How AI-enabled workflow automation helps SOCs reduce burnout

By user | June 23, 2025 | 6 Mins Read

It’s certainly hard to be a SOC analyst.

Every day, analysts are expected to solve high-stakes problems with half the data and twice the pressure. They are overwhelmed, not only by threats but also by the systems and processes meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and the alerts never slow down. For many analysts, what began as a fast-paced, impactful role has become a repetitive loop of alert triage and data wrangling that offers little room for strategy or growth.

Most SOC teams also run lean. Last year’s SANS SOC Survey found that the majority of SOCs consisted of only 2-10 full-time analysts, a number that has not changed since the survey began tracking it in 2017. Meanwhile, coverage areas have exploded, from on-prem infrastructure to cloud environments, remote endpoints and SaaS platforms, growing more complex at scale and leading to systemic burnout across SOC environments. This is a legitimate business risk that hinders the organization’s ability to protect itself.

Addressing this issue is not merely a matter of increasing staffing. The longer we treat burnout as a people problem, the more we ignore what is actually a problem within the SOC itself. The challenge at hand requires a change in how SOC work is designed and executed, and in how analysts are positioned for success.

Enter artificial intelligence (AI). Large-scale AI implementations offer a practical path here by optimizing the parts of the job that drive analysts toward the door: repetitive steps, cognitive overhead, and lack of visible progress. From streamlining inefficient workflows and supporting skill development to enabling more impactful team-wide oversight, AI can pave a wider path to making SOC work more sustainable.

Reduce alert fatigue and repetitive loads with smarter automation

A constant stream of low-context alerts is one of the fastest ways to wear SOC teams down. The SANS SOC Survey reported that 38% of organizations ingest all available data into their SIEM. That can expand visibility, but it also floods analysts with low-value noise. And without strong correlation logic and cross-platform integration, analysts still have to assemble the big picture themselves. They are left tracking down indicators across disjointed systems, stitching context together manually to determine whether escalation is required. It is inefficient, exhausting and unsustainable.

SOC teams have been automating tasks for years, but most of that automation relies on fragile logic such as rigid playbooks and static flows that break as soon as a scenario deviates from expectations. AI changes that. AI-driven automation can ease the pressure by acting as a uniquely powerful context aggregator and research assistant. When paired with capabilities like those enabled by the new Model Context Protocol (MCP), a language model can integrate telemetry, threat intelligence, asset metadata, and user history into a single view, tailored to each unique situation an analyst faces. This gives analysts an enriched, case-specific summary rather than raw events. Clarity replaces guesswork. Response decisions happen faster and with more confidence. That can directly reduce burnout.
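
As an added illustration of the context aggregation described above (not code from the article or from SANS), this Python example joins one alert with telemetry, threat intelligence, asset metadata and user history into a single case view and records which sources returned nothing. All data, field names and the two escalation rules are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for SIEM telemetry, a threat-intel feed,
# an asset inventory and an identity log. All names and values are invented.
ALERT = {"id": "A-1001", "time": "2025-06-23T02:14:00", "host": "fin-ws-07",
         "user": "jdoe", "dest_ip": "203.0.113.50", "rule": "Rare outbound connection"}
TELEMETRY = [
    {"time": "2025-06-23T02:11:30", "host": "fin-ws-07", "event": "powershell.exe spawned by winword.exe"},
    {"time": "2025-06-23T02:13:55", "host": "fin-ws-07", "event": "outbound TCP 443 to 203.0.113.50"},
    {"time": "2025-06-22T09:00:00", "host": "fin-ws-07", "event": "user logon"},
    {"time": "2025-06-23T02:12:00", "host": "hr-ws-02", "event": "user logon"},
]
THREAT_INTEL = {"203.0.113.50": {"verdict": "malicious", "source": "constructed-feed"}}
ASSETS = {"fin-ws-07": {"owner": "Finance", "criticality": "high"}}
USER_HISTORY = {}  # the identity source returned nothing for this user

def enrich(alert, telemetry, intel, assets, users, window_min=10):
    """Join one alert with its surrounding context into a single case view."""
    t0 = datetime.fromisoformat(alert["time"])
    window = timedelta(minutes=window_min)
    nearby = [e["event"] for e in telemetry
              if e["host"] == alert["host"]
              and abs(datetime.fromisoformat(e["time"]) - t0) <= window]
    case = {"alert": alert["id"], "rule": alert["rule"], "related_events": nearby,
            "intel": intel.get(alert["dest_ip"]), "asset": assets.get(alert["host"]),
            "user": users.get(alert["user"])}
    # Record gaps explicitly so a missing source is never read as "nothing found".
    case["missing_context"] = sorted(k for k in ("intel", "asset", "user") if case[k] is None)
    reasons = []
    if case["intel"] and case["intel"]["verdict"] == "malicious":
        reasons.append("destination flagged by threat intel")
    if case["asset"] and case["asset"]["criticality"] == "high":
        reasons.append("high-criticality asset")
    case["escalate"], case["reasons"] = bool(reasons), reasons
    return case

def summarize(case):
    """Render the case view as plain text for an analyst or a language-model prompt."""
    lines = [f"Alert {case['alert']}: {case['rule']}",
             f"Escalate: {'yes' if case['escalate'] else 'no'} ({'; '.join(case['reasons']) or 'no signal'})",
             f"Related events: {len(case['related_events'])}",
             f"Missing context: {', '.join(case['missing_context']) or 'none'}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarize(enrich(ALERT, TELEMETRY, THREAT_INTEL, ASSETS, USER_HISTORY)))
```

The explicit missing_context list lets whoever reads the summary, analyst or model, see when a source was silent instead of inferring that the user or asset was clean.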

The key here is that, unlike SOAR, AI enables adaptive automation and makes it easy to access through an LLM interface. With AI agents and new standards like MCP and the Agent2Agent protocol, there is a future where analysts can explain what they need in plain language, allowing systems to dynamically build the automation and decide which tasks to perform and the best way to complete them. AI can adapt in real time based on context, whether it is pulling data, correlating signals, or adjusting responses. That flexibility is important, especially when the investigation path is not always clear.

Build analyst confidence with smarter feedback

Burnout isn’t just about long hours. Sometimes it is caused by stagnation: doing the same work without growing or getting meaningful feedback. If analysts don’t see progress, frustration quickly takes root. This is an area where AI can provide real support. Analysts can improve their own work on the fly: adjusting detection logic, troubleshooting false positives, and generating better queries with fast, targeted suggestions. While this kind of real-time feedback is especially valuable for new analysts, even experienced team members benefit from the ability to pressure-test their approach without waiting for peer review.

These interactions support what researchers call deliberate practice: focused repetition combined with immediate, practical feedback. It is worth its weight in gold when it comes to retention. According to the SANS SOC Survey, “meaningful work” and “career advancement” were ranked as the top two factors in analyst retention. Teams that embed growth into their daily workflows are more likely to keep their people. AI can’t replace human instruction, but it can help replicate some of its most meaningful effects at scale.

Help SOC leaders manage and strengthen their teams

SOC leaders have a direct impact on reducing burnout. However, lack of time and visibility is often the biggest obstacle to having a positive impact. Performance data such as caseloads, note quality, investigation depth, and response times are scattered across platforms and investigations. Without a way to bring it together, managers are left guessing who is struggling and why.

AI enables that analysis. Access to case management and workflow data allows models to surface performance trends: which analysts handle certain threat types consistently well, where errors cluster, and where quality is beginning to deteriorate. That insight allows managers to coach and assign work more effectively, based on capability as well as availability. It also gives them the opportunity to intervene earlier. Burnout doesn’t announce itself. In many cases it builds slowly and invisibly. However, with the proper signals (such as flagged overload, skill gaps, and drop-offs in quality), leaders can take action before the problem takes hold.

Over time, such targeted support rebuilds team culture. Performance improves, retention stabilizes, and analysts are more likely to grow and stay in roles where they feel seen, supported and set up to succeed.

Continue the conversation with SANS Network Security 2025

SOC burnout rarely appears all at once. It builds through repetitive effort with no learning, no progress, and no impact. AI won’t remove every stressor in the SOC, but it can help reduce friction where it matters most.

If this topic resonates, please join SANS Network Security 2025 in Las Vegas this September. I will lead sessions on building healthier and more effective SOCs, including how to reduce burnout, streamline workflows, and apply AI to support analyst growth in real-world environments.

Please register for SANS Network Security 2025 (September 22-27, 2025).

Note: This article was expertly written and contributed by SANS Senior Instructor John Hubbard. Find out more about his background and courses here.
