Technology thesis · Cybersecurity
medium conviction · emerging
AI-native security operations
Agentic SOC tooling went mainstream at RSAC 2026 as CrowdStrike, Cisco and Palo Alto all shipped it; the unsolved problem is moving agents from pilot to trusted production at scale.
Position maintained continuously · last reviewed Jun 24, 2026
The thesis
State of the art (2026)
By mid-2026 the SOC is agentic. At RSAC 2026 CrowdStrike, Cisco and Palo Alto Networks all shipped autonomous SOC tooling: Charlotte AI Detection Triage now triages detections at 98%-plus accuracy, Palo Alto extended Cortex AgentiX – launched in October 2025 – with new agentic SOC capabilities in February, and Microsoft reframed Security Copilot around an agentic SOC in April. The demand driver is structural – ISC2 put the 2025 workforce gap at a record 4.8 million – but deployment lags the hype. RSAC surveys showed roughly 85% of enterprises running agent pilots and only about 5% in production, because no vendor yet defines a behavioural baseline for what normal agent activity looks like. Enterprises are blocked by trust and accountability, not raw model capability.