
Guest Author:
Dennis Chow, Director, Detection Engineering at UKG
There are many with mixed feelings within the global security community regarding the value of typical SOC operations in a modern enterprise with the advancements in AI. What typically comes from people leaders is the standard “use AI to augment, not replace” type of message. Hiring managers globally are simultaneously struggling to find or retain talent in complex enterprise environments. Whether you choose to believe AI, in its present maturity, is ready to replace talent or not is not the debate we should be having. Instead, we should focus on what are the new value proposition of security operations to meet demand.
Industry Changes
Looking back 15+ years ago, the in demand needs and skills were largely still an administration level understanding of endpoints, networks and general system knowledge. Fast forward to 2025+ the breadth of technologies have exploded and the depth of knowledge has also increased exponentially. Unfortunately in many cases, traditional certification providers and formal education paths have not caught up.
One example of the disconnect is that many enterprises today utilize cloud, yet many analysts struggle with cloud native technology concepts besides a VM instance. Even as early as 2021 Google identified that many respondents in the industry have more than one cloud platform. Multiple industry voices have noted similar skill issues including: Brian Krebs, ISC2, and SANS.
The upskilling problem began forming in the 2010s when cloud providers popularized among developers and enterprises. The problem then was compounded in the 2020s when “bootcamps” were then popularized and funded, often creating curricula that essentially copied the same syllabus content as certification providers. In 2022, OpenAI’s ChatGPT becomes popularized and further raises questions on effective skilling, academic integrity, and cost optimizations.
Upskilling Transformation
So what do analysts need to know now? As it stands, no single certification or course is sufficient. As people leaders, we need to help build and scaffold a combination of curated learning and specific experiences to help close the gap for the modern SOC analyst. Having
built many SOC and Detection Engineering teams over the years, here are the foundational hands on skills that you cannot afford to negotiate on as a minimum baseline to have a capable, and effective analyst:
- Windows, Linux, and, IAM System Administration (Scaling deployment, applying technical governance, and hardening)
- Enterprise-like networks (Routing, Extending VLANs, Encryption in Flight, Logging, High Availability)
- Web applications (REST, HTTP methods, Microservices)
- Cloud native platform landing zones and workloads (design, implement, and centralize monitoring via CI/CD)
- Big Data and Data Science Foundations (MLOps, applied statistics, ETLW build out)
- AI Engineering (Using GenAI and ML to build, secure, and monitor agentic solutions)
If these skills look familiar to someone that resembles a multi-faucet senior detection engineer. You would be correct. In security operations, we can no longer afford to let analysts stay within a general conceptual awareness of technologies. Analysts must learn how to build. Being able
to build, configure and implement these solutions forces a new level of understanding, muscle memory, and new level of awareness on how threat vectors work.
Bridging to Detection Engineering
Globally, teams are racing to build agentic AI solutions, including viable SOC analyst replacements for entry to mid level talent. The only constant in technology adoption and employment over the years has been automating the next lowest repeatable function. My team, for example, is deploying a SOC AI agent in production that can scale and perform triage, investigations, and limited containment.
In tandem, we are actively upskilling analysts to master technical baselines, digital forensics, hunting, and other areas as senior analysts and lighter automations. In the long term, the plan is to upskill analysts to detection engineering so that their time is utilized with higher ROI. Meanwhile, detection engineers should be learning deeper threat intelligence, and security research skills to further automate critical needs in a larger fusion center environment.
Call to Action
The industry is in a critical skill deficit. It’s not the number of heads, but the depth and breadth of skills missing. Don’t rely only on certifications as indicators. Raise the bar, insist, and reinforce candidates who come with a technical portfolio that has not been vibe coded. Examine their ability to communicate value to applicable audiences at the same time as demonstrating the technical skills needed for your organization upfront. Retroactively upskill existing staff to meet the same standard and empower analysts to take back control of their careers to build their own
future.