AI for SOC, Where do we stand today ? 

 

A quiet revolution is underway in European SOCs. Faced with ever-growing volumes of security events and a persistent shortage of skilled experts, a new generation of AI-powered security tools is emerging, designed to identify correlations that human teams can no longer process alone. AI is not replacing analysts but accelerating and enhancing their work. Between ambitions of hyper‑automation, challenges around model transparency, and the growing push for European digital sovereignty, the landscape of detection and incident-response solutions is rapidly evolving.  

To support this ongoing market transformation, the French National Cybersecurity Agency (ANSSI) and the French National Cyber Coordination Center (NCC‑FR), hosted by ANSSI, have launched an ambitious initiative to provide a detail overview of how IA is used for SOC by conducting a thorough study [1] with major European players specializing in SOC‑oriented security solutions. 

The study had two main objectives: 

1. Identify European players developing solutions for SOCs that integrate AI-based features [2]. 
2. Build an overview of the use cases available on the market, including those offered by leading US vendors operating in Europe. 

This article summarises the key insights drawn from our study conducted among 48 detection and response solution vendors. 

Geographical distribution of the vendors interviewed

 

A booming European market undergoing consolidation  

 

The study covered 48 vendors. Among them, 34 are European companies (out of an initial pool of 72 European actors identified), while the remaining 14 are major US‑based vendors firmly established in Europe.  

The market shows clear signs of consolidation, marked by numerous acquisitions, most often involving European companies being acquired by US firms. These acquisitions primarily aim at reinforcing detection and response capabilities, expanding protection coverage, or, more marginally, integrating AI components directly dedicated to detection. Thus, vendors are converging towards a unified platform approach capable of addressing the full spectrum of SOC needs. 

 
Some European initiatives, such as the OPEN XDR alliance, aim at providing a collective response to platform‑related challenges without relying on acquisition strategies between vendors. 

Meetings held with vendors revealed several key insights. 

First, GenAI, or Generative AI (AI capable of generating original content from instructions), is starting to appear within SOC solutions, primarily through chatbots integrated into analysis interfaces; however, their capabilities remain highly limited and inconsistent. These chatbots almost always rely on external technologies, particularly LLMs provided by a small group of major players such as OpenAI, Google, Meta, Anthropic, or Mistral AI, who largely dominate the market. This reliance on third‑party solutions, which often involves transferring data to the environments of these providers, raises significant concerns regarding the protection of sensitive information handled within SOCs. 
To reduce this dependency, several vendors are now considering adopting open‑source LLMs that can be deployed directly within their own environments, enabling greater control over their data and keeping sensitive flows internally.

 

Overview of the LLMs used by the vendors 

 

Besides, the use of PredAI, or Predictive AI (AI capable of predicting or classifying an input based on “knowledge” acquired during a training phase), is considerably more mature. Some European vendors have been relying on such approaches for more than 15 years to support use cases ranging from behavioral detection to alert prioritization, demonstrating genuine maturity and established expertise. Most of these use cases focus on the detection phase, where predictive models are widely used, well mastered, and most relevant. 

In addition, several vendors are beginning to explore agentic approaches, with the ambition of gradually delegating part of the repetitive or time‑consuming tasks, particularly the initial qualification of alerts and some steps of the investigation process. 

Finally, these findings should be interpreted with caution: the vendors included in the study represent only a sample of this fast-evolving market.  

 

 

Overview of European vendors in Detection & Incident Response solutions using AI  

 

Overview of AI use cases in detection and incident response tools  

 

Overview of AI use cases in the SOC operations chain 

 

The study identified around 50 use cases that can fall under 2 main categories:  

• Use cases based on Predictive AI models, primarily designed for incident detection; 
• Use cases relying on Generative AI, which focus mainly on investigation and incident response tasks. 

Even though the use cases are diverse and hard to list exhaustively, several major categories can nonetheless be identified. Each of these categories is designed to address similar challenges and support the same objective.  

For incident detection, the following AI use case categories can be identified: 

• Detection of abnormal behaviour from users or assets; 
• Detection of anomalies in network traffic; 
• Detection of events suggesting a possible attack; 
• detectionof phishing attempts; 
• and detection of malicious files. 

A new category, regrouping usecases fully addressed by Generative AI, is currently emerging and often addressed by chatbot assistant. Vendors are currently concentrating most of their efforts on these analyst‑oriented assistants, into which they are progressively integrating a wide range of use cases. Their priority is to simplify access to documentation and provide answers to operational questions, as well as extend these capabilities towards more advanced qualification or investigation tasks. 

To achieve this, nearly all vendors follow the same approach by: 

• leveraging a third-party foundation model; 
• applying prompt engineering to make the best use of the model’s capabilities by guiding it towards specific topics; 
• and using RAG (Retrieval‑Augmented Generation), which customizes and enriches the model’s output by supplying it with an authoritative documentation base to create its responses. 

Last, some agentic use cases, based on autonomous agents, are beginning to appear even if they still remain limited. They are currently being addressed by the most advanced and mature vendors in the sector, as well as by start-ups seeking to disrupt the market. 

Unlike most vendors, who are gradually integrating AI use cases into an existing cybersecurity platform, these newcomers are betting on specialized AI-driven solutions designed to address a specific cybersecurity task. Among these use cases are agents dedicated to threat hunting, advanced malware analysis (including automated reverse engineering), as well as the initial qualification of alerts.  

Agentic use cases, however, remain only marginally deployed to date.  

 

To go deeper… 

 

ANSSI has published a comprehensive report detailing all the results of the study: https://cyber.gouv.fr/enjeux-technologiques/intelligence-artificielle/etude-de-marche-lia-au-service-de-la-detection-et-de-la-reponse-a-incident/ 

This document now serves as a key reference for understanding current trends and the future evolution of AI’s role in detection and incident response.  

Ultimately, the study highlights a European cybersecurity market that is undergoing rapid restructuring, driven by the rise of AI but also marked by a strong consolidation dynamic. Within this shifting landscape, AI continues to gain maturity across SOC tooling: from Predictive‑AI‑based detection use cases, to GenAI‑powered analytical assistants, all the way to early but promising agentic approaches. This trajectory confirms that intelligent automation will become a major lever for increasing operational efficiency and strengthening organizations’ ability to defend against tomorrow’s threats. 

 

References

[1] Study conducted from October 2024 to July 2025 – https://cyber.gouv.fr/enjeux-technologiques/intelligence-artificielle/etude-de-marche-lia-au-service-de-la-detection-et-de-la-reponse-a-incident/ 

[2] Artificial intelligence-based features : Set of features using machine learning models (ML, deep learning, LLM) capable of learning from data and producing new analyses, predictions or content.