Cybersecurity Analyst.
Cybersecurity analyst demand keeps growing, but AI agents are absorbing the tier-1 triage work that used to train new analysts.
Low risk, high transformation.
The federal government projects 29% employment growth for information security analysts through 2034, far faster than almost any other occupation, with roughly 16,000 openings a year. That demand is not slowing down. What is shifting is the shape of the work: AI agents now handle the bulk of tier-1 alert triage, the repetitive task that used to be where junior analysts learned the job. The role is not disappearing. The path into it, and the daily mix of tasks once inside it, are both changing fast.
3 shifts already visible in the data, in order of magnitude.
Tier-1 alert triage is now the most successfully automated task in the SOC.
Gurucul's 2025 Pulse of the AI SOC survey found 73% of organizations report successful automation of alert triage and prioritization, the highest figure among the SOC workflows it measured. This is also the work that historically trained new analysts, which is narrowing the entry point into the field even as overall demand for the role keeps growing.
AI agents are closing out routine alerts without a human in the loop.
At St. Luke's University Health Network, Microsoft Security Copilot's triage agent now handles phishing alert investigation around the clock, saving nearly 200 hours of analyst time per month and cutting incident report creation from hours to minutes.
Analysts are being asked to secure AI agents, not just networks.
Google DeepMind's AI Control Roadmap treats capable AI agents like potential insider threats that need least-privilege access, monitoring, and escalation paths of their own. That work is landing on security teams as a new category of system to defend.
What the leaders are doing.
| № | Company | Sector | What they are doing | Year | Source |
|---|---|---|---|---|---|
| 01 | St. Luke's University Health Network | Healthcare | Deployed Microsoft Security Copilot's alert triage agent to autonomously handle phishing alerts, saving the security team nearly 200 hours per month and cutting incident report creation from hours to minutes. | 2026 | microsoft.com |
| 02 | Blackbaud | Software | Security operations team used CrowdStrike's Charlotte AI over 30,000 times in 30 days for detection triage and investigation, reporting a 3x improvement in mean time to resolve and freeing analysts to focus on higher-priority threats. | 2026 | crowdstrike.com |
What is declining, growing, emerging.
Declining.
- 01 Manual log correlation and first-pass alert triage on high-volume, low-signal events
- 02 Writing detection queries from scratch for routine, well-understood threat patterns
- 03 Closing out confirmed false positives by hand

Growing.
- 01 Reviewing and validating an AI agent's triage decisions and investigative reasoning
- 02 Threat hunting and proactive investigation work freed up by automated triage
- 03 Identity and access management extended to machine accounts and AI agent permissions
- 04 Incident response coordination across cloud, identity, and endpoint telemetry

Emerging.
- 01 Securing AI agents and models as a distinct asset class, including monitoring agent behavior for anomalies
- 02 Auditing AI-driven security decisions for accuracy, bias, and escalation failures
- 03 Zero-trust architecture design that accounts for non-human, agentic identities