There’s a distinct gap between reading about AI agents in security operations and building them for production use. The difference between spinning up a Langchain demo locally and deploying durable, reliable agents that your team depends on daily is vast, and it’s where most organizations struggle to translate AI enthusiasm into operational value.
George Warbacher, Head of Security Operations at Live Oak Bank, has spent the past year bridging that gap. His journey from tinkering with Cursor and Claude Code to building production agents for his SecOps team reveals something crucial about where AI is genuinely transforming security work versus where it remains speculative. After months of late nights building agents from scratch, George developed a refined perspective on what’s hype and what’s real when it comes to AI in the SOC.
The conversation touches on everything from the technical challenges of managing agent context and memory to the broader implications of natural language interfaces replacing query language expertise to why George believes SOAR platforms face disruption. Most importantly, it illuminates a pragmatic path forward for security teams looking to adopt AI without falling prey to vendor hype or unrealistic expectations about automation replacing human judgment.
Key Takeaways
The Real Power of AI in SecOps is Natural Language Investigation: The most immediate operational value is enabling analysts to investigate alerts using natural language instead of mastering specific query languages, platform APIs, and tool nuances. This fundamentally lowers the barrier to entry and accelerates investigations without requiring deep platform expertise.
Building Production Agents Requires Engineering Rigor Beyond Demos: Creating agents locally is straightforward, but making them durable enough for production use demands solving challenges like retry logic, failbacks, context management, and multi-user execution that most tutorials skip entirely. This gap explains why many organizations struggle to move beyond proof-of-concepts.
SOAR Platforms Face Disruption from Natural Language Automation: Just as cursor and Claude Code made building software accessible through conversation rather than coding mastery, AI agents will make security automation more accessible by replacing static playbooks with dynamic, conversational workflows that junior analysts can build and modify without extensive programming knowledge.
The Analyst Role is Transforming, Not Disappearing: AI will shift the role from alert analysis toward investigation and threat hunting rather than eliminating security analyst positions. Agents will increasingly handle tier 1 work, while human analysts focus on the complex investigative work that emerges from agent output rather than starting from raw alerts.
MCP Creates the Integration Layer Security Teams Need: The Model Context Protocol represents a significant breakthrough for security operations by enabling agents to interact with security tools through standardized interfaces. This solves the longstanding challenge of creating a true single pane of glass by letting agents orchestrate actions across disparate security platforms through natural conversation.
The transformation George describes is already happening in production at Panther, where our AI agent automatically triages alerts by gathering comprehensive context from your data lake, analyzing historical patterns, and presenting intelligent summaries in minutes instead of the 30+ manual minutes traditional workflows require. Learn more about Panther AI and our MCP server implementation.
