AI in the SOC: What Could Go Wrong?

Two cybersecurity leaders tested out AI in their respective SOCs for six months and here's what they learned.


RSAC 2026 CONFERENCE – San Francisco – External, internal, and operational pressures to deploy AI, and to unlock its promise of increased speed and efficiency, have left enterprise cybersecurity professionals in a tough spot: they need to enable innovation while trying to foresee the risks it might introduce.

Two enterprise cybersecurity leaders decided to take on the AI challenge and share at this year's RSAC 2026 Conference what they determined it can do well, and what it isn’t ready to take on.

Both of their enterprise environments carry big risk when it comes to cybersecurity attacks. One cybersecurity leader, Shilpi Mittal, oversees security at a Fortune 500 food manufacturing company, and the other, Ankit Gupta, is charged with protecting a financial company. Both decided to run a six-month trial period to find out how AI could work for them in their security operations centers (SOCs).

Gupta and Mittal shared their findings at this year's RSAC 2026 Conference during a session entitled "We Put AI in Our SOC — Here’s What Worked and What Didn't."


AI in the Fortune 500 Food Manufacturing SOC

Mittal reports that she found success using a large language model (LLM) inside her food manufacturing company's SOC case workflow as a "read-only triage assistant," she explains in an interview with Dark Reading. In general, Mittal found the AI-powered SOC tool able to evaluate data from multiple sources and perform analysis based on rules her team created.

Over the SOC AI pilot period, Mittal’s team measured improvements in key metrics: "Mean time to discovery (MTD) improved by 26% to 36%, mean time to response (MTTR) improved by 22%, and false positives were reduced by 16 points," Mittal says, adding that the security team "maintained strict guardrails, including enforced citations, human approval gates, tool allow lists, and full audit logging."

In one instance, "AI detected a suspicious .git file at an endpoint," Mittal explains. "The AI determined it contained potential malware and automatically quarantined the file and shut down the software on the endpoint, demonstrating proactive threat prevention."

Alongside the gains in those metrics, though, AI also introduced additional false positive alerts for the team to manage. And going forward, Mittal adds, layering additional AI tools on top of her manufacturing organization's sprawling operational technology (OT) and legacy systems will present its own set of challenges.

Mittal found that placing AI inside a SOC in manufacturing requires different thinking; in her organization, operational downtime directly impacts revenues, production lines, and worker safety.


"This reality shaped every architectural and governance decision," she notes. For instance, during her trial period, AI was intentionally not positioned as a control mechanism over industrial systems.

"Instead, we embedded it strictly inside security case management workflow as a read-only triage assistant that synthesizes alerts from endpoint detection and response (EDR), network telemetry, cloud systems, applications, and OT monitoring feeds," she says. "AI was never allowed to directly interact with programmable logic controllers (PLCs), SCADA systems, or any production equipment."

AI in the Financial Institution's SOC

Financial institutions face a different set of challenges that make deploying AI in the SOC tricky. Ankit Gupta's organization deals with huge amounts of structured and unstructured data that are "tightly regulated, economically sensitive, and directly tied to consumer trust. They are constantly monitored by regulators, including state-level regulations from (states like) California and Texas," he says.

Gupta's six-month trial period found AI very useful for speeding up tasks like fraud detection, automated underwriting, algorithmic trading, customer service automation, and risk modeling.


He also found that AI was able to improve existing playbooks, which Gupta has found to be "deterministic and rigid, working well only when patterns are predictable."

Putting AI in the SOC itself, though, proved a less compelling use case. Gupta shares that his organization conducted a two-week test on a non-production system in which AI was given full control. The results were bad.

"SOC reality is messy — alerts arrive with incomplete fields, inconsistent identifiers, and ambiguous signals," Gupta explains, adding, "AI incorrectly removed users from the system."

All of this led him to conclude AI can assist in the SOC, but final action calls would always remain with humans. Rather than replacing security analysts or taking full control of alert management, it helps by connecting dots: "LLMs are particularly strong at summarizing important information, correlating context, and generating structured narratives from inputs from various security tools," he says.
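As an added illustration of the guardrails Mittal describes (a tool allow list limited to read-only lookups, a human approval gate in front of any action, enforced citations, and full audit logging) and of the messy-input failure Gupta describes (an action proposed against a user who never appears in the evidence), the following Python harness wraps one triage response. It is example code written for this page, not the pilot implementation from either SOC; the tool names, alert field names, sample alerts and the hand-written "model output" are constructed assumptions standing in for real telemetry and a real LLM reply.

```python
"""Guardrail harness for an LLM triage assistant in a SOC case workflow.

Added example, not code from the RSAC session. Alerts, tool names and the
model output below are constructed stand-ins; the field names are assumptions.
"""
import re
import time
from dataclasses import dataclass, field

# Tool allow list: only read-only lookups may run without a human.
READ_ONLY_TOOLS = {"get_edr_events", "get_netflow", "lookup_user"}
# State-changing actions the model may *propose*; the harness never runs them.
ACTION_TOOLS = {"disable_user", "isolate_host", "quarantine_file"}
CITATION_RE = re.compile(r"\[([A-Z]+-\d+)\]")


@dataclass
class AuditLog:
    """Append-only record of what the assistant saw, asked for and was granted."""
    entries: list = field(default_factory=list)

    def record(self, event: str, **details) -> None:
        self.entries.append({"ts": time.time(), "event": event, **details})


def normalize_alert(raw: dict) -> dict:
    """Coerce a messy alert (mixed-case keys, aliased fields, blank values) into
    the fixed shape the triage prompt expects; missing identifiers stay None."""
    a = {k.lower(): v for k, v in raw.items()}
    user = a.get("user") or a.get("username") or a.get("account")
    return {
        "id": a.get("id") or a.get("alert_id") or "UNKNOWN",
        "host": (a.get("host") or a.get("hostname") or "").lower() or None,
        "user": user.strip().lower() if isinstance(user, str) and user.strip() else None,
        "severity": str(a.get("severity", "unknown")).lower(),
        "summary": a.get("summary", ""),
    }


def check_citations(narrative: str, evidence_ids: set) -> tuple:
    """Enforced citations: every [ID] in the narrative must name an alert the
    assistant was actually given. Returns (cited_ids, unknown_ids)."""
    cited = set(CITATION_RE.findall(narrative))
    return cited, cited - evidence_ids


def process_model_output(output: dict, raw_alerts: list, audit: AuditLog) -> dict:
    """Gate one model response: allow reads, queue actions for a human, reject
    anything not on either list, and flag citations that point nowhere."""
    alerts = [normalize_alert(a) for a in raw_alerts]
    evidence = {a["id"] for a in alerts}
    known_users = {a["user"] for a in alerts if a["user"]}
    cited, unknown = check_citations(output.get("narrative", ""), evidence)
    audit.record("narrative", cited=sorted(cited), unknown=sorted(unknown))
    result = {"reads": [], "pending_approval": [], "rejected": [],
              "unknown_citations": sorted(unknown), "warnings": []}
    for call in output.get("tool_calls", []):
        tool, args = call.get("tool"), call.get("args", {})
        if tool in READ_ONLY_TOOLS:
            result["reads"].append(tool)
            audit.record("read", tool=tool, args=args)
        elif tool in ACTION_TOOLS:
            # Human approval gate: the action is queued, never executed here.
            ticket = {"tool": tool, "args": args, "status": "pending"}
            if tool == "disable_user" and str(args.get("user", "")).lower() not in known_users:
                # Target never appears in the evidence: the mismatch that ends
                # with the wrong user being removed if nobody checks.
                ticket["warning"] = "target user absent from evidence"
                result["warnings"].append(tool)
            result["pending_approval"].append(ticket)
            audit.record("action_proposed", **ticket)
        else:
            result["rejected"].append(tool)
            audit.record("rejected", tool=tool, args=args)
    return result


def decide(ticket: dict, approved: bool, analyst: str, audit: AuditLog) -> dict:
    """Record the human decision; only an approved ticket may reach a playbook."""
    ticket["status"] = "approved" if approved else "denied"
    ticket["analyst"] = analyst
    audit.record("action_decided", **ticket)
    return ticket


# Constructed sample input: two alerts with inconsistent field names, one with
# no user at all, plus a hand-written model reply that cites a non-existent alert
# and proposes both an in-evidence and an out-of-evidence account disable.
SAMPLE_ALERTS = [
    {"alert_id": "EDR-1042", "Host": "WKS-17", "User": " JDoe ", "Severity": "High",
     "summary": "unexpected .git directory written by unsigned process"},
    {"id": "NET-2210", "hostname": "wks-17", "severity": "medium",
     "summary": "outbound beacon to rare domain"},
]
SAMPLE_MODEL_OUTPUT = {
    "narrative": "wks-17 wrote a suspicious .git directory [EDR-1042], then beaconed "
                 "out [NET-2210]; matches an earlier case [EDR-9999].",
    "tool_calls": [
        {"tool": "get_edr_events", "args": {"host": "wks-17"}},
        {"tool": "disable_user", "args": {"user": "jdoe"}},
        {"tool": "disable_user", "args": {"user": "svc-backup"}},
        {"tool": "delete_account", "args": {"user": "jdoe"}},
    ],
}


def run_demo() -> dict:
    audit = AuditLog()
    result = process_model_output(SAMPLE_MODEL_OUTPUT, SAMPLE_ALERTS, audit)
    # Stand-in for the analyst's review: approve only tickets without a warning.
    for ticket in result["pending_approval"]:
        decide(ticket, approved="warning" not in ticket, analyst="analyst1", audit=audit)
    result["audit_events"] = [e["event"] for e in audit.entries]
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The point of the split between `READ_ONLY_TOOLS` and `ACTION_TOOLS` is that the model's output is treated as a proposal, not a command: reads run, actions wait for `decide()`, and a tool name the harness does not recognise is dropped rather than forwarded. The citation check catches the narrative inventing an alert ID, and the `warning` on the second `disable_user` ticket is the signal an approver needs when the target came from the model rather than from the evidence.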

On the positive side, Gupta did see measurable reductions in analyst fatigue during the pilot period in his financial organization.

"The biggest shift was reducing context switching and repetitive documentation," Gupta says. "Analysts were spending 10-15 hours per week creating documentation and gathering information for business — this work has been transferred to AI with excellent results."

The trial runs are timely, given that leaders across almost every sector are facing pressure to roll out AI tools.

"Boards and executives hear constant messaging about AI-driven efficiency, not just in security but in productivity tools like Copilot and ChatGPT," Gupta says. "Pressure in finance is amplified because the industry is data-rich, innovation-sensitive, and heavily regulated."

It's critical that cybersecurity teams stay engaged with adoption across the organization and not fall into the trap of becoming a roadblock to innovation, Mittal and Gupta advise.

"Business drives security," Mittal adds. "Security doesn't drive the business."