Perly Consulting │ Beck Eco

The State of Play

A living index of AI adoption across industries — where established practice meets the bleeding edge
UPDATED DAILY

The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.

The Daily Dispatch

A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.

AI Maturity by Domain

[Chart: AI Maturity by Domain. Each dot marks the weighted maturity of practices within a domain on an axis running from Bleeding Edge to Established.]

SOC augmentation & threat intelligence

TIER

Good Practice

TRAJECTORY

Stalled

AI that augments security operations centre analysts with automated triage, enrichment, and synthesised threat intelligence briefings. Includes alert prioritisation and threat landscape summarisation; distinct from incident response automation which executes playbooks rather than supporting analyst decisions.

OVERVIEW

AI-augmented SOC operation is proven, established technology with a mainstream vendor ecosystem, GA agentic products, and documented production outcomes at scale—yet the sector remains trapped in a confidence-execution paradox. Technical capability is no longer the question: Gartner's inaugural 2026 Magic Quadrant for Cyberthreat Intelligence Technologies elevates agentic threat intelligence to category level, with CrowdStrike positioned furthest right for Completeness of Vision; CrowdStrike's FY26 revenue of $4.81B (22% YoY growth) and 50% agentic module adoption rate signal durable market demand; production deployments from Dropzone AI (300+ enterprise customers, 11x ARR growth), CBTS MSSP (5,000 analyst hours saved in 6 months), and Prophet Security (investigations under 4 minutes with <10 minute MTTR) deliver concrete, named outcomes. Yet a critical execution gap persists: 97% of security leaders believe AI can handle alert triage, but only 35% actually deploy it for that purpose; 94% of SOCs use AI somewhere, but 80% rely on disconnected point solutions rather than unified platforms. Organizational readiness—data integration architecture, process redesign, analyst trust, governance maturity—remains the binding constraint. The consensus operating model is the "AI-assisted analyst": human judgment is retained for critical decisions while AI accelerates triage, investigation, and threat hunting workflows by 45-61% and improves accuracy by 22-29%.

CURRENT LANDSCAPE

The vendor ecosystem reached production maturity by Q2 2026: Gartner's May 2026 Magic Quadrant for Cyberthreat Intelligence Technologies established agentic threat intelligence as a distinct category with CrowdStrike as a Leader, signaling a market-wide shift from static reporting to operational, agent-driven threat intelligence. Major platforms GA'd agentic capabilities: CrowdStrike's Fall 2025 Falcon release defined the analyst-as-orchestrator model, where AI agents reason, decide, and act at machine speed; Splunk's agentic SOC (as articulated by its Group VP for Asia) reports documented metrics of 64% faster detection, 55% faster incident resolution, and 46% false-positive reduction; Dropzone AI scaled to 300+ enterprises with named outcomes (CBTS MSSP: 5,000 analyst hours saved in 6 months; Indiana Farm Bureau: 5x MTTR improvement; Zapier: 85% investigation automation). Independent research (SANS white paper, May 2026) documents the necessity of AI-human collaboration: SOCs face 2,000+ daily alerts, with two-thirds unable to keep pace; the WEF's May 2026 report across 84 organizations found 20 case studies demonstrating SOC efficiency and investigation speed gains. Analyst benchmarks (Prophet Security) show autonomous L2/L3 investigation at 3-10 minutes vs. 20-40 minutes manual (85-90% MTTR reduction, ~97-98% false-positive accuracy).

Yet adoption breadth masks critical execution barriers. Gartner data shows just 1-5% market adoption despite technical readiness; Torq's April 2026 survey found 94% of SOCs using AI but only 35% using it for triage, despite 97% expressing confidence it could handle the task. Root causes: 80% depend on fragmented point solutions (preventing unified automation), analyst trust deficits remain high, and most deployments deliver triage acceleration only (not end-to-end orchestration). SANS research emphasizes an organizational barrier—not a headcount shortage but a lack of operationalization knowledge across existing teams. Effective implementations require a unified data architecture (data lake normalization), process redesign (shifting analysts from triage to investigation), governance maturity (adjustable autonomy, transparent reasoning), and 6+ month integration cycles. Adoption barriers remain organizational: 99% intend to adopt AI, but 37% lack data quality, 32% face skill gaps, and 31% face emerging AI-specific threats (CrowdStrike: 89% surge in AI-enabled attacks). The technology is proven. Organizational readiness—architecture, process, people, trust—remains the binding constraint on broader adoption.

TIER HISTORY

Research: Jan-2020 → Jan-2020
Bleeding Edge: Jan-2020 → Apr-2024
Leading Edge: Apr-2024 → Oct-2025
Good Practice: Oct-2025 → present

EVIDENCE (123)

— GA release of CrowdStrike Falcon agentic security platform with new generation of AI agents. Defines agentic SOC architecture where analysts act as orchestrators directing AI agents that reason, decide, and act at machine speed.

AI-Human Collaboration in Modern SOCs (Research Papers)

— SANS institutional research examining AI-human collaboration necessity in SOCs. Uses SANS 2025 SOC Survey data (2,000+ practitioners) showing alert processing gap and adoption necessity.

— Senior vendor executive (Splunk Group VP - Asia) articulating current Agentic SOC vision with specific deployed capabilities, concrete performance metrics (64% faster detection, 55% faster incident resolution, 46% FP reduction).

— Named MSSP (CBTS) deployed Dropzone AI and saved 5,000 analyst hours in 6 months—concrete evidence of AI-driven triage automation at scale in a managed security services context.

— Two named customer deployments of Prophet AI SOC investigation platform with specific operational metrics (investigation volume, MTTI, analyst capacity freed, cost savings). Demonstrates AI investigation capabilities at scale.

— WEF industry report with 20 real-world case studies across 84 organizations; documents specific SOC efficiency and investigation speed improvements.

— Strong financial and adoption metrics for agentic security. CrowdStrike FY26 revenue $4.81B (22% YoY), ending ARR $5.25B (24% YoY), 50% module adoption rate signals ecosystem maturity and commercial traction.

— Gartner analyst recognition signals market maturity. CrowdStrike positioned furthest right for Completeness of Vision. Report highlights market shift from static threat intelligence reporting to operational, agentic systems.

HISTORY

  • 2020: AI-augmented SOC tools entered early production with cloud SOAR platforms (XSOAR, Azure Sentinel) integrating threat intelligence. 93% of surveyed SOCs adopted AI/ML for detection; 210% ROI documented for analyst augmentation. Practitioners emphasised that detection quality, not triage automation alone, was the limiting factor; human-machine teaming with retained analyst judgment was critical.

  • 2021: Alert fatigue persisted as the dominant SOC challenge; Trend Micro study of 2,303 security professionals found 70% emotionally overwhelmed by alert volume, with teams feeling understaffed. Tool maturity concerns surfaced as critical vulnerabilities in IBM QRadar Advisor (information disclosure, versions 1.1-2.6.1) highlighted implementation gaps. False positives remained the largest SOC bottleneck (>50% of analyst effort per ISACA), positioning AI's role as noise reduction rather than threat discovery.

  • 2022-H1: Platform maturity accelerated (Palo Alto Cortex XSIAM launch, QRadar Advisor updates) while alert fatigue crisis deepened: 59% of orgs received >500 daily alerts, 43% reported >40% false positives. Academic validation of "99% false positives" as core operational barrier. Adoption barriers emerged: 69% of analysts feared job loss; 3.5M unfilled cybersecurity roles documented talent shortage. Vendor and practitioner solutions advanced, but implementation and organisational change remained the limiting factors.

  • 2022-H2: Vendor threat intelligence and automated detection capabilities matured: VMRay-XSOAR malware analysis integration, Sophos vision for AI co-pilot workflows, and practitioner advances in threat actor profiling (MITRE ATT&CK). However, security implementation gaps persisted: critical vulnerabilities in IBM QRadar components (RCE, DoS) highlighted tool maturity concerns. Critical discourse highlighted AI overpromise—gaps between vendor claims and proven outcomes remained the barrier to mainstream adoption of SOC augmentation.

  • 2023-H1: LLM-driven threat intelligence automation emerged as research priority (Penn State, University of Guelph); Thales deployed 50-analyst CTI team on ThreatQuotient. Platform maturity advanced (Cortex XSOAR federal packaging, QRadar Advisor AI/ML updates). However, staffing crisis intensified: 77% of U.S. orgs operate SOCs with 3-5 analysts. Critical assessments challenged SOC effectiveness (9% attack detection rate, 45% false positives per Mandiant). Adoption barrier shifted from technical feasibility to organizational change management and analyst displacement concerns.

  • 2023-H2: Production deployments demonstrated maturity: Palo Alto's XSOAR automated 15% of alerts on 56 TB daily data; IBM QRadar achieved 85% alert prioritization automation with 55% faster triage for consulting clients, announcing GenAI integration for Q1 2024. Yet adoption barriers intensified: Vectra AI survey of 2,000 analysts revealed 4,484 daily alerts, 83% false positives, 67% unaddressed; Devo survey found 96% dissatisfied with SOC automation due to cost and scalability. Critical reassessment emerged: Treblle and tech analysts highlighted AI-washing in cybersecurity vendor claims, questioning real adoption progress. By year-end, platform maturity was proven but organizational readiness remained the limiting factor—staffing, burnout, tool sprawl, and skepticism of vendor claims.

  • 2024-Q1: Vendor consolidation accelerated (Cisco acquired Splunk, $28B) while agentic multi-agent architectures showed concrete ROI improvements: Sumo Logic achieved 166% ROI and 60-to-3-minute investigation time reduction via autonomous triage. MixMode/Ponemon survey revealed 22,000 weekly alerts with AI covering only ~50%; Palo Alto outlined five persistent deployment barriers (data scarcity, explainability, domain drift, expertise, false-positive collapse). Staffing crisis unabated; adoption progress slow despite platform maturity.

  • 2024-Q2: Post-acquisition product launches: Cisco/Splunk shipped Security Cloud Control (AI-native management) and HyperShield telemetry integration; Elastic, Rapid7, and others released generative AI and agentic platforms with measurable customer outcomes (34-73% investigation/triage improvements). SANS CTI survey identified adversary AI use as top priority and dark web sources surging (27% to 48%). Critical barriers remained: data consolidation, tool integration, explainability gaps. Staffing crisis persisted; 67% organizations testing GenAI but few scaling beyond pilots.

  • 2024-Q3: Splunk Attack Analyzer achieved GA with Cisco Talos integration, delivering 70% file scan reduction and false positive collapse at named customer (Southern Farm Bureau); Cisco/Splunk completed unified SOC platform positioning. CMU/SEI research validated AI feasibility for APT defense but emphasised implementation complexity. Threat intelligence sharing remained fragmented (91% recognize importance, 70% admit poor sharing); practitioner skepticism mounted on vendor claims of autonomous SOC capability. LLM limitations for threat classification became evident; augmentation (human-centric) distinguished from full automation. Staffing and organizational readiness remained binding constraints on broader adoption.

  • 2024-Q4: Vendor platforms demonstrated production scale: Intezer processed 5.4M alerts across 500+ customers (80.93% classification, 2m21s avg investigation); Dropzone AI, Rapid7, and Elastic shipped GA releases with measurable triage improvements (34-73% faster). Market demand remained strong (80% prefer platform-integrated GenAI, CrowdStrike 1000+ respondents). Critical adoption barriers persisted unresolved: alert volumes continued outpacing efficiency (97.6% report yearly increases), data consolidation and tool integration remained unfixed, and industry consensus shifted from "autonomous SOC" to "AI-assisted analyst" operating model. Practitioner assessments emphasized organizational change (data governance, skill development, realistic AI expectations) as the binding constraint, not technology maturity.

  • 2025-Q1: Vendor platform maturity continued: Rapid7's production SOC reported 99.93% auto-triage accuracy with 200+ analyst hours saved weekly. Independent CSA benchmark of 148 real analysts showed AI-assisted teams 45-61% faster with 22-29% higher accuracy; 94% became AI advocates. Market traction accelerated (Dropzone 10x ARR growth, Fortune 500 adoption). However, analyst research revealed ongoing friction: explainability gaps, concerns about AI hallucinations, and organizational barriers (data unification, process design) remained as binding constraints as technology proved viable. Consensus held: technology matured but organizational readiness (not capability) drives adoption velocity.

  • 2025-Q2: Vendor ecosystem matured with agentic AI announcements (Cisco Foundation AI, XDR enhancements, RSAC 2025 innovations). Adoption metrics improved: Ponemon survey showed 56% experienced improved threat prioritization, 51% higher SOC efficiency, 57% faster alert resolution. However, critical pilot-to-production gap emerged: Gartner predicted 30% of successful GenAI pilots abandoned by year-end 2025 due to business unreadiness. Operational surveys (Devo, BlinkOps) revealed persistent inefficiency: 84% of SOCs had duplicate investigations, 81% prioritized automation strategically but only 6% fully embedded it, 45% required 3+ months for deployment. Consensus shifted to "AI-assisted analyst" model with human-retained judgment; binding constraints remained organizational (data consolidation, legacy integration, skill development, process change) rather than technological capability.

  • 2025-Q3: Vendor platform innovation continued (Splunk .conf25 triage agents, SOAR playbook authoring, Malware Reversal Agent), and Dropzone AI demonstrated production traction across named enterprises. Gartner projected that 70% of SOC threat detection and response (TDR) functions will leverage multi-agent AI by 2028. However, the SANS survey revealed critical adoption gaps: 85% of SOCs operate reactively, 42% deploy AI without customization, and AI tools ranked at the bottom of satisfaction. Practitioner feedback cautioned against autonomous AI: an OpenText Director stressed AI's strength in anomaly detection and alert triage but its underperformance on novel threats and exposure to model-poisoning risks. Deployment quality lagged vendor claims; the technology proved valuable at organizational scale, but adoption velocity was blocked by data consolidation, integration complexity, process change, and skepticism about autonomous claims. Consensus remained "AI-assisted analyst" with human authority on critical decisions.

  • 2025-Q4: Vendor platform maturity continued with Splunk announcements (alpha agentic triage agents, SOAR playbook authoring, Malware Reversal Agent GA) and Dropzone AI's proven production deployment (MTTR <10 minutes, 2-minute investigations). Cloud Security Alliance released independent Q4 benchmark study demonstrating AI-assisted analyst teams 45-61% faster with 22-29% higher accuracy; 94% of analysts became AI advocates after hands-on experience. However, SANS survey (Dec 2025) documented persistent adoption friction: 97.6% of SOCs report yearly alert increases, 85% operate reactively, 42% deploy tools without customization, and AI tooling ranked at bottom of satisfaction. Critical discourse emphasized "automation theater" in vendor claims: effective AI implementation makes human verification seamless rather than eliminating judgment; genuinely autonomous SOCs remain infeasible. Consensus remained: "AI-assisted analyst" operating model with human authority retained, organizational readiness (data consolidation, process design, tool integration) the binding constraint on adoption velocity, not technology maturity.

  • 2026-Jan: Major vendor deployments advanced (CrowdStrike, Palo Alto, Zscaler, and Sophos all shipped agentic SOC capabilities by Q4 2025), and Dropzone AI scaled to 300+ enterprises (11x ARR growth). Symmetric IT Group demonstrated production metrics: 85% false-positive reduction, investigation time cut to 2-3 minutes. However, critical adoption barriers persisted: a Kaspersky survey showed 99% intend to adopt AI but face data scarcity (37%), personnel shortage (32%), and emerging AI threats (31%). McKinsey research highlighted the "GenAI divide"—only 6% of organizations report real business impact despite $200B+ investment; 90% remain in experimentation mode. Multi-agent attack campaigns were detected against 30 organizations with 80-90% autonomous capability. Consensus solidified: technology maturity peaked, but organizational readiness (data integration, governance, skilled personnel, realistic expectations) and adversarial AI risks became the binding constraints on broader adoption.

  • 2026-Feb: Dropzone AI refined production playbooks from 300+ deployments, distinguishing human-in-the-loop (HITL) for high-impact actions from human-on-the-loop (HOTL) for investigation triage. Cisco/Splunk survey of 650 CISOs validated adoption momentum: 92% enabling broader event review with AI, 39% of agentic AI adopters reporting doubled reporting speed. However, adversarial AI acceleration outpaced defensive deployment: CrowdStrike reported 89% surge in AI-enabled attacks with 29-minute breakout times (65% faster than 2024), signaling threat landscape maturation ahead of SOC augmentation. Critical adoption barriers remained quantified: Kaspersky survey (500+ orgs planning SOCs) confirmed 99% intend AI integration but faced data quality gaps (37%), personnel scarcity (32%), and emerging AI-specific threats (31%). Intezer's analysis of 25M+ production alerts found systemic triage limitations: ~1% of confirmed incidents originated from low-severity alerts, translating to ~50 real threats per organization annually remaining undetected despite AI-augmented systems.

  • 2026-Apr: Adoption breadth reached new survey highs — WEF/Accenture data from 804 leaders across 92 countries put AI deployment in cybersecurity at 77%, with threat intelligence (39%) and SOC automation (43%) as top use cases — yet a structural autonomy gap hardened. Gartner placed AI SOC agents at "Innovation Trigger" with just 1-5% market adoption; a Torq survey of SOC leaders found 94% using AI in SOCs but 80% dependent on disconnected point solutions and only 35% actually using it for triage despite 97% confidence it could handle it. Peer-reviewed research identified four socio-technical failure modes blocking AI-CTI in finance (shadow tool use, license-first adoption, analyst trust deficits, AI model security neglect). The positive signal was capability maturation at the frontier: Prophet Security demonstrated autonomous L2/L3 investigation correlating signals across 6-11 sources in under 5 minutes, and Dropzone AI compressed threat hunting cycles from 10-20 hours to roughly one hour via federated ML search — but Cisco's own data noted that security, not capability, is the primary blocker keeping 85% of enterprises' agent experiments from reaching production. SentinelOne Purple AI reached 50%+ new license mix and Microsoft Defender's Alert Triage Agent expanded to identity and cloud alerts; a BleepingComputer analysis confirmed that most AI SOCs still deliver triage speed only, with effective deployments (Jamf 90% automated) requiring unified workflow redesign — as 99% of SOCs use AI but 81% report increased analyst workloads, showing the execution gap between deployment and impact.

  • 2026-May: Vendor maturity signals and adoption evidence compounded: CrowdStrike's Fall 2025 Falcon GA defined the analyst-as-orchestrator model with AI agents acting at machine speed; Splunk's deployed agentic SOC reported 64% faster detection, 55% faster incident resolution, and 46% false-positive reduction; CBTS MSSP saved 5,000 analyst hours in six months with Dropzone AI; and the WEF documented SOC efficiency gains across 84 organisations spanning 20 case studies. The Gartner 2026 Magic Quadrant for Cyberthreat Intelligence Technologies elevated agentic threat intelligence to a distinct market category with CrowdStrike furthest right on vision. Simultaneously, research evidence clarified the capability ceiling: Microsoft's CTI-REALM benchmark revealed platform-specific detection engineering limits (28% on Azure vs. 58% on Linux), an independent Cyber Defense Benchmark confirmed frontier LLMs fail minimum thresholds against raw Windows telemetry, and Panther's vendor-critical analysis documented real hidden costs — six-month integration timelines, suppression drift, trust calibration failures — offsetting headline 60–85% alert reduction figures. SANS reframed the talent narrative: the binding constraint is not headcount but what existing teams don't know about operationalising AI, reinforcing organisational readiness as the sector's primary bottleneck.