Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest.
On the flight home, I picked up a book I had not touched in a few years. Daniel Kahneman's Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond its starting point.
The book's central argument is that the human mind is not one thing. It is two systems operating in parallel, often in tension.
System 1 is the brain that runs automatically. It recognizes patterns instantly, reads a room in seconds, and keeps you alive without conscious effort. It is fast, associative, and unconscious. According to Kahneman's research, 95% of all human cognition happens here, running quietly in the background like an operating system you never see.
System 2 is the brain you engage with for hard things. Evaluating a contract, working through a problem with no obvious answer, and making a judgment call under pressure. It is slow, logical, effortful, and it accounts for the remaining 5% of our thinking. It can override System 1 when System 1 is wrong. But it has limited capacity. You cannot run it at full power all day. When it gets exhausted, System 1 takes over regardless.
Kahneman's core insight is not that one system is better. It is that the errors humans make are almost always the result of applying the wrong system to the wrong job. Deliberate thinking applied to things that should be automatic burns people out and still misses things. Automatic thinking applied to things that genuinely need deliberation produces confident mistakes.
I landed, opened my laptop, and wrote one sentence to myself. “This is exactly what is wrong with how most security teams are designing their AI architecture right now.”
The numbers are not a coincidence
Kahneman says humans run System 1 for 95% of their cognition and System 2 for 5%. Research based on analysis of more than 25 million enterprise alerts found that 98% of alerts can be resolved autonomously with less than 2% actually warranting human review.
This is almost identical to Kahneman’s ratio. The SOC that performs well is not some new invention. It is the architecture that mirrors how the best decision-making minds actually operate. Fast, automatic processing for the overwhelming majority of inputs, and deliberate human judgment reserved for the small fraction that genuinely needs it.
The CISO I was sitting with was building a SOC with one brain. His team was asking System 2 to do System 1 work, and then asking System 2 again to do what it is actually good at, on whatever energy was left over. No wonder they were covering only a fraction of their alerts. No wonder the analysts were exhausted. No wonder the real threats hiding in the low-severity pile were never found. According to research on over 25 million alerts, an enterprise with 450K alerts per year can expect 54 real threats to be hidden in exactly those alerts, the ones that look like noise, the ones that never make it to the front of the queue.
The fast SOC brain for the 98% of alerts
The bulk of SOC alert triage is a System 1 problem. Is this file known to be malicious? Does this login match historical behavior? Has this IP ever appeared in a case we already closed? These are not questions that need lengthy deliberation. They need answers, at machine speed, for every alert, around the clock.
When human analysts are forced to do this work, the same thing happens that happens when you make people perform System 2 tasks all day. They slow down, they simplify, and eventually they start skipping. They triage only what looks urgent. The 54 threats hiding in the low-severity pile stay hidden, not because anyone chose to ignore them, but because there are 4,000 alerts behind them and the team's cognitive capacity ran out.
The autonomous brain of the SOC needs to work the way System 1 works. Continuously, without prompting, below the threshold of human attention. It applies deep, forensic-grade investigation to 100% of signals. Memory scans, file analysis, cross-signal correlation across endpoint, identity, network, and cloud. It closes the cases that are clearly noise and surfaces the cases that genuinely need a human, with all the evidence already assembled. It does not ask for permission. It produces verdicts.
This is what an AI SOC does. It investigates everything, reaches verdicts at 98% accuracy in under two minutes, and hands the human team the 2% that actually warrants their attention.
The slow SOC brain for 2% of alerts
System 2 is where Claude, Codex, and Cursor belong in a SOC. Not because they are slow, but because the work they are best suited for is genuinely deliberate. Complex case analysis. Detection rule engineering. Incident reporting. Threat hunting based on an industry briefing. Work that requires synthesis, judgment, and the ability to combine forensic findings with the business context that only the analyst has.
This is where the AI co-pilot framing makes sense, but only when the co-pilot is not also being asked to manage the runway. When a Claude agent picks up an escalated case, it should not start from a raw alert. It should start from a fully assembled investigation with all the forensic analysis completed, the related signals correlated, and the recommended response drafted. The analyst applies judgment to a curated, evidence-backed case. They are not validating whether the alert was worth looking at. They are doing the work that actually needs a human mind.
When System 2 gets that kind of input, something changes. What used to be an afternoon of pivoting between consoles becomes a short, focused exchange. The analyst stops grinding the queue and starts doing the work they were actually hired to do. And here is the part that I think the market has not fully appreciated yet. Every judgment the slow brain makes, feeds back into the fast brain. Every tuning rule written in Claude, every case closed with a new context, makes the autonomous layer more accurate the following month. The two systems are compound. They make each other better over time.
The two failure modes playing out right now
Kahneman spent a career documenting what happens when humans use the wrong cognitive system for a problem. The security industry is running both failure modes simultaneously, at scale.
The first is the classic one. Keeping human analysts in the System 1 role. Manual triage of hundreds of alerts a day, burning cognitive capacity on work that should be automated. The team's System 2 is exhausted before it ever gets to the cases that actually need it. Coverage suffers. Threats are missed. The team adds headcount and the problem scales linearly rather than being solved.
The second failure mode is the one the current AI wave is producing. Deploying a frontier AI platform directly against raw detection data and calling it an AI SOC. This is also System 2 doing System 1 work, just faster and more expensively. The agent still needs a human to initiate each investigation. At real alert volumes, the economics do not hold. Running a frontier model against every alert at current token costs is not viable in production. Teams quietly start skipping the low-priority ones. The 54 missed threats remain missed. The problem is not solved. It is rebranded.
The SOC architecture that actually mirrors the brain
The SOC that succeeds in 2026 runs both systems correctly.
The fast brain covers everything automatically. It is purpose-built for forensic investigation at scale, not a general-purpose language model. It does not wait for prompts. It does not skip low-severity alerts because the queue is long. It produces verdicts across 100% of signals and feeds the slow brain with fully assembled cases.
The slow brain runs on top of that foundation. Claude, Cursor, Codex, etc. receive escalated cases with all the context attached. Analysts supervise rather than triage. And because both brains share the same knowledge base, every decision made in the AI workspace makes the autonomous layer smarter.
There is also a strategic implication here that I think the market has not fully processed. Enterprises that outsource alert investigation to an MDR provider do not own the knowledge layer that builds up from that investigation. The detection rules, case history, triage logic, and organizational context all accumulate inside the vendor's platform. When you want to connect Claude or Codex to your security operations, you are trying to run System 2 on a foundation you do not own. The slow brain has nothing to work from.
Bringing investigation in-house is not just a cost or coverage decision. It is the prerequisite for making an analyst copilot actually useful. Every alert investigated, every case resolved, every rule tuned accumulates inside your own instance. The faster System 1 builds that foundation, the more powerful System 2 becomes.
Kahneman's insight was that the best decision-makers are not those who think faster or think harder. They are those who know which mode the moment calls for, and have designed their lives so that each system is applied to the right problems.
Security teams that get this right in 2026 will not be the ones with the most analysts or the most powerful language model. They will be the ones who designed a SOC where the fast brain handles everything it should, and the slow brain is freed to do what it is meant to.
AI executes. Humans supervise. And when the architecture is right, supervising is the best part of the job.
Found this article interesting? Learn more here.
Note: This article has been expertly written and contributed by Lital Asher-Dotan, CMO at Intezer.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Wow
0
Sad
0
Angry
0

Comments (0)