The Co-evolution of Human-AI Teaming in Security Operations Centres (SOCs): Progress, Challenges, and Future Paradigms as of March 2025

1. Introduction

1.1 The Evolving Threat Landscape and the Demand for Advanced SOC Capabilities (as of early 2025)

As of early 2025, the cybersecurity domain confronts escalating challenges, with the volume and sophistication of cyber threats continually rising, significantly propelled by Artificial Intelligence (AI)-driven attack tools. Adversaries are leveraging AI for automated reconnaissance, the generation of polymorphic malware, the execution of complex social engineering attacks (including deepfakes), and the deployment of adaptive attack strategies. This landscape necessitates a paradigm shift within Security Operations Centres (SOCs), moving from traditional, often manually intensive, defence mechanisms towards more agile, intelligent, and scalable solutions. The velocity and complexity of modern threats have surpassed the processing capacity of purely human SOC teams, underscoring the urgent requirement for AI-augmented capabilities.  

The “cyber poverty line” is ascending, signifying an increasing investment required for effective cybersecurity, thereby disadvantaging Small and Medium-sized Businesses (SMBs). This further accentuates the need for efficient, AI-enhanced SOC solutions capable of scaling capabilities to address the burgeoning threats. The rapid weaponisation of AI by attackers not only amplifies the volume of threats but also fundamentally alters attack methodologies, compelling a reactive evolution of defensive AI strategies within SOCs. This creates an “AI arms race” dynamic, wherein offensive AI drives the development of defensive AI, and vice versa. This is not merely a matter of increased alert volume but the emergence of qualitatively different, more adaptive threats that demand equally adaptive, AI-augmented defensive measures.  

1.2 The Emergence of Human-AI Teaming as a Critical Cybersecurity Paradigm (as of early 2025)

Human-AI Teaming is evolving from a stage where AI merely serves as a tool to one where AI functions as an active collaborator within the SOC. This paradigm shift aims to combine the strengths of human analysts (e.g., critical thinking, contextual understanding, ethical judgement, creativity) with the capabilities of AI (e.g., data processing speed, pattern recognition, automation).  

The objective is to create a symbiotic relationship that enhances the overall effectiveness, efficiency, and resilience of the SOC in addressing advanced threats. This is not about entirely replacing humans with automation but augmenting human capabilities. The impetus for Human-AI Teaming stems from a recognition of the limitations of purely human and purely AI approaches, indicating a maturing understanding of AI’s role in complex, high-stakes environments like cybersecurity. The focus on “synergy” and “capability enhancement” signifies a deliberate strategy to combine the best of both, moving beyond a simplistic “AI will solve everything” or “humans are irreplaceable” dichotomy. However, the “cyber poverty line” may exacerbate the disparity between organisations that can afford sophisticated Human-AI Teaming SOCs and those that cannot, potentially concentrating cyber risk amongst SMBs and under-resourced entities. This has broader economic and national security implications, as these vulnerable entities can become entry points for supply chain attacks.  

1.3 Thesis of the Paper

This report will conduct an in-depth academic analysis of the state of Human-AI Teaming within SOCs as of March 2025. It will meticulously examine the technological advancements underpinning this synergy, the operational models being adopted, the multifaceted challenges inherent in such collaboration (including human factors and ethical dilemmas), and the future paradigms shaping the co-evolution of human and AI capabilities in cybersecurity defence.

2. The Architecture of Human-AI Teaming in Modern SOCs (as of early 2025)

2.1 Defining Human-AI Teaming: From Automation to True Collaboration

Human-AI Teaming distinguishes itself from traditional automation by involving AI agents as active collaborators capable of learning, adapting, and even operating semi-autonomously, rather than merely executing pre-programmed scripts. At its core are partnership and shared goals. The focus of this synergy is on the combined output of the human-AI team being greater than the sum of its individual parts. This involves leveraging AI’s speed, scale, and data processing capabilities alongside human strategic oversight, complex problem-solving, and ethical judgement. The evolution from augmentation to agentic SOCs represents a significant shift in control points and decision-making, demanding new trust models, oversight mechanisms, and skill sets from human analysts.  

2.2 Key Components: AI Agents, Human Analysts, and Interaction Interfaces

The architecture of Human-AI Teaming in modern SOCs comprises three core components:

• AI Agents: These are specialised AI systems designed for tasks such as alert triage, malware analysis, threat hunting, detection rule engineering, and even response orchestration. These agents can be powered by various machine learning models, including deep learning and reinforcement learning.  
• Human Analysts: Their role evolves from primarily manual alert investigation to strategic oversight, AI system tuning, complex investigations, ethical guidance, and managing AI agents.  
• Interaction Interfaces: Crucial for efficient collaboration. These include advanced dashboards, natural language interfaces, visualisation tools, and the outputs of Explainable AI (XAI), enabling analysts to understand AI reasoning, provide feedback, and direct AI actions. The design of these interfaces must be human-centric. The design of human-AI interaction interfaces becomes a critical bottleneck and enabler for successful teaming. Poorly designed interfaces can hinder collaboration, reduce trust, and negate the benefits of advanced AI. Thus, Human-Centred AI (HCAI) principles are not merely desirable but essential for realising the potential of Human-AI Teaming, with explainability embedded within interface design.  

2.3 Collaboration Models: From Augmentation to Agentic SOCs

Collaboration models are evolving from simple AI assistance to more sophisticated agentic systems:

• Augmentation Model: AI assists human analysts by automating repetitive tasks (e.g., alert triage, data enrichment), providing contextual information, and offering recommendations, but humans retain primary decision-making authority. This is the foundational stage.  
• Agentic Assistance: AI agents take on more autonomy in specific tasks, working semi-autonomously under human supervision. For instance, an AI agent might independently investigate low-to-medium severity alerts and propose response actions for human approval.  
• Agentic SOC Vision (anticipated Q2 2025): A more advanced model where multiple specialised AI agents collaborate with each other and with human analysts to execute complex workflows, potentially handling significant portions of SOC processes autonomously, whilst humans focus on strategic oversight, exception handling, and complex threats. Google’s vision of an “agentic SOC,” featuring multiple connected, use-case driven agents performing semi-autonomous and autonomous workflows, serves as a key example. The concept of an agentic SOC implies an ecosystem of modular and potentially interoperable AI agents. This raises questions about standardisation (e.g., the Agent2Agent protocol proposed by Google in ), integration challenges, and the potential for systemic risks if individual agents fail or are compromised.  

The table below summarises a comparative analysis of Human-AI Teaming models in SOCs as of early 2025:

Table 1: Comparative Analysis of Human-AI Teaming Models in SOCs (as of early 2025)

Feature	Augmentation Model	Agentic Assistance	Agentic SOC Vision
AI Role	Task automation, decision support	Semi-autonomous investigation, action proposal	Collaborative workflow execution, partial autonomous decision-making
Human Role	Primary decision-maker, validator	Supervisor, verifier, final decision-maker	Strategic orchestrator, exception handler, ethical overseer
Key Enabling Technologies	Basic Machine Learning, Rule Engines	Explainable AI (XAI), Task-specific AI Agents	Advanced Agent Platforms, LLMs, Inter-AI Collaboration Protocols
Advantages	Increased efficiency, reduced repetitive work	Scaled analyst capacity, handling more alerts	Large-scale automation, proactive threat hunting, continuous learning
Limitations/Challenges	Humans remain a bottleneck, limited AI capabilities	Trust establishment, AI decision validation, integration complexity	Managing complexity, AI ethics, systemic risks, skill transformation
Primary SOC Use Cases	Alert triage, data enrichment	Automated initial investigation, vulnerability assessment support	Proactive threat hunting, automated response, security posture awareness

Export to Sheets

3. Advanced AI Capabilities Driving Human-AI SOC Teams (as of early 2025)

3.1 Explainable AI (XAI) as the Foundation for Team Trust and Transparency

Traditional complex AI models, particularly deep learning models, often lack transparency due to their “black-box” nature, which impedes analyst understanding and trust. Explainable AI (XAI) techniques, such as LIME (Local Interpretable Model-agnostic Explanations) and SHAP (SHapley Additive exPlanations), are crucial for making AI decision-making processes interpretable. LIME provides local explanations for individual predictions, aiding in the audit of specific Intrusion Detection System (IDS) detections. SHAP assigns feature attribution scores by quantifying the importance of input variables (e.g., packet size, protocol) in threat classification.  

The benefits of XAI in team collaboration include: enhancing understanding of AI reasoning, building trust, aiding in alert validation, reducing false positives, facilitating human feedback for model improvement, and supporting compliance. XAI acts as a “cognitive translator”. However, the computational overhead of XAI techniques (especially SHAP) can hinder their real-time application in high-speed environments. Furthermore, the trade-off between interpretability and accuracy, and potential privacy concerns from exposing sensitive data patterns, are ongoing challenges. The effectiveness of advanced AI techniques (Deep Learning, Reinforcement Learning, Large Language Models) in human-AI SOC teams is fundamentally dependent on XAI. Without explainability, the “black-box” nature of these powerful tools limits analyst trust and adoption, thereby constraining potential synergies.  

3.2 Deep Learning for Enhanced Threat Detection and Anomaly Analysis

Deep Learning (DL) models, such as GANs (Generative Adversarial Networks), AEs (Autoencoders), and diffusion models for reconstruction, and RNNs (Recurrent Neural Networks), attention mechanisms, and GNNs (Graph Neural Networks) for prediction, excel at processing high-dimensional, unstructured cybersecurity data (e.g., logs, network traffic, binary files) to identify complex, non-linear patterns indicative of novel threats and anomalies.  

As of early 2025, specific DL architectures and their applications include:

• Reconstruction-based models (AEs, GANs, Diffusion Models): These models learn normal data patterns and identify deviations with high reconstruction errors as anomalies. They are highly effective in handling high-dimensional data.  
• Prediction-based models (RNNs, Attention Mechanisms, GNNs): These model sequential or relational data to predict future states or identify anomalous sequences/connections. GNNs are particularly promising for attack path prediction. Physics-Informed GNNs (PIGNNs) integrate graph theory knowledge to improve the accuracy of attack path prediction, featuring an architecture with a graph convolution block (using modified GraphSAGE and BMM SAGEConv layers for adjacency and node feature tensors) and a path prediction block (using an MLP with ReLU activation and logistic normalisation), incorporating physics-informed constraints via a custom loss function (L=ΦLdata​+ΨLpinn​) that includes degree, period, and connectivity components, achieving F1-scores of 0.9308 and ROC-AUC of 0.9533 in early tests.  
• Transformers (including Binary Transformers): These models show significant potential in malware classification, operating directly on byte-level data and, in some cases, outperforming traditional models. Binary Transformers employ token-free techniques, processing file bytes directly as input, learning embeddings for byte values via strided convolutional layers, and utilising shifted window attention mechanisms for long sequences. In malware classification tests, their performance significantly surpassed standard tree-based models, with ROC curves showing orders-of-magnitude improvement, despite a larger memory footprint (tens of MBs) compared to tree-based models (under 10MB). BERT has also been used for vulnerability report classification.  

Despite their high accuracy, DL models often suffer from the “black-box” problem, thus requiring XAI. Handling concept/data drift and ensuring robustness against adversarial attacks are persistent challenges. The computational cost of training and inference can also be a factor. The specialisation of AI models (e.g., PIGNNs for attack paths, Binary Transformers for malware, LLMs for language tasks) suggests that future SOC architectures will comprise an integration of diverse AI agents, each contributing unique expertise, orchestrated by human analysts.  

3.3 Reinforcement Learning for Adaptive Defence Strategies

Reinforcement Learning (RL) enables security systems to dynamically learn, adapt, and optimise defence strategies by interacting with the environment and receiving rewards or penalties for their actions. This shifts cybersecurity from reactive responses to proactive defence. As of early 2025, RL applications in SOCs include automated incident response, adaptive network security (dynamic firewall reconfiguration), intrusion prevention, and optimising defences against multi-stage attacks.  

Frameworks such as ARCS (Adaptive Reinforcement Learning for Cybersecurity Strategies) and CHT-DQN (Cognitive Hierarchy Theory-driven Deep Q-Network) are illustrative examples:

• ARCS Framework: Utilises deep RL to optimise automated incident response, combining state representation learning with hierarchical decision-making and employing a custom reward mechanism to balance resolution time, system stability, and defence effectiveness. It has shown strong performance in handling multi-stage attacks, reducing incident resolution time by 27.3%, improving defence effectiveness by 31.2%, and lowering false positive rates by 42.8%.  
• CHT-DQN Framework: Models interactive decision-making between SOC analysts (defenders at cognitive level-1) and AI-driven APT bots (attackers at level-0) using attack graphs. It enhances adaptive SOC defence by enabling analysts to anticipate attacker behaviour and dynamically adjust countermeasures.  

Common RL algorithms include Deep Q-Networks (DQN), policy gradient methods (e.g., PPO, A3C), and actor-critic methods (e.g., SAC, TD3). However, RL faces challenges such as computational overhead, training data quality requirements, susceptibility to adversarial manipulation, and ensuring AI decisions are transparent and accountable. Whilst RL offers adaptive defence, its susceptibility to adversarial manipulation and the need for high-quality training data pose significant risks. RL agents that learn incorrect behaviours or are actively misled could automate detrimental security actions.  

3.4 Large Language Models (LLMs) as Collaborative Partners: Bridging Expertise Gaps

Large Language Models (LLMs) are emerging as intelligent collaborators capable of bridging expertise gaps in cybersecurity decision-making, particularly for non-expert users or complex tasks. Human-AI collaboration with LLMs can improve performance in tasks like phishing detection (reducing false positives) and intrusion detection (reducing false negatives) , and can also support long-term skill development.  

Interaction dynamics with LLMs, such as their assertiveness, explanation style, and tone, influence user trust, questioning strategies, and decision revision. In highly complex environments, users are more inclined to rely on LLM feedback. LLMs, through Natural Language Processing (NLP), can process and analyse vast amounts of unstructured security data (threat intelligence reports, security logs, incident narratives, dark web forums) to extract relevant information, identify relationships, and provide context. This enhances threat intelligence processing and log analysis capabilities. Transformer models (the foundation of LLMs) are used for automated security report generation, vulnerability classification, and summarising complex security data into easily understandable language. Designing explainable, adaptive, and trustworthy human-AI collaboration systems is crucial, where calibrated confidence and actionable explanations are key. The ability of LLMs to bridge expertise gaps can democratise certain cybersecurity skills, but it could also lead to over-reliance if not managed properly, creating new vulnerabilities if LLM advice is flawed or misinterpreted.  

The table below summarises the applications of core AI technologies in Human-AI SOC teams as of early 2025:

Table 2: Applications of Core AI Technologies in Human-AI SOC Teams (as of early 2025)

AI Technology	Primary Function in SOC	Impact on Human-AI Teaming	Key Challenges for Teaming
XAI (LIME/SHAP)	Explaining AI decisions	Builds trust, enhances transparency, facilitates validation	Computational cost, interpretability vs. accuracy trade-off, potential privacy exposure
Deep Learning (GAN/AE/RNN/GNN/Transformer)	Anomaly/malware detection, attack path prediction, vulnerability report classification	Improves detection accuracy and coverage, handles complex data	“Black-box” problem, data drift, adversarial attack vulnerability, computational resource demand
Reinforcement Learning (DQN/PPO/ARCS/CHT-DQN)	Adaptive response, dynamic defence adjustment, automated incident response	Enables proactive defence, optimises response strategies, handles multi-stage attacks	Data quality and quantity requirements, adversarial manipulation risk, reward mechanism design complexity
Large Language Models (LLM)	Threat intelligence analysis, report generation, bridging expertise gaps, decision support	Enhances analyst understanding, improves communication efficiency, supports non-expert users	Calibrated confidence, explanation quality, over-reliance risk, potential bias and “hallucinations”

Export to Sheets

4. Human Factors in the Era of AI-Driven SOCs (as of early 2025)

4.1 Cognitive Offloading, Skill Atrophy, and Analyst Engagement

In the context of increasing AI integration into SOC operations, human factors become critical determinants of Human-AI Teaming effectiveness. Reliance on AI tools for tasks like information retrieval and decision-making can lead analysts to “offload” cognitive tasks to AI, thereby reducing deep, reflective thinking. Whilst this can free up cognitive resources, it may also lead to a decline in engagement and skill development.  

Over-reliance on AI and automation could lead to “skill atrophy” in fundamental analytical capabilities amongst SOC analysts. Gartner predicts that by 2030, 75% of SOC teams may lose these capabilities due to over-reliance on automation. This is a significant long-term risk. The shift of routine tasks to AI can improve job satisfaction by allowing analysts to focus on more strategic and complex work. However, if mismanaged, it could also lead to reduced self-efficacy or sense of value.  

Mitigation strategies include adopting “augmentation models” where AI handles repetitive tasks whilst analysts focus on high-impact work; continuous upskilling programmes; and adapting job descriptions to include AI oversight and guidance. There is an inherent tension between the drive for AI autonomy (agentic SOCs) and the risks of analyst skill atrophy and over-reliance. Successful Human-AI Teaming requires a carefully managed balance, with continuous calibration in training and adaptive system design.  

4.2 Trust Calibration in Human-AI Systems: Mechanisms and Challenges

Trust is the cornerstone of effective Human-AI Teaming. Analysts need to trust AI outputs to act upon them, and AI systems may also need calibration based on human feedback. A “calibration gap” exists in trust calibration, where there is a discrepancy between human confidence in LLM-generated answers and the model’s actual confidence. The length of explanations influences user trust, sometimes irrespective of accuracy.  

Factors influencing trust include transparency (XAI), reliability, perceived accuracy, the system’s ability to communicate uncertainty, and interaction dynamics (e.g., assertiveness and tone of LLMs). Both over-trust and under-trust can be detrimental. The “black-box” nature of AI hinders trust. Adversarial attacks against AI trust, such as manipulating AI outputs or making them unreliable, are another challenge. The erosion of trust in digital content due to deepfakes also plays a role. Trust calibration is not a one-time setup but an ongoing, dynamic process. It will be continually challenged by evolving AI capabilities, novel adversarial tactics against AI trust , and the psychological factors of human-AI interaction.  

4.3 Human Oversight and AI Decision Validation, Especially for Novel Attacks

Despite AI advancements, human oversight remains crucial, particularly for strategic judgement, exception management, and validating AI decisions in complex or novel situations. AI systems may not have been trained on entirely new attack vectors. Analysts must be able to scrutinise AI-generated alerts and insights, especially when AI confidence is low or situations are ambiguous. XAI tools are vital for this validation. AI excels at known patterns; humans are better at reasoning about novel, unknown threats. Teaming should leverage AI to filter the known and flag the unknown for human expert review.  

4.4 The Evolving Role of the Analyst: Strategic AI Orchestrator and Mentor

The analyst’s role is transforming from a manual task executor to one who strategically orchestrates AI agents, tunes AI systems, validates the quality of AI decisions, and aligns security outcomes with business priorities. Analysts may need to “mentor” or provide feedback to AI systems, helping them learn and improve, akin to managing junior team members. New skills in programming, data analysis, AI model understanding, and ethical reasoning are becoming more important for SOC analysts. This shift in the analyst’s role necessitates a fundamental change in SOC talent management, including recruitment criteria, training curricula (integrating AI management and ethics), and career development pathways.  

4.5 Human-Centred AI (HCAI) Design Principles for SOC Tools

Core HCAI principles include: empathy for user needs (analysts), ethical considerations (bias mitigation, fairness), active user involvement in the design process, accessibility, transparency/explainability (XAI), continuous feedback loops, and balancing automation with human control. These principles ensure that AI tools genuinely augment analyst capabilities, are intuitive to use, trustworthy, and aligned with SOC workflows and ethical standards. For example, designing XAI dashboards that clearly communicate AI reasoning and uncertainty. Establishing clear interaction protocols that govern how analysts interact with AI, assign tasks, provide feedback, and override decisions is essential for effective and safe teaming. HCAI principles, if genuinely implemented, can effectively combat skill atrophy and disengagement by ensuring AI tools are designed to empower and collaborate with analysts, rather than replace or marginalise them.  

5. Measuring Success: Metrics for Human-AI Team Performance in SOCs (as of early 2025)

5.1 Traditional SOC Metrics in an AI-Augmented Environment

Standard metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to Contain (MTTC), incident reduction rates, and patch compliance remain relevant. AI is expected to significantly improve these metrics, for instance, AI tools shortening SOC analysis time , AI automating 70% of investigations , and AI reducing incident response times.  

5.2 AI Contribution and Efficiency Metrics

• Escalation Rate: The percentage of alerts escalated by AI to human analysts. A low escalation rate indicates effective AI filtering but should not miss true threats. For example, Intezer’s AI SOC achieved an escalation rate of 3.81%.  
• AI Accuracy: True Positive (TP) accuracy (correctly identifying threats) and False Positive (FP) accuracy (correctly dismissing benign alerts). Intezer’s AI SOC achieved 93.45% TP accuracy and 97.7% FP accuracy. AI-augmented SOCs have seen false positive reductions of up to 90%.  
• Mean Time to Investigate (AI-executed): The time taken by AI to analyse an alert and make a decision. Intezer’s AI SOC had an average investigation time of 2 minutes 21 seconds, with a median of 15 seconds.  
• Automation Rate: The percentage of tasks/investigations fully automated by AI (e.g., 70% of incident investigations ).  

5.3 Evaluating Human-AI Synergy: Qualitative and Quantitative Approaches

Evaluating Human-AI synergy requires moving beyond traditional SOC metrics and standalone AI performance indicators. New composite metrics are needed to capture the collaborative effectiveness of the team.

• Quantitative Synergy Metrics:
  • Improvement in overall SOC metrics (MTTD, MTTR) by human-AI teams compared to human-only or AI-only baselines.  
  • Reduction in human analyst workload/burnout (e.g., AI handling 85% of routine tasks, 67% reduction in analyst burnout ).  
  • Increase in security incident handling capacity (e.g., by 245% ).  
  • Analyst time spent on strategic activities versus routine tasks (e.g., 78% on strategic activities ).  
• Qualitative Synergy Metrics (difficult to quantify but crucial):
  • Shared Situational Awareness: The extent to which human analysts and AI systems maintain a consistent and accurate understanding of the threat landscape and operational status (implicit in – shared mental models).  
  • Trust Levels and Calibration: Analyst trust in AI assessed via surveys, feedback sessions, and objective measures of trust calibration.  
  • Quality of AI Explanations and Analyst Comprehension: Assessing whether XAI outputs are genuinely understood and actionable by analysts.
  • Adaptability and Co-learning: How effectively the human-AI team adapts to new threats or environmental changes; evidence of mutual learning.  
  • Decision Quality in Complex Scenarios: Evaluating the effectiveness of joint human-AI decisions in novel or ambiguous threat scenarios.
• Evaluation Frameworks: Frameworks are needed that can blend human intuition with AI precision, considering context switching, adaptive problem-solving, and editorial judgement.  

The offloading of high-volume false positives and routine tasks to AI fundamentally changes the nature of work for human analysts, concentrating their efforts on a smaller number of potentially more complex and critical incidents. This has implications for the training and skills required to handle these events. The “mean time to investigate” for AI-handled alerts being mere seconds/minutes creates an expectation for rapid human analyst validation or follow-up. This could increase pressure on human analysts if hand-off processes and AI explanations are inefficient.  

The table below summarises metrics for evaluating performance and synergy in Human-AI SOC teams as of early 2025:

Table 3: Metrics for Evaluating Performance and Synergy in Human-AI SOC Teams (as of early 2025)

Metric Category	Specific Metrics	Description & Collection Method	Relevance to Human-AI Dynamics
Overall SOC Performance	Team MTTD/MTTR improvement, False Positive Rate reduction	System logs, incident records, comparison against baselines	Measures overall team effectiveness, AI contribution to filtering and speeding up response
AI Contribution	AI Escalation Rate, AI Accuracy (TP/FP), AI Mean Time to Investigate, Percentage of Automated Tasks	AI system logs, manual audits, performance benchmarks	Measures AI efficiency in screening alerts, accurately identifying threats, and completing tasks independently
Human Analyst Performance	Analyst time on strategic tasks, Cognitive Load/Burnout reduction, Complex Incident Resolution Rate	Time tracking, surveys, performance reviews, case studies	Measures analyst capacity to handle complex threats and AI impact on their efficiency and job satisfaction
Human-AI Synergy	Shared Situational Awareness Score, Trust Calibration Index, Co-learning Rate, Joint Decision Quality in Complex Scenarios, Task Handover Efficiency	Simulation exercises, surveys, interaction analysis, expert evaluations, workflow analysis	Measures the quality of collaboration, mutual understanding, adaptability, and overall performance of humans and AI as a unified team

Export to Sheets

6. Ethical Dilemmas and Governance in Human-AI SOCs (as of early 2025)

6.1 Accountability in Automated and Co-Created Responses

Determining who is responsible when AI-driven or human-AI co-created decisions lead to errors, impactful false positives, or missed critical threats is a significant challenge. Does liability rest with the AI developers, the deploying organisation, or the human analyst who supervised/acted on AI recommendations? The lack of clear accountability frameworks is a major concern. AI governance principles such as accountability, transparency, and explainability are crucial. Maintaining human oversight, particularly for critical actions, is often cited as a way to ensure accountability. The accountability issue in AI-driven SOCs is exacerbated by the “many hands” dilemma, where multiple actors (developers, vendors, data providers, human analysts, the AI itself) contribute to an outcome, making it difficult to assign singular responsibility.  

6.2 Bias in AI-Driven Threat Intelligence and Decision Support

AI algorithms can inherit biases from their training data, leading to unfair or discriminatory outcomes. For example, AI might disproportionately flag activity from specific demographics or regions if the training data reflects historical biases. In SOCs, biased AI could lead to user profiling, unfairly targeting certain groups, missing actual threats in underrepresented patterns in data, or generating excessive false positives for particular user segments. Mitigation requires careful data governance, diverse training datasets, ongoing bias audits, and leveraging XAI to identify and understand biased decision-making. Fairness is one of the core ethical principles.  

6.3 Privacy Implications of AI Monitoring and Data Processing

AI systems in SOCs process vast amounts of data, including potentially sensitive user activity and communications, to detect threats. Excessive monitoring, unintentional collection of personal information, and the exposure of sensitive patterns through XAI techniques are significant privacy risks. Adherence to data privacy regulations like GDPR and HIPAA is essential. Ethical data handling principles such as data minimisation, purpose limitation, and robust security for collected data are crucial. XAI techniques, intended to improve transparency and trust, could paradoxically create new privacy risks if they expose sensitive data patterns during explanation. This creates a “transparency-privacy paradox” that requires careful navigation.  

6.4 Ethical AI Frameworks in Cybersecurity Operations (as of early 2025)

Robust AI governance frameworks are needed to manage risks and ensure the ethical development and adoption of AI in cybersecurity. This includes security policies for AI and oversight committees. Key ethical principles include transparency, fairness, accountability, privacy, security, non-maleficence/beneficence, autonomy, and explainability. Existing frameworks like the NIST AI Risk Management Framework, OECD AI Principles, and the European Commission’s Ethics Guidelines for Trustworthy AI can inform cybersecurity-specific frameworks. Responsible AI development requires integrating ethical considerations throughout the AI lifecycle, from design to deployment and monitoring. Ethical AI principles, whilst crucial, face significant practical challenges in the high-pressure, time-sensitive environment of a SOC. The trade-off between rapid response (to protect organisational interests) and meticulous bias checks or privacy considerations can present acute dilemmas for analysts and AI systems. Effective AI governance in SOCs cannot be a static, policy-only approach. It must be dynamic and adaptive, involving continuous monitoring of AI behaviour, regular ethical audits, and mechanisms for human intervention and oversight, especially as AI models evolve and encounter novel scenarios.  

The table below outlines an ethical framework for Human-AI Teaming in SOCs as of early 2025:

Table 4: Ethical Framework for Human-AI Teaming in SOCs (as of early 2025)

Ethical Principle	Relevance in Human-AI SOC	Potential Dilemmas in SOC Context	Governance/Mitigation Approaches
Accountability	Assigning responsibility for AI-assisted actions	Diffused responsibility in complex incidents, difficulty tracing “black-box” AI	Clear roles & responsibilities, audit trails, post-incident review processes
Transparency/Explainability	Understanding AI decision-making processes	“Black-box” nature of advanced AI vs. need for rapid explanations	Implementation of XAI tools, design of interpretable interfaces, analyst training on XAI
Fairness/Non-Discrimination	Avoiding biased threat prioritisation	Training data biases leading to skewed threat detection, disproportionate impact on certain groups	Regular bias audits, use of diverse and representative datasets, algorithmic fairness testing
Privacy	Protecting sensitive data processed by AI	Conflict between AI monitoring and employee privacy, XAI potentially exposing sensitive data patterns	Data minimisation, anonymisation/pseudonymisation techniques, compliance with GDPR/HIPAA, Privacy Enhancing Technologies (PETs)
Non-Maleficence/Beneficence	Ensuring AI actions do not cause undue harm / maximising security benefits	Automated responses causing unintended damage (e.g., disrupting critical business) vs. failure to act timely causing greater loss	Human-in-the-loop for critical decisions, safety protocols and fail-safes, risk-benefit analysis for AI actions
Human Autonomy/Oversight	Maintaining human control over critical decisions	When and how to override AI recommendations in ambiguous situations vs. when AI should be trusted	Clear override protocols, trust calibration mechanisms, continuous human supervision and validation processes

Export to Sheets

7. The Future of Co-evolution: Anticipatory Defence and Adaptive Learning (Post-March 2025)

7.1 Anticipatory AI: From Prediction to Proactive Threat Neutralisation

As of early 2025, AI is primarily used for predictive analytics (forecasting emerging threats based on historical data and threat intelligence) and proactive defence (e.g., patching vulnerabilities, hardening defences). The future vision is “anticipatory AI,” which not only predicts threats but proactively anticipates attacker Tactics, Techniques, and Procedures (TTPs), simulates potential attack paths, and pre-emptively neutralises threats or adapts defences before attacks materialise or in their nascent stages. This could involve advanced simulations, “what-if” scenario analysis, understanding attacker intent through more sophisticated behavioural modelling, and autonomously reconfiguring defences based on anticipated actions. The concept of “cyber shadows” (hidden threats from advanced AI) highlights the necessity for such foresight. Frameworks for assessing AI’s own offensive cyber capabilities (using attack chain models like Lockheed Martin, MITRE ATT&CK) are emerging to understand how AI can amplify attacks (reconnaissance, evasion, persistence), thereby informing anticipatory defences. True “anticipatory AI” requires a shift from pattern matching on past data to more sophisticated causal reasoning and understanding of attacker intent and strategy, which remains nascent for AI in early 2025.  

7.2 Co-learning and Mutual Adaptation in Human-AI Systems

In Human-AI teams, both humans and AI continuously learn from each other and adapt their behaviours and strategies over time. This is a dynamic, bidirectional process. The “Human-AI Handshake Model” framework emphasises bidirectional, adaptive interaction with attributes including information exchange, mutual learning, validation, feedback, and mutual capability enhancement, fostering co-evolution. AI learns from analyst feedback, observed outcomes, and new threat data. Humans learn from AI insights, better understand AI capabilities and limitations, and refine their interaction strategies. This leads to more resilient, efficient, and effective SOC operations as the team (both human and AI components) becomes better attuned to each other and the evolving threat landscape. Co-learning systems create a complex adaptive system where the behaviours of human and AI components continually influence each other. This can lead to emergent behaviours that are difficult to predict or control, requiring new approaches to system validation and safety.  

7.3 The Trajectory Towards More Autonomous yet Human-Centric SOCs

AI agents are likely to handle a broader range of tasks autonomously or semi-autonomously. The vision of an “agentic SOC” points in this direction. Despite increasing automation, the design and operation of these future SOCs must remain human-centric, ensuring human oversight, ethical alignment, and tools that empower rather than replace analysts. The future lies in finding the optimal balance between AI autonomy and human control, leveraging AI’s strengths whilst ensuring human judgement guides critical decisions and ethical considerations. The trajectory towards more autonomous, even if human-centric, SOCs will inevitably lead to a redefinition of “cybersecurity expertise.” Future expertise may rely less on manual technical skills and more on the ability to design, manage, audit, and ethically guide complex AI security systems. The development of specific incident response playbooks for AI systems is a reactive necessity driven by increasing AI deployment. True anticipatory defence would involve building AI systems that are inherently more resilient and less prone to requiring such specific (and potentially complex) incident responses.  

8. Conclusion and Strategic Recommendations

8.1 Review of the Human-AI Symbiotic Relationship in Advanced SOCs (as of early 2025)

As of early 2025, Human-AI Teaming has become a core strategy for advanced SOCs in addressing increasingly sophisticated cyber threats. This synergistic relationship is evolving from simple AI augmentation models towards more collaborative and agentic paradigms. Advanced AI technologies such as XAI, Deep Learning, Reinforcement Learning, and Large Language Models are endowing SOCs with unprecedented capabilities, including more precise threat detection, faster response times, and deeper insights from vast data volumes. However, this technological empowerment is not without its challenges. The necessity of human oversight, the complexity of ethical considerations, and the principles of human-centric design stand as critical pillars for ensuring the success of Human-AI Teaming. The “black-box” problem of AI, potential biases, privacy risks, and the impact on human analysts’ cognitive load and skill development all demand heightened attention to governance frameworks, human factors, and ethical guidelines alongside technological advancement.

8.2 Key Challenges in Maximising the Potential of Human-AI Teaming

Despite its promising outlook, maximising the potential of Human-AI Teaming still faces multiple challenges:

• Technical Challenges: The conflict between the computational overhead of XAI techniques and real-time requirements, the robustness of AI models versus their vulnerability to adversarial attacks, the acquisition and maintenance of high-quality training data, and the persistent impact of concept drift on model performance.
• Human Factors: Potential skill atrophy amongst analysts due to over-reliance on AI, the difficulty of trust calibration between humans and AI, and how to maintain analyst engagement and critical thinking in highly automated environments.
• Ethical and Governance Challenges: Clear delineation of accountability in automated and co-created responses, identification and elimination of potential biases in AI decisions, and the protection of privacy when utilising AI for monitoring and data processing.
• Organisational Challenges: The talent management changes (recruitment, training, career development) required to adapt to new Human-AI Teaming models, the reshaping of existing SOC processes, and continuous investment in advanced AI technologies and supporting infrastructure.

8.3 Recommendations for Organisations (SOCs, Enterprises)

To successfully navigate the complexities of Human-AI Teaming and fully leverage its potential, organisations should consider the following strategic recommendations:

• Invest in HCAI Design: Deeply integrate human-centric design principles into the development of SOC tools and human-AI interaction protocols, ensuring technology empowers analysts rather than replacing them.
• Develop Comprehensive Training Programmes: Provide analysts with training focused on AI collaboration, AI system oversight, data interpretation, and the ethical use of AI, cultivating the skills needed to adapt to new working models.
• Implement Robust AI Governance Frameworks: Establish clear AI governance structures that define accountability mechanisms in automated and Human-AI Teaming decisions, and conduct regular ethical audits.
• Foster a Culture of Continuous Learning and Adaptation: Encourage bidirectional learning and continuous adaptation between human analysts and AI systems to respond to evolving threats and technologies.
• Prioritise XAI Integration: Make Explainable AI technologies a core component of SOC tools to build analyst trust, enable effective validation of AI decisions, and facilitate feedback loops.
• Proactively Address Skill Atrophy and Cognitive Offloading: Maintain analyst engagement and core skills by redesigning job responsibilities to increase their involvement in strategic planning, complex threat hunting, and AI system optimisation.

8.4 Recommendations for Researchers (Academia, R&D Laboratories)

Academia and R&D laboratories can play a pivotal role in advancing Human-AI Teaming:

• Develop Efficient and Robust XAI Techniques: Focus on researching XAI methods with lower computational overhead, better explanatory power, and greater suitability for real-time SOC operations.
• Advance Trustworthy and Verifiable AI Research: Pay particular attention to ensuring the reliability, security, and auditability of AI systems in high-risk decision-making scenarios like cybersecurity.
• Explore New Human-AI Teaming Evaluation Metrics and Methods: Develop novel quantitative and qualitative metrics capable of comprehensively measuring the synergistic effects, shared situational awareness, and co-learning outcomes of human-AI teams.
• Address AI Bias and Fairness Issues: Conduct in-depth research into mechanisms for identifying, quantifying, and mitigating AI bias in security applications, ensuring fairness and non-discrimination in decisions.
• Investigate Multi-Agent AI System Architectures for SOCs: Explore how to build resilient, secure, and efficiently collaborating systems of multiple specialised AI agents to support complex SOC workflows.
• The Faculty of Computing at the University of Latvia, with its emerging focus on cybersecurity resilience , and existing research base in AI, data management, and potentially even the security implications of quantum computing , is well-positioned to contribute to these research areas. In particular, its work on IoT and smart city data management (e.g., by Anastasija Nikiforova et al. ) could inform secure data handling for AI in broader network environments relevant to SOC data sources. The Faculty could focus on developing human-centric AI solutions and exploring the ethical and societal implications of advanced AI in security.  

8.5 Recommendations for Policymakers and Standards Bodies

Policymakers and standards bodies should provide guidance and support for the healthy development of AI in cybersecurity:

• Develop Ethical and Deployment Guidelines: Formulate clear guidelines and industry standards for the development, deployment, and oversight of AI in cybersecurity, emphasising ethics, transparency, and accountability.
• Promote Cybersecurity Talent Development: Support cybersecurity workforce development programmes aimed at cultivating the skills required for Human-AI Teaming, including AI literacy, data science, and ethical reasoning capabilities.
• Foster Public-Private Partnerships: Encourage collaboration between government, industry, and academia to accelerate research, development, and application of secure and trustworthy AI in cybersecurity.  
• Address the “Cyber Poverty Line” Issue: Support initiatives aimed at making advanced AI-driven security capabilities more accessible to resource-constrained organisations, such as SMBs.
• Strengthen International Cooperation: Promote international dialogue and cooperation on AI security standards, threat intelligence sharing, and best practices to address global cyber threats.

In conclusion, the successful evolution of Human-AI Teaming in SOCs is not merely a technological challenge but a complex socio-technical systems engineering endeavour. It demands holistic changes across organisational culture, operational processes, talent strategies, and governance frameworks. As AI assumes more critical decision-making roles within SOCs, corresponding AI governance and ethical oversight mechanisms must also evolve to become more robust and adaptive. Given the global nature of cyber threats and AI development, isolated or purely national responses will be insufficient to meet the challenges; international collaboration in research, standards, and ethical guidelines is paramount. Only then can the immense potential of Human-AI Teaming be fully realised to build a more secure and resilient digital future.