{"id":29280,"date":"2026-03-04T12:15:02","date_gmt":"2026-03-04T11:15:02","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=29280"},"modified":"2026-03-06T11:23:09","modified_gmt":"2026-03-06T10:23:09","slug":"integrating-ai-into-soc-tools-state-of-the-art-technology-and-current-trends-in-the-european-market","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/03\/integrating-ai-into-soc-tools-state-of-the-art-technology-and-current-trends-in-the-european-market\/","title":{"rendered":"Integrating AI into SOC tools:\u00a0Global overview\u00a0and current trends in the European market\u00a0"},"content":{"rendered":"\n

AI for SOC, Where do we stand today ?<\/span>\u00a0<\/span><\/h1>\n

\u00a0<\/p>\n

A\u00a0quiet\u00a0revolution\u00a0is underway in\u00a0European\u00a0SOCs. Faced with ever-growing volumes of\u00a0security\u00a0events\u00a0and a persistent shortage\u00a0of\u00a0skilled\u00a0experts,\u00a0a new generation\u00a0of\u00a0AI-powered\u00a0security\u00a0tools is\u00a0emerging,\u00a0designed to\u00a0identify\u00a0correlations that human teams can no longer\u00a0process alone.\u00a0<\/span>AI is not replacing analysts but<\/span><\/b>\u00a0<\/span>accelerating and enhancing their work<\/span><\/b>. Between ambitions of hyper\u2011automation, challenges around model transparency, and the growing push for European digital sovereignty, the landscape of detection and incident-response solutions is\u00a0rapidly\u00a0evolving.\u00a0<\/span>\u00a0<\/span><\/p>\n

To support this ongoing market transformation, the French National Cybersecurity Agency (ANSSI) and\u00a0the French National Cyber Coordination Center (NCC\u2011FR),<\/strong><\/a>\u00a0hosted by ANSSI,\u00a0have launched an ambitious initiative to\u00a0provide\u00a0a\u00a0detail\u00a0overview of\u00a0how IA is used for SOC\u00a0by conducting a\u00a0thorough\u00a0stud<\/span>y [1]<\/span><\/span>\u00a0<\/span>with major European players specializing in SOC\u2011oriented security solutions.<\/span>\u00a0<\/span><\/p>\n

The study had\u00a0two\u00a0main\u00a0objectives:<\/span>\u00a0<\/span><\/p>\n

    \n
  1. Identify European players developing solutions for SOCs that integrate AI-based features\u00a0<\/span>[2]<\/span>.<\/span>\u00a0<\/span><\/li>\n
  2. Build an overview of the use cases\u00a0available\u00a0on the market, including\u00a0those offered\u00a0by leading US vendors\u00a0operating\u00a0in Europe.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

    This article\u00a0summarises\u00a0the key insights drawn from our study conducted among 48 detection and response solution vendors.<\/span><\/b>\u00a0<\/span><\/p>\n

    \"\"Geographical<\/span><\/span> distribution of the vendors interviewed<\/span><\/span><\/em><\/p>\n

    \u00a0<\/p>\n

    A booming European market undergoing consolidation<\/span>\u00a0<\/span>\u00a0<\/span><\/h1>\n

    \u00a0<\/p>\n

    The\u00a0study covered 48\u00a0vendors.\u00a0Among them,\u00a034\u00a0are European\u00a0companies\u00a0(out of\u00a0an initial\u00a0pool of 72 European\u00a0actors\u00a0identified), while the remaining 14 are major US\u2011based vendors firmly\u00a0established\u00a0in Europe.\u00a0<\/span>\u00a0<\/span><\/p>\n

    The market\u00a0shows\u00a0clear signs\u00a0of consolidation, marked by\u00a0numerous\u00a0acquisitions, most often involving European companies being\u00a0acquired\u00a0by US firms. These acquisitions primarily\u00a0aim\u00a0at\u00a0reinforcing\u00a0detection and response capabilities,\u00a0expanding\u00a0protection coverage, or, more marginally,\u00a0integrating\u00a0AI components directly dedicated to detection.\u00a0<\/span>Thus,<\/span><\/b>\u00a0v<\/strong>endors are\u00a0converging towards\u00a0a unified platform approach capable of addressing the full spectrum of SOC needs.<\/span><\/b>\u00a0<\/span><\/p>\n

    \u00a0
    Some European initiatives, such as the OPEN XDR alliance, aim\u00a0at\u00a0providing\u00a0a collective response to platform\u2011related challenges without relying on acquisition strategies between\u00a0vendors.<\/span>\u00a0<\/span><\/p>\n

    Meetings\u00a0held with vendors\u00a0revealed several key\u00a0insights.<\/span><\/b>\u00a0<\/span><\/p>\n

    First, GenAI, or Generative AI<\/strong> (AI capable of generating original content from instructions),\u00a0is starting to appear within SOC solutions,<\/strong> primarily through chatbots integrated into analysis interfaces; however, their capabilities\u00a0remain\u00a0highly limited and inconsistent. These chatbots\u00a0almost always\u00a0rely on external technologies, particularly LLMs provided by a small group of major players such as OpenAI, Google, Meta, Anthropic, or Mistral AI, who\u00a0largely dominate\u00a0the market. This reliance on third\u2011party solutions,\u00a0which often involves transferring data to the environments of these\u00a0providers,\u00a0raises significant concerns\u00a0regarding\u00a0the protection of sensitive information handled within SOCs.<\/span>\u00a0
    To reduce this dependency, several vendors are now considering adopting open\u2011source LLMs that can be deployed directly within their own environments, enabling greater control over their data and keeping sensitive flows\u00a0internally.<\/span><\/p>\n

    \u00a0<\/p>\n

    \"\"<\/p>\n

    Overview of the LLMs used by the vendors<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

    \u00a0<\/p>\n

    Besides, the\u00a0use\u00a0of\u00a0<\/span>PredAI,\u00a0or\u00a0Predictive\u00a0AI<\/span><\/b>\u00a0(AI capable of predicting or classifying\u00a0an\u00a0input\u00a0based on\u00a0“knowledge”\u00a0acquired\u00a0during a\u00a0training\u00a0phase),\u00a0is\u00a0considerably more\u00a0mature. Some European vendors have been relying on such approaches for more than\u00a0<\/span>15<\/strong> years to support use cases ranging from behavioral detection to alert prioritization, demonstrating genuine maturity and established expertise. Most of these use cases focus on the detection phase, where predictive models are widely used, well mastered, and most relevant.<\/span>\u00a0<\/span><\/p>\n

    In addition, several vendors are beginning to explore agentic approaches, with the ambition of gradually delegating part of the repetitive or time\u2011consuming tasks, particularly <\/span>t<\/span><\/b>he\u00a0initial\u00a0qualification\u00a0of alerts and\u00a0some\u00a0steps of the investigation process.<\/span><\/b>\u00a0<\/span><\/p>\n

    Finally, these\u00a0findings\u00a0should be interpreted with caution: the vendors\u00a0included\u00a0in the study represent only a\u00a0sample\u00a0of this\u00a0fast-evolving\u00a0market.<\/span> \u00a0<\/span><\/p>\n

    \u00a0<\/p>\n

    \"\"<\/p>\n

    \u00a0<\/p>\n

    Overview of\u00a0<\/span>European<\/span>\u00a0vendors in Detection & Incident Response solutions<\/span>\u00a0using AI<\/span><\/span>\u00a0<\/span><\/em>\u00a0<\/span><\/p>\n

    \u00a0<\/h1>\n

    Overview\u00a0of AI\u00a0use\u00a0cases in\u00a0detection\u00a0and incident\u00a0response tools\u00a0<\/span>\u00a0<\/span><\/h1>\n

    \"\"<\/p>\n

    \u00a0<\/p>\n

    Overview of AI use cases in the SOC operations chain<\/span><\/i>\u00a0<\/span><\/p>\n

    \u00a0<\/p>\n

    The study\u00a0identified\u00a0around\u00a0<\/span>50\u00a0use cases<\/span><\/b>\u00a0that can fall under 2 main\u00a0categories:\u00a0<\/span>\u00a0<\/span><\/p>\n