TL;DR: SOC leaders found that AI worked best for data collection and enrichment, while humans outperformed automated judgment; social engineering also dominated 2025 incidents, expanding the SOC’s remit across email, identity, hiring, and collaboration tools, according to Abnormal AI. The lesson is that context, not just speed, now separates effective detection from noisy automation.
NHIMG editorial — based on content published by Abnormal AI: SOC Unlocked season two lessons on the 2025 security frontline
Questions worth separating out
Q: How should SOC teams balance automation with human decision-making?
A: SOC teams should automate the mechanical parts of detection, such as enrichment and correlation, while keeping human analysts in charge of interpretation and response decisions.
Q: Why do organisation-specific behavioural baselines matter for detection?
A: They matter because generic detections are predictable and easy to work around, while organisation-specific baselines show how your people and systems actually behave.
Q: What do security teams get wrong about social engineering risk?
A: Teams often treat social engineering as an awareness issue instead of an operational and governance issue.
Practitioner guidance
- Keep human approval in the decision path: use automation for enrichment and sorting, but require analyst review for identity-sensitive, collaboration-driven, or trust-based alerts before containment decisions are made.
- Build organisation-specific behavioural baselines: tune detections to how your users authenticate, move, and collaborate so anomalies stand out against your own normal rather than against a generic rule set.
- Expand SOC coverage into trust pathways: add monitoring for email, collaboration, hiring, and identity approval workflows so social engineering is visible where it actually enters the business.
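The first two points above, a per-user behavioural baseline and a human gate in front of containment, can be shown in a few dozen lines. The block below is an added illustration written for this editorial; it is not code from Abnormal AI, NHIMG, or the SOC leaders interviewed. The sign-in log format, the field names, the "home country" of the generic rule, the set of identity-sensitive actions, and every event in it are constructed assumptions, not real data.

```python
"""Per-user behavioural baseline for sign-in events, with a human-review gate.

Added example only (not Abnormal AI's or NHIMG's code). The log format, the
field names, the IDENTITY_SENSITIVE set and the events below are assumptions
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not real data): (user, country, device, UTC timestamp).
HISTORY = [
    ("alice", "GB", "laptop-a1",  "2025-03-03T08:12:00"),
    ("alice", "GB", "laptop-a1",  "2025-03-04T09:01:00"),
    ("alice", "GB", "phone-a2",   "2025-03-05T18:40:00"),
    ("alice", "US", "laptop-a1",  "2025-03-10T14:05:00"),  # alice regularly works from the US
    ("alice", "US", "laptop-a1",  "2025-03-11T15:22:00"),
    ("bob",   "GB", "desktop-b1", "2025-03-03T08:55:00"),
    ("bob",   "GB", "desktop-b1", "2025-03-04T09:10:00"),
    ("bob",   "GB", "desktop-b1", "2025-03-05T08:47:00"),
]

# Assumed list of actions that should never be auto-contained or auto-closed.
IDENTITY_SENSITIVE = {"mfa_reset", "role_grant", "new_device_enrol"}


def build_baselines(events):
    """Summarise, per user, which countries, devices and hours of day are normal."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, country, device, ts in events:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)


def generic_rule(event):
    """Static, vendor-style rule: any sign-in outside the assumed home country (GB) alerts."""
    _, country, _, _ = event
    return country != "GB"


def baseline_deviations(event, baselines):
    """Return the ways this event departs from the user's own observed normal."""
    user, country, device, ts = event
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    findings = []
    if country not in b["countries"]:
        findings.append(f"new country {country}")
    if device not in b["devices"]:
        findings.append(f"new device {device}")
    # Tolerate one hour either side of any hour previously seen for this user.
    if not any(abs(hour - h) <= 1 for h in b["hours"]):
        findings.append(f"unusual hour {hour:02d}h")
    return findings


def triage(event, action, baselines):
    """Route an alert. Automation enriches and sorts; containment is never automatic."""
    findings = baseline_deviations(event, baselines)
    if not findings:
        return "auto_close"          # inside the user's own normal
    if action in IDENTITY_SENSITIVE or len(findings) >= 2:
        return "analyst_review"      # a human decides before any containment
    return "enrich_and_queue"        # single deviation: enrich, do not block


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    # alice in the US: noisy under the generic rule, normal under her baseline.
    travel = ("alice", "US", "laptop-a1", "2025-03-12T13:00:00")
    # bob at 03:00 from an unknown device: missed by the generic rule, flagged by baseline.
    odd = ("bob", "GB", "phone-x", "2025-03-12T03:00:00")
    for ev in (travel, odd):
        print(ev[0], "generic:", generic_rule(ev),
              "baseline:", baseline_deviations(ev, bl),
              "route:", triage(ev, "login", bl))
```

The two constructed events make the point of the guidance: the geography rule fires on the frequent traveller and stays silent on the new device at 03:00, while the per-user baseline does the opposite. The routing function never returns a containment action; identity-sensitive actions and multi-factor deviations always land with an analyst.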
What's in the full article
Abnormal AI's full blog post covers the operational detail this post intentionally leaves for the source:
- How the SOC leaders described their rotation models, training practices, and analyst development paths
- Specific examples of behavioural detection patterns that worked better than generic signatures
- The interview-based lessons behind AI-assisted collection and human-led decision-making
- The full context behind the social engineering incidents and workflow abuse examples
👉 Read Abnormal AI’s 2025 SOC lessons on human judgment, social engineering, and detection →
SOC automation and human judgment: what do teams need to change?
Explore further
Human-led judgment is now a control, not a cultural preference. The article shows that teams performed better when AI handled data collection and humans handled decisions. That is a governance statement, not a staffing slogan: automated output without human interpretation creates false certainty in identity-heavy investigations. The implication is that SOC design must preserve analyst discretion at the moment of triage.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 5.7% of organisations have full visibility into their service accounts.
A question worth separating out:
Q: Who should own coverage for email, identity, and collaboration abuse?
A: Ownership should be shared across SOC, IAM, and security engineering because those abuse paths cut across monitoring, authentication, and approval processes. The right model is coordinated control, not a single team assuming the problem ends at alert triage.
👉 Read our full editorial: Why SOCs are shifting from automation to human-led judgment