
Preparing the cyber workforce for AI-enabled operations


Three Points to Remember
  1. Building an AI-ready cyber workforce demands apprenticeships focused on real-world skills and decision making.
  2. AI automation of Tier 1 tasks is reshaping security operations center (SOC) roles and shaping analyst development paths. 
  3. Human analysts remain essential to validate AI outputs, apply context and make critical decisions. 

 

Leidos defensive cyber is committed to resilience at a foundational level, including a focus on structured frameworks for workforce readiness.

As AI becomes more integrated into cyber operations, humans must remain in the loop. This is a very important principle. AI can accelerate detection, reduce noise, and handle routine tasks at a scale no human team can match. However, it raises a question that is worth asking: are we preparing our analysts to be effective in an AI-enhanced security operations center (SOC)?

How AI is already reshaping SOC work

The reality is that AI is already reshaping how work gets done in security operations centers. Tools are increasingly capable of handling the kinds of tasks that used to define entry-level analyst work (triage, enrichment, and sometimes initial investigation). This is fantastic because it frees up human analysts to focus on more complex problems.

But it also changes how analysts develop their skills.

Traditionally, analysts build experience over time via structured processes, learning patterns, and gradually developing the judgement needed to handle ambiguous situations. As AI takes on more of the Tier 1 analyst work, that progression is getting compressed. Analysts are being asked to apply higher level thinking earlier in their careers, often without the same depth of hands-on experience. At the same time, many parts of the cyber workforce pipeline (education, certifications, operational environments) are designed to emphasize consistency, repeatability, and adherence to process. These are essential qualities, especially in mission-critical environments, but they don’t always create space to develop essential analytical judgement. Do not forget the pre-AI days of a security “Paper Tiger”: an analyst who holds numerous certifications but lacks practical “outside the box” skills. The practical skill of analytical judgement is exactly what is required when situations don’t fit neatly into a predefined workflow.

This is exactly where AI changes the equation.

AI tools can generate insights, correlations, and recommendations, but they have yet to be proven infallible. Out of the box, and during continued operations, they can misclassify, miss context, or surface patterns that don’t fully align with what is happening. The role of the human analyst now is not merely to execute the workflow but to validate it. The analyst needs to determine when the output is right and when it needs to be questioned.

New core competencies for analysts in an AI-powered SOC

This is where the idea of human-in-the-loop either succeeds or falls short. If the human role is treated as a procedural checkpoint, then the value is limited. If the human is equipped and expected to apply judgement through interpreting, challenging, and refining the outcome, then the teaming of human analyst and AI becomes more powerful. This doesn’t mean moving away from structure. Cyber operations will always depend on standardized processes, auditability, and repeatable workflows. As AI becomes more embedded, there is an opportunity to evolve our environments not only for consistency but also for actively developing and reinforcing analytical thinking.

In practice, this can be as simple as creating space for analysts to explain why a decision was made, not just what action was taken. It can also ensure that validating automated outputs is treated as a core skill for an analyst, not an afterthought. Over time these small shifts can make a meaningful difference in how analysts engage with the tools and the mission.

The integration of AI into cyber operations isn’t a future concept; it is happening now. As it continues, the effectiveness of that integration will depend not just on the technology but on the people working alongside it. We have built systems that ensure analysts follow processes correctly. The next step is making sure they are equally prepared to recognize when those processes, or the AI systems supporting them, need to be questioned.

Enhance the pipeline with apprenticeship

You may be wondering, “If the AI-enabled SOC is going to take over the triage normally performed by Tier 1 and 2 SOC analysts, how will entry-level analysts gain the skills and enculturation necessary for higher level SOC work?” 

The answer is not to wait for external workforce pipelines to improve. The answer is to build the pipeline internally.  

Organizations should treat the SOC as a finishing school for entry-level analysts. The industry must rewrite SOC analyst hiring requirements from certifications and degrees to aptitude and judgement. Leidos currently looks for candidates who meet 80% of the must-have requirements and addresses the remaining 20% through training. This helps attract talent from pools of people who have the skills and experience, but who didn’t follow the prescriptive educational path. The industry should also widen the practice of hiring out of high school computer science programs. With tuition reimbursement programs, the novice cyber workforce can have an affordable option for obtaining or furthering their education while being employed. Even with retention agreements, it is a very attractive offer.

The Department of War (DoW) is already leading the way with paid 12-month apprenticeships as part of their Cyber Registered Apprenticeship Program (Cyber RAP). According to the DoW’s article, their program will feature structured career pathways, industry-recognized certifications and direct placement. This is an important first step toward, and a critical investment in, building the AI-ready cyber workforce of tomorrow. 

Building internal mobility pathways is another way to help grow the internal pipeline. Helping interested employees to grow into increasingly advanced cyber and AI-enabled roles over time is an investment in human capital and the future. High-performing cyber operations treat workforce development as a continuous operational capability rather than a periodic training event. This includes establishing rotational assignments, cross-functional apprenticeships, structured mentoring and skills-based progression models that allow analysts to move between disciplines such as threat intelligence, incident response, automation engineering, data analytics and AI operations. Internal talent marketplaces and competency frameworks can help employees identify adjacent career opportunities while enabling leaders to align workforce capabilities with emerging mission requirements. By creating visible pathways for advancement and reskilling, organizations improve retention, preserve institutional knowledge and cultivate a workforce that can adapt alongside rapidly evolving technologies and threat environments. 

For external pipeline development, organizations should widen the practice of establishing deliberate partnerships with colleges and universities to create a steady pipeline of talent prepared for AI-enabled cyber operations. Traditional cybersecurity curricula often lag behind operational reality, particularly in areas such as AI-assisted threat detection, human-machine teaming, prompt engineering for cyber tools and the governance of AI-enabled systems. Employers can help close this gap by collaborating with academic institutions on curriculum development, guest instruction, internships, capstone projects and cooperative education programs tied directly to mission needs. These partnerships are especially valuable when they extend beyond four-year universities to include community colleges, technical programs and veterans’ transition programs, broadening access to the profession while increasing workforce resilience.

In an AI-enabled SOC, the entry-level analyst is no longer just a procedural actor. The analyst is part of the control function. Their job is to determine when an AI recommendation is correct, when it is incomplete, and when it should be questioned. That capability will not be produced consistently by the market alone. It must be developed intentionally inside the organization.

Author
Kevin Hiltpold, Senior Director of Cyber Architecture and Technology Strategy

Kevin leads cyber architecture and technology strategy for Leidos, combining expertise in cyber operations, consulting, and engineering. A champion advocate for the adoption of defensive cyber deception, he develops innovative solutions that empower defenders and strengthen cybersecurity resilience.

Posted

June 4, 2026