Panther pounces on push to position agents as primary workers in the SOC
CEO and founder of closed-loop AI security architecture Panther Jack Naglieri thinks that security teams should be reorganising themselves around AI agents in the security operations centre (SOC).
The Computer Weekly Developer Network (CWDN) spoke to him to find out how that suggestion breaks down, how it manifests itself in the real world… and what happens next in terms of how this shift changes where chief information security officers (CISOs) decide to invest next.
First, the basics…
Most security operations programs run on a tax most software engineering leaders have learned to accept.
New analysts spend weeks learning a Security Information and Event Management (SIEM) process, a company’s Endpoint Detection and Response (EDR) stance, its identity stack, ticketing system and the runbooks that have been accumulated over the years.
Naglieri says that this reality is what happens in most cases… and so once teams are up to speed, the majority of their day goes toward manual alert triage and the context reconstruction that surrounds it. Threat hunting is reserved for the most senior people on the team, the ones you can least afford to pull off everything else.
But we need to look deeper.
“Cloud posture, compliance verification and continuous monitoring sit on the wishlist, perpetually deprioritised because there is no one to assign to them. The work that improves the program competes for time with the work that keeps it running, and the work that keeps it running almost always wins,” said Naglieri.
The cost of this tax is invisible on most balance sheets. It surfaces as long ramp times, analyst attrition, knowledge that walks out the door when someone changes jobs, and gaps in coverage that no one is responsible for closing.
Naglieri says that security teams have spent the last decade trying to engineer around the tax with better runbooks, tighter integrations and security orchestration, automation and response (SOAR) automations. Each one helped at the margin.
None of them changed the underlying constraint.
Agents as primary workers
“What is changing now is the role agents play in the workflow,” Naglieri says. “Most early AI deployments treated agents as assistants. The analyst remained the worker. The agent generated suggestions, drafted summaries and accelerated specific steps. The work itself still belonged to the human.”
He reminds us that the teams getting real leverage from agents have inverted that model. Agents are becoming the primary workers across the SOC’s operational surface. They run the alert queue and hand off only what requires human judgment.
They run continuous investigations against the data lake without waiting for a rule to fire. They read identity context, query asset inventory, and assemble a complete analysis before an analyst sees the alert. The analyst confirms, redirects, or escalates.
They no longer reconstruct.
“This is a fundamentally different operating model from ‘AI-assisted’. It moves the analyst from production to oversight, and from individual contributor to systems builder. The output of the team scales with the agent platform’s capacity, rather than with how many analysts you have on shift,” said Naglieri.
The leverage in this shift comes from a property most point tools cannot offer. A strong agent platform extends the same foundation (the data lake, the tool access, the learned context) across multiple programs that have historically required separate teams or separate budgets.
Hunting for unknown unknowns
Naglieri suggests that the same agents triaging alerts can hunt continuously for unknown unknowns. The same infrastructure can run cloud posture evaluations against policy on a rolling basis, surfacing drift before it becomes an exposure.
It can verify that compliance controls are operating as required, not just that they are configured. It can serve as the always-on investigative layer that continuous monitoring frameworks expect but that most teams can only approximate today.
Each of these used to live in its own tool, with its own onboarding cost and its own context boundary. Run them on a shared agent platform, and the baselines, identity context, and historical data each program needs are already there for the next one.
“This is what compounding looks like at the program level. Investments in detection feed hunting. Investments in hunting feed posture management. Investments in posture management feed compliance verification. A security leader is no longer buying five tools that solve five problems independently,” said Naglieri.
They are buying a foundation that gets stronger every time a new program is layered onto it.
What should CISOs think?
The decision in front of most security leaders right now is not whether to deploy AI in the SOC. That deployment is happening across the industry, with or without an explicit strategy. The decision is whether to deploy it as a series of point integrations bolted onto existing tools, or as a platform that becomes the operational centre of gravity for the program.
“The point-tool path is easier in the short term and produces measurable wins quickly. The platform path requires more upfront investment in the data layer and agent infrastructure, but the leverage compounds. Every new use case extends the same foundation, costs less to onboard than the last one, and contributes context that strengthens the others. Over a two-to-three-year horizon, the gap between the two approaches becomes the gap between a security program that scales with attacker pressure and one that scales only with headcount,” concluded Naglieri.
The shift is not a replacement of analysts.
Naglieri has positioned these thoughts and further stated that the shift moves the work agents do well to agents… and that it also frees analysts to operate at the level the role was always supposed to occupy.
The teams making that shift now are the ones building leverage that compounds. The teams waiting are accumulating more of the same tax.
