N-able heard the buzz about AI SOCs at Black Hat. It’s just not buying it.
AI-powered SOC solutions without an MDR backbone, the vendor believes, are just less capable MDR solutions.
If I have any regret about attending IT By Design’s Build IT Live conference a few weeks ago (and I don’t) it’s that I missed this year’s Black Hat conference as a result, and therefore missed all of the hype excitement about AI SOC solutions. Forrester, for example, counted “at least a half-dozen booths—some of them very large—proclaiming the ‘first AI-powered SOC’”.
Robert Johnston, the general manager in charge of N-able’s Adlumin unit, saw the same thing during the show and asked analysts he met with there to explain what distinguishes AI SOC services from the AI-powered MDR/XDR service he provides.
“Every single one of them just smiled and shook their head,” he recalls. “There’s no difference. You’re one and the same.”
Which is kind of what Johnston felt going into those conversations. “We’re easily able to replicate their agent-based AI response capabilities and agent-based AI analyst capabilities,” he says. Indeed, AI is already handling 70% of Adlumin’s incident investigation and threat remediation activity without any human assistance.
“The result is wickedly, crazy fast response times,” Johnston says, as in five seconds to identify an event and 15 seconds to begin responding.
“If a human analyst had to look, investigate, reason, and make a decision about what to do about that particular event, you could be looking at 15 minutes or 30 minutes,” Johnston says. “A lot can happen in 15 minutes or 30 minutes.”
Which is why Johnston predicts that as AI foundation models get more powerful and Adlumin gets better at leveraging them, it won’t be longer than a year or two before the percentage of events requiring human intervention shrinks from today’s 30% to zero and the company’s human analysts all become (my words, not his) “agent bosses” doing quality assurance on an army of bots.
“They will be monitoring the model, changing the model, improving the model, and making it more effective in both reasoning and response,” he says.
Of course, the AI SOC vendors will all reach that milestone eventually too. What they’ll lack when they get there though, according to Johnston, is the maturity that only years of experience on the front lines of managed security can get you.
“AI SOC companies without an MDR backbone are just less capable MDR companies,” Johnston says.
Four more quick points on Adlumin, AI, and MDR
1. Johnston’s prediction that bots will be doing 100% of the work analysts do today within two years gives you a sense for how rapidly AI-based security capabilities are improving. Per N-able’s 2025 State of the SOC Report, fully 86% of alerts required human validation and 10% required MDR team intervention as of January and February this year.
2. Yes, many MSPs have reservations about letting AI essentially run SOCs autonomously at present, but Johnston doesn’t expect that to last much longer.
“MSPs are getting very comfortable with the technology. They’re using it themselves, they’re forming business models around it, and it’s working,” he says. “12 more months from now, they’ll be asking you why you aren’t using AI.”
3. Every time a new model comes out, “the number of parameters doubles, the cost cuts in half, and the size of the model decreases by 30%,” Johnston says. “All of that is going to lead to better MDR.”
But also cheaper MDR if the cost’s dropping that quickly, right? Don’t count on it, Johnston says. MDR services may cost progressively less to deliver in the years ahead, but they’ll also resolve progressively more alerts more rapidly and effectively.
“I don’t think prices will go down because the value has increased so much,” Johnston suggests.
4. My conversation with Johnston took place shortly before CISA publicly disclosed two new additions to its Known Exploited Vulnerabilities Catalog involving N-able’s N-central RMM product. So I followed up to see how Adlumin’s SOC did in protecting users from those flaws. Here, in full, is what the company said in response:
Two critical vulnerabilities were identified within the N-able N-central solution—which require authentication to exploit—and could allow a threat actor to elevate their privileges and maliciously use N-central if not patched. We acted quickly to release a hotfix to address these vulnerabilities, which we have communicated to all N-central customers. Our security investigations have shown evidence of this type of exploitation in a limited number of on-premises environments. We have not seen any evidence of exploitations within N-able hosted cloud environments. Our commitment to security and transparency will continue; we have reserved two CVEs (CVE-2025-8875, CVE-2025-8876) that relate to this hotfix which we will release in the coming weeks. We’ll update customers with any additional information that becomes available as our investigation continues into this matter.