NightBeacon Platform
Security Operations, Accelerated.
What Tier 1 actually looks like in 2027, what to retrain for, and what to stop training on.
The Tines 2025 Voice of the SOC Analyst report found that 71% of SOC analysts report burnout and 64% are considering leaving within the year. The SANS 2025 SOC Survey found that satisfaction with generative AI tools ranks last among SOC technologies. Those two numbers tell the same story from different angles.
The analyst job is being squeezed between two pressures. The deterministic work is moving to agents, which is good, because that's where most of the burnout was coming from. The judgment work is staying with humans, which is also good, because that's where the value is. But the role description hasn't been updated to match. Most analysts are still being hired, trained, and measured against a 2022 job that doesn't exist anymore.
The fix isn't more queue help. It's a different job description.
If you walk through a typical Tier 1 day from 2022, most of it is deterministic work. Enrichment lookups. IOC correlation against threat intel feeds. Standard malware triage against known families. First-pass alert prioritization on signature matches. Each of those tasks has a stable answer, a falsifiable output, and a bounded failure mode. That is exactly the work that post 3 argued belongs to agents.
That work is leaving the queue. In well-instrumented SOCs, it has already left. The remaining Tier 1 work in 2027 isn't pre-processing alerts. It's reviewing what the agent layer surfaced and deciding whether the model's verdict matches the evidence.
This is the part of the story that gets framed as "AI is taking analyst jobs" when it actually isn't. The work that's moving is the work analysts were burning out on. The work that's staying, and growing, is the work analysts wanted to do in the first place. The shift is not a contraction of the role. It's a redistribution within it, with the boring 80 percent of the work moving off the human side.
The teams that are struggling with the transition aren't the ones losing the work. They're the ones whose training, hiring, and metrics still treat queue throughput as the primary signal.
The work moving onto the analyst's desk has three identifiable shapes.
The first is hypothesis-driven hunting. In the 2022 model, hunting was an aspirational activity that senior analysts did when the queue was clear, which was approximately never. In the 2027 model, hunting is the primary work. The analyst runs queries against a hypothesis, not against a queue. The question shifts from "what does this alert mean?" to "if this threat actor is operating in our environment, what would I expect to see in identity logs, what would be conspicuously absent from DLP outputs, and what would the cross-system pattern look like?" The skill that matters is constructing the hypothesis, not closing the ticket.
The second is AI output triage. When the agent layer surfaces a verdict, the analyst's job is to evaluate whether the verdict matches the evidence. Did the model overweight a low-confidence indicator? Did it miss context from a system it doesn't have access to? Is the suggested response action appropriate to the actual cost asymmetry? This is judgment work, and it requires the analyst to read the agent output critically, not deferentially. An analyst who treats every model verdict as authoritative is a less useful analyst than the agent alone. The value lives in the disagreement.
The third is decision-provenance hygiene. When an analyst makes a judgment call, the system needs to capture the why, not just the what. What evidence did the analyst weigh? What context outside the alert data informed the call? What was the rejected alternative interpretation? That capture is the input to the feedback loop that improves the agent layer over time. It is also the input to the audit trail that matters more every year, which is post 5's subject.
Those three responsibilities don't replace incident response, communication, or technical depth. They sit on top of those. But they are the parts of the role that didn't exist in the 2022 job description, and they are the parts that actually fill the analyst's day in 2027.
The applied version of all of this is a curriculum question. What stops, what starts, and what gets measured.
Stop training analysts to be fast at queue clicking. The throughput metric is going away. An analyst who can close 200 tickets a day is solving a problem the agent layer has already solved better. The training time you are spending on queue speed is training time you are not spending on the new work.
Stop training on individual log interpretation in isolation. Reading a single firewall log and deciding what it means is exactly the deterministic pattern-matching work that agents handle better. The analytical skill that matters isn't reading one log. It is connecting evidence across endpoint, identity, and network into a timeline that resolves to a campaign.
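What a hypothesis-driven hunt looks like in code, as an added example that is not part of the original post: the hypothesis is "a user's credential is being used from somewhere unfamiliar, followed by hands-on activity on that user's workstation and an outbound transfer that DLP does not see." The script joins constructed identity, endpoint, network and DLP events into a per-user timeline and reports which expected signals were present, including the conspicuous absence of a DLP alert. All log lines, field names, the known-geo baseline and the byte threshold are assumptions made for this example.

```python
"""
Added example, not from the original post: a hypothesis-driven hunt that
joins constructed identity, endpoint, network and DLP events into a timeline.
Log lines, field names and thresholds are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log lines (JSON, one event per line). Not real data.
IDENTITY_LOG = """
{"ts": "2027-03-04T08:02:10Z", "user": "jdoe", "event": "login", "result": "success", "src_ip": "10.20.1.15", "geo": "US"}
{"ts": "2027-03-04T08:41:55Z", "user": "jdoe", "event": "login", "result": "success", "src_ip": "203.0.113.77", "geo": "BR"}
{"ts": "2027-03-04T09:10:00Z", "user": "asmith", "event": "login", "result": "success", "src_ip": "10.20.1.30", "geo": "US"}
"""
ENDPOINT_LOG = """
{"ts": "2027-03-04T08:45:12Z", "user": "jdoe", "host": "wks-0412", "event": "process_start", "image": "powershell.exe", "parent": "winword.exe"}
{"ts": "2027-03-04T09:12:30Z", "user": "asmith", "host": "wks-0230", "event": "process_start", "image": "excel.exe", "parent": "explorer.exe"}
"""
NETWORK_LOG = """
{"ts": "2027-03-04T08:46:03Z", "host": "wks-0412", "event": "outbound", "dst": "198.51.100.9", "dst_port": 443, "bytes_out": 5242880}
{"ts": "2027-03-04T09:13:00Z", "host": "wks-0230", "event": "outbound", "dst": "192.0.2.40", "dst_port": 443, "bytes_out": 20480}
"""
DLP_LOG = """
{"ts": "2027-03-04T09:13:05Z", "host": "wks-0230", "event": "dlp_alert", "policy": "spreadsheet-export"}
"""

# Assumed baseline: where each user normally signs in from.
KNOWN_GEO = {"jdoe": {"US"}, "asmith": {"US"}}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def parse_log(text):
    """Parse JSON-lines text into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(identity, endpoint, network, dlp, known_geo,
         window=timedelta(minutes=30), exfil_bytes=1_000_000, min_signals=3):
    """Test the hypothesis against each unfamiliar-location login and build a timeline."""
    candidates = []
    for login in identity:
        if login.get("event") != "login" or login.get("result") != "success":
            continue
        user = login["user"]
        if login.get("geo") in known_geo.get(user, set()):
            continue  # expected location: hypothesis not supported for this login
        end = login["ts"] + window
        timeline = [(login["ts"], "identity", f"login from {login['src_ip']} ({login['geo']})")]
        signals = {"login_unfamiliar_geo"}
        host = None
        # Endpoint: an office app spawning a scripting interpreter for the same user, inside the window.
        for p in endpoint:
            if (p["user"] == user and login["ts"] <= p["ts"] <= end
                    and p["image"] in SCRIPT_HOSTS and p["parent"] in OFFICE_APPS):
                host = p["host"]
                timeline.append((p["ts"], "endpoint", f"{p['parent']} spawned {p['image']} on {host}"))
                signals.add("office_spawned_interpreter")
                # Network: a large outbound transfer from that host after the process start.
                for n in network:
                    if n["host"] == host and p["ts"] <= n["ts"] <= end and n["bytes_out"] >= exfil_bytes:
                        timeline.append((n["ts"], "network", f"{n['bytes_out']} bytes to {n['dst']}:{n['dst_port']}"))
                        signals.add("large_outbound")
                # DLP: the conspicuous absence the hypothesis predicts is itself a signal.
                if not any(d["host"] == host and login["ts"] <= d["ts"] <= end for d in dlp):
                    signals.add("dlp_silent")
        if len(signals) >= min_signals:
            candidates.append({
                "user": user,
                "host": host,
                "signals": sorted(signals),
                "timeline": [(ts.isoformat(), src, what) for ts, src, what in sorted(timeline)],
            })
    return candidates


def run_hunt():
    """Run the hunt over the constructed logs and return campaign candidates."""
    return hunt(parse_log(IDENTITY_LOG), parse_log(ENDPOINT_LOG),
                parse_log(NETWORK_LOG), parse_log(DLP_LOG), KNOWN_GEO)


if __name__ == "__main__":
    for c in run_hunt():
        print(json.dumps(c, indent=2))
```

The point of the structure is that the query starts from the hypothesis, so each branch tests one thing the analyst expected to see (or expected not to see) and the output is a timeline that resolves to a single candidate campaign rather than a pile of alerts.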
Stop measuring on volume of closed tickets. That metric incentivizes the wrong behavior in a 2027 SOC. If your reviews still anchor on tickets-per-shift, you are training for the old job.
Start training on hypothesis construction. Senior threat hunters know how to build a hunt query from a hypothesis. That skill is teachable. It is also rarely taught because it requires structured curriculum, mentorship time, and a willingness to invest in analyst development before the analyst is producing measurable output. The teams that build this capacity get exponential returns on it. The teams that don't get steady attrition.
Start training on AI output evaluation. Critical reading of model verdicts is its own competence. It requires understanding what the model's confidence score actually means, where the model's training distribution gives out, and what kinds of context the model categorically can't see. This is closer to research-paper reading than to log analysis, and it is not what most SOC training programs cover yet.
Start training on decision-provenance discipline. Capturing the why of a judgment call takes about ninety seconds per call. Without it, the team's institutional knowledge stays in individual analysts' heads and walks out the door when they leave. With it, the agent layer gets better, the audit trail gets stronger, and new analysts ramp faster. That ninety seconds is the highest-leverage time investment in the role.
Start hiring for different traits. The analyst who is going to thrive in the 2027 job is curious, comfortable with ambiguity, willing to challenge a confident-sounding answer, and able to communicate findings clearly to non-security stakeholders. Those traits don't map cleanly to the entry-level cert-and-queue-speed profile that most SOC hiring pipelines screen for. They map to what we used to call senior-analyst potential, but you can find them earlier in careers if you know what to look for.
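The AI output triage questions from earlier and the decision-provenance record described above and in the training section, as an added example that is not part of the original post: `triage_checks` turns the three questions (low-confidence indicator carrying the verdict, context sources the model never saw, response action too costly for the confidence) into review flags on a constructed agent verdict, and `record_decision` refuses to store a judgment call unless the why fields are filled in. The serialized line is the audit-trail and feedback-loop record; `disagreement_rate` is one summary the agent layer's owners would consume. The agent output schema, the required-source set, the action cost thresholds and the sample decision are all assumptions.

```python
"""
Added example, not from the original post: analyst checks on an agent verdict
plus a decision-provenance record that requires the 'why'. Schema, thresholds
and sample values are assumptions for illustration.
"""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed agent output for one alert (not any real product's schema).
AGENT_OUTPUT = {
    "alert_id": "ALERT-0042",
    "verdict": "malicious",
    "confidence": 0.62,
    "indicators": [
        {"name": "hash_matches_known_family", "weight": 0.7, "confidence": 0.35},
        {"name": "unsigned_binary", "weight": 0.2, "confidence": 0.95},
        {"name": "rare_parent_process", "weight": 0.1, "confidence": 0.80},
    ],
    "sources_consulted": ["edr", "threat_intel"],
    "suggested_action": "isolate_host",
}

# Assumed: sources the analyst's hypothesis needs, and the minimum confidence
# each high-cost action should carry given what a wrong call costs.
REQUIRED_SOURCES = {"edr", "threat_intel", "identity", "dlp"}
HIGH_COST_ACTIONS = {"isolate_host": 0.85, "disable_account": 0.85, "block_ip": 0.6}


def triage_checks(agent_output, low_conf=0.5):
    """Return review flags: overweighted low-confidence indicator, unseen sources, costly action."""
    flags = []
    top = max(agent_output["indicators"], key=lambda i: i["weight"])
    if top["confidence"] < low_conf:
        flags.append(f"verdict leans on low-confidence indicator: {top['name']}")
    missing = REQUIRED_SOURCES - set(agent_output["sources_consulted"])
    if missing:
        flags.append("sources not consulted: " + ", ".join(sorted(missing)))
    action = agent_output["suggested_action"]
    needed = HIGH_COST_ACTIONS.get(action, 0.0)
    if agent_output["confidence"] < needed:
        flags.append(f"{action} needs confidence >= {needed}, got {agent_output['confidence']}")
    return flags


@dataclass
class Decision:
    """One judgment call with its provenance: the what and the why."""
    alert_id: str
    agent_verdict: str
    analyst_verdict: str
    evidence_weighed: list
    outside_context: str
    rejected_alternative: str
    action_taken: str
    flags: list = field(default_factory=list)
    recorded_at: str = ""

    @property
    def agrees_with_agent(self):
        return self.agent_verdict == self.analyst_verdict


def record_decision(agent_output, analyst_verdict, evidence_weighed,
                    outside_context, rejected_alternative, action_taken):
    """Build the provenance record; the why fields are mandatory, not optional notes."""
    if not evidence_weighed:
        raise ValueError("evidence_weighed must list what the analyst relied on")
    if not outside_context.strip() or not rejected_alternative.strip():
        raise ValueError("outside_context and rejected_alternative are required")
    return Decision(
        alert_id=agent_output["alert_id"],
        agent_verdict=agent_output["verdict"],
        analyst_verdict=analyst_verdict,
        evidence_weighed=list(evidence_weighed),
        outside_context=outside_context,
        rejected_alternative=rejected_alternative,
        action_taken=action_taken,
        flags=triage_checks(agent_output),
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )


def to_audit_line(decision):
    """One JSON line per decision: the audit-trail record and the agent feedback input."""
    d = asdict(decision)
    d["agrees_with_agent"] = decision.agrees_with_agent
    return json.dumps(d, sort_keys=True)


def disagreement_rate(decisions):
    """Share of decisions where the analyst overrode the agent, keyed by agent verdict."""
    totals, overrides = {}, {}
    for d in decisions:
        totals[d.agent_verdict] = totals.get(d.agent_verdict, 0) + 1
        if not d.agrees_with_agent:
            overrides[d.agent_verdict] = overrides.get(d.agent_verdict, 0) + 1
    return {v: overrides.get(v, 0) / n for v, n in totals.items()}


def example_decision():
    """Constructed override of the sample verdict, with a placeholder change-ticket id."""
    return record_decision(
        AGENT_OUTPUT, "benign",
        evidence_weighed=["unsigned_binary", "rare_parent_process"],
        outside_context="Change ticket CHG-PLACEHOLDER: IT deployed a new unsigned internal tool to this host today",
        rejected_alternative="Lookalike binary from phishing; ruled out because the deployment script and hash match the change record",
        action_taken="close_with_note",
    )


if __name__ == "__main__":
    d = example_decision()
    print(to_audit_line(d))
    print(disagreement_rate([d]))
```

The override in the sample is the interesting case: the record captures a context source (a change ticket) that the agent never had, names the interpretation that was rejected and why, and carries the triage flags alongside, so a later reviewer or the agent's owners can see both what the analyst decided and what the model was missing.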
That curriculum, hiring, mentorship, and measurement change is a lot of work, and the honest version is that most mid-market security teams don't have the bench depth to do it in-house. Building a real training program requires senior analysts with curriculum-design time, leadership that is willing to invest before payoff, and a hiring pipeline that filters for the right traits rather than the legacy ones. Few mid-market SOCs have all three.
The orgs that solve this in 2027 fall into one of three categories. The ones that built it themselves because they had the bench depth and the leadership runway. The ones that partner with a SOC that already built it and absorb the model. The ones that are still running 2022 playbooks and not yet feeling the cost of it because their attrition hasn't caught up with the market yet.
The third group is the largest, and time isn't on its side. The first group is the strongest. The second group is where most realistic mid-market orgs end up, and there is no shame in it. Post 6 takes on the decision of which path makes sense for which kind of organization.
The framing that AI is going to replace analysts gets the direction wrong. The replacement narrative assumes the work is fungible and the agent does it cheaper. Neither is true. The deterministic work is fungible and the agent does that part cheaper, yes. The judgment work isn't fungible, and the agent doesn't do it at all. What is happening is that the easy half of the job is leaving and the hard half is staying, which means the role is getting more demanding, not less.
That is a harder pitch to make to a new analyst than "we have AI to help you." But it is the accurate one, and it is the one that retains analysts worth keeping. The teams that make this pitch honestly, and then back it up with a real training program, are the ones that build durable SOC capacity. The teams that pretend the job hasn't changed lose their best analysts to the teams that admit it.
The next post picks up where this one stops. If humans are making more judgment calls, the systems that capture and audit those decisions matter more, not less. That is where governance, audit trails, and the board-level question of who decided what come in.