operations. Organisation-specific baselines capture how users authenticate, how identities move, and how work normally happens across email, cloud, and collaboration platforms. That makes them harder to evade and more useful for surfacing subtle abuse such as trusted-account misuse, unusual access timing, or internal phishing campaigns that do not resemble malware-led attacks.
Practical implication: build detections around your own identity and behaviour patterns instead of copying rules that were designed for someone else’s environment.
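To show what "your own normal" means in practice, here is an added example (written for this summary, not code from Abnormal AI or NHIMG). It builds a per-user login baseline of observed hours, countries and devices from constructed historical log lines, then scores new events by deviation from that baseline and compares the result with a portable generic rule. The log format, user names, weights and threshold are all constructed assumptions.

```python
"""Added example: per-user behavioural baseline versus a generic rule.
Log lines, field layout, weights and threshold are all constructed."""
from collections import defaultdict

# Constructed history, one event per line: "timestamp user country device".
HISTORY = """\
2025-11-03T08:55:00Z alice GB laptop-a1
2025-11-03T17:40:00Z alice GB laptop-a1
2025-11-04T09:10:00Z alice GB laptop-a1
2025-11-05T08:48:00Z alice GB laptop-a1
2025-11-03T07:30:00Z bob DE laptop-b7
2025-11-04T07:45:00Z bob DE laptop-b7
2025-11-04T22:10:00Z bob DE laptop-b7
2025-11-05T07:20:00Z bob GB laptop-b7
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    "2025-11-06T03:05:00Z alice GB laptop-a1",   # known device and country, unusual hour
    "2025-11-06T07:35:00Z bob DE laptop-b7",     # entirely normal for bob
    "2025-11-06T08:50:00Z alice US tablet-x9",   # new country and new device
    "2025-11-06T10:00:00Z carol GB laptop-a1",   # user with no baseline at all
]


def parse(line: str) -> dict:
    ts, user, country, device = line.split()
    return {"user": user, "hour": int(ts[11:13]), "country": country, "device": device}


def build_baseline(log_text: str) -> dict:
    """Per-user baseline: the hours, countries and devices actually observed."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        b = base[ev["user"]]
        b["hours"].add(ev["hour"])
        b["countries"].add(ev["country"])
        b["devices"].add(ev["device"])
    return dict(base)


def generic_rule(ev: dict) -> bool:
    """A portable rule copied from someone else's environment: flag any non-GB login."""
    return ev["country"] != "GB"


def baseline_score(ev: dict, baseline: dict) -> int:
    """Deviation score against the user's own baseline (weights are constructed)."""
    b = baseline.get(ev["user"])
    if b is None:
        return 5  # no baseline exists for this user: treat as maximal deviation
    score = 0
    if ev["country"] not in b["countries"]:
        score += 3
    # tolerate one hour of drift either side of any observed login hour
    if not any(abs(ev["hour"] - h) <= 1 for h in b["hours"]):
        score += 2
    if ev["device"] not in b["devices"]:
        score += 1
    return score


def evaluate(new_lines: list, baseline: dict, threshold: int = 2) -> list:
    """Score each new event and record what the generic rule and the baseline say."""
    results = []
    for line in new_lines:
        ev = parse(line)
        score = baseline_score(ev, baseline)
        results.append({**ev, "generic_flag": generic_rule(ev),
                        "score": score, "baseline_flag": score >= threshold})
    return results


def demo() -> list:
    return evaluate(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for r in demo():
        print(r["user"], r["hour"], r["country"], "generic:", r["generic_flag"],
              "baseline:", r["baseline_flag"], "score:", r["score"])
```

The first event is the one that matters: a known device, a known country, an hour the user has never used. The generic rule is silent; the baseline flags it. The second event shows the opposite failure: the generic rule fires on bob's routine login from DE, which his own baseline already contains. A real deployment would build the baseline over a longer window and add fields such as ASN and MFA method, but the structure stays the same.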
SOC maturity depends on identity and collaboration coverage
The article’s strongest thread is that modern attacks do not stay inside the traditional security perimeter. Social engineering now lands through email, identity workflows, hiring processes, and collaboration tools, which means the SOC has to understand how trust is manipulated across business systems. This is a governance problem as much as a detection problem, because the organisation’s attack surface now includes the places where people approve, invite, authenticate, and delegate. SOC programmes that ignore those paths will miss the real entry points used in 2025-style incidents.
Practical implication: extend monitoring and playbooks beyond endpoints and malware into identity, messaging, hiring, and collaboration channels.
Threat narrative
Attacker objective: The attacker’s objective is to exploit trusted business processes so the intrusion looks legitimate long enough to evade detection and cause impact.
- Entry begins when attackers use social engineering to manipulate trust through email, collaboration tools, identity workflows, or hiring-related interaction.
- Escalation follows when the attacker leverages that trusted interaction to gain access, influence decisions, or move into higher-value identity-driven systems.
- Impact occurs when the organisation accepts malicious behaviour as legitimate, allowing broader compromise, response delays, or operational disruption.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Human-led judgment is now a control, not a cultural preference. The article shows that teams performed better when AI handled data collection and humans handled decisions. That is a governance statement, not a staffing slogan: automated output without human interpretation creates false certainty in identity-heavy investigations. The implication is that SOC design must preserve analyst discretion at the moment of triage.
Behavioral detection is the practical answer to trust abuse. Generic detections fail because attackers can study and anticipate them, while organisation-specific baselines surface what is abnormal in context. This aligns with NIST CSF detection thinking and zero-trust assumptions about continuous verification. The practitioner conclusion is simple: if your detections are portable, they are probably predictable.
Social engineering has become an identity governance problem, not only a security operations problem. Email, collaboration, hiring, and access approval workflows now form part of the attack surface, which means SOC coverage and IAM governance can no longer be managed in separate silos. The field needs shared visibility across human identity, privileged access, and business-process abuse. Practitioners should treat trust pathways as governed assets.
Burnout is an exposure multiplier because it weakens operational judgment. The article’s strongest teams rotated roles, invested in training, and exposed analysts to real incidents rather than trapping them in repetitive queue work. That creates resilience in both people and process. The takeaway for the field is that SOC maturity depends on analyst development, not just tooling depth.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 5.7% of organisations have full visibility into their service accounts.
- Forward look: NHI Lifecycle Management Guide shows why rotation, offboarding, and visibility need to be governed as one control plane.
What this signals
Trust-path monitoring is becoming a baseline SOC requirement. When attackers can move through email, collaboration, and identity workflows, the programme has to watch where decisions are made, not only where malware lands. That makes the SOC an identity-adjacent function, especially for organisations using the NIST Cybersecurity Framework 2.0 to connect its Detect and Respond functions.
Analyst development is now a resilience control. Teams that rotate people through incidents, tools, and roles produce better judgement and less burnout than teams that trap people in repetitive queue handling. The operational signal is clear: if the SOC cannot grow people, it will eventually struggle to grow capability.
Behavioral detection is now an organisation-specific asset. With 68% of organisations saying they do not know how to fully address NHI risks, per the Ultimate Guide to NHIs, teams need detection models that understand how identities and trust actually behave in their own environment.
For practitioners
- Keep human approval in the decision path: Use automation for enrichment and sorting, but require analyst review for identity-sensitive, collaboration-driven, or trust-based alerts before containment decisions are made.
- Build organisation-specific behavioural baselines: Tune detections to how your users authenticate, move, and collaborate so anomalies stand out against your own normal rather than against a generic rule set.
- Expand SOC coverage into trust pathways: Add monitoring for email, collaboration, hiring, and identity approval workflows so social engineering is visible where it actually enters the business.
- Rotate analysts across tools and incidents: Move staff between alert triage, investigation, and incident response work to reduce fatigue and build judgment from real cases rather than from queue repetition.
Key takeaways
- The article’s central lesson is that SOC effectiveness depends on human judgment supported by automation, not replaced by it.
- Social engineering has widened the SOC’s mission into identity, collaboration, and hiring workflows where trust can be manipulated.
- Teams that build organisation-specific behavioural detections and rotate analysts through real incidents are better positioned to handle 2025-style attacks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Behavioral monitoring and anomaly detection are central to the article's SOC lessons. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The article emphasizes continuous verification and trust-based attack paths. |
| NIST SP 800-63 | | Human identity and authentication workflows are part of the attack surface. |
Map identity and collaboration telemetry into continuous monitoring so abnormal trust abuse is visible early.
Key terms
- Behavioral Detection: Behavioral detection identifies suspicious activity by comparing it with an organisation’s own normal patterns of use. It is more effective than generic signatures when attackers hide inside trusted workflows, because it focuses on identity movement, timing, and context rather than static indicators alone.
- Social Engineering: Social engineering is the manipulation of human trust to make a user, analyst, or business process take an unsafe action. In modern SOC operations it often targets identity approvals, email, collaboration tools, and hiring workflows rather than only passwords or malware.
- Analyst Burnout: Analyst burnout is the point at which repetitive security work, high alert volume, and low role variety reduce judgement and performance. In SOC programmes it becomes an operational risk because tired teams miss context, over-rely on automation, and respond more slowly to subtle abuse.
- Identity Attack Surface: The identity attack surface is the set of authentication, approval, delegation, and collaboration paths an attacker can exploit to appear legitimate. It extends beyond login systems to the business workflows where trust is granted, which makes it a core SOC and IAM concern.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: SOC Unlocked season two lessons on the 2025 security frontline. Read the original.
Published by the NHIMG editorial team on 2026-01-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org