As AI models grow more capable by an order of magnitude each year, a new category of SOC automation vendors is replacing manual alert triage with autonomous, around-the-clock detection and response -- and the numbers suggest adoption is already well underway. In this conversation, Richard Stiennon, Chief Research Analyst at IT-Harvest, shares what his research reveals about the pace of change and what security leaders need to consider before the window for competitive advantage closes.
⬥EPISODE NOTES⬥
The security operations center has always been a battleground of volume, velocity, and human endurance. Analysts have long faced the impossible math of too many alerts, too few hours, and too much at stake. For years, the industry promised automation would change that equation -- but the technology was never quite ready to deliver. That moment, according to Richard Stiennon, has now arrived.
Stiennon, Chief Research Analyst at IT-Harvest, has spent two decades tracking every corner of the cybersecurity vendor landscape. His data now shows more than 61 net-new SOC automation vendors -- companies that did not exist a few years ago -- built from the ground up to replace the work of tier-one, tier-two, and tier-three analysts. Some of these vendors launched in January 2024 and reached $1 million in ARR by April. By the end of 2025, several were reporting $3 million ARR. These are not incremental improvements. They represent a structural shift in how security operations can be run.
What makes this generation of SOC automation different from earlier SIEM and SOAR tooling is scope and autonomy. The value proposition is blunt: 100% alert triage, 24 hours a day, 7 days a week -- with automated case building, threat investigation, and response actions including machine isolation and reimaging. Stiennon points to a CISO he met, speaking under Chatham House rules, who disclosed that a large enterprise had already eliminated its entire human SOC team. He predicts that disclosure will go public before long.
The conversation also explores the business context question that security leaders frequently wrestle with: are these AI-driven SOC tools operating with a narrow cyber mandate, potentially optimizing for security metrics at the expense of business continuity? Stiennon pushes back on that concern, arguing that large language models are already trained on the full breadth of human knowledge -- they understand business context at a level that exceeds most organizations' internal documentation. The more pressing risk, he suggests, is not that AI will act outside business intent, but that organizations will move too slowly to benefit. Waiting six months for a proof-of-concept report while spending a million dollars on human SOC operations is not due diligence -- it is opportunity cost.
The conversation also touches on data privacy in AI-driven security, the role of federated learning and fully homomorphic encryption for compliance-sensitive environments, and what security leaders can do today to evaluate and accelerate their own adoption timeline. Stiennon will be at RSA Conference 2026 with his new book, Guardians of the Machine Age: Why AI Security Will Define Digital Defense, continuing to make the case for a field that is moving faster than most organizations are prepared to acknowledge.
⬥GUEST⬥
Richard Stiennon, Chief Research Analyst at IT-Harvest | Website: https://it-harvest.com/
On LinkedIn: https://www.linkedin.com/in/stiennon/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/
⬥RESOURCES⬥
IT-Harvest | https://it-harvest.com/
Richard Stiennon on LinkedIn | https://www.linkedin.com/in/stiennon/
Guardians of the Machine Age: Why AI Security Will Define Digital Defense (Richard Stiennon) | Available via IT-Harvest and major booksellers
RSAC Conference 2026 Coverage on ITSPmagazine | https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
⬥ADDITIONAL INFORMATION⬥
On Podcast: https://www.seanmartin.com/redefining-cybersecurity-podcast
On YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
Newsletter: https://itspm.ag/future-of-cybersecurity
Contact Sean: https://www.seanmartin.com/
⬥KEYWORDS⬥
richard stiennon, it-harvest, sean martin, soc automation, ai security, security operations center, threat detection, autonomous response, alert triage, security operations, cybersecurity vendors, ai agents, large language models, federated learning, siem, soar, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
SOC Automation and the AI-Driven Future of Cybersecurity Defense | A Redefining CyberSecurity Podcast Conversation with Richard Stiennon, Chief Research Analyst of IT-Harvest
[00:00:36]
Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity. I'm Sean Martin, your host, where I get to have some great conversations with some really cool people about the topics that I think matter for security programs that are hopefully aiming to help the business operate safely and securely and protect the revenue and growth that it generates.
Sean Martin: I like to pretend I'm an analyst. I often dream of having an analyst job. I've never had one, but I like to have friends that are, and Richard Stiennon -- so good to see you there, friend.
[00:01:13]
Richard Stiennon: Hey Sean, good to see you too. And I'm not sure I'd recommend being an analyst, but yeah.
[00:01:19]
Sean Martin: People who have different jobs say, I don't know that you really want that job.
[00:01:23]
Richard Stiennon: Yeah.
[00:01:23]
Sean Martin: There's some that I know, and I've said it on the show before -- I admire the people in the role, and I don't think I could muster up the energy and the shoulders to hold a CISO role. I'll say that I like to talk to CISOs. I admire the work they do. It's a lot of hard work.
[00:01:41]
Richard Stiennon: I'm with you there.
[00:01:42]
Sean Martin: Yep. And we're gonna touch on some of why that is today, I think. So before we get into all the cool work you've done over the years and are working on now and all the things you track and analyze -- and how all that comes together in support of what we talk about here on the show -- maybe a few words about some of the things you have done in the past, your journey to IT-Harvest and what you're working on now. Richard, you have a couple of books and something new coming out too, so give us an overview of what's happening.
[00:02:10]
Richard Stiennon: If we went all the way back -- I was a pen tester at PricewaterhouseCoopers, got sucked into Gartner in 2000, became a VP of research for network security, left and eventually started my own firm IT-Harvest -- because it truly is a good life to be an industry analyst. The trouble is, just like anybody who hangs up their shingle, you've gotta do all the sales yourself. At Gartner they just funneled customers at you all the time.
[00:02:45]
Sean Martin: To eat, you have to.
[00:02:47]
Richard Stiennon: Yeah, you have fun if you're on your own. But you still get to do what I love to do, which is write, speak, do podcasts and public speaking, and interact with really smart people, which of course our industry is totally made up of. I've been publishing a book called the Security Yearbook for several years, and four years ago we turned all the data that went into it to create the directory into an application. So now I've got a SaaS app for tracking the cybersecurity industry, and we've got a bunch of customers that subscribe to that who are interested in having data. But I can't shake the bug about writing. I produced the Security Yearbook six years consecutively. And then my publisher, Wiley, told me they'd printed too many of the 2025 editions. So they didn't want to publish in 2026, because that would stop the sales of 2025 immediately. As disappointing as that was, I still have a lot to say and AI is taking over our industry rapidly. AI security vendors are more than 10% of all vendor startups since 2022. So that's pretty remarkable.
[00:04:00]
Richard Stiennon: In tracking that closely, last April there was some scenario study out of California talking about the intelligence explosion. These folks took a scenario to its logical extension with the main theme being that by 2026, AI research and model training would be done by AI. Once that happens, iterations and cycles will accelerate dramatically and we'll have superintelligence by 2027. I said it's my duty as an industry analyst covering cybersecurity to translate that scenario into our world. And I started realizing that this is going to be extremely disruptive.
[00:05:20]
Richard Stiennon: In particular I was hearing from SOC automation startups. They're basically using agents to do the job of a tier-one SOC analyst and beyond. I predicted that by the end of last year there would be real revenue for these companies. As soon as I published that on my Substack, I started getting messages from people saying I was off base. But as I talked to them, the off-base part wasn't that I was early -- I was way late. These vendors had launched their SOC automation tools in January and by April they were up to a million in ARR. For something that hadn't existed before. And by the end of 2025 they were telling me they were at 3 million ARR. In less than 12 months. There are 61 SOC automation solutions out there.
[00:06:24]
Sean Martin: For clarity -- these are new vendors specifically focused on SOC automation, not SIEM and SOAR vendors adding new capabilities?
[00:06:33]
Richard Stiennon: Right. The established players are all doing it too -- I give them a nod in an appendix. Here are 150 companies that have introduced AI tools. But these are net-new vendors. Well over half of them are funded. Some don't even need funding because they just get customers. The value proposition is: we are going to 24/7 look at every single alert that your SIEM captures and decide if it's something you should do something about. In other words, 100% triage. You're not going to end the day, go home, and ignore half the alerts because nothing happened. So you're doing 100% triage, case building and investigation, the threat hunting that happens after -- what the tier-two analyst might do. And ultimately tier three as well. For 99% of what happens, you're going to sequester and isolate a machine, re-image it, do all the things you would do normally -- except it all happens automatically. That's where we're moving.
[00:07:56]
Sean Martin: I want to ask you this quickly because you've been in this space for a while. Some people know I was in early-day SIEM, pre-source stuff, building SIEM platforms and products. And the goal was always to automate -- to reduce the noise, reduce the data, take action on behalf of the team where possible. Not a very favorable idea back then.
[00:08:26]
Richard Stiennon: Yeah, yeah.
[00:08:27]
Sean Martin: People didn't want machines doing the work. Have we reached a point where we accept the magic?
[00:08:33]
Richard Stiennon: Not everybody has, obviously. And it's still -- as you can see, I posted all this to LinkedIn last week and half the reactions were, yeah but you've got to have all these controls and human in the loop and all these very conservative security things. Security people are conservative. But there are some things you've got to understand. AI models since they've been introduced have grown in intelligence by a factor of 10 every year. So every year they're 10 times more intelligent, more powerful. They test better. If you're still thinking in terms of hallucination destroying us -- we're past hallucinations with these models. They've got their own thinking processes that go back and check and verify things.
[00:09:30]
Richard Stiennon: If you feel it's not as smart as you -- a 10x every year means a doubling in intelligence every two and a half months. The last time your intelligence doubled was between the time you were two months old and four months old. So yeah, just wait. If something is moving that fast, we as humans don't normally think in terms of exponential growth and we can't plan for it. We can't imagine something that goes 2, 4, 8, 16, 32 in a short time. So you just have to adjust your thinking to be ready. Because no matter what, 12 months from now, all the things that you think of as fantasy will be reality and everybody will be doing it. It's an opportunity to see it, think about it, absorb it, and do your own internal scenario planning.
[00:10:45]
Richard Stiennon: If I'm right, you are going to invest in SOC automation and you will not have humans doing the SOC job anymore. So you've got to think about what you're going to do with the great humans you employ. There's plenty of work for them -- we're understaffed. But it's a dramatic change. All this was sparked by me meeting a CSO who said they had eliminated their entire SOC team for a very large company. I'm not allowed to say who it was -- Chatham House rules. But I wouldn't be surprised if he starts saying that publicly soon. It'll shake up the world when people realize it.
[00:11:45]
Richard Stiennon: This changes the security equation. Detect and respond is required because our proactive defenses, the way we architect things, are not perfect. So you've got to be monitoring, looking for weird things going on, and reacting. And the trouble is that's a losing game -- the attackers can just throw more at you until they get through. But we're turning the tables. We can detect everything and respond to everything at scale. Come at it, hackers. You invest in a $200 license to ChatGPT to come up with a better methodology. I think that, at least for now, puts us ahead of the game a little bit for a while.
[00:12:46]
Sean Martin: Security leaders I've been chatting with, alongside the vendors we connect with -- a lot of conversations the last few weeks have been around: we say we want to connect this stuff to the business, but we really don't have that context or that knowledge as a security infrastructure organization. And I'm wondering -- it's kind of the garbage-in, garbage-out question. If we as security leaders are taking what we know and feeding the LLMs and building that intelligence and letting it build itself, are we doing it in a way that really understands the business? Marco, my co-founder, posted something about AI coming to the conclusion that a nuclear strike is the best option because it was given the directive to achieve a goal -- and the fastest, most successful way to achieve that goal was nuclear response. I take that scenario to cybersecurity. If the directive is purely cyber-focused, are we feeding a model that continues to miss the real business goal?
[00:14:14]
Richard Stiennon: The equivalent of what you're saying is -- if AI worked that way, it would just shut off access to the internet. Shut everything down. No more hacks.
[00:14:26]
Sean Martin: Yeah. Which detection or protection tools used to do that, right.
[00:14:30]
Richard Stiennon: Exactly. But that's not how these models work. First, the models are not trained on security topics alone. The models are trained on human knowledge and thinking. So the models already understand your business better than you do -- better than your CEO, better than your CFO. They already know everything about every business that's ever been written about in human history. So if you wanted business context, you could have it. It comes with every large language model. And it turns out we magically created something that can handle very small, specific tasks it's never seen before. Nobody has ever seen this particular log in a SIEM before. But the model has the capability to figure out what caused that log, it has access to the tools that will show it what caused that log, and can debug faster than a human can. For very small, repetitive tasks -- even though they're all unique -- large language models are perfect.
[00:16:58]
Sean Martin: Yeah, tons of use cases for very specific things. You said the models are driven by a lifetime of business understanding, which to me says these SOC automation, security-aware, business-driven models are public -- so are we. Which raises the question: are we relying on public models and putting our private data out into public models to help us achieve the goal? To me that's like handing over my penetration test report and saying, tell me what to do.
[00:17:57]
Richard Stiennon: There is a trust element to that. If you follow how models are trained -- it's a big process, big corpuses of data. They are not training in real time against your data. Anything you ask about, that information is not being used for training -- but that's their claim. What if they're actually capturing it? Most of these vendors are very cognizant of that and making sure the models stay either on-premises or in their own clouds. There's Llama or one of the open-source models. Or there's federated learning -- models where the data is encrypted using fully homomorphic encryption. I completely lose it at this point in the encryption world. How in the world can you operate on encrypted data? But they do. They've overcome the slowness that is the complaint about FHE. So for privacy-minded organizations and a lot of compliance requirements, you can actually encrypt your data and work on it with a model. But I think it's easier to just have the model locally. You don't need super-smart models to do log analysis and threat hunting. And for a large data set, you wouldn't want the full ChatGPT anyway -- it would be horrendously expensive. Tokens are very, very expensive, even though they're a thousandth of the cost they were three years ago.
[00:19:58]
Sean Martin: Presenting your research and findings -- I presume a lot of your clients are organizations trying to navigate this new world of building out a program, staffing a team, balancing that against budget and business goals. I can look at vendors and see what they're doing. But how do security leaders take what you do and the information you have and operationalize it in a way that they can be successful in planning and implementing a program?
[00:20:46]
Richard Stiennon: Luckily, I'm not the only one talking and writing about this. What has to happen is security leaders develop this -- they're the ones making it work. I can help them look at all the vendors, find them, know which ones are growing, which ones are funded, which ones I've pre-vetted. But once they talk to them, they've got to do the proof of concept. And if you think about the opportunity costs -- it's a little like testing a new drug that cures cancer. You wouldn't want to do a double-blind study with placebos because all those people die. You had the cure and didn't give it to them.
[00:21:30]
Richard Stiennon: You're going to do some testing, you'll have a little team working at the lightning speed your team is used to. Six months from now, the team puts together a big report. They go: yeah, we caught 98% of everything that happened, at a cost of $15,000 over 90 days. And you're going to say: what? My budget for SOC operations was a million over that 90 days. You just wasted a million dollars. If you had worked faster, you would have realized. So you're not going to get that million back, but you have to think ahead to implementing as fast as you possibly can. For the next three quarters you save $3 million. The calculus will be exactly like that.
[00:22:34]
Sean Martin: Super interesting times. It's fun to watch what you do and to see how you've evolved over time looking at these things.
[00:22:46]
Richard Stiennon: We've only recently discovered Claude Code internally. We knew we had to look at it, but oh my God -- we are rewriting everything. We're getting off of no-code, rewriting in Rust. We'll be able to do anything in days. It's going to be amazing.
[00:23:08]
Sean Martin: Yeah, it's a powerful world we live in. We actually landed on my Music Evolves podcast by mistake -- I was chatting with a guy who was building a system to manage live performances, all the connections between promoters and bands and venues and sound systems and ticketing. He basically builds new apps every day based on feedback, all through Claude Code. So there you go. That's the world we live in. This is not an RSA Conference episode, but this will come out before the conference. And I know you're going to be there, Richard, with some book signing stuff. If you've not met Richard, I would encourage you to say hello and have a chat. RSA is a great place to do that. Give us a word as we wrap here -- how folks can find you in San Francisco.
[00:24:08]
Richard Stiennon: Yeah, if you follow me on LinkedIn, you'll know where I'm at. I usually hang out at either the W lobby or the Ritz Carlton lobby. There'll be a book signing of Guardians of the Machine Age on Tuesday at 1 PM at a to-be-disclosed company -- coming out of it on the 17th, March. They'll talk about it. I'll be at several other venues too, just wandering around and getting that book out there and signing it.
[00:24:41]
Sean Martin: I love it. I love it. Well, I'm looking forward to seeing you in person. Richard, it's always good to see you, my friend. Good to connect with you and thanks for sharing some insights here and hopefully getting some security leaders to open their mind a bit.
[00:25:01]
Richard Stiennon: Yeah, just look at it. Don't dismiss it. That's all I'm saying.
[00:25:04]
Sean Martin: Yeah. And you want to save three quarters of your SOC budget -- so there you go, everybody. Thanks for joining me here on Redefining Cybersecurity. Please stay tuned for more. I love having these conversations and hopefully you enjoy listening to them. Please do share with your friends and enemies and subscribe and all the other fun stuff, and we'll see everybody in San Francisco or on the next episode here. Stay tuned.