How AI-Enabled Workflow Automation Can Help SOCs Reduce Burnout

The Hacker News | Published: June 23, 2025 | Updated: June 23, 2025

It sure is a hard time to be a SOC analyst.

Every day, they are expected to solve high-consequence problems with half the data and twice the pressure. Analysts are overwhelmed—not just by threats, but by the systems and processes in place that are meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and alerts never slow down. What started as a fast-paced, high-impact role has, for many analysts, become a repetitive loop of alert triage and data wrangling that offers little room for strategy or growth.

Most SOC teams also run lean. Last year, our annual SANS SOC Survey found that a majority of SOCs consist of just 2–10 full-time analysts, a number unchanged since the survey began tracking in 2017. Meanwhile, the scope of coverage has exploded, ranging from on-prem infrastructure to cloud environments, remote endpoints, SaaS platforms, and beyond. Compounded at scale, this has led to systemic burnout across SOC environments—a legitimate business risk that hinders your organization’s ability to defend itself.

Addressing the issue isn’t a matter of simply increasing headcount. The longer we treat burnout as a people problem, the longer we ignore what’s really going wrong inside the SOC. The challenge at hand demands a shift in how SOC work is designed and executed, as well as how analysts are positioned for success.

Enter artificial intelligence (AI). AI implementation at scale offers a practical path forward here by optimizing parts of the job that push analysts toward the door: the repetitive steps, the cognitive overhead, and the lack of visible progress. From streamlining inefficient workflows and supporting skill development to facilitating more impactful team-wide oversight, AI can open wider avenues for making SOC work more sustainable.

Reducing Alert Fatigue and Repetitive Load with Smarter Automation

A constant stream of low-context alerts is one of the fastest ways to drain a SOC team. In the SANS SOC Survey, 38% of organizations reported ingesting all available data into their SIEM. While that may expand visibility, it also floods analysts with low-priority noise. And without strong correlation logic or cross-platform integration, assembling a full picture still falls on the analyst. They’re left chasing indicators across disjointed systems, piecing together context manually, and deciding whether escalation is even necessary. It’s inefficient, exhausting, and unsustainable.

SOC teams have been automating tasks for years, but most of that automation has relied on brittle logic like rigid playbooks and static SOAR flows that break down as soon as the scenario deviates from the expected. AI changes that. AI-powered automation can relieve the pressure by acting as a uniquely powerful contextual aggregator and investigative assistant. When paired with capabilities like those enabled by the new Model Context Protocol (MCP), language models can integrate telemetry, threat intelligence, asset metadata, and user history into a single view, tailored to the specific situation the analyst faces. This gives analysts enriched, case-specific summaries instead of raw events. Clarity replaces guesswork. Response decisions happen faster and with greater confidence—two things that directly reduce burnout.

The key here is that, unlike SOAR, AI enables adaptive automation and makes it easily accessible via an LLM interface. With AI agents and new standards like MCP and the Agent2Agent protocol, analysts can now describe what needs to happen in plain language, and the system can dynamically build the automation, deciding which tasks need to be performed and the best way to complete them. Whether it’s retrieving data, correlating signals, or coordinating a response, AI can adjust in real time based on context. That flexibility matters, especially when investigation paths aren’t clear or linear.

Building Analyst Confidence Through Smarter Feedback

Burnout doesn’t only come from long hours. Sometimes it stems from stagnation—doing the same work without growing or getting meaningful feedback. If an analyst doesn’t see progress, frustration takes root quickly. This is an area where AI can offer real support. It allows analysts to refine their own work on the fly—tuning detection logic, troubleshooting false positives, and generating better queries with fast, targeted suggestions. Real-time feedback like this is especially valuable for newer analysts, but even experienced team members benefit from the ability to pressure-test their approach without waiting for peer review.

These interactions support what researchers call deliberate practice: focused repetition paired with immediate, actionable feedback. That is worth its weight in gold when it comes to retention. According to the SANS SOC Survey, “meaningful work” and “career progression” were ranked as the top two factors in analyst retention—above compensation. Teams that embed growth into the day-to-day workflow are more likely to keep their people. AI can’t replace human mentorship, but it can help replicate some of its most meaningful effects at scale.

Helping SOC Leaders Manage and Strengthen Their Teams

SOC leaders have a direct influence on reducing burnout. However, a lack of time and visibility is often their biggest obstacle for making a positive impact. Performance data such as case load, note quality, investigation depth, and response times is scattered across platforms and investigations. Without a way to synthesize it, managers are left guessing who’s struggling and why.

AI makes that analysis possible. With access to case management and workflow data, models can surface performance trends: which analysts consistently handle certain threat types well, where errors cluster, or when quality is starting to dip. That insight allows managers to coach more effectively and assign work based on capability, not just availability. It also gives them the chance to intervene early. Burnout doesn’t announce itself. It builds slowly, often out of sight. But with the right signals—flagging overload, spotting skill gaps, noticing drop-offs in case quality—leaders can take action before problems become exits.

Over time, that kind of targeted support reshapes team culture. Performance improves, retention stabilizes, and analysts are more likely to stay and grow in roles where they feel seen, supported, and set up to succeed.

Let’s Continue the Conversation at SANS Network Security 2025

SOC burnout rarely shows up all at once. It builds through repetition without learning, pressure without progress, and effort without impact. AI won’t remove every stressor in the SOC, but it can help alleviate friction where it matters most.

If this topic resonates, join me at SANS Network Security 2025 this September in Las Vegas. I’ll be leading sessions on building healthier, more effective SOCs—including how to apply AI to reduce burnout, streamline workflows, and support analyst growth in real-world environments.

Register for SANS Network Security 2025 (Sept. 22-27, 2025) here.

Note: This article was expertly written and contributed by John Hubbard, SANS Senior Instructor. Learn more about his background and courses here.

