Importantly, if a SOC’s detection engineering team operates in isolation from its threat intelligence cell, and its threat intelligence cell operates in isolation from its incident response unit, and none of them share a common operating picture, then layering AI on top does nothing to fix that fundamental disconnect. AI amplifies whatever structure it is placed within. A bad structure, amplified by AI, remains a bad structure. Only a unified, interconnected detection, investigation, and response framework—one supported by a unified data layer—will actually generate significant efficiency gains and allow AI to fulfill its promise of scaling security operations.
If AI operates in one tool but the investigation team works in a different tool, it speeds up only that part of the workflow while doing nothing about the handoff between those tools. If a SOC’s threat hunters cannot easily test hypotheses against the same data the investigation team relies on, AI in either workflow advances only that workflow. If a SOC’s remediation playbooks sit in a SOAR tool with no visibility into what the investigation tool determined, AI-driven remediation acts on outdated context.
The fix is to connect these stages. Piling more AI onto an already fragmented architecture only amplifies the underlying problem. That unifying connective layer is what the “second wave” refers to. The first wave brought AI to individual stages. The second wave brings AI that spans across all stages.
What the second wave must look like
The five stages of the SOC must function as a single, integrated agentic fabric rooted in the customer’s own environment. Every closed investigation sharpens the next detection. Every threat-hunting finding refines the next intelligence cycle. Every remediation action informs the playbook the next agent draws from. The SOC builds on itself.
In practice, a platform constructed this way sits atop the SIEM, EDR, identity, cloud, ticketing, and threat-intel stack an organization already owns, supplementing it rather than replacing it. This connective layer is what enables each stage to feed the next instead of functioning in isolation. Where this architecture exists, SOCs report tighter investigations completed more quickly, detections that get surfaced and fine-tuned rather than left silent or generating noise, threat hunts that operate continuously rather than in periodic bursts, and remediation carried out within defined guardrails with full reasoning logs and audit-ready decision records.
The second wave of AI in the SOC must be defined by architecture, not by feature lists. The vendors and platforms that figure that out will be the ones whose customers move from “some value” to “excellent value” in next year’s benchmarks.
Spotlight: End-to-End Agentic AI for Security Operations
One platform built around this architecture is Conifers’ end-to-end agentic SOC, introduced in May 2026 on its CognitiveSOC™ platform. Instead of layering AI onto a single stage, it weaves threat intelligence, threat hunting, detection engineering, investigation, and remediation into one unified operating fabric rooted in each customer’s institutional knowledge. These five functions pass context to one another, so hunts shape detections, investigations sharpen future detections, and remediation executes within customer-defined guardrails rather than rigid, static playbooks.
Governance is embedded from the ground up. Every agent action carries a reasoning chain and an evidence trail, and customers define the scope and level of authority each agent operates under, gradually expanding autonomy as trust grows. That is the shift from human-in-the-loop oversight to human-on-the-loop oversight. The system operates on top of the stack a SOC already owns, with over 60 integrations across EDR, identity, cloud, email, and ITSM, and no rip-and-replace migration required.
The window is closing faster than most SOCs think
Adversaries are not waiting for the second wave to arrive. Google’s Threat Intelligence Group disclosed the first confirmed AI-developed zero-day exploit earlier this year. Anthropic’s Claude Mythos preview is identifying critical vulnerabilities at machine speed. JPMorgan’s CISO published an open letter in April 2025 warning that the economics of cyber risk are shifting and that security buyers should demand secure-by-default products rather than accept the current pace of rushed feature rollouts.
Defenders running first-wave AI inside a fragmented SOC will be the ones explaining what went wrong the morning after a breach. Defenders running second-wave AI as a connected fabric, with institutional knowledge built into the loop and governance embedded from the start, will be the ones who saw it coming. The 10% figure in the SOC-CMM 2026 report is a signal about the architecture most SOCs currently run. It is also a signal about which side of the next breach narrative each SOC will find itself on.
Visit Conifers.ai to request a demo and experience the power of a full-lifecycle agentic SOC.
Frequently Asked Questions
Why are most SOCs reporting limited value from AI in 2026?
The SOC-CMM 2026 Maturity Report found that roughly 71% of SOCs see only partial value or no value at all from their AI deployments. The root cause is architectural, not technological. Most SOCs deployed AI as features embedded in individual products such as SIEMs, EDRs, and ticketing systems. Each feature sped up its own piece of the workflow. None of them shared context across stages. The transitions between threat intelligence, detection engineering, investigation, and remediation—where most SOC time is spent—did not improve. AI accelerated the silos without linking them. That is what generates “some value” instead of excellent value.
What does “second wave AI” in the SOC mean?
Second wave AI in the SOC refers to agentic AI that operates across the entire SOC lifecycle rather than being confined to a single stage. The five stages of the SOC—threat intelligence, threat hunting, detection engineering, investigation, and remediation—run as one interconnected fabric. Agents share context freely. Closed investigations sharpen future detections. Threat-hunting findings update intelligence cycles. Remediation actions feed back into the playbook the next agent draws from. The SOC builds on itself. This is the architectural pattern shared by the roughly 10% of SOCs reporting excellent value from AI in the SOC-CMM 2026 data.
Is the problem that SOCs are not buying enough AI?
No. The SOC-CMM 2026 data shows AI adoption surging across every category, with off-the-shelf LLMs up 55%, AI co-pilots up 145%, and AI agents up 118% year over year. SOCs are investing heavily. The problem is that adoption is outpacing operational maturity. Two-thirds of SOCs are deploying off-the-shelf AI within an existing security stack without changing anything else around it. That group reports the least value. Buying more AI without rethinking the architecture it operates within compounds the original problem rather than solving it.
How does institutional knowledge change AI SOC outcomes?
Generic AI produces generic investigations. A detection rule that catches real threats in one environment may flag routine activity in another. An investigation that escalates correctly in one organization may miss the right answer in another. AI systems that continuously absorb and retain dynamic institutional knowledge—the assets that matter, the analysts whose judgment shaped past incidents, the sanctioned actions, the escalation criteria, the historical incident outcomes—produce investigation results that align with how a specific SOC operates. AI without that grounding produces the average of the internet, which is the wrong answer in most environments. Institutional knowledge is the difference between AI that generates noise and AI that generates decisions.
What should CISOs ask before buying their next AI SOC tool?
Three questions matter most. Does this AI operate across the full SOC lifecycle, or only within one stage of it? How does the AI learn and retain the institutional knowledge of the organization’s specific environment, and what happens to that knowledge when analysts leave? Can the team audit every agent action with a defensible reasoning trace, and can it govern agent autonomy in stages as trust builds? A vendor that cannot give clear answers to all three is selling first-wave AI, regardless of what the marketing claims.
What is the agentic SOC, and how is it different from a SOAR or AI co-pilot?
The agentic SOC is the category of security operations platform where AI agents act as decision-makers across the SOC lifecycle, not as assistants confined to a single product. A SOAR automates predefined workflows using static playbooks. An AI co-pilot accelerates an analyst’s individual tasks. An agentic SOC runs agents that reason through investigations, surface and tune detections, threat hunt continuously, and remediate within customer-defined guardrails—all while sharing context across stages. Analysts shift from being “in the loop” on every step to being “on the loop” overseeing the system.
How quickly can a SOC move from first-wave AI to second-wave AI?
Faster than most teams expect. The shift is architectural, not a rip-and-replace. The connective layer that turns point-solution AI into an agentic fabric does not require purchasing new tools or replacing existing ones. It requires linking what the SOC already owns into a system whose outputs compound, with each stage feeding the next. Most SOCs underestimate how quickly the shift can happen once that architecture is in place.