- CISO Series Newsletter
Join us tomorrow for "Hacking the Future of Log Data"
Join us Friday, February 20, 2026, for “Hacking the Future of Log Data: An hour of critical thinking about why your traditional SIEM is telling only a fraction of the story.”
It all begins at 1 PM ET/10 AM PT tomorrow, with guests Tim Leehealey, vp of corporate strategy and operations, Strike48, and Nick Falzarano, director, information security, TE Connectivity. We'll have fun conversation and games, plus at the end of the hour we'll do our meetup in breakout rooms.
Register for the Super Cyber Friday event series on Airmeet. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.
Thanks to our Super Cyber Friday sponsor, Strike48
Defense in Depth
How Much Autonomy Should You Give AI Agents in Your SOC?
Agentic AI was the buzzword of the year in 2025. Everyone wants to figure out how to use agents, but how do you know how much authority to give them in your SOC?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Cliff Crosland, co-founder and CEO, Scanner.dev.
Listen to the full episode here.
Earning autonomy gradually
AI SOC agents need to prove themselves before being granted broader authority. "AI SOC agents should follow the same kind of maturity curve we've used for years with SOAR and network anomaly detection: start read-only, tune, observe, tune again, and only then introduce controlled action," explained Supro Ghose, CISO at Graphene Security. He emphasized being comfortable with agents handling low-risk, high-volume tasks in the early stages, such as flagging VPN access from outside CONUS, checking against approved users' lists, and sending manager notifications. These are deterministic workflows with clear guardrails. Andrew Wilder, CSO at Vetcor, captured the philosophy simply: "It's the crawl, walk, run model with a human in the loop that builds trust and adoption." Asaf Wiener of Mate Security noted that while organizations can gradually reduce human involvement, the approach should align with their specific needs, pace, and risk tolerance, focusing on "principles of adoption, grounded in real needs and requirements, rather than fixed boundaries."
The blast radius question
The debate over AI agent autonomy often centers on read-only versus write access, but that misses the more critical consideration. "I draw the line based on blast radius, not AI capability," said Betha Aris Susanto of DTrust. "If a decision must be explained to an auditor, regulator, or the board, it stays human." Rock Lambros of RockCyber pushed this thinking further, arguing that reversibility matters more than permission levels. "Quarantining a host is a write action I'd let an agent execute unsupervised because I can undo it in seconds. Disabling a production service account? Same permission level, completely different blast radius." Teams are discovering they never built the authorization model to support tiered trust. AI agents often inherit API credentials that grant them greater privileges than any human analyst would be granted. "That's the real risk," he emphasized. "Not over-automation. It's that well-meaning, super burned-out SOC engineers are deploying agents with permanent credentials, some of them wouldn't hold themselves to reduce their cognitive overload."
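The tiered-trust model described above can be written as an authorization gate in front of the agent's tool calls. This is an added sketch, not code from CISO Series or any guest: the `Action` fields, the stage names, the thresholds and the rule that write actions are refused on permanent credentials are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds are assumptions for this sketch, not values from the newsletter.
MAX_UNDO_SECONDS = 60      # "undo it in seconds"
MAX_BLAST_RADIUS = 1       # assets affected by one unsupervised action

@dataclass(frozen=True)
class Action:
    name: str
    writes: bool                    # changes state, vs. read-only evidence collection
    undo_seconds: Optional[int]     # None = no tested rollback
    blast_radius: int               # assets/services affected (assumed metric)
    externally_accountable: bool    # must be explained to auditor, regulator or board

def decide(action: Action, stage: str, cred_ttl_seconds: Optional[int]) -> str:
    """Return 'allow', 'human_approval' or 'deny' for one proposed agent action.

    stage is 'read_only' or 'controlled_action' (the maturity curve);
    cred_ttl_seconds is None for a permanent credential.
    """
    if not action.writes:
        return "allow"                       # triage, enrichment, summaries
    if cred_ttl_seconds is None:
        return "deny"                        # no writes on standing credentials
    if stage == "read_only":
        return "human_approval"              # agent has not earned write autonomy yet
    if action.externally_accountable:
        return "human_approval"
    if action.undo_seconds is None or action.undo_seconds > MAX_UNDO_SECONDS:
        return "human_approval"              # not quickly reversible
    if action.blast_radius > MAX_BLAST_RADIUS:
        return "human_approval"
    return "allow"

# Constructed sample actions based on the examples quoted above.
COLLECT = Action("collect_evidence", False, None, 0, False)
QUARANTINE = Action("quarantine_host", True, 30, 1, False)
DISABLE_SVC = Action("disable_prod_service_account", True, None, 25, True)

def evaluate_all(stage: str, ttl: Optional[int]) -> dict:
    return {a.name: decide(a, stage, ttl) for a in (COLLECT, QUARANTINE, DISABLE_SVC)}

if __name__ == "__main__":
    for stage, ttl in (("read_only", 900), ("controlled_action", 900), ("controlled_action", None)):
        print(stage, ttl, evaluate_all(stage, ttl))
```

Both write actions need the same permission level, yet only the quarantine is ever allowed unsupervised, and only once the agent is past the read-only stage and running on a short-lived credential.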
The reality check
Amid vendor enthusiasm about AI SOC capabilities, the actual adoption picture is far more modest. "DIY AI agents for SOC is a really, really high bar," noted Anton Chuvakin of Google Cloud Podcast. While some organizations are attempting it and a few are succeeding, they are still an exceedingly small minority. Erik Bloch of Illumio offered a blunter assessment: "I don't know anyone building an AI SOC, but people are experimenting with AI and agents to do basic summaries, or using it to shorten dev times for automations or detections. The idea that there is mass adoption around this is a marketing echo chamber."
Today's value, tomorrow's evolution
The immediate opportunity lies in practical applications that deliver speed and efficiency gains without crossing into risky autonomy. "You can automate evidence collection, initial triage, and generation of a curated list of fixes/recommendations," said Anatoly Chikanov of Primary Venture Partners. "This gets you a ton of value in terms of speed/efficiency vs. doing it manually by Tier 1 folks." But the line should be drawn around autonomous action, since over-provisioning an agent creates something an attacker can weaponize. For now, keeping humans in the loop while offloading tedious work makes sense given the current maturity of AI SOC capabilities.
Thanks to Asaf Wiener of Mate Security for being our unwitting contributor.
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Scanner
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Budget Cuts Don’t Mean Security Cuts
The latest AMA focused on how CISOs and security leaders managed to reduce risk even after their budgets were cut. Read all of the Q&As from the AMA here, and see the full recap article here.
Thanks to our participants:
Gary Hayslip (u/Shaynei), vp and senior security advisor, Halcyon
David Cross (u/MrPKI), CISO, Atlassian
Nick Espinosa (u/NickAEsp), host, The Deep Dive Radio Show
Will Gregorian (u/wgregorian), former senior director, technology operations and security, Galileo Medical
Edward Frye (u/krypt0_ed), head of security, Luminary Cloud
Next up: “I've been a CISO more than once. Ask me anything about how the job differs between organizations.”
Starting Sunday, February 22 on r/cybersecurity.
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series reporter Sarah Lane, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Jon Collins, field CTO, GigaOm, and Adam Palmer, CISO, First Hawaiian Bank. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Conveyor
Cyber chatter from around the web...
Jump in on these conversations
"OpenClaw is terrifying and the ClawHub ecosystem is already full of malware" (More here)
"Opinion on discord new Age verification update? after a huge data breach" (More here)
"I Signed Up for AI.com After its Super Bowl Ad. Then I Read Its Alarming Privacy Policy" (More here)
Coming up on Super Cyber Friday:
[02-20-26] “Hacking the Future of Log Data”
[03-06-26] “Hacking Citizen Developers”
Register for the Super Cyber Friday event series on Airmeet. You can register for all upcoming episodes in this ongoing event series. After you register, you can add events to your calendar right on our event series page.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel for daily Shorts videos from CISO Series reporter Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.






