SANS's John Hubbard on Future-Proofing SOC Analysts in the Age of AI

Jul 1, 2025

John Hubbard, Cyber Defense Curriculum Lead at SANS Institute and host of the Blueprint podcast, dives into the future of SOCs in the age of AI. He discusses how AI revolutionizes alert contextualization, enabling better triage decisions by incorporating business context. John highlights the educational gap in teaching both traditional security skills and AI-driven approaches. He also explores the potential of natural language interfaces for complex tasks and shares insights on future-proofing careers in a rapidly evolving tech landscape.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ANECDOTE

From Tier-One To SANS Instructor

John Hubbard built a SOC from tier‑one analyst to U.S. SOC lead on a 150k endpoint network.
He now teaches those lessons at SANS and authors SOC courses.

ADVICE

Teach Fundamentals, Then Use AI

John Hubbard teaches core security methods then shows AI-accelerated shortcuts.
He keeps exercises for sharpening fundamentals while leveraging AI for speed.

INSIGHT

Context Is King For Triage

John argues AI can dynamically fuse business and asset context to improve triage accuracy.
Better context lets analysts prioritize truly critical alerts with confidence.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Drawing from his experience building enterprise SOCs and teaching thousands of security professionals, John Hubbard, Cyber Defense Curriculum Lead at SANS Institute and host of the Blueprint podcast, tells Jack about how AI is revolutionizing security operations centers, including balancing AI automation with fundamental analyst skills. They also explore practical AI applications in alert contextualization, team performance analysis, and the future vision of natural language interfaces for complex security tasks.

John emphasizes the importance of teaching both traditional methods and AI-enhanced approaches, ensuring security teams can leverage technology while maintaining critical thinking capabilities. He also discusses considerations around local versus cloud-based AI models and offers actionable advice for security professionals looking to future-proof their careers in an increasingly automated landscape.

Topics discussed:

How AI transforms alert contextualization by dynamically incorporating business context and asset information for better triage decisions.
The educational challenge of teaching both foundational security methods and AI-enhanced approaches to maintain analyst skills.
Practical applications of AI in SOC operations, including automated phishing triage and mass analysis of analyst performance data.
The evolution toward natural language interfaces that could enable complex security tasks like packet analysis through conversational commands.
Custom agent development versus relying on vendor-provided AI solutions, including the technical challenges and coding requirements involved.
Future SOC architecture predictions featuring interconnected agents, MCP protocols, and the abstraction of traditional security analyst tasks.
Local versus cloud-based AI model considerations, including data privacy concerns, computational requirements, and trust implications.
The critical question of oversight in automated security operations and who monitors AI agents in increasingly autonomous systems.
Performance analysis capabilities enabled by AI's ability to process written text and logs at scale for team improvement insights.
Practical advice for security professionals to embrace discomfort, invite AI into problem-solving, and establish mentoring relationships for career growth.

Listen to more episodes: