SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.

Blog
08/07/2026

SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.

Dave Brooks
Founding Sales Engineer | AiStrike
SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.
Table of Contents

Most of the security industry is building AI-driven automation backwards, and the buyers are the ones who'll pay for it. The pattern is everywhere right now: take a SOAR, a workflow engine that runs the branches you drew, and staple an AI feature onto the side of it. Call it an AI SOC. Ship it. It demos beautifully.

The problem is the order. The workflow engine is still the thing in charge; the AI just rides along. So you've bought a better-looking version of the same ceiling you already had, and you usually don't find out until you're a year or so in, watching the automation stall on the exact ambiguous alerts you hoped it would take off your plate, wondering why the "AI" can summarize a case but can't actually decide one.

The teams that get the order right are going to pull away from the ones that don't. So it's worth being precise about what the right order is.

I didn't arrive at this from a whiteboard. I spent my last stretch up to my elbows in modern SOAR and automation, good people and sharp tools, and the longer I sat inside it the more I kept hitting the same wall. Once you see it, you can't unsee it.

What "SOAR with bolt-on AI" really is

Picture a decision-tree engine. That's SOAR. Its whole job is to run the branch you drew for it: if this, then that, then the next thing. Deterministic by design, which is exactly what you want for certain jobs.

Now staple an AI feature to the side. It summarizes an alert. Drafts a playbook. Suggests a next step. All genuinely useful, and I won't wave it off. But look at what's in charge. The branch is in charge. The AI is calling out directions to a train that only runs on the track you already laid. The automation still can't reason through the ambiguous middle of your queue. It still breaks when the environment shifts. A human still makes every real judgment call. The AI made the old model prettier. It didn't change what the model can do.

That's the trap. Not that the AI is bad. That it's a passenger.

Flip it

Put the intelligence in the driver's seat and make orchestration the thing it reaches for.

Now the reasoning comes first. Given an alert, the system weighs the context — who the user is, whether that behavior is normal for them, how much the asset matters, what already happened, what the intel says — and decides what this actually is. Then, and only then, it acts. And when it acts, it uses the deterministic pieces as tools. A playbook here. A response action there. Orchestration doesn't vanish. It gets demoted from the boss to the toolbox, which is where it belongs.

This is also where the "but can I trust it" question answers itself, because the answer is built into the shape. Reasoning handles the fuzzy majority. The hard, regulated, can't-take-it-back actions still run on deterministic playbooks with a human approving them. You're not picking between smart and safe. Reasoning covers the ambiguity, rails cover the stakes, and a person stays in the loop on anything you can't walk back.

One caution, because it's the same mistake in a mirror. "AI first" can't mean a single language model in a trench coat. Bolt a raw LLM on top of everything and you've just moved the bolt-on problem up a layer, hallucinations and all. The version that holds up on a real SOC floor is composite: machine learning, knowledge graphs, and language models working together, grounded in your environment instead of guessing at it.

The part that de-risks the decision

Here's what should make this easy to act on. Getting the order right doesn't mean tearing your stack down. The intelligence layer sits on top of what you already run: your SIEM, your identity, your cloud, the connectors your team already sweated over. It makes the orchestration smarter without a migration. You keep what works. You keep the playbooks earning their keep. You put the reasoning above them instead of beside them. So the cost of choosing the right architecture is low, and the cost of choosing the backwards one compounds.

Check the order before you sign

That's the whole lesson, and it's a cheap one to apply. Before you buy anything with "AI" on the label, ask which way it's wired. Is the intelligence running the operation and reaching for automation when it needs it? Or is it a workflow engine wearing a smart hat? One of those learns and compounds. The other is a prettier version of the ceiling you're already trying to escape, and you'll pay for it twice: once now, and once when you re-platform.

SOAR with bolt-on AI is the comfortable present. AI with bolt-on SOAR is the thing that actually moves you forward. Most of the market hasn't sorted out which is which yet. Getting there first is the advantage.

Latest Resources

All Resources
Blog

SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.

SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.
Read More
Blog

4 state-aligned APTs ran in parallel this week.

Read More
Blog

Weekly Threat Advisory: Top Cyber Adversaries

Intelligence is not a feed. Intelligence is structured, attributed, and time-bounded. This week we cataloged 86,008 indicator observations across 268 adversary clusters — including 20,034 high-severity records, an order of magnitude above a normal week and shaped by a Thursday infrastructure flood and a sustained IoT-botnet seeder wave. The story below is what the catalogue actually says — who, what, where, how, and what your blue team should do about it on Monday morning.
Read More
Case studies

How Sunrun Transformed Security Operations with AiStrike

Transforming to an AI-Powered Self-Improving SOC
Read More
Case studies

Global Software Design Company Leverages AiStrike to Investigate Cloud Alerts

Global Software Design Company Leverages AiStrike to Investigate Cloud Alerts
Read More
News

AiStrike Takes on Alert Fatigue with Continuous Detection Engineering at RSA 2026

AI-native platform improves detection quality to cut alert noise, eliminates detection blind spots, and maximizes SIEM ROI through continuous optimization
Read More
News

AiStrike Launches AI-Native MDR to Replace Traditional Managed Detection and Response

SAN FRANCISCO, CA – [02-04-2026] – AiStrike, an AI-native cyber defense platform built for modern security operations, today announced the launch of AiStrike MDR, an AI-powered Managed Detection and Response (MDR) service designed to replace traditional, human-heavy MDR with an AI-led, expert-guided operating model built for scale, speed, and measurable outcomes.
Read More
News

AiStrike Raises $7M to Accelerate AI-Native, Preemptive Cyber Defense

The era of purely reactive security operations is over. AiStrike, a cybersecurity company pioneering AI-native, preemptive cyber defense, today announced it has raised $7 million in Seed funding to scale its agentic AI platform for security operations. The round was led by Blumberg Capital, with participation from Runtime Ventures, Oregon Venture Fund, and strategic angel investors.
Read More
News

Harsh Patwardhan Joins AiStrike as Chief Technology Officer

Reuniting a Proven Leadership Team to Build the Future of Autonomous Security Operations.
Read More
News

AiStrike Announces AI Agents for Detection Optimization, Advancing the Complete AI-Augmented SOC

San Francisco, CA – April 14, 2025 – AiStrike, the AI SOC automation platform transforming cybersecurity operations, today announced the launch of its AI Agents for Detection Optimization—a first-of-its-kind capability that helps security teams improve detection quality, eliminate blind spots, and reduce alert noise by automatically identifying coverage gaps and tuning detections in real time.
Read More
News

AiStrike Emerges from Stealth to Solve Cloud Security Investigation and Response using AI-powered Automation

Guidelines for selecting the most suitable CMS for your project.
Read More
News

Cloud Security Operations Leader AiStrike Launches AI-Powered Cloud Security Investigation and Response Solution on AWS Marketplace

AiStrike leverages advanced AI and machine learning to automate the triage, investigation, and remediation of cloud-native threats, empowering organizations to rapidly respond to threats across all their AWS environments.
Read More
Datasheets

Preemptive AI SOC Platform for MSSPs

MSSPs are under constant pressure to support more customers and increasingly complex environments while maintaining consistent response, coverage, and service quality. Traditional MDR models rely heavily on manual investigation, detection tuning, and analyst-driven workflows, making it difficult to scale operations and deliver proactive outcomes across tenants.
Read More
Datasheets

Preemptive AI SOC Platform

Security teams are overwhelmed by alert volume while real threats still slip through. Traditional SIEM and XDR platforms generate high-noise signals, and many AI SOC tools focus on faster triage without addressing detection gaps or true risk exposure.
Read More
Solution Briefs

Use Cases

From Reactive SOC to Preemptive Security Operatins
Read More
Solution Briefs

AiStrike for AWS

Cloud infrastructure today is the primary target for malicious actors. The risk of exposure of cloud assets continues to grow as organizations expand their cloud footprint and new cyberattacks targeting cloud infrastructure emerge.
Read More
White Papers

CISO Guide: AI-Automated Cloud Security Operations

This guide provides CISOs with a comprehensive understanding of how AI-driven automation can revolutionize cloud security operations, enhancing both efficiency and effectiveness.
Read More
Blog

SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.

SOAR With Bolt-On AI, or AI With Bolt-On SOAR? The Order Is the Whole Thing.
Read More
Blog

4 state-aligned APTs ran in parallel this week.

Read More
Blog

Weekly Threat Advisory: Top Cyber Adversaries

Intelligence is not a feed. Intelligence is structured, attributed, and time-bounded. This week we cataloged 86,008 indicator observations across 268 adversary clusters — including 20,034 high-severity records, an order of magnitude above a normal week and shaped by a Thursday infrastructure flood and a sustained IoT-botnet seeder wave. The story below is what the catalogue actually says — who, what, where, how, and what your blue team should do about it on Monday morning.
Read More