October 13, 2025

Cybersecurity at machine speed

A blueprint for security operations center modernization

By Jim Anthony, Global Field CTO, DXC

Most security operations centers (SOCs) fight today’s threats with yesterday’s operating model: too many tools, too many alerts and too much manual work.

Analysts are stretched, costs rise, incidents linger longer than they should, and it appears as though SOC leaders’ hands are tied. However, achieving “machine speed” isn’t about investing in flashy, complex and expensive technology. It’s about reconfiguring security operations center design so that the right work is completed swiftly and securely by the right agent (human or machine), at the right time.

DXC and 7AI: Agents for change

SOC leaders want measurable risk reduction, predictable outcomes and audit-ready evidence. That means modernization: shifting from manual, ticket-centric workflows to software-driven operations where automation and agent-based AI handle routine investigations and responses while humans supervise exceptions and focus on novel threats.

Fortunately, DXC, in partnership with 7AI, has delivered the first truly agentic security platform.

With DXC Agentic SOC, AI agents autonomously investigate, contextualize and respond to threats at machine speed with human-level reasoning. Meanwhile, this infinitely scalable, agentic security service reduces operational complexity while delivering faster response times at scale.

Agentic AI works like an analyst

Agentic AI doesn’t just run a script; it follows the steps a tier-1 analyst would: Enrich the alert, correlate related signals, check knowledge bases, document reasoning, take pre-approved actions or escalate with a structured case.

Guardrails define what the agent can do automatically (enrichment, benign closures), what needs a human check (sensitive containment) and when to escalate. And because every step is logged, you get both speed and defensibility, two qualities rarely found together in legacy SOCs.

A blueprint you can execute

  • Start SOC automation where it’s obvious. Target noisy, repeatable tasks such as correlation, deduplication, user/asset lookups, ticket updates and containment handoffs. Free analysts to focus on the gray areas where judgment matters.
  • Treat detections as code. Put them in version control, review changes the same way you review application code, add tests and roll back safely. This shortens change cycles and raises quality.
  • Build a modular, open architecture. Opt for open standards and clean APIs so you can swap SIEM, EDR, CTI or case tools without rebuilding. Avoid lock-in and design for hybrid and multi-cloud from the start.
  • Wire in enterprise context. Connect identity, CMDB/asset inventory, vulnerability data, OT/IoT, cloud posture and GRC systems. The more relevant the context you provide for SOC automation, the fewer false positives you’ll encounter and the faster you can close incidents.
  • Use a hybrid delivery model. Blend internal teams with trusted partners for follow-the-sun coverage and surge capacity during major incidents without giving up control or telemetry quality.
  • Measure what the business cares about. Track MTTD, MTTR, time-to-containment, SOC automation coverage, false-positive rate, cost per incident and risk reduction (e.g., exposure hours removed). Use these to guide funding and prove value.

Whether you’re running 70% or 95% SOC automation, the principle’s the same: Move repetitive work to machines, keep humans for decisions that require judgment and document everything.

DXC/7AI SOC agent proof points

DXC’s partnership with 7AI illustrates what agentic operations deliver at scale:

  • 99% alert automation
  • 67.5% reduction in investigation time
  • 95% accuracy
  • Over 224,000 analyst hours saved (≈112 analyst-years)
  • Over $11.2M in reclaimed productivity across deployments
  • 25 delivery centers processing ~4.5M daily threats

Faster, more consistent decisions reduce loss expectancy, improve resilience metrics and strengthen customer trust through continuous compliance and clearer evidence trails.

How roles and processes change

Analysts focus on higher-value work.
L1 tasks (classify, enrich, document and close) increasingly shift to automation under human supervision. Analysts spend more time on complex investigations, threat hunting, purple teaming and tuning detections.

Engineers become product owners for outcomes.
Detection engineers and platform teams manage content (detections, response actions, tests and rollout plans) much like application teams manage releases.

Governance tightens, not loosens.
Automated actions run inside guardrails (role-based permissions, approvals for higher-risk steps and clear rollback plans). Bias and drift checks are part of routine ops.

Collaboration broadens.
Security integrates with IT, cloud, OT and risk functions, so responses align with business priorities (e.g., containing an endpoint versus maintaining plant uptime).


A 90-day starter plan

Weeks 1–2: Map and measure.

  • Trace an alert from creation to closure.
  • Baseline MTTD, MTTR, containment time, false-positive rate and cost per incident.
  • Identify between five and ten high-volume workflows ripe for automation.

Weeks 3–6: Connect and codify.

  • Ensure API access between SIEM, EDR, identity, CTI, case management, CMDB, cloud and GRC.
  • Turn two or three top workflows into agentic flows with tests and approvals.
  • Define guardrails for automated actions (who does what, where and when).

Weeks 7–10: Pilot and harden.

  • Run in shadow mode (automation investigates, humans decide).
  • Move to human-in-the-loop (automation proposes actions, humans approve).
  • Graduate low-risk steps to auto-approve with rollback.
  • Track coverage, accuracy and time saved. Tune detections and verify the automation’s conclusions and outcomes.
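As an added example (not DXC’s or 7AI’s code), the Python below encodes the three action tiers from the guardrails section (automatic, human check, escalate) together with the shadow, human-in-the-loop and auto-approve-with-rollback modes of this pilot, and logs every decision. The policy table, action names and rollback mapping are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Action tiers as the guardrails section describes them.
class Tier(Enum):
    AUTO = "auto"              # enrichment, benign closures
    HUMAN_CHECK = "human"      # sensitive containment
    ESCALATE = "escalate"      # anything outside pre-approved scope

# Rollout modes from the Weeks 7-10 pilot.
class Mode(Enum):
    SHADOW = "shadow"                  # automation investigates, humans decide
    HITL = "human_in_the_loop"         # automation proposes, humans approve
    AUTO_APPROVE = "auto_approve"      # low-risk steps run, with rollback

# Constructed policy (an assumption, not a DXC/7AI configuration).
POLICY = {"enrich": Tier.AUTO, "close_benign": Tier.AUTO,
          "isolate_host": Tier.HUMAN_CHECK, "disable_account": Tier.HUMAN_CHECK}
ROLLBACK = {"enrich": "discard_enrichment", "close_benign": "reopen_case"}

@dataclass
class Decision:
    action: str
    tier: Tier
    outcome: str                    # recorded | proposed | executed | escalated
    rollback: Optional[str] = None  # only set when the agent actually acted

@dataclass
class GuardrailEngine:
    mode: Mode
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, case_id: str, action: str) -> Decision:
        tier = POLICY.get(action, Tier.ESCALATE)
        if tier is Tier.ESCALATE:
            outcome = "escalated"             # structured case for a human
        elif self.mode is Mode.SHADOW:
            outcome = "recorded"              # nothing executes in shadow mode
        elif self.mode is Mode.HITL or tier is Tier.HUMAN_CHECK:
            outcome = "proposed"              # waits for human approval
        else:
            outcome = "executed"              # pre-approved, low-risk action
        rollback = ROLLBACK.get(action) if outcome == "executed" else None
        decision = Decision(action, tier, outcome, rollback)
        # Every step is logged so the result is both fast and defensible.
        self.audit_log.append({"case": case_id, "mode": self.mode.value,
                               "action": action, "tier": tier.value,
                               "outcome": outcome, "rollback": rollback})
        return decision
```

The audit log is what makes the pilot reviewable: the same action yields different outcomes as the mode graduates, and the record shows which mode and tier applied.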

Weeks 11–13: Prove value and scale.

  • Report results in business terms, e.g., incidents handled, hours saved, reduction in exposure and impact on resilience metrics.
  • Add more workflows and extend to additional business units.

The outcome: Faster, safer and easier to explain

SOC modernization is an operating model change, not a tool refresh. When you combine automation-first workflows, AI-assisted investigations and a modular architecture, you reduce dwell time, shrink operational drag and align security outcomes with business goals. The board receives clearer metrics, teams regain time and the organization becomes more resilient.

Connect the dots

A modern SOC operates like resilient software: Fast, observable and consistent. At machine speed, your team absorbs alert spikes without firefighting, contains real threats in minutes and leaves an auditable trail as a by-product of doing the work. That’s modernization with purpose: Security that keeps pace with the enterprise and proves its value in outcomes the business can see.

Why not request an agentic-AI-enabled SOC modernization demo while it’s still front of mind?

About the author

Jim Anthony is the Global Field CTO for DXC. He has a strong background in cybersecurity, with a focus on large, complex security and managed hosting opportunities that utilize consolidation, virtualization and cloud services as key components of the delivery method. Prior to joining DXC, Jim achieved numerous successes with companies such as AT&T, Verizon, Data Return and Appgate, while gaining extensive experience in leading global sales engineering and services teams for industry-leading companies. He earned his BSc in Accounting and Computer Science from Minnesota State University.