EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success

14 snips

Nov 17, 2025

In this discussion, Alexander Pabst, Deputy Group CISO at Allianz, and Lars Koenig, Global Head of Detection & Response, explore the transformative journey of moving from traditional security information and event management (SIEM) to an agentic SOC model. They delve into the intricacies of governing AI agents, emphasizing the balance between automation and necessary human oversight. The guests share insights on enhancing data fidelity, unexpected challenges during implementation, and the dramatic efficiency gains achieved, including saving 68 analyst-years per quarter.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Agentic SOC Is A Journey Not A Destination

Allianz views agentic SOC as a multi-stage journey rather than a finished product.
They estimate their maturity around level two moving toward level three, not full autonomy.

ADVICE

Collaborate Early With Strategic Vendors

Work closely with strategic partners and involve yourselves in product development to build trust.
Give vendor teams visibility into your diverse environment and regulatory constraints to shape usable features.

ADVICE

Keep Humans In The Loop For High-Risk Actions

Treat AI as a co-pilot, not an autopilot, for actions with high impact.
Require human-in-the-loop for anything destructive or with severe organizational effect.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Guests:

Alexander Pabst, Deputy Group CISO, Allianz
Lars Koenig, Global Head of D&R, Allianz

Topics:

Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like?
Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents?
Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response?
Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions?
We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise?
As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors?
We felt a major lack of proof - Anton kept asking for pudding - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success? What are the key metrics you are using right now?

Resources: