
AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT Teams Brace for AI-Driven Workload Shift

Morten Kjaersgaard expects fewer than 500 of three million monthly alerts to need a human analyst in the year ahead.

Heimdal’s managed SOC processes three million alerts a month. In the year ahead, fewer than 500 of those, less than 0.02%, are expected to need a human analyst.

“High-volume, low-complexity work will be automated by AI, while sophisticated cases remain with SOC responders where human judgment still matters.”

— Morten Kjaersgaard, Chairman & Founder of Heimdal

That’s the forecast from Heimdal founder Morten Kjaersgaard, based on the trajectory of AI Wingman SOC as it absorbs the bulk of routine triage work.

New research commissioned by Heimdal suggests the wider market is heading the same way.

A Heimdal survey of 1,000 IT and security pros across the US and UK found 79% expect AI to reduce manual workload. 38% expect a shift to higher-value work within three years.

“The SOC analyst job is being rebuilt around the cases that matter,” said Kjaersgaard.
“Their work shifts from operating the SOC to improving the platform and training the AI sitting on top of it. We’re not scaling the team down. We’re scaling customer load up while the role shifts underneath them.”

A volume problem on both sides

Attackers are using AI to scale, not to innovate. The bulk of what’s being accelerated is high-volume, low-complexity work. More phishing. Slightly better phishing. Still phishing.

Defenders need AI for the same reason: triage volume that humans were never meant to process at scale.

“Anything that requires vast volumes of data to be analyzed manually is going to be automated,” Kjaersgaard said.
“Low complexity, high volume work goes to AI. The sophisticated cases stay on the table for the SOC responders. That’s where human judgment still earns its place.”

The survey data points in the same direction. Sensitive data being uploaded to AI tools is the top AI-related concern for 61% of IT professionals.

Only 40% feel their current security tools are fully equipped for AI-driven risk. The work the industry has been asking humans to do at volume is the work it now expects AI to absorb.

Where Heimdal’s position differs

Heimdal isn’t planning to reduce its SOC team.
As AI absorbs more triage, headcount stays stable and the work changes. Analysts focus on the cases that warrant real investigation, and on improving the AI that handles the rest.

Across the wider market, the picture is different. Providers built around high-volume human triage face a structural problem. The work they bill for is the work AI handles first, fastest, and at a fraction of the cost.

The forecast extends the position Heimdal set out in April with the launch of AI Wingman and Third-Party AI Containment.

AI Wingman SOC is the third tier, rolling out across 2026 alongside Assist and Triage. The initial release covers 15 SOC-relevant protection features and is expected to reduce L1 triage time by around 25% as it matures.

Compliance keeps humans in the loop

Compliance is what keeps humans in the SOC. Regulated environments require an accountable person behind security decisions, and that requirement isn’t moving.

What changes is the work. Less time in tickets. More time on the cases that warrant real investigation, and on improving the systems that handle the rest.
