Agentic AI and the Future of AI-Native SOC
Palo Alto Networks EMEA Tech Summit (Barcelona) – Part 1
The main message of this year's Palo Alto Networks EMEA Tech Summit in Barcelona was clear and consistent: all of the company's product lines and development directions are shifting toward autonomous, AI-driven cybersecurity.
Traditional SOC operations are entering a new era, where we are no longer talking about AI-based support, but about Agentic AI – intelligent agents that are capable of not only interpreting, but also executing security operations completely independently.
This direction is consistent in many ways with the efforts of our InfoSec division to build its own developments, particularly in the area of AI functions that support the work of SOC analysts, build context, and enhance automation. The presentations at the Summit confirm that automation, real-time correlation, and intelligent decision support are at the heart of the development of modern SOCs—a direction that can be seen in multiple technological environments and various SIEM solutions.
Agentic AI – the foundation of autonomous SOC
The dominant message from the Summit:
Palo Alto is not simply integrating AI into the SOC, but building Agentic AI: security agents capable of thinking and acting independently.
The essence of Agentic AI is that the system:
- independently interprets incoming events,
- recognizes and tracks the entire attack chain,
- makes decisions without external instructions,
- then automatically executes the necessary steps, often without the use of playbooks.
Practical examples of the operation presented:
- isolation of compromised endpoints,
- blocking user access,
- real-time modification of network rules,
- complete incident management process without human intervention.
Agentic SIEM continues to be powered by Cortex XSIAM and the XDR engine, which, starting with version 3.0, are designed specifically with an AI-native architecture.
Agentic SIEM – a new SOC architecture is born
One of the key messages of the Summit was that the company has an ambitious but clear vision for the future:
Traditional SIEMs based on log collection may lose their relevance within five years.
The three main pillars of the XSIAM 3.0 development direction are:
1) AI-native operation
The system is designed so that AI performs all tasks where humans would only slow down the process.
2) Unified data model
Coordinated collection and analysis of real-time data:
- network traffic,
- endpoints,
- identities,
- cloud events,
- application logs.
Precision AI continuously builds context from these sources—it doesn't handle events, it analyzes chains of attacks.
3) Automation of the entire incident cycle
The objectives of XSIAM are:
- detect,
- identify,
- prioritize,
- then close the incidents,
- and only a few points remain that still require human decision-making.
The SOC vision: an end-to-end learning and responsive system
The Summit painted a clear picture of the future for the coming years:
- the SOC operates autonomously,
- the system provides real-time visibility of the entire attack surface,
- only truly critical cases are escalated to human analysts,
- and it will be capable of conducting completely autonomous defense processes.
Such a SOC:
- is faster,
- makes consistent decisions,
- and works with a much broader data set than any human team.
Palo Alto is clearly moving toward an autonomous SOC concept based on Agentic AI, which could redefine how security operations centers work in the coming years.
The directions presented resonate well with industry trends and the approach our InfoSec division is taking to build its SOC operations support developments.
This is the first part of a multi-part summary series. The next article will focus on Cortex Cloud, the "code-to-cloud-to-SOC" model, and cloud security automation.


