SOC expansion hindered by consistency issues, not technology

Growth for Managed Security Service Providers (MSSPs) often leads to inconsistent service delivery, a paradox that undermines the very confidence scale is meant to inspire. As security operations centres (SOCs) expand across shifts, geographies and increasingly varied customer environments, the methods analysts use to investigate alerts begin to diverge. These differences are subtle at first, becoming visible only when trust or performance is questioned. The challenge, industry practitioners say, is not technological but human.
The human factor behind SOC inconsistency
Human judgment does not scale the way technology does. When investigations depend on interpretation and experience, small variations quickly compound. Three analysts can start with the same alert and the same procedure yet reach different conclusions. None are wrong; their decisions simply reflect different investigation paths, different instincts or different weight placed on certain pieces of evidence. For the client, such variation feels unpredictable. When outcomes depend on who is on shift at any given time, inconsistency shifts from an isolated occurrence to an operational concern.
The staffing realities of SOCs make the problem worse. Research indicates that it can take up to a year to replace and train an experienced security analyst. The average tenure for a Tier 1 analyst is only two years, meaning organisations may not see a return on their training investment before the analyst leaves. High turnover, coupled with the inherent stress and tedium of manual security alert management, contributes to burnout. One study found a 64% annual turnover rate for SOC analysts. This churn means that even well-documented procedures are constantly being re-learned, and the institutional knowledge that underpins consistent service is easily lost.
The limits of automation and the real onboarding challenge
Automation can deliver a level of uniformity for familiar patterns and routine tasks. Tools can enforce process. But meaningful investigations require more than rule-following. Analysts must recognise nuance, interpret intent and understand the business impact of what they are seeing. As threats evolve and environments become more complex, the limitations of rigid automation become clear.
Dropzone AI, where the original article’s author Dan Bridges serves as Technical Director, offers an AI SOC Analyst platform that aims for a “software-only” approach to alert triage and investigation, promising improved consistency and scalability by reducing reliance on human analysts. Yet even advanced AI systems can struggle with ambiguity and “unknown unknowns,” where human intervention remains crucial. The effectiveness of AI in SOC operations depends heavily on the quality of data it receives, with context being paramount. A false positive or a missed nuance in the data can cascade into an incorrect conclusion.
This is why the onboarding phase often highlights the deepest challenges – and they are rarely about the technology itself. The real difficulty lies in understanding how an organisation functions: its critical processes, essential systems and decision flows. Analysts can interpret logs and alerts, but without the operational context behind them, even accurate assessments risk missing the broader business impact. For MSSPs working across multiple industries, expecting analysts to internalise every customer’s operational reality does not realistically scale.
How context is lost and regained in SOC operations
The loss of context begins the moment an alert arrives in a SOC. Bespoke internal systems are common among clients, and these often provide essential context for interpreting alerts. Yet analysts may only see fragmented data – a log entry here, a network flow there – without the business layer that explains what the affected system does, who depends on it and what the financial or operational impact of an incident would be. Two identical alerts can carry very different levels of risk depending on the systems involved. A login anomaly on a development sandbox is not the same as one on a production finance server, but without context, both may be treated identically.
The problem deepens as analysts work across multiple customers. Even with strong procedures, remembering which rules apply where is difficult. Pod-based models that assign teams to specific clients create familiarity, but they also create dependencies. When experienced team members leave, critical knowledge often leaves with them. The future of SOC operations, experts argue, depends on making this knowledge transferable and embedded in systems rather than reliant on individuals.
Regaining context requires deliberate effort. Companies are increasingly looking to MSSPs to provide strategic guidance and business-level advice, not just tool management. This means analysts must be trained to ask the right questions: what systems are critical to the client’s operations? What does a zero-tolerance alert look like versus a benign anomaly? Transparent communication – showing the reasoning behind a decision – helps bridge the gap between raw data and business impact. In some cases, taking more time to investigate a low-priority alert is the right call if it leads to a more informed and confident outcome. Quality is shaped by depth, clarity and reasoning, not simply the speed at which tickets are closed.
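The sandbox-versus-finance-server point above, together with the argument that per-customer knowledge should live in systems rather than in individual analysts, can be shown as a small context-enrichment step in triage. This is an added illustration, not code from the article or from any product it mentions; the customer name, host names, asset inventory and "zero-tolerance" rule are all constructed.

```python
from dataclasses import dataclass, field

# Constructed per-customer context store: the business layer that a raw alert
# normally arrives without (asset role, criticality, customer-specific rules).
CUSTOMER_CONTEXT = {
    "acme": {
        "assets": {
            "fin-prod-01": {"criticality": "high", "role": "production finance"},
            "dev-sandbox-07": {"criticality": "low", "role": "development sandbox"},
        },
        # Alert types this customer treats as zero-tolerance on given asset roles.
        "zero_tolerance": {"login_anomaly": ["production finance"]},
    },
}

@dataclass
class Triage:
    priority: str
    reasoning: list = field(default_factory=list)  # transparent decision trail


def triage(alert: dict, context: dict) -> Triage:
    """Assign a priority to an alert using customer context, recording why.

    Two identical alerts get different priorities depending on the asset,
    and every decision carries the reasoning an analyst would show the client.
    """
    customer = context.get(alert["customer"])
    if customer is None:
        return Triage("review", ["no context on file for customer; needs human review"])

    asset = customer["assets"].get(alert["host"])
    if asset is None:
        return Triage("medium", [f"host {alert['host']} not in asset inventory; "
                                 "business impact cannot be assessed"])

    steps = [f"host {alert['host']} is a {asset['role']} system "
             f"(criticality {asset['criticality']})"]
    priority = asset["criticality"]  # default: inherit the asset's criticality

    # Customer-specific zero-tolerance rule overrides the default mapping.
    zt_roles = customer["zero_tolerance"].get(alert["type"], [])
    if asset["role"] in zt_roles:
        priority = "critical"
        steps.append(f"{alert['type']} on {asset['role']} is zero-tolerance for this customer")
    else:
        steps.append(f"{alert['type']} has no special rule for this asset role")

    return Triage(priority, steps)
```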
Why trust depends on consistency beyond the tools
Trust is shaped by the same dynamics. Customers are often more comfortable with a false positive than a missed threat, especially early in the relationship. Clear reasoning and transparent communication build confidence; inconsistency erodes it quickly. This is where the limits of traditional automation become most apparent. Tools can enforce process, but they cannot replace sound judgment or interpret ambiguous signals.
There is also a noticeable gap between how SOC services are purchased and how they deliver value. Procurement focuses on tooling, service-level agreements and coverage – factors that are easy to compare on paper. Yet the most meaningful differentiator is the quality and consistency of day-to-day investigative work, which is much harder to quantify. Scale may increase capacity, but it does not guarantee better outcomes. In many cases, it amplifies inconsistencies already present.
The UK SOC market is projected for significant growth, with an estimated compound annual growth rate of 7.45% from 2025 to 2035, driven by increasing cyber threats, regulatory compliance demands and advances in AI and automation. But the UK also faces a substantial cybersecurity talent gap, needing thousands of additional professionals. The vendors that succeed will be those that treat consistency as a discipline – one built on clarity, context and the ability to make human judgment as dependable as the systems designed to support it.