Lesku Gergely
04/02/2026

Agentic AI and Fusion SOC: a new era in OT incident management

Agentic AI and Fusion SOC are transforming OT incident management by uniting IT, OT and cyber teams, accelerating investigations, reducing analyst workload and improving resilience across critical infrastructure.

There has always been a convenient misconception in the protection of industrial and critical infrastructure: if an OT system is not directly connected to the internet, its cybersecurity risk is lower. In reality, one of the oldest stories, dating back 20 years, is that of Stuxnet, which targeted a strictly “air-gapped” OT critical infrastructure—this is essentially where we mark the birth of the cybersecurity profession. Closed operation is indeed a fundamental principle, but it does not, by itself, provide sufficient protection. Supplier relationships, remote access, USB usage, maintenance processes, and human error are all areas where risk remains very much present. This is also one of the strongest messages of our article: just because a device does not have an internet connection does not mean that cybersecurity can be ignored.

Another important insight is that OT incident management should not be viewed as a separate realm. It is not that OT cybersecurity does not exist, but rather that incident management cannot be effectively divided into IT and OT components. Understanding a serious incident requires shared processes, a shared information base, and a shared center of expertise. This idea is also reflected in the Fusion SOC approach: risks and threats are shared, and ideally, all relevant events are received by a single system, but the interpretation and handling of the incident must involve experts appropriate to the specific situation.

Why doesn't isolated incident handling work?

Even in an OT environment, incident management is not merely a technical analysis. Behind these incidents lie specific production processes, network zones with different operating modes, unique operational logics, and often individually configured systems. No two plants are alike, even similar ones; in fact, two PLCs of the same make can run completely different program logic. Therefore, when the suspicion of OT involvement arises during the analysis of an incident, it is necessary to involve colleagues who truly understand the specific production or maintenance process. Without them, it is difficult to determine whether an anomaly is a cyberattack, a misconfiguration, or a simple operational glitch. At the same time, the reverse is also true: if the IT and cybersecurity teams are not brought in early enough, OT engineers may easily overlook the possibility of a cyberattack.

This coordinated operation is not only a matter of efficiency but also of operational safety. According to traditional IT logic, the obvious response might be to disconnect a machine or quickly shut down certain components. In an industrial environment, however, this can result in business losses and, in extreme cases, even endanger human lives. Therefore, in OT incident management, it is particularly important that decisions are not made in isolation but through shared responsibility.

What does Fusion SOC mean in practice?

Fusion SOC is not just another buzzword but an operational model. It represents a shared process framework and information space where events from IT and OT sources can be interpreted together. The goal is for the organization to see not isolated alerts, but the full scope of an incident. This naturally requires different rules, specific OT-side detection systems, and different responses in each zone, but detection, correlation, and coordination are built on a common foundation.

This is also evident in the incident response framework adapted for the OT environment: the phases of preparation, detection and analysis, containment, resolution, recovery, and follow-up apply in OT as well, and are based on the relevant NIST guidelines. OT monitoring likewise rests on the combined management of logs, network traffic, and EDR-type endpoint data.

Where does agentic AI come into the picture?

Agentic AI is not simply a new interface or a chat tool, but a substantial takeover of part of the SOC’s work. The core of its operational logic is that the AI performs the same steps that an analyst would currently perform manually: it receives the alert, identifies the affected users, servers, and events, expands the investigation in time and space, collects relevant data, reconstructs the timeline, and then provides a summary and recommended actions.

The platform collects data from IT and OT sources, enriches it with context and threat intelligence, and then uses AI-based triage, entity mapping, contextual analysis, and timeline reconstruction to generate recommendations for human decision-makers. The key element here is the “human in the loop”: that is, the expert does not disappear from the process, but rather takes on a role with higher added value.
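As an added illustration of the pipeline described above (this is not code from the original article or from any SOCWISE product), the following Python sketch replays the analyst steps over a constructed set of IT and OT events: pivot from the alert, expand by shared users and hosts within a time window, rebuild the timeline, and emit a recommendation that is gated on human approval, with anything touching a process-zone asset routed to an OT engineer rather than auto-contained. All event sources, hosts, user names and zone labels are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample events from IT and OT sources (placeholders, not real telemetry).
EVENTS = [
    {"ts": "2026-02-03T08:02:00", "src": "it_vpn", "entity": "contractor01", "host": "eng-ws-7",  "msg": "remote access session opened"},
    {"ts": "2026-02-03T08:05:00", "src": "it_edr", "entity": "contractor01", "host": "eng-ws-7",  "msg": "removable media mounted"},
    {"ts": "2026-02-03T08:09:00", "src": "ot_nsm", "entity": "eng-ws-7",     "host": "plc-line3", "msg": "PLC program download"},
    {"ts": "2026-02-03T09:40:00", "src": "it_edr", "entity": "alice",        "host": "hr-laptop", "msg": "removable media mounted"},
]

# Constructed zone map: which hosts sit in which IT/OT zone.
ZONES = {"eng-ws-7": "OT-engineering", "plc-line3": "OT-process", "hr-laptop": "IT-office"}


def investigate(alert, events, window=timedelta(hours=2)):
    """Replay the analyst steps: pivot from the alerting host, pull in every
    event that shares a user or host with what is already linked (repeating
    until nothing new appears), then rebuild the cross-source timeline."""
    t0 = datetime.fromisoformat(alert["ts"])
    in_window = [e for e in events if abs(datetime.fromisoformat(e["ts"]) - t0) <= window]
    known = {alert["host"]}          # entities and hosts linked so far
    linked = []
    changed = True
    while changed:                   # expand in "space" until the entity graph is closed
        changed = False
        for e in in_window:
            if e in linked:
                continue
            if e["entity"] in known or e["host"] in known:
                linked.append(e)
                known.update({e["entity"], e["host"]})
                changed = True
    timeline = sorted(linked, key=lambda e: e["ts"])
    zones = {ZONES[h] for h in known if h in ZONES}
    touches_process = "OT-process" in zones
    # Human in the loop: the agent recommends, it never isolates an OT asset on its own.
    recommendation = {
        "summary": f"{len(timeline)} linked events across {len(zones)} zone(s)",
        "proposed_action": ("review engineering workstation and PLC change with operations"
                            if touches_process else "contain host per IT playbook"),
        "requires_human_approval": True,
        "approver": "OT engineer + IT security" if touches_process else "IT security",
    }
    return {"timeline": timeline, "entities": sorted(known),
            "zones": sorted(zones), "recommendation": recommendation}
```

Note that the office laptop event falls inside the time window but is never pulled in, because it shares no user or host with the PLC alert; the expansion is driven by entity links, not by time alone.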

Practical experience shows that this approach can reduce incident response times, drastically speed up analysis, and virtually eliminate backlogs and the burden of report writing. It is important to note, however, that this model does not promise that AI will solve everything on its own, but rather that it adds significant speed and reduces the workload when combined with well-structured incident logic and joint IT/OT operations.

AI isn't the first step

This is perhaps the most useful practical takeaway for organizations that are just beginning their OT security initiatives. AI is not the starting point, but rather the “icing on the cake.” First, you need to lay the groundwork: segmentation, OT-specific endpoint protection, remote access control, USB control, vendor requirements, training, and awareness.

This is particularly true in the OT sector. New technology can only deliver real business and security value if it is built on stable processes, clearly defined roles, and effective organizational collaboration. Market trends surrounding NIS2 are also moving in this direction: cybersecurity is becoming less of a peripheral issue and increasingly a core operational concern.

Where should we go next?

Perhaps the most important lesson from the approach presented here is that the future of OT security is not about any single technology. It is not just about SIEM, not just about AI, and not just about regulatory compliance. Rather, it is about whether organizations can find a common language between IT, OT, and cybersecurity.

Where this happens, agentic AI can truly become a powerful multiplier: it does not replace expertise or pit IT and OT experts against each other, but strengthens collaboration and, in a sense, democratizes the process. This may be precisely the point where OT incident management becomes not only faster but also more mature, which ultimately benefits any organization from a business perspective.
