The SIEM has been the gravitational centre of the SOC for twenty years. Detections live inside it, dashboards live on top of it, and the analyst's workday is structured by what fires in its console. Every other tool in the SOC was acquired in relation to it: SOAR runs against the SIEM, MDR is sold against the SIEM, threat intel feeds enrich the SIEM. The budget line item for the SIEM is usually larger than the combined salaries of the people who operate it.
We think this is going to invert. Not slowly. By 2027 the architecture is upside down, the SIEM is back-office infrastructure, and the gravitational centre of the SOC is the autonomous agent layer.
This is the piece arguing why.
What a SIEM is actually doing
Strip out the marketing and a SIEM does four things: it ingests log telemetry from your environment, it stores that telemetry for some retention period, it runs detection rules against it, and it gives an analyst a query interface to investigate.
Three of those four jobs are being eaten right now.
Ingestion is becoming uneconomic. SIEM licensing is typically priced on ingested volume, that volume has grown roughly tenfold across the last decade, and the budget hasn't. Most teams are already routing only a fraction of their telemetry through their primary SIEM and parking the rest in object storage (S3, ADLS, GCS) that costs two orders of magnitude less per TB to hold. The catch is that the price moved rather than the work: nothing in that bucket is indexed, every search is compute you pay for at query time, and the partitioning and file format you choose on the way in decide whether a historical investigation takes minutes or a day.
Detection is moving up the stack. The detection-engineering platforms (Anvilogic, Panther, SOC Prime, Spectrum, the early-stage detection-as-code vendors) are explicitly building their detection layer outside the SIEM, treating the SIEM as one query target among several. Agentic SOC platforms go further: the agent issues queries against source telemetry directly, and the "detection" is whatever pattern the agent decides is worth investigating. That second model carries an auditability cost worth naming: a detection that exists only as the agent's judgement at query time is harder to version, test against known-bad samples and explain to an auditor than a rule that lives in source control and runs the same way twice.
Investigation is the job the agent now does, end to end. The analyst's "go to the SIEM and pivot" workflow gets replaced by the agent's "investigate, pivot, render a verdict, hand off the packet." The query interface is still there for the rare manual investigation, but it's not the daily centre of gravity any more.
The fourth job, retention, is the only one that survives. Compliance still requires you to keep telemetry for some number of months or years. That keeps the SIEM (or its successor) on the org chart. But it doesn't keep it at the centre.
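An added example of the "SIEM as one query target among several" model described above; it is not code from the original post or from any vendor named in it. The detection is a piece of data; one backend evaluates it over events pulled straight from a source API, and a second renders the same rule to parameterised SQL for the retention store (sqlite stands in for Athena or Snowflake here), so the two paths can be checked against each other. The rule, the table schema and the events are constructed assumptions. The security point is in the cold backend: rule values are bound as parameters and column names are validated and quoted, so a hostile string in a rule file cannot rewrite the retention query.

```python
"""Added example: one detection, two query targets (hot: source API events
evaluated in process; cold: parameterised SQL against a retention store).
Rule, schema and sample events are illustrative assumptions."""
import re
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Hypothetical detection-as-code rule: N login failures per user in a window.
RULE = {
    "name": "idp_repeated_auth_failure",
    "source": "idp",
    "where": {"action": "login", "outcome": "failure"},
    "group_by": "user",
    "threshold": 5,
    "window_minutes": 10,
}


def _since(rule, now):
    return now - timedelta(minutes=rule["window_minutes"])


def run_hot(rule, events, now):
    """Hot path: events exactly as a source API returned them, evaluated here."""
    since = _since(rule, now)
    counts = Counter()
    for e in events:
        if e["source"] != rule["source"]:
            continue
        if any(e.get(k) != v for k, v in rule["where"].items()):
            continue
        if datetime.fromisoformat(e["ts"]) < since:
            continue
        counts[e[rule["group_by"]]] += 1
    return {k: n for k, n in counts.items() if n >= rule["threshold"]}


def _ident(name):
    # Column names come from the rule file, which is still untrusted enough to
    # validate: plain identifiers only, always double-quoted in the query.
    if not IDENT.fullmatch(name):
        raise ValueError(f"bad column name: {name!r}")
    return f'"{name}"'


def render_sql(rule, table, now):
    """Cold path: the same rule as SQL. Values are bound, never interpolated,
    so a threat-intel string in `where` cannot change the query's shape."""
    clauses = ['"source" = ?', '"ts" >= ?']
    params = [rule["source"], _since(rule, now).isoformat()]
    for col, val in rule["where"].items():
        clauses.append(f"{_ident(col)} = ?")
        params.append(val)
    key = _ident(rule["group_by"])
    sql = (f"SELECT {key}, COUNT(*) AS hits FROM {_ident(table)} "
           f"WHERE {' AND '.join(clauses)} GROUP BY {key} HAVING COUNT(*) >= ?")
    params.append(rule["threshold"])
    return sql, params


def run_cold(rule, conn, table, now):
    sql, params = render_sql(rule, table, now)
    return dict(conn.execute(sql, params).fetchall())


def load_cold(events):
    """Stand-in retention store: an in-memory sqlite table with the same rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "events" ("source" TEXT, "ts" TEXT, "user" TEXT, '
                 '"action" TEXT, "outcome" TEXT)')
    conn.executemany('INSERT INTO "events" VALUES (?, ?, ?, ?, ?)',
                     [(e["source"], e["ts"], e["user"], e["action"], e["outcome"]) for e in events])
    return conn


# Constructed sample telemetry, relative to a fixed "now".
NOW = datetime(2026, 3, 4, 10, 30, tzinfo=timezone.utc)


def _ev(minutes_ago, user, outcome="failure", action="login"):
    ts = (NOW - timedelta(minutes=minutes_ago)).isoformat()
    return {"source": "idp", "ts": ts, "user": user, "action": action, "outcome": outcome}


SAMPLE = (
    [_ev(m, "a.lee") for m in range(1, 7)]       # 6 failures inside the window: fires
    + [_ev(m, "b.ng") for m in (3, 5)]           # 2 failures: below threshold
    + [_ev(m, "c.ko") for m in range(35, 41)]    # 6 failures, but 35-40 min ago: outside window
    + [_ev(2, "a.lee", outcome="success")]       # filtered out by `where`
)

if __name__ == "__main__":
    print("hot :", run_hot(RULE, SAMPLE, NOW))
    print("cold:", run_cold(RULE, load_cold(SAMPLE), "events", NOW))
```

Both backends report `{"a.lee": 6}` on the sample. Keeping the rule as data is what makes the SIEM replaceable: adding a third target (a vendor query API, a Parquet scan) is another renderer over the same rule, and the hot and cold results can be diffed in CI to catch a renderer that drifts.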
The architecture in 2027
Picture the SOC as four layers.
Agent layer. The autonomous SOC platform. Reads alerts, runs investigations, renders verdicts, hands escalations to humans. This is where the analyst's attention lives.
Source layer. EDR, identity provider, cloud control plane, SaaS audit logs, network telemetry, email security. The agent reads these directly via API; the data does not detour through a central log store before the agent sees it. In practice the collector fans out rather than splits: one copy of the high-value telemetry goes to the agent's surface, and every event, that slice included, goes to retention, with neither write waiting on the other.
Retention layer. A cheap, queryable object store for everything the compliance department needs you to keep. Could be a stripped-down SIEM in "log archive" mode, could be a Snowflake / Databricks setup, could be straight S3 with Athena on top. The team logs in here twice a quarter for a compliance audit and maybe once a year for a deep historical investigation. It is not the centre of gravity. It is back-office infrastructure.
Analyst layer. The humans. Reviewing escalations, validating verdicts, doing hypothesis-driven hunting on the cases the agent flagged, owning the post-incident write-up. The dashboard they look at is the agent's dashboard, not the SIEM's.
The SIEM as we know it gets split. The detection part moves up to the agent. The investigation part moves up to the agent. The ingestion part decouples from the storage part. The storage part collapses into compliance log retention, priced as cold storage. The dashboard part becomes the agent's dashboard. There is no SIEM-shaped object in the middle of the diagram.
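An added example of the fan-out the four-layer diagram implies; it is not part of the original post. Every event lands in the cold tier under a Hive-style partition key so the retention store can prune by source and day, and only the slice a per-source policy marks high-value is also handed to the surface the agent layer reads. Source names, field names, the regexes and the policy itself are illustrative assumptions, not any vendor's schema, and the sample events are constructed.

```python
"""Added example: a fan-out telemetry router for the four-layer SOC. Every
event is written to partitioned cold retention; only the slice the policy
marks high-value is ALSO delivered to the agent's surface. Sources, fields
and the policy are illustrative assumptions, not a vendor schema."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable

Event = dict
Predicate = Callable[[Event], bool]

# Assumed patterns: base64 after a PowerShell -e/-enc/-EncodedCommand switch,
# and cloud control-plane API names that change state rather than read it.
ENCODED_PS = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")
CLOUD_WRITE = re.compile(r"^(?:Create|Put|Attach|Delete|Update|Modify)")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Hypothetical high-value policy, keyed by source. A source with no entry
# (flow logs, DNS, proxy) is retention-only: the agent can still query it from
# the cold tier during an investigation, it just never gets a hot copy.
HOT_POLICY: dict[str, Predicate] = {
    # identity: every failure, and anything that changes the authentication path
    "idp": lambda e: e.get("outcome") == "failure" or e.get("action", "").startswith("mfa."),
    # endpoint: encoded PowerShell, or any child of an Office process
    "edr": lambda e: (bool(ENCODED_PS.search(e.get("cmdline", "")))
                      or e.get("parent", "").lower() in OFFICE_PARENTS),
    # cloud control plane: writes only; reads are noise at this layer
    "cloud": lambda e: bool(CLOUD_WRITE.match(e.get("event_name", ""))),
}


def is_hot(event: Event) -> bool:
    rule = HOT_POLICY.get(event["source"])
    return bool(rule and rule(event))


def cold_key(event: Event) -> str:
    """Hive-style partition path, so a cold-tier query engine prunes by
    source and day instead of scanning the whole bucket."""
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    return f"source={event['source']}/dt={ts:%Y-%m-%d}/hour={ts:%H}"


def route(events: list[Event]) -> tuple[list[Event], dict[str, list[str]]]:
    """Fan out: every event to cold (NDJSON lines under its partition key),
    hot events additionally to the agent queue. Cold is written first, so the
    compliance record is complete even if the hot hand-off fails."""
    hot: list[Event] = []
    cold: dict[str, list[str]] = defaultdict(list)
    for e in events:
        cold[cold_key(e)].append(json.dumps(e, sort_keys=True))
        if is_hot(e):
            hot.append(e)
    return hot, dict(cold)


def hot_fraction(events: list[Event]) -> float:
    """Share of ingested events the agent's surface actually receives."""
    hot, _ = route(events)
    return len(hot) / len(events)


# Constructed sample telemetry from four sources.
SAMPLE: list[Event] = [
    {"source": "idp", "ts": "2026-03-04T10:15:00+00:00", "user": "a.lee", "action": "login", "outcome": "success"},
    {"source": "idp", "ts": "2026-03-04T10:16:00+00:00", "user": "a.lee", "action": "login", "outcome": "failure"},
    {"source": "idp", "ts": "2026-03-04T10:20:00+00:00", "user": "a.lee", "action": "mfa.reset", "outcome": "success"},
    {"source": "edr", "ts": "2026-03-04T10:21:00+00:00", "host": "wks-17", "parent": "explorer.exe", "cmdline": "notepad.exe"},
    {"source": "edr", "ts": "2026-03-04T10:22:00+00:00", "host": "wks-17", "parent": "WINWORD.EXE", "cmdline": "cmd.exe /c whoami"},
    {"source": "edr", "ts": "2026-03-04T10:23:00+00:00", "host": "wks-17", "parent": "cmd.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"source": "cloud", "ts": "2026-03-04T11:02:00+00:00", "principal": "deploy", "event_name": "DescribeInstances"},
    {"source": "cloud", "ts": "2026-03-04T11:03:00+00:00", "principal": "deploy", "event_name": "AttachUserPolicy"},
    {"source": "flow", "ts": "2026-03-04T11:04:00+00:00", "src": "10.0.0.5", "dst": "10.0.0.9", "bytes": 812},
    {"source": "flow", "ts": "2026-03-04T11:04:01+00:00", "src": "10.0.0.5", "dst": "10.0.0.9", "bytes": 4096},
    {"source": "flow", "ts": "2026-03-04T11:04:02+00:00", "src": "10.0.0.7", "dst": "203.0.113.4", "bytes": 120},
    {"source": "flow", "ts": "2026-03-04T11:04:03+00:00", "src": "10.0.0.7", "dst": "203.0.113.4", "bytes": 120},
]

if __name__ == "__main__":
    hot, cold = route(SAMPLE)
    print(f"{len(hot)}/{len(SAMPLE)} events to the agent surface")
    for key, lines in cold.items():
        print(f"{key}: {len(lines)} lines to cold retention")
```

On the sample, five of twelve events reach the agent and all twelve reach retention under four partition keys. The policy is the part a team should own in source control: it is the decision about what the agent sees first, and it is also the list of what the agent does not see until it goes looking in the cold tier.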
What this means for the five-vendor stack
The 2024 SOC budget looked like five line items: SIEM, SOAR, EDR, MDR, threat intel. The 2027 SOC budget looks like three.
Autonomous SOC layer. The agent. Eats SOAR (playbooks become tool calls the agent makes), eats most of the SIEM's job (detection and investigation), and absorbs the daily-operations part of MDR (the agent does the work the L1 humans used to do for MDR). The privileges SOAR held move with it: isolate a host, disable an account, block a sender. That makes the agent's credentials the most valuable in the SOC, so its tool calls need the same approval gates and audit trail the playbooks had, and the blast radius of a compromised or misled agent has to be part of the vendor evaluation.
Source telemetry. EDR, IDP, cloud, email. The endpoints of the agent's API calls. Some of these are now bundled with their own AI features, which the agent treats as one signal among many.
Compliance retention. Whatever holds the logs for legal and regulators. Cheap, slow, queried rarely.
The MDR providers don't disappear; they reposition. The good ones become managed operators of the autonomous layer for customers who don't want to run it themselves. The bad ones get eaten by the buy-side as the cost of human L1 keeps rising while the cost of the agent keeps dropping.
The SIEM vendors don't disappear either; they reposition too, harder. The honest ones move toward "modern data platform for security" — log retention plus query, priced to compete with object stores. The ones still pitching themselves as the centre of the SOC in 2027 are pitching backward.
What still requires a human
Three things, and only three.
Escalations from the agent. When the autonomous layer suspends or escalates, a human owns it. Volumes are way down from 2024 — most teams will be running 1 or 2 humans on a queue that used to need 20 — but the work that's left is the most interesting part of the job. The team is happier; it is also smaller.
Strategic hunting and detection engineering. The novel hypotheses, the threat-model work, the response to a new MITRE ATT&CK technique, the post-incident root-cause. The agent runs the routine hunts; humans set the direction and write the detections for the things the agent doesn't know yet.
Decisions that affect the business. Disclosing a breach, isolating a critical production system, calling law enforcement, briefing the board. These never automate, ever. The agent's job is to make sure the human walks into those decisions with a clean factual picture and not a queue full of noise.
Everything else automates, because everything else should automate. The work was always too expensive to do by hand; the only reason it was done by hand for twenty years is that nothing else could do it.
What CISOs should be doing in 2026
Three concrete moves.
- Stop renewing your SIEM on the assumption that it's the centre. When the renewal comes up, renegotiate as compliance retention, not as a tier-one platform. The leverage is on your side; SIEM vendors know what's happening.
- Decouple ingestion from storage. Route the high-value telemetry to whatever surface your agentic layer reads from; route everything, that high-value slice included, to cheap object storage, because the compliance record has to be complete regardless of what the agent saw. You should be able to draw your own version of the four-layer diagram by end of year.
- Treat the autonomous SOC vendor selection as a durable decision. It's the layer that's going to compound for the next decade. The other vendor decisions (SIEM retention, EDR, IDP) are commoditising. The agent layer is where the differentiation and the team experience now live.
The SIEM was the right architecture for the 2005 SOC. It survived through 2020 on inertia and integration depth. By 2027 it's a log retention tool. The centre of gravity is moving up, to the layer that does the actual decision-making, and the SOC budgets are about to follow.
Counter-arguments welcome: [email protected].