TandemTrace
// ESSAY · FIELD NOTE

Every SOC will be AI SOC by 2030.

The problem is unsolvable with humans. ~3.4M unfilled security jobs isn't a hiring problem you can grind through. The talent doesn't exist. Every CISO on Earth has the same constraint.

The 3.4 million number doesn't shrink, and not because anyone is failing to recruit. We graduate plenty of cybersecurity students. The job eats them. Median tier-1 SOC analyst tenure in 2025 sits at around 11 months, with burnout running well ahead of pay as the dominant exit reason. Every team we've worked with in the last two years is rotating through tier-1 every year or so, training the new cohort against the old runbook, watching them burn out, and starting again. There's no labor market in the world where this looks like a hiring problem. It's a job-design problem.

The tooling didn't fix it either. SIEM ingest volumes grew roughly tenfold between 2015 and 2025, and analyst capacity barely grew at all. SOAR was supposed to close the gap. It didn't, because most playbooks still need a human in the loop. MDR helped, but MDR providers run the same labor model and pass the same constraint along under a different invoice line. Every layer added since 2018 has produced more alerts than it has removed.

Why this becomes inevitable in 2026, not 2030

The reason the 2030 view feels inevitable now, and didn't feel inevitable in 2022, is that two curves crossed in 2024.

The first is model reliability. LLMs got dependable enough to make narrow, well-bounded decisions sometime around 2024. That doesn't mean every SOC task. It means the ones where the evidence is structured, the question is local, and the cost of escalation is low. Tier-1 triage on EDR and identity alerts fits that profile. So does most of what people call alert enrichment. So does correlation across two or three telemetry streams. These are exactly the things an analyst spends 80% of their hours on.

The second curve is data accessibility. EDR vendors finally opened their telemetry. Identity providers shipped real APIs. The integrations that took six months to build in 2020 take six days to build in 2026. An autonomous layer can now read the SOC's full picture in near real time, which it couldn't even three years ago.

The curves crossed in 2024. The shipping products arrive in 2025 and 2026. Serious deployments land between 2026 and 2028. By 2030 the question isn't whether you have an autonomous SOC. It's whose.

Every CISO we've spoken to this year has stopped asking whether AI can help their SOC. They're asking when AI will run it.

Five budget lines collapse into one

There's a second thing happening underneath the talent and tooling story. The category boundaries are dissolving.

In 2020 a typical enterprise stack had distinct budget lines for SIEM, SOAR, EDR/XDR, MDR, and analyst headcount. Five RFPs, five vendors, five quarterly reviews, with total spend rising about 18% year over year and producing roughly the same number of incidents per dollar each cycle.

[Figure: the 2020 stack (SIEM, SOAR, EDR / XDR, MDR, analyst headcount) collapsing into one budget line: cost-per-protected-asset, autonomous.]

By 2026 those five lines are visibly merging. The CISOs we work with have stopped asking "what's our SOAR budget" and started asking "what does protecting an asset cost us per year, end to end." The five-vendor stack is starting to look like a financial relic rather than an architectural choice. The only thing that absorbs the five together is a layer that does the analyst-tier work the rest of the stack used to feed.

The vendors who win 2030 are the ones absorbing all five categories. The ones adding a sixth are bargaining with a market that has already moved on.

The new vendor strategy

That is also why the strategy of the agentic-AI security vendors looks fundamentally different from that of the previous SaaS generation. The previous generation sold tools that made analysts more productive. The current generation is selling something else entirely.

Agentic AI doesn't just augment the SOC — it becomes the SOC. This is the key move. They're not pitching "AI tool that helps analysts." They're pitching "autonomous platform that replaces most of the analyst tier and absorbs spend from SIEM, SOAR, MDR, and headcount budgets simultaneously."


If you're trying to figure out what your 2027 SOC budget should look like, or how to stage the transition from the five-vendor stack to something smaller, we'd be glad to talk.