The SOC of the future: transforming the Cybersecurity operating model in the age of AI
During the session “The future of SOCs: cyber defense in the age of AI”, at Telefónica Tech we addressed a question that is now top of mind for many security leaders: how should a SOC evolve in an environment where AI is redefining the way Cybersecurity teams operate?
The answer was not technological in the traditional sense. We did not present a closed tool or a specific feature. What Alejandro Ramos, Cybersecurity Director at Telefónica Tech, outlined was something more structural: the SOC of the future is not a product ready to be activated, but a transformation of the operating model.
The SOC of the future is not a product, it is a continuous evolution of the Cybersecurity operating model.
An environment that demands evolution
The conversation started from a reality that any CISO knows first hand: incidents are increasing in number and sophistication, their economic impact is becoming more visible and recovery times remain decisive for business continuity. Added to this is the pressure on security teams, which operate in increasingly complex, distributed and interconnected environments.
In this context, AI is a factor that alters the very dynamics of the SOC. However, reducing the debate to “adding AI to the SOC” would be an oversimplification. The challenge is to integrate this capability into an environment where IT and OT already coexist, along with multiple platforms, hybrid architectures and different levels of technological maturity.
AI does not simplify SOC complexity, it forces it to be managed differently.
During the session, we emphasized that the convergence between IT and OT, although conceptually assumed for years, remains a real operational challenge. The arrival of AI does not eliminate this complexity: it intensifies it. That is why the focus cannot rest solely on technology, but on the redesign of the operating model.
AI as an exoskeleton, not a replacement
One of the clearest messages was that the SOC of the future is not built to replace people. Alejandro described AI applied to Cybersecurity operations as an “exoskeleton” for analysts and security teams.
The metaphor refers to the idea that human effort does not disappear but is instead enhanced and amplified. Repetitive, manual or mechanical tasks can be automated more intelligently, freeing up time for contextual analysis and decision making.
AI does not replace the analyst: it amplifies their decision making capacity.
This nuance is essential. It is not about reducing headcount or promising impossible efficiencies. It is about improving quality, consistency and response speed without losing human judgment. The goal is to operate better with the same talent, supported by new technological capabilities integrated into the operating model.
From procedure manuals to contextual response
Traditionally, automation in SOCs has been based on scripts and manually defined procedure manuals (playbooks). Each use case required constant design, maintenance and updates. AI introduces a significant shift: the ability to generate responses tailored to the specific context of each alert, reducing dependence on rigid predefined rules.
Alejandro summarized this shift as the move toward a “security driven by AI” model. In this model, automation no longer depends exclusively on static rules. It also relies on the system’s ability to interpret data, correlate it and propose actions based on risk and the specific situation.
This does not mean eliminating human control. On the contrary, the human-in-the-loop principle remains key. Decisions that may affect critical infrastructures or sensitive environments must be validated by people. Autonomy has defined limits, especially in scenarios where an incorrect action can have significant consequences for operations, the business and even people.
With the SOC of the future, we move from automating rules to automating contextualized decisions without giving up human judgment.
Data, risk and context return to the center
Another key axis of the discussion was data management, but not from a purely technical perspective. AI requires structured, classified and contextualized information to be effective, but above all, it must be aligned with real business risk and operational impact.
During the session, we stressed that the SOC of the future cannot be organized around tools or technological silos. It must be threat-centric, risk-oriented and capable of prioritizing based on operational and strategic impact. Without this approach, automation risks amplifying noise instead of delivering clarity and effective prioritization.
Without context, automation generates noise; with context, it generates sound judgment.
This implies revisiting how different sources of information are integrated, how alerts are enriched and how processes, policies and escalation levels are aligned with analytical models. Beyond the technological dimension, it is a matter of governance, operational architecture and decision making models.
■ The SOC of the future is structured around risk and context, not around the tool that generates the alert. This shift in focus is structural.
A tool-oriented SOC reacts; a risk-oriented SOC prioritizes with sound judgment.
New metrics for real, not cosmetic, change
As Alejandro explained, when the way of operating changes, the indicators must also change. Traditional frameworks, such as NIST, remain valid for structuring strategy. The “what” remains constant: identify, protect, detect, respond and recover.
However, the “how” introduces new nuances that require SLAs, KPIs and operational metrics to be reconsidered. It is no longer enough to measure traditional response times. New questions arise: how long does it take to deploy a new AI-based use case? How do we evaluate the quality of context-generated automation? How do we measure the consistency of an agent-assisted model in real operational scenarios?
At this point, a legitimate question emerges: are we facing a real transformation or just a simple “fresh coat of paint” on the traditional SOC?
The difference lies precisely in the indicators. If processes change, if automation is dynamic, if context is integrated into decision making and if teams operate with new capabilities, metrics must reflect this. Otherwise, the model remains the same, even if the technology is more sophisticated and the narrative appears more innovative.
If SLAs do not evolve, it is because the model has not evolved either.
The SOC of the future is built step by step together with the client
As we said at the beginning, the SOC of the future is not a standard solution ready to be deployed. There is no single model that is valid for every company. Each client operates with different technologies, processes and levels of maturity. That is why this transformation must be built jointly.
At Telefónica Tech, we are driving this evolution within our own SOCs, integrating AI into daily operations, while at the same time supporting our clients in their transformation journey. It is therefore about adapting principles, capabilities and architectures to each specific environment, respecting its operational reality and business priorities.
The approach is modular and progressive. Processes are reviewed, dynamics are adjusted, data is integrated and security governance is strengthened. It is a shared journey that combines accumulated experience with operational specificity, guided by a vision focused on sustainable results over time.
The SOC of the future is the necessary roadmap for Cybersecurity to remain effective in the age of AI.