Liberty91
An editor's desk under a warm lamp with a red pencil resting on a stack of typeset proof pages, representing the analyst reviewing and signing off work produced by AI agents
Education8 min read

AI and the Security Analyst: What the Role Loses, and What It Keeps.

AI is not replacing the security analyst, but it is changing the job. The parts that are mechanical and repeatable, such as collecting from many sources, extracting and enriching indicators, mapping activity to frameworks, and drafting first-pass reports, are moving to AI agents. The parts that need judgement stay with the analyst: deciding what matters to the organisation, making the attribution call, carrying the accountability for an assessment, and working the human relationships that produce the best intelligence. The job is shifting from doing the legwork to directing the agents that do it and owning the calls that carry consequences. That is a more senior role, not a smaller one, and it is also a wider one: with knowledge agents holding the standing picture on every topic, a single analyst can cover far more intelligence requirements than the job used to allow.

This guide is about what an AI security analyst's day actually changes, which skills matter more now and which matter less, and why “will AI replace analysts” is the wrong question.

The old shape of the job

For most analysts, the bulk of the day has never been analysis. It is collection and formatting: trawling feeds and vendor blogs, copying indicators into a spreadsheet, enriching them one lookup at a time, mapping techniques to ATT&CK by hand, and reformatting the same finding three ways for three audiences. We have written before about this 80/20 problem, where most of an analyst's time goes to the mechanical work and only a sliver is left for the judgement that actually protects the organisation.

That balance is the thing AI changes. When an agent can do the collection, enrichment, and drafting in minutes, the sliver of time for judgement becomes the bulk of the day. The role does not shrink; its centre of gravity moves from production to decision.

What moves to the machine

A useful way to see the change is to sort the work by whether it is checkable. Where the output can be verified, it is safe to automate, and that is most of the high-volume work.

A row of small robotic sorting arms working through trays of documents, everything flowing towards a single human desk waiting at the end, in navy tones with warm orange accent lighting

Collection moves first: agents monitor hundreds of sources continuously and surface only what is relevant to your requirements. Processing follows: extracting indicators, enriching them across services, mapping to ATT&CK, and converting to formats like STIX, all of which a person can check rather than do by hand. First-pass analysis moves too, but only the scaffolding: an agent can lay out the competing hypotheses, rate how far both a source and its data can be trusted, and attach calibrated confidence, leaving a structured starting point rather than a blank page. And first drafts move, with production agents turning the finished analysis into a brief, a technical report, or a detection rule. None of this is the analyst being removed. It is the analyst being handed a fast, tireless junior team.

What stays with the analyst

The work that does not move is the work that needs a person to be answerable for it.

The final judgement stays human. An agent can lay out hypotheses, but the analyst decides which to back and stakes their name on it. The editorial call stays human: knowing when a well-formatted, confident report is simply wrong is a skill a model does not have. Relevance stays human in the sense that matters most: deciding what the organisation actually needs to know is a stakeholder conversation, which is why your intelligence requirements are set by people even when agents learn from them. Accountability stays human, because signing off an assessment that goes to the board and says “this matters, here is what we should do” is a responsibility a machine cannot carry. And relationship-based intelligence stays human entirely: the tip from a peer, the context from a researcher, the trust built over years in a sharing community, none of which an agent can reach.

None of these are gaps that a better model closes. They are the parts of intelligence that run on human judgement and human trust, and they are precisely the parts worth an analyst's time.

The new shape of the job

Put those together and the role looks different. The AI security analyst spends less time producing and more time directing: setting the requirements that point the agents at the right targets, reviewing and correcting what the agents produce, making the calls the agents are not allowed to make, and handling the stakeholder and peer relationships that no agent can touch. The analyst becomes the editor and the decision-maker over a stack of agents rather than the person doing every lookup.

A single desk at the centre of a vast circular library at night, with tall shelf bays radiating outward and several bays glowing amber, representing one analyst drawing on standing knowledge maintained across many topics

The other thing that changes is how far one analyst can reach. Coverage used to be bounded by what a person could hold in their head, which is why teams ended up with one analyst who knows Russian cybercrime deeply, another who knows the infostealer ecosystem, and a gap wherever nobody had time to specialise. Knowledge agents remove that bound: they keep the full body of knowledge on each topic current and contextualise every new event, incident, and report against it, so the deep familiarity is available on demand rather than living in one person's memory. That means a single analyst can credibly cover many more intelligence requirements than before, because the standing knowledge behind each one is maintained for them and the judgement is the only part they still have to bring.

That changes which skills matter. Tradecraft matters more, because an analyst who understands Analysis of Competing Hypotheses and source rating can direct and check agents that apply them, and can catch where they go wrong. Asking the right questions matters more, because the value now comes from framing the problem and the requirements well. Communication and stakeholder management matter more, because the human-facing end of the job is the part that does not automate. The skills that matter less are the ones that were always a tax on the analyst's time: manual collection, hand enrichment, and reformatting. An analyst who leans into the judgement work becomes more valuable, not less.

The same shift applies whether the title is threat intelligence analyst, SOC analyst, or the newer “AI SOC analyst” label. The technology underneath is the same stack of agents; what changes is that the analyst's day moves up the value chain.

Will AI replace security analysts?

No. AI replaces tasks, not the analyst, and the tasks it replaces are the ones that were never the point of the job. What it cannot replace is the judgement, the accountability, and the relationships, and those are the heart of the role.

AI in this role is a force multiplier, not a replacement. A single analyst backed by a stack of agents can now cover the ground that used to need a team, but the analyst is more central to the result, not less, because every call that carries consequences still runs through them. If you want to see what that backing looks like in practice, our AI threat intelligence analyst page covers how the agent stack runs against your requirements while the analyst keeps the pen, and our guide to AI for threat intelligence explains the agents underneath.

Frequently asked questions.

Will AI replace security analysts?

No. AI replaces tasks, not analysts, and the tasks it takes over, such as collection, enrichment, ATT&CK mapping, and first-draft reporting, are the mechanical parts of the job rather than its core. The judgement, the accountability for an assessment, and the human relationships that produce the best intelligence stay with the analyst. The role moves up the value chain rather than disappearing.

What does an AI security analyst do?

An AI security analyst directs a stack of AI agents rather than doing every step by hand. They set the intelligence requirements that point the agents at the right targets, review and correct what the agents produce, make the calls the agents are not allowed to make, such as attribution and what an event means for the organisation, and handle the stakeholder and peer relationships. The agents do the legwork; the analyst owns the judgement.

What is an AI SOC analyst?

It is the same shift applied to security operations: a SOC analyst whose alert triage, correlation, and enrichment are largely handled by AI, leaving them to focus on response decisions, escalations, and judgement under pressure. The label is new, but the underlying change, machines taking the mechanical work and people keeping the judgement, is the same one happening across security roles.

Which skills matter more for an analyst as AI takes over?

Tradecraft, because you need to direct and check agents that apply structured techniques and catch where they go wrong; asking the right questions, because framing the problem and the requirements well is where the value now sits; and communication and stakeholder management, because the human-facing end of the job does not automate. The skills that matter less are manual collection, hand enrichment, and reformatting.

Does using AI mean losing analytical skill?

Only if you let the agents think for you. Used well, AI removes the time tax of mechanical work so analysts can spend more time on judgement, which builds skill rather than eroding it. The risk to manage is over-trusting a confident output, which is exactly why the analyst stays in the loop, reviews assessments against their sourcing and confidence, and owns the final call.

Is an AI analyst as good as a human analyst?

An AI agent is very good at the high-volume, checkable work and genuinely weak at judgement, intent, novel reasoning, and anything that runs on human trust. So the comparison is the wrong one. The strongest setup is not AI instead of an analyst or an analyst without AI, but an analyst directing a stack of agents, which covers far more ground than either alone.

Put this to work on your own threats.

A free tier of Liberty91 is on the way, so any analyst can put AI-powered threat intelligence to work with no budget and no team. Register your interest now to be first in line when it opens, or grab our free, open-source CTI Skills for your AI coding agent today.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.