Tim Leehealey is the Co-founder and VP of Strategy at Strike48.
Agentic AI is starting to show up in security operations in a very specific place, and it’s not in detection. It’s appearing in the part of the workflow where analysts are working out what an alert actually means, and deciding what to do next. That’s the part that doesn’t always follow a clean path, even in well-structured SOCs, and it’s also where most of the variation tends to sit.
If you look at how performance is usually measured, speed still dominates. Time to detect, time to triage, time to respond. Those metrics are easy to track, and they give a sense that the system is working as intended. What they don’t capture particularly well is how consistent those responses are. In practice, two alerts can move through the workflow at roughly the same speed and still be handled differently. One might be escalated earlier, another investigated more deeply, or handled with a different level of confidence depending on who is reviewing it.
None of those differences are necessarily wrong, but they introduce variation that becomes more noticeable as operations scale. That variation tends to sit in the same place every time. It shows up in the decision layer, where analysts are interpreting signals and applying judgement based on the context in front of them. Even with strong processes and playbooks, that step isn’t fully defined. It depends on experience, familiarity with the environment, and how closely a situation matches something that’s been seen before.
As environments grow and MSSPs take on more clients, the number of these decision points increases, and so does the challenge of keeping them aligned. Processes can guide what should happen, but they can’t fully standardise how decisions are made. This is where agentic AI begins to change how that layer operates. Instead of leaving context gathering and interpretation entirely to the analyst, agentic systems build that into the workflow itself. As alerts move through triage, the system is already correlating signals, pulling in relevant history, and structuring the context in a consistent way.
By the time a decision needs to be made, the starting point is much more aligned across the team. That doesn’t remove judgement, but it changes how that judgement is applied. Analysts are no longer approaching each alert from scratch. They are working from a shared foundation, where the key signals and relevant context have already been surfaced in a way that reflects how similar situations have been handled before. Over time, that reduces the variation between analysts and makes outcomes more predictable.
“Consistency in security operations is often treated as an operational objective, but in practice it has governance implications. When similar situations are handled in materially different ways, it becomes difficult to demonstrate control over risk, particularly at an executive level. What boards increasingly require is confidence that decisions will hold up under scrutiny, regardless of where they occur. Supporting that level of consistency is not simply about process, it is about ensuring that decision-making aligns with how risk is understood across the organization,” says Keven Knight, CEO of Talion Cyber Security.
You start to see the impact of this in how the workflow behaves over time. Decisions begin to follow more consistent patterns, not because the process has become rigid, but because the inputs to those decisions are more aligned. The need to revalidate or escalate simply to confirm an interpretation diminishes, and analysts are able to move through triage with greater confidence.
For MSSPs, that shift is particularly important. Operating across multiple clients introduces constant variation, and maintaining consistency across those environments is one of the harder parts of scaling. By supporting the decision layer directly, agentic AI allows that consistency to be built into how the workflow operates, rather than relying on individual experience to hold it together. That’s what begins to change how performance is measured.
This shift becomes harder to ignore. Consistency stops being something teams hope to maintain and becomes something that is actively built into how the workflow operates. That changes how performance is understood, and more importantly, how it holds up as environments become more complex. In that sense, agentic AI is not just improving decision-making, it is redefining how consistency is achieved in security operations.




