Integrating AI into SOC tools: State of the art technology and current trends in the European market

AI for SOC: where do we stand today?


A quiet revolution is underway in European SOCs. Faced with ever-growing volumes of security events and a persistent shortage of skilled experts, a new generation of AI-powered security tools is emerging, designed to identify correlations that human teams can no longer process alone. AI is not replacing analysts but accelerating and enhancing their work. Between ambitions of hyper‑automation, challenges around model transparency, and the growing push for European digital sovereignty, the landscape of detection and incident‑response solutions is evolving at breakneck speed.  

To support this ongoing market transformation, the French National Cybersecurity Agency (ANSSI) and the French National Cyber Coordination Center (NCC‑FR) hosted by ANSSI have launched an ambitious initiative to capture the state of the art by conducting a structured study with major European players specializing in SOC‑oriented security solutions. 

The study had two main objectives: 

  1. Identify European players developing solutions for SOCs that integrate AI-based features. 
  2. Build an overview of the use cases available on the market, including those offered by leading US vendors operating in Europe. 

A booming European market undergoing consolidation  


The study covered 48 vendors. Among them, 34 originate from the European market (out of an initial pool of 72 European actors identified), while the remaining 14 are major US‑based vendors firmly established in Europe. The market shows clear signs of consolidation, marked by numerous acquisitions, most often involving European companies being acquired by US firms. These acquisitions primarily aim to reinforce detection and response capabilities, expand protection coverage, or, more marginally, integrate AI components directly dedicated to detection. Vendors are therefore converging toward a unified platform approach capable of addressing the full spectrum of SOC needs. 

Some European initiatives, such as the OPEN XDR alliance, aim to provide a collective response to platform‑related challenges without relying on acquisition strategies between actors. 

Meetings held with vendors revealed several key insights:


First, GenAI, or Generative AI (AI capable of generating original content from instructions), is starting to appear within SOC solutions, primarily through chatbots integrated into analysis interfaces; however, their capabilities remain highly limited and inconsistent. These chatbots almost always rely on external technologies, particularly LLMs provided by a small group of major players such as OpenAI, Google, Meta, Anthropic, or Mistral AI, who largely dominate the market. This reliance on third‑party solutions, which often involves transferring data to the environments of these providers, raises significant concerns regarding the protection of sensitive information handled within SOCs. 
To reduce this dependency, several vendors are now considering adopting open‑source LLMs that can be deployed directly within their own environments, enabling greater control over their data and keeping sensitive flows internally. 


Next, the use of PredAI, or Predictive AI (AI capable of predicting or classifying an input based on “knowledge” acquired during a training phase), is considerably more mature. Some European vendors have been relying on such approaches for more than fifteen years to support use cases ranging from behavioral detection to alert prioritization, demonstrating genuine maturity and established expertise. Most of these use cases remain concentrated in the detection phase, where predictive models are currently the most widely leveraged, best mastered, and most relevant. 

In addition, several vendors are beginning to explore agentic approaches, with the ambition of gradually delegating part of the repetitive or time‑consuming tasks, particularly the initial qualification of alerts and certain steps of the investigation process. 

Finally, these observations should be interpreted with caution: the vendors engaged in the study represent only a fraction of the technological dynamism currently shaping the market. 

Figure 2: Overview of European vendors in Detection & Incident Response solutions


Overview of AI use cases in detection and incident response tools  

Figure 3: Overview of AI use cases in the SOC operations chain


The study identified around fifty use cases. Within detection and incident response tools, a clear distinction emerges between two main families of use cases:

  • Those based on Predictive AI models, primarily designed for incident detection; 
  • and those relying on Generative AI, which are generally oriented toward investigation and incident response tasks. 

Even though the use cases are numerous and difficult to list exhaustively, several major categories can nonetheless be identified. Each of these clusters is designed to address similar challenges and pursue the same objective.  

For incident detection, AI is used for: 

  • detecting abnormal behaviour from users or assets; 
  • detecting anomalies in network traffic; 
  • detecting events indicative of an attack;
  • detecting phishing attempts; 
  • and detecting malicious files. 
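The first item in this list, abnormal user or asset behaviour, together with the alert-prioritization use case mentioned earlier, is the kind of task Predictive AI has handled longest. The following is an added illustration written for this page, not code from the ANSSI study or from any vendor surveyed: it learns a per-user logon baseline (usual hours, usual hosts) from a constructed history, scores new events by their deviation from that baseline, and ranks the ones above a threshold for analyst review. The event data, the z-score weighting and the threshold are all assumptions made for the example.

```python
"""Added example (not from the ANSSI study or any vendor product): a minimal
behavioural baseline for user logons with deviation scoring and ranking.
All events below are constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical logons: (user, hour_of_day, host)
HISTORY = [
    ("alice", 9, "ws-01"), ("alice", 10, "ws-01"), ("alice", 8, "ws-01"),
    ("alice", 9, "ws-01"), ("alice", 11, "ws-02"), ("alice", 10, "ws-01"),
    ("bob", 20, "srv-db"), ("bob", 21, "srv-db"), ("bob", 19, "srv-db"),
    ("bob", 20, "srv-db"), ("bob", 21, "srv-db"), ("bob", 22, "srv-db"),
]

# Constructed new events to score against the baseline
NEW_EVENTS = [
    ("alice", 10, "ws-01"),    # normal hour, known host
    ("alice", 3, "srv-db"),    # night-time logon to a host alice never used
    ("bob", 21, "srv-db"),     # normal for bob
    ("mallory", 12, "ws-01"),  # no history at all
]


def build_baselines(events):
    """Per-user mean/sd of logon hour and the set of hosts seen (the 'training' phase)."""
    per_user = defaultdict(list)
    for user, hour, host in events:
        per_user[user].append((hour, host))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for h, _ in rows]
        baselines[user] = {
            "mean_hour": mean(hours),
            # floor the spread at one hour so a very regular user does not
            # make every small shift look extreme
            "sd_hour": max(pstdev(hours), 1.0),
            "hosts": {host for _, host in rows},
        }
    return baselines


def score_event(baselines, user, hour, host):
    """Return (score, reasons). Higher means further from the user's baseline."""
    base = baselines.get(user)
    if base is None:
        # no baseline yet: cannot be judged normal, so rank it for a look
        return 3.0, ["no baseline for user"]
    reasons = []
    z = abs(hour - base["mean_hour"]) / base["sd_hour"]
    score = z
    if z > 2:
        reasons.append(f"logon hour {hour} is {z:.1f} sd from baseline")
    if host not in base["hosts"]:
        score += 2.0  # assumed weight for a never-before-seen host
        reasons.append(f"first logon to {host}")
    return round(score, 2), reasons


def triage(history, new_events, threshold=2.0):
    """Score new events and return those above threshold, highest first
    (the prioritization step an analyst assistant would surface)."""
    baselines = build_baselines(history)
    ranked = []
    for user, hour, host in new_events:
        score, reasons = score_event(baselines, user, hour, host)
        if score >= threshold:
            ranked.append((score, user, hour, host, reasons))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, user, hour, host, reasons in triage(HISTORY, NEW_EVENTS):
        print(f"{score:>5}  {user:<8} {hour:>2}h  {host:<7} {'; '.join(reasons)}")
```

The point of the ranking rather than a plain yes/no is the one the study makes about prioritization: the model does not decide, it orders what the analyst looks at first, and the reasons attached to each score are what keeps the output reviewable.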

While each of these groups serves a single purpose, another aggregate is emerging in which the full range of use cases is addressed through Generative AI, particularly via chatbot assistants. Vendors are currently concentrating much of their effort on these analyst‑oriented assistants, into which they are progressively integrating multiple use cases. Their priority is first to simplify access to documentation and provide answers to operational questions, before extending these capabilities toward more advanced qualification or investigation tasks.

To achieve this, nearly all vendors follow the same approach: 

  • leveraging a third-party foundation model; 
  • applying prompt engineering to make the best use of the model’s capabilities by guiding it toward specific topics; 
  • and using RAG (Retrieval‑Augmented Generation), which customizes and enriches the model’s output by supplying it with a prioritized documentation base to ground its responses. 
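To make the three steps concrete, and to tie them back to the data-protection concern raised earlier about third-party LLMs, here is an added example written for this page (it is not code from the study or from any vendor's assistant). It implements the RAG part of the pipeline as a small retrieval step over a constructed, priority-weighted documentation base, wraps the result in a grounding prompt (the prompt-engineering step), and adds a data-minimisation pass that masks IP addresses, e-mail addresses and domain accounts before the text is handed to an external model. The documentation entries, priorities, scoring rule and redaction patterns are all assumptions made for the example; the call to the foundation model itself is left to the caller.

```python
"""Added example (not from the ANSSI study or any vendor): retrieval over a
prioritised documentation base, a grounding prompt, and data minimisation
before anything leaves the SOC. All documents and inputs are constructed."""
import re
from collections import Counter

# Constructed documentation base: (priority, title, text).
# Internal runbooks get a higher priority than generic material.
DOC_BASE = [
    (3, "Runbook: suspicious PowerShell",
     "Qualify PowerShell alerts by checking the parent process and the encoded "
     "command. Escalate if the host is a domain controller."),
    (2, "Playbook: phishing triage",
     "Collect the original email headers and attachments, then check the "
     "sender domain age and reputation."),
    (1, "Glossary",
     "A SOC is a security operations center. An alert is a notification "
     "produced by a detection rule."),
    (3, "Runbook: lateral movement",
     "Lateral movement alerts combine remote logons with new service creation. "
     "Check source host and account."),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")
STOPWORDS = {"a", "an", "the", "is", "do", "i", "how", "on", "and", "of",
             "to", "by", "if", "this", "from", "then"}


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS]


def score(query_tokens, doc_tokens, priority):
    """Term overlap weighted by documentation priority (assumed scoring rule)."""
    overlap = sum((Counter(query_tokens) & Counter(doc_tokens)).values())
    return overlap * priority


def retrieve(question, k=2):
    """Return the k best-matching (title, text) pairs; drop zero-score documents."""
    q = tokenize(question)
    scored = [(score(q, tokenize(text), prio), title, text)
              for prio, title, text in DOC_BASE]
    scored.sort(key=lambda s: s[0], reverse=True)  # stable sort keeps base order on ties
    return [(title, text) for s, title, text in scored[:k] if s > 0]


# Data minimisation: assumed patterns for the sensitive values most common
# in SOC questions. Applied only when the prompt is bound for an external model.
REDACTIONS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "<EMAIL>"),
    (re.compile(r"\b[A-Za-z0-9_-]+\\[A-Za-z0-9_.-]+"), "<ACCOUNT>"),
]


def minimise(text):
    for pattern, token in REDACTIONS:
        text = pattern.sub(token, text)
    return text


def build_prompt(question, external_model=False):
    """Assemble a grounded prompt. Retrieval always runs internally on the raw
    question; only the text that leaves the SOC is minimised. Note that the
    retrieved runbook excerpts are sent too, which is exactly the exposure the
    study describes and why an internally hosted model avoids it."""
    docs = retrieve(question)
    context = "\n".join(f"[{title}] {text}" for title, text in docs)
    q = minimise(question) if external_model else question
    prompt = (
        "Answer only from the documentation below. If it does not cover the "
        "question, reply 'not covered'.\n"
        f"Documentation:\n{context}\n\nQuestion: {q}\n"
    )
    return prompt, [title for title, _ in docs]


if __name__ == "__main__":
    p, titles = build_prompt(
        "Qualify this PowerShell alert from CORP\\jdoe on host 10.1.2.3",
        external_model=True)
    print(titles)
    print(p)
```

Grounding the model on a documentation base is what makes the assistant's answers checkable: the returned titles tell the analyst which runbook the answer came from. The minimisation pass is a partial measure only; the retrieved context still carries internal material, which is the reason the study reports vendors moving toward open-source models deployed in their own environment.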

Finally, although still limited, so-called agentic use cases, based on autonomous agents, are beginning to emerge. They are currently offered primarily by the most advanced and mature vendors in the sector, as well as by start-ups seeking to disrupt the market. 

Unlike the majority of vendors, who are gradually integrating AI use cases into an existing cybersecurity platform, these new entrants are betting on specialized AI-driven solutions designed to address a specific cybersecurity task. Among these use cases are agents dedicated to threat hunting, advanced malware analysis (including automated reverse engineering), as well as the initial qualification of alerts.  

These use cases, however, remain only marginally deployed to date.  


To go deeper… 


ANSSI has published a comprehensive report detailing all the results of the study: https://cyber.gouv.fr/enjeux-technologiques/intelligence-artificielle/etude-de-marche-lia-au-service-de-la-detection-et-de-la-reponse-a-incident/ 

This document now serves as a key reference for understanding current trends and the future evolution of AI’s role in detection and incident response.  

Ultimately, the study highlights a European cybersecurity market that is undergoing rapid restructuring, driven by the rise of AI but also marked by a strong consolidation dynamic. Within this shifting landscape, AI continues to gain maturity across SOC tooling: from Predictive‑AI‑based detection use cases, to GenAI‑powered analytical assistants, all the way to early but promising agentic approaches. This trajectory confirms that intelligent automation will become a major lever for increasing operational efficiency and strengthening organizations’ ability to defend against tomorrow’s threats. 
