The Hacker News21%
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots24%
By The Hacker News35%
7/13/2026, 1:28:05 PM
BS Summary: This article contains 0 faulty reasoning types, including no named faulty reasoning patterns yet, with no single egregious example has been isolated yet. Analysis detected 0 faulty-reasoning hits from 2,149 analyzed words, generating a BS Score of 36.6% and a BS Rank of 24% (11,945 of 15,531 articles). This article is better (less manipulative) than 76.90% of the article peer group.
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots
The Hacker News Jul 13, 2026 Artificial Intelligence / Security Operations
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest.
On the flight home, I picked up a book I had not touched in a few years. Daniel Kahneman's Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond its starting point.
The book's central argument is that the human mind is not one thing. It is two systems operating in parallel, often in tension.
System 1 is the brain that runs automatically. It recognizes patterns instantly, reads a room in seconds, and keeps you alive without conscious effort. It is fast, associative, and unconscious. According to Kahneman's research, 95% of all human cognition happens here, running quietly in the background like an operating system you never see.
System 2 is the brain you engage with for hard things. Evaluating a contract, working through a problem with no obvious answer, and making a judgment call under pressure. It is slow, logical, effortful, and it accounts for the remaining 5% of our thinking. It can override System 1 when System 1 is wrong. But it has limited capacity. You cannot run it at full power all day. When it gets exhausted, System 1 takes over regardless.
Kahneman's core insight is not that one system is better. It is that the errors humans make are almost always the result of applying the wrong system to the wrong job. Deliberate thinking applied to things that should be automatic burns people out and still misses things. Automatic thinking applied to things that genuinely need deliberation produces confident mistakes.
I landed, opened my laptop, and wrote one sentence to myself. “This is exactly what is wrong with how most security teams are designing their AI architecture right now.”
The numbers are not a coincidence
Kahneman says humans run System 1 for 95% of their cognition and System 2 for 5%. Research based on analysis of more than 25 million enterprise alerts found that 98% of alerts can be resolved autonomously with less than 2% actually warranting human review.
This is almost identical to Kahneman’s ratio. The SOC that performs well is not some new invention. It is the architecture that mirrors how the best decision-making minds actually operate. Fast, automatic processing for the overwhelming majority of inputs, and deliberate human judgment reserved for the small fraction that genuinely needs it.
The CISO I was sitting with was building a SOC with one brain. His team was asking System 2 to do System 1 work, and then asking System 2 again to do what it is actually good at, on whatever energy was left over. No wonder they were covering only a fraction of their alerts. No wonder the analysts were exhausted. No wonder the real threats hiding in the low-severity pile were never found. According to research on over 25 million alerts , an enterprise with 450K alerts per year can expect 54 real threats to be hidden in exactly those alerts, the ones that look like noise, the ones that never make it to the front of the queue.
The fast SOC brain for the 98% of alerts
The bulk of SOC alert triage is a System 1 problem. Is this file known to be malicious? Does this login match historical behavior? Has this IP ever appeared in a case we already closed? These are not questions that need lengthy deliberation. They need answers, at machine speed, for every alert, around the clock.
When human analysts are forced to do this work, the same thing happens that happens when you make people perform System 2 tasks all day. They slow down, they simplify, and eventually they start skipping. They triage only what looks urgent. The 54 threats hiding in the low-severity pile stay hidden, not because anyone chose to ignore them, but because there are 4,000 alerts behind them and the team's cognitive capacity ran out.
The autonomous brain of the SOC needs to work the way System 1 works. Continuously, without prompting, below the threshold of human attention. It applies deep, forensic-grade investigation to 100% of signals. Memory scans, file analysis, cross-signal correlation across endpoint, identity, network, and cloud. It closes the cases that are clearly noise and surfaces the cases that genuinely need a human, with all the evidence already assembled. It does not ask for permission. It produces verdicts.
This is what an AI SOC does. It investigates everything, reaches verdicts at 98% accuracy in under two minutes, and hands the human team the 2% that actually warrants their attention.
The slow SOC brain for 2% of alerts
System 2 is where Claude, Codex, and Cursor belong in a SOC. Not because they are slow, but because the work they are best suited for is genuinely deliberate. Complex case analysis. Detection rule engineering. Incident reporting. Threat hunting based on an industry briefing. Work that requires synthesis, judgment, and the ability to combine forensic findings with the business context that only the analyst has.
This is where the AI co-pilot framing makes sense, but only when the co-pilot is not also being asked to manage the runway. When a Claude agent picks up an escalated case, it should not start from a raw alert. It should start from a fully assembled investigation with all the forensic analysis completed, the related signals correlated, and the recommended response drafted. The analyst applies judgment to a curated, evidence-backed case. They are not validating whether the alert was worth looking at. They are doing the work that actually needs a human mind.
When System 2 gets that kind of input, something changes. What used to be an afternoon of pivoting between consoles becomes a short, focused exchange. The analyst stops grinding the queue and starts doing the work they were actually hired to do. And here is the part that I think the market has not fully appreciated yet. Every judgment the slow brain makes, feeds back into the fast brain. Every tuning rule written in Claude, every case closed with a new context, makes the autonomous layer more accurate the following month. The two systems are compound. They make each other better over time.
The two failure modes playing out right now
Kahneman spent a career documenting what happens when humans use the wrong cognitive system for a problem. The security industry is running both failure modes simultaneously, at scale.
The first is the classic one. Keeping human analysts in the System 1 role. Manual triage of hundreds of alerts a day, burning cognitive capacity on work that should be automated. The team's System 2 is exhausted before it ever gets to the cases that actually need it. Coverage suffers. Threats are missed. The team adds headcount and the problem scales linearly rather than being solved.
The second failure mode is the one the current AI wave is producing. Deploying a frontier AI platform directly against raw detection data and calling it an AI SOC. This is also System 2 doing System 1 work, just faster and more expensively. The agent still needs a human to initiate each investigation. At real alert volumes, the economics do not hold. Running a frontier model against every alert at current token costs is not viable in production. Teams quietly start skipping the low-priority ones. The 54 missed threats remain missed. The problem is not solved. It is rebranded.
The SOC architecture that actually mirrors the brain
The SOC that succeeds in 2026 runs both systems correctly.
The fast brain covers everything automatically. It is purpose-built for forensic investigation at scale, not a general-purpose language model. It does not wait for prompts. It does not skip low-severity alerts because the queue is long. It produces verdicts across 100% of signals and feeds the slow brain with fully assembled cases.
The slow brain runs on top of that foundation. Claude, Cursor, Codex, etc. receive escalated cases with all the context attached. Analysts supervise rather than triage. And because both brains share the same knowledge base, every decision made in the AI workspace makes the autonomous layer smarter.
There is also a strategic implication here that I think the market has not fully processed. Enterprises that outsource alert investigation to an MDR provider do not own the knowledge layer that builds up from that investigation. The detection rules, case history, triage logic, and organizational context all accumulate inside the vendor's platform. When you want to connect Claude or Codex to your security operations, you are trying to run System 2 on a foundation you do not own. The slow brain has nothing to work from.
Bringing investigation in-house is not just a cost or coverage decision. It is the prerequisite for making an analyst copilot actually useful. Every alert investigated, every case resolved, every rule tuned accumulates inside your own instance. The faster System 1 builds that foundation, the more powerful System 2 becomes.
Kahneman's insight was that the best decision-makers are not those who think faster or think harder. They are those who know which mode the moment calls for, and have designed their lives so that each system is applied to the right problems.
Security teams that get this right in 2026 will not be the ones with the most analysts or the most powerful language model. They will be the ones who designed a SOC where the fast brain handles everything it should, and the slow brain is freed to do what it is meant to.
AI executes. Humans supervise. And when the architecture is right, supervising is the best part of the job.
Found this article interesting? Learn more here.
Note: This article has been expertly written and contributed by Lital Asher-Dotan, CMO at Intezer.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
artificial intelligence , cybersecurity , enterprise security , Incident response , Managed Detection and Response , Security Automation , Security Operations , Threat Detection , Threat Hunting
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It
Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images
ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
European Parliament Member Investigating Spyware Was Hacked With Pegasus
⭐ Featured Resources
What 200+ Security Teams Reveal About Using IP Intelligence in 2026
Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges
See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets
Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Analysis
Hover over highlighted words in the article to view the associated bias or fallacy analysis.