Evolving Security Operations with Continuous Improvement and Intelligence

Security Operations Centres (SOCs) must evolve rapidly to keep pace with today’s threat landscape. As threats grow more complex and budgets remain under pressure, CISOs are increasingly looking to AI-powered SOCs, automation and managed security services to advance their defensive capabilities. Our Global Head of SOC, who recently shared his experience as part of Telefónica Tech’s CISO Series, challenged the traditional SOC model and showed how a reimagined, AI-enhanced SOC can deliver continuous, tangible improvement while staying budget-conscious. This article summarises his insights from that session.

1. From Static Managed Security Services to Continuous Improvement with AI

Security Operations Centres (SOCs) are under pressure to do more with less: defend faster, adapt quicker, and deliver consistent outcomes. The problem? Many Managed Security Services (MSS) contracts aren’t built for change. They deliver the same static outputs year after year, often with little meaningful improvement.

Traditional MSS contracts prioritise operational stability over evolution, focusing on consistency rather than adaptability. That creates risk: even as threats evolve, your service doesn’t.

“A fixed SLA might give you comfort, but it rarely gives you progress. If you want improvement, your provider needs skin in the game.”

The revised approach adopts an agile model that iterates weekly or even daily: every incident and every missed opportunity feeds back into a system designed to evolve.

Our approach embeds continuous improvement directly into SOC operations through delivery mechanisms that work in the background to constantly assess performance, develop new playbooks, and track genuine business outcomes rather than just ticket counts or SLA response times.

“We don’t just review the service annually, we iterate weekly, or even daily. Every incident, every missed opportunity, feeds back into the system.”

Success metrics are co-defined with the customer from day one, not retrofitted later, and monitored in real time. The result is a contract that lives, evolves, and drives measurable security maturity.

2. Budget-Conscious Security Resilience

Security leaders are under pressure to improve security resilience within fixed budgets. The question many of them face is: how do you improve your security posture without increasing costs?

The answer lies in platform convergence. By replacing siloed point solutions with integrated platforms, organisations free up overheads: financial, operational and analytical. Automation then lets them reinvest that capacity into higher-value functions such as threat hunting or AI deployment.

“We’re not just replacing tools; we’re replacing effort. That’s what gives you budget back.”

This shift is why so many customers are streamlining their vendor ecosystems and rethinking their tech stacks through the lens of data integration and automation.

3. Rethinking the SOC Operating Model with AI

AI in the modern SOC isn’t a bolt-on. It’s a strategic rethink of the entire operating model.

“You can’t bolt AI onto an old operating model and expect magic. You must redesign the way your team works, from detections to delivery.”

Our team’s approach: treat the SOC like a DevOps environment. Think of detection rules, response playbooks and AI agents as code. Manage them like infrastructure. Validate, deploy, test and retrain them just like you would with modern software engineering.

“It’s not about replacing analysts; it’s about building a team where humans and AI work side by side, each doing what they’re best at.”

That requires new skills (data engineering, machine learning lifecycle management and automation design) along with a cultural mindset shift in security teams.

4. Practical AI Deployment in Security Operations

An effective AI-powered SOC spans clear workstreams with measurable outcomes:

  • Pure Automation: 90% of Level 1 incidents handled via deterministic playbooks.
  • Deterministic Logic: Rule-based Level 2 incidents escalated intelligently.
  • GenAI-Augmented Playbooks: Support for analysts in complex Level 3 investigations, from query formulation to decision analysis.

“The project doesn’t start with a technology roadmap. It starts with one big question: how do we respond faster, with more accuracy, every time?”

Key technical components include:

  • Training and governance of AI agents
  • A custom data fabric designed for contextual metadata (not a CMDB replica)
  • Orchestrated workflows between humans and machines
  • Integration with XDR tooling and threat intelligence feeds

Feedback loops are central. Every playbook execution, agent action and human intervention should be logged and labelled to help continually retrain and refine agents. Confidence scoring is built in. Agents only act autonomously when certainty is above 90 percent.
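One way to implement the confidence gate and labelled feedback loop described here, as an added example in Python (not Telefónica Tech’s code): an agent’s proposed playbook executes only when its confidence is strictly above 0.90, anything at or below that escalates to an analyst whose verdict becomes the training label, and a summary over the labelled records is what a retraining or threshold review would consume. The alert ids, playbook names and the `Proposal`, `decide` and `labelled_accuracy` names are assumptions made for the example.

```python
"""Confidence-gated agent autonomy with a labelled feedback log.
Added example, not Telefónica Tech's code; alert ids and playbook names
are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Optional

AUTONOMY_THRESHOLD = 0.90  # "act autonomously only when certainty is above 90 percent"

@dataclass
class Proposal:
    alert_id: str      # constructed sample alert id
    playbook: str      # hypothetical playbook name
    confidence: float  # agent's certainty, 0.0 to 1.0

def decide(proposal: Proposal, log: list, analyst_verdict: Optional[bool] = None) -> dict:
    """Route one proposal and append a labelled record to `log`.
    analyst_verdict applies only on escalation: True = analyst confirmed the
    playbook, False = rejected it, None = case still open. Agent-executed
    actions start unlabelled and are labelled by later review."""
    if proposal.confidence > AUTONOMY_THRESHOLD:  # strictly above 90%
        actor, outcome, label = "agent", "executed", None
    elif analyst_verdict is None:
        actor, outcome, label = "human", "escalated", None
    else:
        actor = "human"
        outcome = "approved" if analyst_verdict else "rejected"
        label = "confirmed" if analyst_verdict else "false_positive"
    entry = {**asdict(proposal), "actor": actor, "outcome": outcome, "label": label}
    log.append(entry)
    return entry

def labelled_accuracy(log: list) -> Optional[float]:
    """Share of analyst-labelled proposals that were confirmed (None if none yet).
    This is the signal that feeds retraining and threshold review."""
    labelled = [e for e in log if e["label"] is not None]
    if not labelled:
        return None
    return sum(e["label"] == "confirmed" for e in labelled) / len(labelled)

def run_sample() -> list:
    """Three constructed proposals, one per branch of decide()."""
    log: list = []
    decide(Proposal("ALERT-0001", "isolate_host", 0.97), log)                          # autonomous
    decide(Proposal("ALERT-0002", "disable_account", 0.90), log, analyst_verdict=True)  # 0.90 is not above
    decide(Proposal("ALERT-0003", "block_ip", 0.61), log, analyst_verdict=False)        # rejected
    return log
```

Because the gate uses a strict comparison, a proposal scored exactly at the threshold is escalated rather than executed; the log then carries the analyst’s outcome as its label.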

5. Strategy, Architecture and What’s Next

A modern AI-enhanced SOC must be treated as a living, strategic project that will continuously influence cyber security efforts. Telefónica Tech recommends a phased approach to maintain momentum:

Phase 1: Integrate telemetry and build foundational data infrastructure
Phase 2: Layer in automated response and GenAI capabilities
Phase 3: Launch a Cyber Hub Dashboard for unified visibility and an AI Assistant to support analysts with tailored queries and case navigation.

The above approach is also an answer to the “build vs. buy” question. Off-the-shelf tooling isn’t currently viable due to the fragmented tech landscape. So, our approach is to build custom architectures, not for the sake of complexity, but because custom orchestration is necessary to get real-world results.

Key Takeaways for CISOs

“This isn’t a silver bullet. It’s a framework; one that balances automation with human judgment, budget with ambition, and vision with delivery.”

To build the SOC of the future, CISOs must move beyond traditional contracts and:

  1. Demand continuous improvement in MSS contracts.
  2. Push for transparency into AI models, data sources and playbook performance.
  3. Treat the SOC as a product, not a static service.

With this approach, AI will not only enhance your operations but redefine what your security team can deliver.

Explore NextDefense

Ready to modernise your SOC?
NextDefense by Telefónica Tech blends automation, AI, and managed security into a framework of continuous improvement.
