
Most SOCs run incident response automation in name only.
The runbooks fire, the tickets route, the alerts enrich with threat intel. Then a human still picks up the phone, opens four tabs, and starts the investigation from scratch.
IR automation has been promised for a decade. Most teams still escalate manually because every automation layer depends on the one beneath it being trustworthy, and that trust collapses the moment a playbook hits incomplete log data, a SOAR workflow assumes a static attack pattern, or an AI copilot hallucinates an artifact that does not exist. The category needs an honest read.
This piece lays out a four-tier maturity model so security leaders can place their current operation on a defined spectrum, see the prerequisites for advancing, and chart a credible path forward. The closing maps Strike48 against tier four, where agentic response becomes operationally reliable.
Incident response automation is the practice of executing some portion of the IR workflow without analyst intervention. The workflow includes alert triage, enrichment, investigation, containment, and remediation. Different products automate different stages with different levels of autonomy.
The category sits on a spectrum. At one end, a scripted playbook runs identical steps every time a specific alert fires. At the other end, an autonomous agent reasons across log sources, identifies attacker behavior across stages of the kill chain, and executes containment actions with analyst approval at critical decision points. Most SOCs operate somewhere in the middle and assume they are closer to the autonomous end than they actually are.
The model below breaks the spectrum into four tiers. Each tier has its own capabilities, prerequisites, and failure modes.
Tier one is the scripted runbook layer that ticketing platforms have offered for years. An alert fires, the playbook runs a fixed sequence, the ticket closes or escalates.
What you get: consistent execution on known alert types. Onboarding time drops. New analysts make fewer process errors.
Prerequisites: an alerting platform, a documented runbook for each alert type, and a way to trigger the runbook from the alert.
Where it breaks: anything novel. The playbook does what it was written to do, no more. When the attacker varies the tactic, the playbook produces a clean ticket on the wrong investigation.
Tier two adds cross-tool orchestration. An alert from the SIEM triggers a workflow that pulls enrichment from threat intel platforms, queries the EDR for endpoint context, opens a ticket in the case management system, and runs containment actions if specific conditions match.
What you get: consolidated investigation steps. Analysts spend less time tab-hopping. Mean time to triage drops on commodity threats.
Prerequisites: integrations between the SIEM, EDR, threat intel, case management, and any tool the workflow touches. Each integration needs maintenance. Each workflow needs version control.
Where it breaks: brittleness. SOAR workflows assume tool APIs stay stable, alert shapes stay consistent, and attack patterns stay recognizable. None of those assumptions hold over time. Teams end up with hundreds of workflows that work most of the time and fail silently the rest.
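The silent-failure mode described above is easy to reproduce. The following is an added illustration, not code from the page or from any SOAR product: a tier-two style workflow that dispatches on alert fields and an EDR lookup. The brittle version uses defaults for missing fields and treats an empty enrichment result as "nothing found", so a renamed alert field closes the ticket clean. The hardened version checks the alert against a declared contract and distinguishes "no answer" from "nothing found", routing both to a human instead of closing. The field names, alert samples and the EDR stub are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed alerts: the first matches the shape the workflow was written for;
# the second is the same detection after the SIEM renamed "host" to "hostname".
ALERT_V1 = {"rule": "suspicious_powershell", "host": "ws-0042", "user": "jdoe", "severity": "high"}
ALERT_RENAMED = {"rule": "suspicious_powershell", "hostname": "ws-0042", "user": "jdoe", "severity": "high"}

# Constructed EDR stub: knows one host, returns None for anything else
# (the same thing a drifted API or an expired token would look like).
EDR_INVENTORY = {"ws-0042": {"isolated": False, "recent_procs": ["powershell.exe -enc <constructed>"]}}


def edr_lookup(host):
    return EDR_INVENTORY.get(host)


@dataclass
class Ticket:
    status: str            # "closed", "escalated" or "needs_human"
    reason: str
    steps: list = field(default_factory=list)


def brittle_workflow(alert):
    """Tier-two pattern: .get() defaults hide a missing field, an empty
    enrichment looks like a clean host, and the ticket closes."""
    host = alert.get("host", "")
    ctx = edr_lookup(host) or {}
    procs = ctx.get("recent_procs", [])
    if any("-enc" in p for p in procs):
        return Ticket("escalated", "encoded PowerShell on host", ["edr_lookup"])
    return Ticket("closed", "no suspicious process found", ["edr_lookup"])


# Contract the workflow was written against; version it with the workflow.
ALERT_CONTRACT = {"rule": str, "host": str, "user": str, "severity": str}


def validate(alert, contract):
    """Return the list of fields that are missing or have the wrong type."""
    missing = [k for k in contract if k not in alert]
    wrong_type = [k for k in contract if k in alert and not isinstance(alert[k], contract[k])]
    return missing + wrong_type


def hardened_workflow(alert):
    """Same logic, but every assumption is checked and a failed check is a
    visible outcome rather than a closed ticket."""
    problems = validate(alert, ALERT_CONTRACT)
    if problems:
        return Ticket("needs_human", f"alert shape mismatch: {problems}", ["validate"])
    ctx = edr_lookup(alert["host"])
    if ctx is None:
        # "EDR gave no answer" is not the same as "EDR saw nothing".
        return Ticket("needs_human", "EDR returned no context for host", ["validate", "edr_lookup"])
    if any("-enc" in p for p in ctx["recent_procs"]):
        return Ticket("escalated", "encoded PowerShell on host", ["validate", "edr_lookup"])
    return Ticket("closed", "no suspicious process found", ["validate", "edr_lookup"])


def triage_batch(workflow, alerts):
    """Run a workflow over a batch and count outcomes; the brittle version
    reports the renamed alert as a clean close, the hardened one as needs_human."""
    return Counter(workflow(a).status for a in alerts)


if __name__ == "__main__":
    for wf in (brittle_workflow, hardened_workflow):
        print(wf.__name__, dict(triage_batch(wf, [ALERT_V1, ALERT_RENAMED])))
```

The useful metric from this pattern is the `needs_human` count over time: a rising count on a workflow that used to close alerts is the signal that an upstream alert shape or API changed, which the brittle version would never surface.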
Tier three introduces AI copilots that sit alongside the analyst. The analyst still drives the investigation. The copilot accelerates the typing.
What you get: faster query construction, faster log summarization, faster report writing. The copilot translates natural language to SIEM queries and surfaces relevant context from prior investigations.
Prerequisites: access to clean log data, a reasoning layer that grounds responses in the actual data, and an analyst workflow that integrates the copilot without adding cognitive load.
Where it breaks: the copilot speeds up the parts of investigation that were already fast. Typing was not the bottleneck. The bottleneck is reasoning across fragmented log sources, identifying attacker behavior across the kill chain, and making the containment call. Tier three accelerates the typing and leaves the hard work untouched.
Tier four is autonomous agents that do the actual investigation work. The agent triages the alert, queries the log sources, correlates across stages of the kill chain, identifies patient zero, collects forensic evidence, and proposes a containment action. The analyst approves the action at the critical decision point.
What you get: mean time to detection compressed below eight minutes in early Strike48 deployments. Investigation work that took an analyst four hours runs in minutes. Alert volumes go from 200 individual tickets to 20 consolidated investigations.
Prerequisites: complete log visibility with no cost-driven blind spots, narrowly scoped agents (one job per agent), verifiable audit trails where every action the agent took is reconstructable, and bounded tool access so the agent cannot reach beyond its scope.
Where it breaks: every one of those prerequisites. Without complete logs, the agent reasons over partial data and produces confident hallucinations. Without narrow scoping, agents drift into adjacent decisions they were not designed for. Without audit trails, the team cannot defend the action to a regulator. Without bounded tool access, a compromised agent becomes a privileged attacker.
The maturity model is not a linear progression. Most teams reach tier two and try to skip to tier three by bolting an AI copilot onto their existing SOAR stack. The result is three structural failure modes.
These three failures compound. Teams conclude that AI in IR does not work, when the actual problem is that tier three was built on a tier two foundation that cannot support it.
Tier four agentic response is operationally reliable only when four architectural conditions hold. These are not optional. They define whether the agents can do the work or whether they produce confident output that the team cannot trust.
These four conditions are what separate tier four from a tier three copilot dressed up in agentic marketing.
Tier four agentic response is where the operational gains compress investigation time from hours to minutes, where mean time to detection drops below eight minutes, and where SOC capacity scales without headcount. Teams that get there built the foundation first. They closed cost-driven blind spots, scoped their agents narrowly, locked down tool access through MCP, and grounded reasoning in graph-structured data.
Strike48 is the agentic platform built for tier four. Every architectural condition above is a deliberate design choice, not an aspiration. Agents execute investigations at machine speed. Humans approve high-impact actions. Audit trails reconstruct every decision.
SOAR executes predefined workflows. The team writes the logic in advance, the workflow runs the steps, and the system stops when it hits a condition the workflow does not handle. Agentic response uses autonomous agents that reason across the available data and decide what to do next. SOAR is deterministic. Agentic response is bounded autonomy with approval gates on critical actions.
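The tier four prerequisites listed earlier (narrow scope, bounded tool access, a reconstructable audit trail) and the "bounded autonomy with approval gates" contrast above describe one control pattern. The following is an added sketch of that pattern, not Strike48 code and not a description of how any particular platform implements it: a single narrowly scoped agent may only call tools on its allowlist, any tool rated high impact is held at an approval gate until a human decides, and every attempt, denial, approval and execution is appended to a hash-chained audit trail that can be verified later. The tool registry, the tool back-ends, the agent name and the alert data are all constructed for the example.

```python
import hashlib
import json

# Constructed tool registry: everything the platform exposes, rated by impact.
# High-impact tools never execute without a human decision.
TOOLS = {
    "query_logs": "low",
    "get_host_context": "low",
    "isolate_host": "high",
    "disable_user": "high",
    "wipe_host": "high",
}

# Constructed back-ends; a real platform would call the SIEM and EDR here.
TOOL_IMPL = {
    "query_logs": lambda host: [f"{host} powershell.exe -enc <constructed>", f"{host} outbound 203.0.113.7:443"],
    "get_host_context": lambda host: {"host": host, "owner": "jdoe", "isolated": False},
    "isolate_host": lambda host: {"host": host, "isolated": True},
    "disable_user": lambda user: {"user": user, "disabled": True},
    "wipe_host": lambda host: {"host": host, "wiped": True},
}


class ScopeViolation(Exception):
    """Raised when an agent tries to reach a tool outside its allowlist."""


class AuditTrail:
    """Append-only log; each entry carries the previous entry's hash so the
    sequence of decisions can be reconstructed and checked for tampering."""

    def __init__(self):
        self.entries = []

    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {**event, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class BoundedAgent:
    """One job, one allowlist, one approver callback for high-impact actions."""

    def __init__(self, name, allowed_tools, audit, approver):
        self.name = name
        self.allowed = set(allowed_tools)
        self.audit = audit
        self.approver = approver  # approver(agent_name, tool, args) -> bool

    def act(self, tool, **args):
        event = {"agent": self.name, "tool": tool, "args": args}
        if tool not in self.allowed:
            # Denied before any back-end is touched, and the attempt is on record.
            self.audit.record({**event, "outcome": "denied_out_of_scope"})
            raise ScopeViolation(f"{self.name} may not call {tool}")
        if TOOLS[tool] == "high":
            if not self.approver(self.name, tool, args):
                self.audit.record({**event, "outcome": "rejected_by_human"})
                return {"status": "rejected"}
            self.audit.record({**event, "outcome": "approved_by_human"})
        result = TOOL_IMPL[tool](**args)
        self.audit.record({**event, "outcome": "executed", "result": result})
        return result


def run_triage(approver):
    """Walk one constructed alert through a triage agent; return the
    containment outcome and the audit trail that explains it."""
    audit = AuditTrail()
    agent = BoundedAgent("triage-agent", ["query_logs", "get_host_context", "isolate_host"], audit, approver)
    host = "ws-0042"
    logs = agent.act("query_logs", host=host)
    ctx = agent.act("get_host_context", host=host)
    outcome = None
    if any("-enc" in line for line in logs) and not ctx["isolated"]:
        outcome = agent.act("isolate_host", host=host)  # high impact: hits the approval gate
    return outcome, audit


if __name__ == "__main__":
    result, trail = run_triage(lambda agent, tool, args: True)
    print(result, trail.verify(), [e["outcome"] for e in trail.entries])
```

The approver is a callback so the same agent code runs under a human-in-the-loop gate in production and under a scripted decision in tests. Note that the scope check happens before the impact check: an out-of-scope high-impact tool is refused outright and never reaches the approver, which is the property that keeps a compromised agent from using the approval gate as a path to tools it was never given.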
Tier two SOAR workflows depend on stable APIs, consistent alert shapes, and recognizable attack patterns. None of those hold over time. Teams accumulate workflow maintenance debt and conclude that automation does not scale, when the structural issue is that tier two cannot reach the work tier four does.
No. Tier four agents execute the investigation and propose containment actions. Analysts approve high-impact decisions, handle the exceptions agents flag for human judgment, and oversee the agent fleet itself. The role shifts from individual alert triage to oversight and exception management.
Timeline depends on the log foundation. A SOC running parse-at-ingest with cost-driven blind spots needs to close the coverage gap first, which is usually a quarter or two of work. Once log coverage is complete, deploying agentic response is weeks, not months, because the agents do not need custom workflow logic per use case.