Fighting Fire with Fire: The Case for an Agentic SOC

Here is an uncomfortable number for you to start your morning: 4. In a documented intrusion this year, an attacker gained access, moved laterally, and began exfiltrating data in just four minutes. And that is not the extreme: The fastest breakout time CrowdStrike recorded was just 27 seconds. That’s less time than it takes most of us to find a parking spot or buy a coffee.

Your analysts are talented. They are also human. This means they sleep, they go on vacation, and they occasionally need a second cup of coffee before the alerts start making sense in the morning. The threat actors running AI agents doing reconnaissance against your environment require none of those things. They do not get tired at 2 a.m. on a Saturday night and do not wait for your change control approvals to execute their attacks.

This is the heart of the problem we keep raising with security leaders. The threat has accelerated past humans-in-the-loop for every decision and action. CrowdStrike’s 2026 Global Threat Report measured an 89% year-over-year jump in AI-enabled adversary activity. The gap is widening. While you cannot out-click a machine, you can out-think one. This requires giving your people agents of their own, enabling them to fight fire with fire.

Your Adversary Already Put AI on the Payroll. Your SOC Deserves the Same Advantage.

Throughout the history of cybersecurity, attackers held a structural advantage. Nation-state actors built their zero-day war chests and chained them together for years before defenders could respond. By the time they were detected, the attackers had already won.

AI broke that pattern. The same foundational advances powering attacker’s automation became available to defenders to out-automate their opponents. We call this the Cyber AI Parity Window: a rare stretch of time when defenders hold technology equal to their adversaries.

Parity is a gift. It is also temporary. Advantage will go to the team that operationalizes AI fastest and most thoughtfully. While sitting on the sidelines and waiting for technology to mature is an option, it’s a decision that quietly concedes defeat.

What Does an Agentic SOC Actually Do?

When we walk clients through the Agentic SOC, we are careful to differentiate it from the scripted automation SOAR has been promising since it became a tool vendors could monetize. These automations followed rigid playbooks and broke the moment anything changed.

Agentic SOCs deliver intelligent and adaptive reasoning. They plan and take action with human oversight. A modern triage agent investigates an alert the way a seasoned analyst would: building the timeline, working out how far the problem has spread and which systems it touched, pattern and context matching (e.g. connecting the dots across your different tools), and delivering a clear verdict you can trace back to the evidence, all in seconds. Work that used to consume hours to create arrives at your analyst’s desk already structured and ready for them to act. And the best part? These agents don’t need that second cup of coffee or vacations. They deliver constant vigilance.

Architecture matters here. The early assumption was that the alert landing in the SOAR platform could run an entire investigation on its own. Real-world use taught us otherwise. A real investigation pulls clues from many different tools, validates the data against threat intelligence feeds, and checks its work along the way (with or without human-in-the-loop guidance).

A coordinated team of agents is what security organizations require. Each agent has a specialty. Some gather the supporting evidence, some work through what it means, some confirm the findings, and some carry out the response, with the whole team adjusting based on the kind of alert and environment in scope.

The Human/AI Operating Model: Who Does What

This is work In Balance IT helps our clients define. It’s the part that we see most vendors skip yet CISOs and security organizations require. What is the most effective way for my organization to adopt AI and build an agentic SOC?

Buying agents is easy. Governing them is the job that requires focus. The In Balance IT Human/AI Operating Model divides security activities into four quadrants, with each based on how much human judgment an agent’s actions require.

  1. AI runs autonomously – This is where the call is clear and the clock is unforgiving. Confirmed threat actor malware does not need a committee’s sign-off. Kill the session, revoke the access, and quickly isolate the affected machine. In low level non-production environments, this is a great option. Containing the problem in real time keeps the threat from spreading while cutting the appropriate ticket for further investigation and triage.
  2. AI acts with human oversight – This is where context changes the answer. An anomalous behavioral pattern might be a real intrusion, or it might just be a developer doing something creative in a test environment. AI assembles the evidence and recommends the response option. An experienced practitioner makes the call.
  3. Humans lead with AI assistance – Volume is high and judgment is critical. AI narrows 3,000 known security flaws down to the 30 that are actual risks. People approve the remediation windows and certify the actions. The rubber-stamping era is over.
  4. Humans own the decision outright – This is where the consequences of decisions made cascade for years. Risk acceptance, breach disclosure timing, ransom decisions, board reporting, and multi-year strategy belong in the boardroom. No algorithm should be weighing whether to take production offline or how to report risk to your board. A named executive owns accountability for that.

The logic is simple. AI absorbs the repetitive, high-volume, lower-risk, time-sensitive work. Your people move upstream toward oversight, design, and judgment calls that carry real weight.

Hand those repetitive investigations to agents and your analysts shift from overburdened alert triage experts to real SOC analysts. They define the investigation logic, set escalation thresholds, and refine the playbooks the agents run their logic against. When this is done correctly, backlogs shrink, engagement climbs, and your SOC analysts get to work on the problems that drew them into security in the first place.

Where to Start

The first move is honest measurement:

  • Where does your SOC stand today?
  • Which decisions can safely be moved to autonomous response?
  • Where does your operating model still depend on a human?

That is exactly what In Balance IT’s Adaptive Defense Agentic SOC Maturity Assessment is built to answer. We measure whether your defenses can operate at machine speed, where there are gaps and opportunities for improvement, and we map an operating model that keeps humans accountable while machines handle the high-volume work.

The parity window is still open. Let’s make your SOC agentic.

About This Series

This post is the third in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape.

Post 1 — Why NIST, ISO 27001 & COBIT Can’t Keep Up With AI Threats

Post 2 — Agentic Adoption, the New Pattern for Cybersecurity

Post 3 — Non-Human Identity Security: An Attack Surface You Can’t See

Post 4 — Your Coding Agents Have Admin Rights and Trust Issues

Your Coding Agents Have Admin Rights and Trust Issues

Here is an uncomfortable truth about modern software development. The most privileged identity in your engineering organization is no longer a person. It is an AI coding agent that reads your source code, runs commands in your terminal, holds your cloud credentials, and connects to whatever tools a developer wires up on a Tuesday afternoon.

Claude Code, Cursor, GitHub Copilot, OpenAI Codex, and Devin have quietly become production infrastructure. Most security programs are blind to their capability to run amok.

Banning the tools slows innovation. The productivity gains are real. Organizations must secure them the way we secure any other powerful, autonomous, internet-connected system: with a healthy dose of distrust.

The new attack surface is the coding agent, not just the app

Traditional application security asks whether the code you ship is safe. Coding agent security asks a different and newer question:

“Is the agent writing that code being manipulated while it works?”

Those are not the same problem, and the second one has major blind spots.

These exploits are not hypothetical. Security researchers have already documented and catalogued cases where a single piece of injected text, arriving through a connected tool or a repository file, rewrites an agent’s configuration and executes attacker-controlled commands on a developer’s machine. In controlled testing, getting these agents to run malicious instructions succeeds far more often than anyone will admit.

The pattern is consistent: feed the agent poisoned input, and its considerable privileges silently become the attacker’s windfall. Stolen credentials, supply chain injections, dead-man switches. All real, all a threat to your business.

The mechanism behind most of these is indirect prompt injection. A coding agent reads a GitHub readme file, an email or poisoned RAG document, a Teams or Slack message, and buried in that content are instructions the agent dutifully follows. It cannot reliably tell the difference between approved actions and novel attack patterns.

MCP is the connective tissue, and the soft underbelly

The Model Context Protocol, the open standard that lets agents plug into external tools and data, is what makes these agents genuinely useful. It is also where a lot of the risk lives. These connections get set up by developers, not security teams, which means most organizations have not built the practices to inventory, approve, and constantly retest for compromise. Supply chain attacks delivering credential-stealing malware through cloned connectors have already happened.

You cannot apply least privilege to a tool you did not know existed. Discovery and scanning of MCP servers, their privileges, and the systems they connect to is not a nice-to-have. It is a critical requirement for organizations embracing AI-assisted coding regardless of scale.

Zero Trust for AI Agents is the answer

Anthropic’s recent eBook, Zero Trust for AI Agents, makes the case better than any vendor pitch.

Its three principles will sound familiar to anyone who has done network zero trust: never trust and always verify, assume breach has already occurred, and enforce least privilege.

The paper adds a sharp new wrinkle it calls least agency: where least privilege limits what an agent can access, least agency limits what each agent tool can actually do, how often, and where.

Where AI runtime guardrails come in

AI runtime guardrails sit at the coding agent’s boundaries, integrated via hooks or a proxy, and inspect every tool call the agent makes before it executes. The controls that matter run two detection engines in parallel on each call. A rule-based engine matches commands, arguments, and file references against curated patterns to catch known attacks fast and deterministically. An LLM-based engine adds semantic analysis to catch what patterns miss: novel attack techniques, obfuscated payloads, and context-dependent threats where the same command is benign in one session and malicious in another. Together they evaluate every prompt, response, and tool call for injection, credential and data exfiltration, and tool abuse. Just as important, they constrain the overly privileged actions that turn a single compromised call into a breach, blocking the offending tool call rather than killing the session.

  • Granular enforcement that blocks or rewrites the offending tool call rather than killing the whole session, so a single flagged action does not halt legitimate work.
  • Continuous red teaming that attacks your agents the way a real adversary would, in CI/CD before they reach production, mapped to frameworks like the OWASP Top 10 for Agentic Applications.
  • MCP discovery and scanning that inventories every agent and connected server in your environment and flags the poisoned, abandoned, or over-permissioned ones.

Together these controls add up to a zero-trust posture for coding agents. Verify every call continuously with both engines, you assume the agent can be tricked, and you constrain what each tool is allowed to do and how far a single call can reach.

Guardrails supplement good DevSecOps

AI runtime guardrails secure the coding agent and AI Agent Actions. They do not secure the shipped code the agent helps you build. You still need good DevSecOps procedures for your DevOps pipelines, unit tests, code scanning, etc.

Static Application Security Testing (SAST) analyzes your source code and binaries without running them, catching flaws like injection and insecure cryptography early in the development lifecycle. Dynamic Application Security Testing (DAST) tests the running application from the outside, finding the issues that only appear under execution.

Neither one can see what your coding agent is doing in the IDE, and runtime guardrails cannot prove your shipped code is free of SQL injection. Defense in depth is never optional. The coding agents just added a layer.


Let us pressure-test your coding agents together

In Balance IT Solutions is co-presenting a Summer Security Series with Straiker focused on securing AI agents in the enterprise, and coding agent security is front and center. If your developers are running Claude Code, Cursor, Copilot, Codex, or Devin, and your security team does not yet have an inventory of the MCP servers attached to them, that gap is worth a conversation.

Schedule time with In Balance IT Solutions to walk through your current coding agent security plans, and register for the Summer Security Series to see runtime guardrails, agent red teaming, and MCP scanning in action. Reach out to your In Balance account team or visit our site to claim a seat. Bring your hardest questions. We will bring the red team.

About This Series

This post is the third in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape.

Post 1Why NIST, ISO 27001 & COBIT Can’t Keep Up With AI Threats

Post 2Agentic Adoption, the New Pattern for Cybersecurity

Post 3Non-Human Identity Security: An Attack Surface You Can’t See

Post 5Fighting Fire with Fire: The Case for an Agentic SOC