The visibility gap holding back the agentic SOC
Date:
Mon, 23 Mar 2026 09:48:18 +0000
Description:
AI is the security industry's favorite promise, so why are many agents failing?
By Jamie Moles, Senior Technical Manager at ExtraHop

AI agents are quickly becoming the cybersecurity industry's favorite promise. In theory, they can triage alerts, investigate incidents, and respond to threats - acting as force multipliers for overstretched SOC teams. In practice, many security leaders are discovering that agents are failing. Not because these agents are incapable, but because they lack the data and context to understand activity across the network and respond appropriately.
Autonomy is compelling, but without the right data, it's less useful automation and more hopeful guesswork that is quietly creating a visibility gap at the heart of the agentic SOC.

The context problem

Most AI agents rely on the same fragmented telemetry stacks that analysts have struggled with for years: endpoint logs in one tool, cloud signals in another, identity data elsewhere, and network traffic often underused or ignored. Each source tells part of the story, but none provides the full picture, no matter which dashboard you favor.
When context is missing, agents struggle to reason about what's normal and what's malicious. False positives can multiply, investigations can stall, and automated responses can disrupt legitimate business activity.
Practical AI use cases illustrate both the promise and the challenge: agents can automatically isolate compromised endpoints after detecting unusual login patterns, or flag anomalous lateral movement that would take analysts hours to investigate manually.

Yet these same agents can misfire if the underlying telemetry is incomplete, triggering unnecessary quarantines or failing to detect stealthy, sophisticated threats.
At its core, this isn't a problem with the AI, but with the information available to it. AI can only act on what it knows. And in many SOCs, it simply doesn't know enough.

Building a foundation for autonomy

Before organizations push further into automation, they need to address a more fundamental issue: the quality and completeness of their telemetry. Autonomous decision-making requires a constant stream of high-fidelity, trustworthy data - the kind that can be correlated across users, devices, applications, and workloads.
Many practitioners are returning to the foundational principle that the network remains one of the most reliable sources of truth in modern environments. While endpoints can be tampered with and logs siloed, attackers cannot avoid generating network activity. It captures what actually happened - who talked to what, when, and how.
Modern environments demand even more context. Security teams also need visibility into the identities behind actions and the behavior of the cloud-native and Kubernetes workloads that now power critical business applications.

How context enables effective AI

When these layers - network, identity, and cloud - are unified, agents can operate with clarity. Instead of guessing, they can query rich telemetry directly, enrich alerts automatically, and make deterministic decisions about whether something truly represents risk.
In an effective agentic SOC, AI doesn't replace analysts or blindly trigger responses. It does, though, handle the heavy lifting: correlating signals, surfacing the most relevant evidence, and resolving straightforward incidents so humans can focus on complex threats.
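To make the contrast concrete, here is an added example (not from the article or ExtraHop) that runs one constructed SMB flow through a network-only rule and then through a correlation across network, identity and workload records; all hosts, users, thresholds and field names are invented for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry (not from the article): one large SMB flow,
# the identity record behind the source host, and the workload running on it.
NETWORK = [{"ts": 1000, "src": "10.0.2.15", "dst": "10.0.5.8", "dport": 445, "bytes": 2_400_000}]
IDENTITY = [{"ts": 998, "host": "10.0.2.15", "user": "svc-backup", "mfa": True}]
CLOUD = [{"host": "10.0.2.15", "workload": "backup-cron", "namespace": "infra",
          "service_account": "svc-backup", "expected_ports": [445]}]


@dataclass
class Decision:
    action: str                       # "quarantine", "resolve" or "escalate"
    reasons: list = field(default_factory=list)


def network_only(flow):
    """An agent fed nothing but flow records: a big SMB transfer looks like
    exfiltration or lateral movement, so it quarantines on a single signal."""
    if flow["dport"] == 445 and flow["bytes"] > 1_000_000:
        return Decision("quarantine", ["large SMB transfer, no further context"])
    return Decision("resolve", ["flow below threshold"])


def _lookup(rows, key, value):
    return next((r for r in rows if r.get(key) == value), None)


def with_context(flow, identity, cloud):
    """Correlate the same flow with identity and workload telemetry. The
    decision is deterministic when the layers agree, and the agent escalates
    to a human rather than guessing when a layer is missing."""
    reasons = [f"{flow['src']} -> {flow['dst']}:{flow['dport']} ({flow['bytes']} bytes)"]
    ident = _lookup(identity, "host", flow["src"])
    work = _lookup(cloud, "host", flow["src"])
    if ident is None or work is None:
        return Decision("escalate", reasons + ["identity or workload context missing"])
    reasons.append(f"user={ident['user']} mfa={ident['mfa']} workload={work['workload']}")
    if (ident["user"] == work["service_account"] and ident["mfa"]
            and flow["dport"] in work["expected_ports"]):
        return Decision("resolve", reasons + ["matches the workload's expected behaviour"])
    return Decision("quarantine", reasons + ["flow does not match the workload's profile"])


if __name__ == "__main__":
    flow = NETWORK[0]
    print(network_only(flow))                  # quarantines a legitimate backup
    print(with_context(flow, IDENTITY, CLOUD)) # resolves it with full context
    print(with_context(flow, [], CLOUD))       # escalates when identity is missing
```

The same flow yields three different actions depending only on how much telemetry the agent can see, which is the visibility gap the article describes.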
But this only works if the underlying data is complete, structured, and accessible. Put simply, better algorithms can't compensate for poor visibility.

The path forward

As enterprises race to adopt AI-driven defenses, it's tempting to treat agents as a shortcut to cybersecurity maturity. In reality, they amplify whatever foundation already exists - good or bad.
Organizations with strong telemetry and contextual insights see meaningful gains. Those without it simply automate their blind spots.
The future SOC will absolutely include AI agents. But autonomy needs to start with making sure the system has something trustworthy to see.
AI or not, in cybersecurity, your intelligence is only as powerful as the context behind it.
======================================================================
Link to news story:
https://www.techradar.com/pro/the-visibility-gap-holding-back-the-agentic-soc
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)