Only 10% of SOCs report ‘excellent’ AI value, report finds

SOC-CMM 2026 found AI adoption rising but most tools remain isolated. Only 10% of SOCs report excellent outcomes; report calls for AI that links the full SOC lifecycle.

The SOC-CMM 2026 Maturity Report, published in May 2026, found that only about 10% of surveyed security operations centers said AI delivered excellent value. The survey gathered responses from roughly 200 SOCs across regions, sectors and delivery models, with data collected between late January and mid-March 2026. The report documents rising AI adoption alongside persistent gaps in operational benefit.

Respondents reported year-over-year growth across AI categories: off-the-shelf large language models rose 55%, AI co-pilots grew 145%, AI agents grew 118%, supervised machine learning rose 96%, and customized LLMs grew 64%. In the value breakdown, roughly 10% rated AI’s value as excellent, 19% as good, and the remaining 71% reported some value or none.

The report identifies three adoption patterns. About 65% of SOCs classify themselves as “takers,” deploying off-the-shelf AI within existing security products without deep customization. About 20% are “shapers,” customizing purchased tools, and 15% are “builders,” training models on their own data. The taker group reported the lowest levels of perceived value, and the distribution of responses was similar across hybrid SOCs, in-house teams and managed security service providers.

Survey respondents flagged growing internal challenges tied to maturity rather than budget or management support. The share citing lack of best practices increased 17% year over year and the share citing the complexity of increasing maturity rose 11%. Domain scores in the report show technology at an average of 2.7 out of 5, while process and people both scored 2.3, indicating gaps in handoffs and institutional knowledge.

The report attributes limited returns to an architectural issue: many AI capabilities were added as point features inside existing tools. SIEMs added AI triage, endpoint detection tools added AI investigation, SOARs added AI playbook generation and ticketing systems added AI summarization. Each feature can speed a specific task, but the features often do not share context across stages of work, so handoffs between threat intelligence, detection engineering, investigation and remediation remain unchanged.

SOCs that reported excellent AI value tended to deploy AI across the full lifecycle, so that closed investigations tune future detections, threat hunt outcomes update threat intelligence, and remediation actions feed back into playbooks. These SOCs also persist institutional knowledge, such as which assets matter, past analyst judgments, escalation criteria and incident outcomes, so that AI behavior reflects each environment rather than generic public data.

Governance differences appear in the survey. The report names governance as a leading SOC improvement challenge for 39% of respondents. High-value SOCs require agent actions to carry audit-grade reasoning traces and limit agent autonomy through staged authorizations so analysts can supervise rather than repeatedly intervene.

The report also notes recent offensive developments that heighten urgency: a security team disclosed an AI-developed zero-day exploit earlier in 2026, and previews of large language models have been shown to surface critical vulnerabilities at speed. In April 2025, a chief information security officer at a major bank advised buyers to demand more secure defaults from vendors.

Before procuring additional AI tools, the report recommends that chief information security officers ask three questions: does the AI operate across the full SOC lifecycle or only within one stage; how does it learn and persist the organization’s institutional knowledge and what happens to that data if staff leave; and can every agent action be audited with a defensible reasoning trace and governed to limit autonomy as trust builds.

The SOC-CMM report notes that connecting stages can be implemented as an architectural layer on top of existing SIEM, endpoint, identity, cloud and ticketing stacks rather than requiring wholesale replacement of tools. The report presents the current deployment patterns and the technical and governance questions organizations raised during the survey.
