Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots
Article proposes combining autonomous AI with human analysts for SOC alert triage.
Summary
The article argues that current AI designs for Security Operations Centers (SOCs) often fail by not mirroring human cognitive processes. Drawing parallels with Daniel Kahneman's 'Thinking, Fast and Slow,' it suggests that autonomous AI should handle the 98% of alerts that don't require deep human judgment, reserving human analysts for the critical 2% that truly need complex analysis. This approach aims to prevent analyst burnout and improve the detection of genuine threats.
Full text
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots The Hacker NewsJul 13, 2026Artificial Intelligence / Security Operations A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest. On the flight home, I picked up a book I had not touched in a few years. Daniel Kahneman's Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond its starting point. The book's central argument is that the human mind is not one thing. It is two systems operating in parallel, often in tension. System 1 is the brain that runs automatically. It recognizes patterns instantly, reads a room in seconds, and keeps you alive without conscious effort. It is fast, associative, and unconscious. According to Kahneman's research, 95% of all human cognition happens here, running quietly in the background like an operating system you never see. System 2 is the brain you engage with for hard things. Evaluating a contract, working through a problem with no obvious answer, and making a judgment call under pressure. It is slow, logical, effortful, and it accounts for the remaining 5% of our thinking. It can override System 1 when System 1 is wrong. But it has limited capacity. You cannot run it at full power all day. When it gets exhausted, System 1 takes over regardless. Kahneman's core insight is not that one system is better. It is that the errors humans make are almost always the result of applying the wrong system to the wrong job. Deliberate thinking applied to things that should be automatic burns people out and still misses things. Automatic thinking applied to things that genuinely need deliberation produces confident mistakes. I landed, opened my laptop, and wrote one sentence to myself. “This is exactly what is wrong with how most security teams are designing their AI architecture right now.” The numbers are not a coincidence Kahneman says humans run System 1 for 95% of their cognition and System 2 for 5%. Research based on analysis of more than 25 million enterprise alerts found that 98% of alerts can be resolved autonomously with less than 2% actually warranting human review. This is almost identical to Kahneman’s ratio. The SOC that performs well is not some new invention. It is the architecture that mirrors how the best decision-making minds actually operate. Fast, automatic processing for the overwhelming majority of inputs, and deliberate human judgment reserved for the small fraction that genuinely needs it. The CISO I was sitting with was building a SOC with one brain. His team was asking System 2 to do System 1 work, and then asking System 2 again to do what it is actually good at, on whatever energy was left over. No wonder they were covering only a fraction of their alerts. No wonder the analysts were exhausted. No wonder the real threats hiding in the low-severity pile were never found. According to research on over 25 million alerts, an enterprise with 450K alerts per year can expect 54 real threats to be hidden in exactly those alerts, the ones that look like noise, the ones that never make it to the front of the queue. The fast SOC brain for the 98% of alerts The bulk of SOC alert triage is a System 1 problem. Is this file known to be malicious? Does this login match historical behavior? Has this IP ever appeared in a case we already closed? These are not questions that need lengthy deliberation. They need answers, at machine speed, for every alert, around the clock. When human analysts are forced to do this work, the same thing happens that happens when you make people perform System 2 tasks all day. They slow down, they simplify, and eventually they start skipping. They triage only what looks urgent. The 54 threats hiding in the low-severity pile stay hidden, not because anyone chose to ignore them, but because there are 4,000 alerts behind them and the team's cognitive capacity ran out. The autonomous brain of the SOC needs to work the way System 1 works. Continuously, without prompting, below the threshold of human attention. It applies deep, forensic-grade investigation to 100% of signals. Memory scans, file analysis, cross-signal correlation across endpoint, identity, network, and cloud. It closes the cases that are clearly noise and surfaces the cases that genuinely need a human, with all the evidence already assembled. It does not ask for permission. It produces verdicts. This is what an AI SOC does. It investigates everything, reaches verdicts at 98% accuracy in under two minutes, and hands the human team the 2% that actually warrants their attention. The slow SOC brain for 2% of alerts System 2 is where Claude, Codex, and Cursor belong in a SOC. Not because they are slow, but because the work they are best suited for is genuinely deliberate. Complex case analysis. Detection rule engineering. Incident reporting. Threat hunting based on an industry briefing. Work that requires synthesis, judgment, and the ability to combine forensic findings with the business context that only the analyst has. This is where the AI co-pilot framing makes sense, but only when the co-pilot is not also being asked to manage the runway. When a Claude agent picks up an escalated case, it should not start from a raw alert. It should start from a fully assembled investigation with all the forensic analysis completed, the related signals correlated, and the recommended response drafted. The analyst applies judgment to a curated, evidence-backed case. They are not validating whether the alert was worth looking at. They are doing the work that actually needs a human mind. When System 2 gets that kind of input, something changes. What used to be an afternoon of pivoting between consoles becomes a short, focused exchange. The analyst stops grinding the queue and starts doing the work they were actually hired to do. And here is the part that I think the market has not fully appreciated yet. Every judgment the slow brain makes, feeds back into the fast brain. Every tuning rule written in Claude, every case closed with a new context, makes the autonomous layer more accurate the following month. The two systems are compound. They make each other better over time. The two failure modes playing out right now Kahneman spent a career documenting what happens when humans use the wrong cognitive system for a problem. The security industry is running both failure modes simultaneously, at scale. The first is the classic one. Keeping human analysts in the System 1 role. Manual triage of hundreds of alerts a day, burning cognitive capacity on work that should be automated. The team's System 2 is exhausted before it ever gets to the cases that actually need it. Coverage suffers. Threats are missed. The team adds headcount and the problem scales linearly rather than being solved. The second failure mode is the one the current AI wave is producing. Deploying a frontier AI platform directly against raw detection data and calling it an AI SOC. This is also System 2 doing System 1 work, just faster and more expensively. The agent still needs a human to initiate each investigation. At real alert volumes, the economics do not hold. Running a frontier model against every alert at current to