Twenty-two seconds. That is the window that industry researchers measured in early 2026 between initial compromise and the first lateral-movement action by an autonomous AI attack agent. Not twenty-two minutes. Not twenty-two hours. Twenty-two seconds from foothold to follow-on action, on real production networks.
That number rewrites every assumption the security industry built between 2010 and 2024. Perimeter firewalls assumed attackers needed hours to study a network before acting. Quarterly penetration tests assumed the threat surface changed slowly. Business-hours SOCs assumed the weekend gap was survivable. None of those assumptions hold in 2026. Adversaries are attacking at computer speed, and every defender who is still operating at human speed is losing ground every hour of every day.
What changed, and why it changed fast
Three forces converged in late 2025 to produce the 2026 threat environment.
First, generally available language models crossed a capability threshold where they could autonomously chain reconnaissance, exploitation, and post-exploitation actions without human intervention. In September 2025, researchers documented the first fully autonomous AI-orchestrated intrusion where the model handled 80 to 90 percent of the operation end to end. That was a research demonstration. By the first quarter of 2026, equivalent capability is commodity.
Second, agentic AI is spreading explosively across the defender surface as well. Gartner projects that 40 percent of enterprise applications will embed task-specific AI agents by the end of 2026, up from under 5 percent at the start of 2025. Microsoft reports that 80 percent of Fortune 500 companies already deploy AI agents in production. Every one of those agents is a new attack surface that did not exist eighteen months ago. In simulated environments, Galileo AI researchers found that a single compromised agent poisoned 87 percent of downstream decision-making within four hours.
Third, the economic barrier to deploying attack automation collapsed. Running a capable attack agent no longer requires an offensive-security specialist: a ransomware affiliate with modest skills can rent the same tooling as a nation-state operator. A Dark Reading poll published in the first quarter of 2026 found that 48 percent of cybersecurity professionals now identify agentic AI and autonomous systems as the single most dangerous attack vector facing their organisation.
The result is an asymmetric war where the offence has industrialised and the defence, in most organisations, has not.
Computer-speed attack requires computer-speed defence
If your adversary can move from initial access to ransomware deployment inside a weekend, a monitoring team that looks at dashboards Monday morning is not a SOC. It is a post-mortem function.
Computer-speed defence means three things, all of which must be true simultaneously.
- Detection latency measured in seconds, not hours. Telemetry from every endpoint, every identity event, every cloud API call is normalised and correlated in real time. Behavioural baselines flag deviations the instant they happen.
- Autonomous containment for high-confidence detections. A confirmed credential compromise triggers automatic session revocation and password reset in under a minute, without waiting for a human on-call to read a Slack alert. A confirmed malware detonation on an endpoint triggers automatic isolation before the next process can spawn.
- Humans in the loop for judgement calls, not for every alert. Senior analysts focus on complex investigations, adversary simulation, and detection engineering. The low-level triage that consumed SOC-analyst careers for a decade is now machine work.
Only the best is good enough now
A decade ago, any SOC was better than no SOC. That bar has moved. In 2026, the gap between an elite SOC and an average one is no longer the difference between fast and slow. It is the difference between detecting the intrusion and missing it entirely.
Three capabilities separate the SOCs that keep up from the ones that do not.
Detection engineering maturity. Off-the-shelf vendor rules catch commodity malware. They do not catch a living-off-the-land intrusion where the attacker uses PowerShell, scheduled tasks, and built-in admin tools. Catching that requires a team that writes and tunes its own detections, runs adversary-simulation exercises weekly, and maps coverage explicitly against the MITRE ATT&CK matrix. If your SOC cannot tell you what percentage of the ATT&CK techniques relevant to your environment it currently detects, it is not doing detection engineering. It is doing alert management.
Automation that has actually been trusted with production. Every SOC brochure mentions SOAR. Very few have playbooks that are authorised to take containment actions without human approval. Those authorisations are hard to earn: they require the automation to be demonstrably safer than the human alternative, which requires months of shadow-mode validation and conservative confidence thresholds. A SOC that cannot point at specific automated responses that ran last week without human intervention is not defending at computer speed.
Deep specialist bench. An AI-driven intrusion does not look like commodity malware. Investigating it demands malware reverse engineers, cloud forensics specialists, and identity-platform experts on the same team. Very few organisations can staff that bench internally. A quality MSSP spreads that specialist cost across many clients.
What a modern SOC actually does
The functions are unchanged in name from 2015. Everything about how they are executed has changed.
Continuous monitoring and detection
Telemetry from endpoints (EDR on every workstation and server), identity events (Entra ID, Okta, AD), cloud control planes (Azure Activity, AWS CloudTrail, GCP Audit), network flows, email gateways and application logs feeds a SIEM that correlates in real time. Detection is layered: signature rules for the commodity tail, behavioural baselines for the novel middle, and AI-assisted anomaly scoring for the long-tail edge cases.
Alert triage, done mostly by machines
A mid-market environment generates hundreds of alerts per day; large enterprises, tens of thousands. In 2026 those alerts are scored, enriched, and clustered by ML models before a human sees them. Low-confidence alerts are auto-closed into a batch queue. High-confidence alerts arrive at a human analyst already enriched with asset context, user behaviour baselines and threat-intel indicators. Triage that used to burn analyst minutes per alert now consumes seconds.
Investigation
When triage confirms an incident, senior analysts conduct a structured investigation: initial access vector, lateral movement map, blast radius, data exposure. AI-assisted tools draft timelines, suggest hypotheses and generate report skeletons. The judgement calls stay human.
Response
For high-confidence well-understood detections, SOAR playbooks execute containment automatically, in seconds: endpoint isolation, credential reset, session revocation, OAuth token revocation, email recall. For ambiguous detections a human authorises the action before it runs. Both paths are logged and post-reviewed.
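The gating logic behind those two response paths, and the shadow-mode validation that earns a playbook its authorisation, as an added Python example (not ZeroSubnet's tooling). The thresholds, class names and the sample verdicts are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Detection:
    detection_class: str                    # e.g. "credential_compromise" (assumed class name)
    confidence: float                       # 0.0..1.0 from the triage scoring model
    analyst_verdict: Optional[bool] = None  # True = confirmed true positive after human review

@dataclass
class ContainmentPolicy:
    """Gates SOAR playbooks: auto-contain, shadow-log, or wait for a human."""
    min_confidence: float = 0.90        # conservative floor for any automated action (assumed)
    min_shadow_samples: int = 200       # shadow history required before a class is trusted (assumed)
    min_shadow_precision: float = 0.98  # automation must beat the human alternative (assumed)
    authorised: set = field(default_factory=set)   # classes allowed to act without approval
    shadow: dict = field(default_factory=dict)     # class -> [(would_act, verdict), ...]

    def decide(self, det: Detection) -> str:
        if det.confidence < self.min_confidence:
            return "human_approval"   # ambiguous: an analyst authorises before anything runs
        if det.detection_class in self.authorised:
            return "auto_contain"     # validated class: isolate / revoke in seconds
        return "shadow"               # would act, but only record the decision for review

    def record_verdict(self, det: Detection) -> None:
        """Store what the playbook would have done next to the analyst's later verdict."""
        would_act = det.confidence >= self.min_confidence
        self.shadow.setdefault(det.detection_class, []).append((would_act, det.analyst_verdict))

    def shadow_precision(self, cls: str) -> tuple:
        """(samples, precision) over shadow decisions where the playbook would have acted."""
        acted = [v for w, v in self.shadow.get(cls, []) if w and v is not None]
        if not acted:
            return 0, 0.0
        return len(acted), sum(acted) / len(acted)

    def try_authorise(self, cls: str) -> bool:
        """Promote a class to autonomous containment only when the shadow record earns it."""
        n, precision = self.shadow_precision(cls)
        if n >= self.min_shadow_samples and precision >= self.min_shadow_precision:
            self.authorised.add(cls)
            return True
        return False

def run_shadow_period(policy: ContainmentPolicy, cls: str, true_hits: int, false_hits: int) -> bool:
    """Feed constructed high-confidence shadow samples, then attempt authorisation."""
    for _ in range(true_hits):
        policy.record_verdict(Detection(cls, 0.95, analyst_verdict=True))
    for _ in range(false_hits):
        policy.record_verdict(Detection(cls, 0.95, analyst_verdict=False))
    return policy.try_authorise(cls)
```

A class that never clears the precision bar stays in shadow mode indefinitely, which is the conservative default the passage argues for.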
Continuous improvement
After every significant incident, the SOC conducts a post-incident review, updates playbooks, tunes detection rules, and feeds lessons learned back into detection engineering. The feedback loop is what separates a SOC that was good in 2023 from one that is still good in 2026.
Why 24/7 is not a budget question
The most common objection to continuous coverage is cost. Every CFO who has that conversation should first see the threat-actor schedule. Ransomware operators consistently prefer to trigger encryption payloads on Saturday nights and early Monday mornings, precisely the window when business-hours SOCs are dark. An attack that starts encrypting at 02:00 Saturday can run eight hours before the first weekday employee notices, which is enough time to destroy backup infrastructure, delete shadow copies, and exfiltrate the most valuable data.
Add the 22-second number to that pattern. A business-hours SOC in 2026 is not providing partial protection. It is providing the illusion of protection: the cost without the coverage. The option is binary: genuine 24/7 capability or no meaningful SOC. The honest conversation is about how to acquire the capability, not whether to.
In-house SOC vs. MSSP
An internal 24/7 SOC requires a minimum of eight to twelve analysts across three shifts plus senior detection engineers, a SOC manager, a threat intelligence function, and a specialist bench. In the Norwegian market, where experienced security analysts are scarce and expensive, personnel costs alone for a small in-house SOC typically exceed several million NOK annually before tooling. The tooling stack (SIEM, EDR, SOAR, threat intel feeds, NDR, vulnerability management) adds substantially more.
For mid-market Norwegian organisations (100 to 2,000 employees), a reputable MSSP typically delivers better security outcomes at lower total cost than building from scratch. The economics work because the MSSP spreads its specialist bench and tooling across many clients, draws threat-intelligence breadth from monitoring many environments at once, and does not bear the recruitment risk of competing for scarce Nordic security talent.
The selection bar is higher than it was two years ago. Ask every MSSP candidate these questions: what percentage of your containment playbooks run without human approval today, and which ones? What is your median MTTD and MTTR broken down by detection category? What is your MITRE ATT&CK coverage figure against techniques relevant to our environment, and how was it measured? How do you handle data sovereignty for Norwegian clients? If the answers are vague, the SOC is not operating at the level that 2026 demands.
Measuring SOC effectiveness in the AI era
A SOC that cannot measure itself cannot improve. The KPI set is unchanged in structure from the pre-AI era. The target numbers have moved by an order of magnitude.
MTTD. Measured in seconds for automated detection classes, measured in minutes for detections that require human triage. Any number measured in hours indicates a structural problem.
MTTR. For threat classes the SOC has authorised automation on, MTTR should be under one minute. For threats requiring human judgement, under the attacker's next-step window (typically under 15 minutes in 2026 intrusions).
False positive rate. Below 10 percent for surfaced alerts. Higher rates indicate poor detection tuning and lead directly to alert fatigue.
ATT&CK coverage. Quantified, re-measured quarterly, validated by purple-team exercises. Ideally above 75 percent for techniques relevant to the organisation's threat profile.
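An added Python example (not the page's or ZeroSubnet's tooling) that computes this KPI set: median MTTD and MTTR per detection category over a constructed week of alert records, the false positive rate over surfaced alerts, and the ATT&CK coverage figure the detection-engineering section asks for, split into validated, mapped-but-unvalidated and uncovered techniques. The alert records, rule names and the set of "relevant" technique IDs are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample week (not real telemetry):
# (category, first_malicious_activity, detected_at, contained_at or None, true_positive)
ALERTS = [
    ("credential_compromise", "2026-03-07T02:00:00", "2026-03-07T02:00:18", "2026-03-07T02:00:52", True),
    ("credential_compromise", "2026-03-07T23:10:00", "2026-03-07T23:10:25", "2026-03-07T23:11:10", True),
    ("credential_compromise", "2026-03-08T04:30:00", "2026-03-08T04:30:40", "2026-03-08T04:31:25", True),
    ("living_off_the_land",   "2026-03-09T01:00:00", "2026-03-09T01:05:00", "2026-03-09T01:15:00", True),
    ("living_off_the_land",   "2026-03-09T19:00:00", "2026-03-09T19:09:00", "2026-03-09T19:24:00", True),
    ("credential_compromise", "2026-03-10T08:00:00", "2026-03-10T08:00:30", None, False),  # false positive
]

def _secs(a: str, b: str) -> float:
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds()

def kpis_by_category(alerts):
    """Median MTTD and MTTR (seconds) per category over confirmed incidents, plus overall FP rate."""
    mttd, mttr = {}, {}
    for cat, start, detected, contained, true_positive in alerts:
        if not true_positive:
            continue                      # false positives carry no containment time
        mttd.setdefault(cat, []).append(_secs(start, detected))
        mttr.setdefault(cat, []).append(_secs(detected, contained))
    fp_rate = sum(1 for a in alerts if not a[4]) / len(alerts)
    return ({c: median(v) for c, v in mttd.items()},
            {c: median(v) for c, v in mttr.items()}, fp_rate)

# Assumed threat-profile subset of ATT&CK technique IDs and an assumed rule-to-technique mapping.
RELEVANT_TECHNIQUES = {"T1078", "T1059.001", "T1053.005", "T1021", "T1490", "T1486", "T1567", "T1110"}
RULES = {  # rule name (constructed) -> (technique, validated by a purple-team exercise)
    "entra-impossible-travel":      ("T1078",     True),
    "powershell-encoded-command":   ("T1059.001", True),
    "schtasks-created-by-nonadmin": ("T1053.005", False),
    "vssadmin-delete-shadows":      ("T1490",     True),
    "mass-file-rename":             ("T1486",     True),
    "rdp-lateral-fanout":           ("T1021",     True),
}

def attack_coverage(rules, relevant):
    """Percent of relevant techniques with a validated detection, plus the two kinds of gap."""
    validated = {t for t, ok in rules.values() if ok} & relevant
    mapped_only = ({t for t, ok in rules.values() if not ok} & relevant) - validated
    uncovered = relevant - validated - mapped_only
    return round(100 * len(validated) / len(relevant), 1), sorted(mapped_only), sorted(uncovered)
```

Only purple-team-validated rules count toward the coverage figure; a rule that merely claims a technique is reported separately so it cannot inflate the number.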
The Norwegian regulatory reality
NIS2, which Norway is implementing through updates to existing security legislation, establishes binding cybersecurity requirements for operators of essential services and important entities. It mandates appropriate technical and organisational measures, incident detection and reporting capability, and documented monitoring processes. A 24-hour initial incident reporting obligation is not achievable without continuous monitoring. The Norwegian National Security Authority (NSM) Basic Principles for ICT Security align closely with SOC operational functions on logging, monitoring, and response.
Beyond compliance, Norway's energy, maritime, and defence industrial base is a priority target for both state-sponsored actors and financially motivated criminals. Continuous security monitoring is not a compliance checkbox for Norwegian organisations. It is an operational necessity.
Taking the next step
The honest starting question is not "what does a SOC cost". It is "how long would it realistically take our current setup to detect an AI-driven intrusion in our environment". If the answer is measured in anything longer than minutes, the gap needs closing.
ZeroSubnet operates a dedicated Security Operations Center staffed by experienced Norwegian analysts, providing continuous monitoring, detection and response services across Norway and the broader Nordic region. Our SOC combines modern SIEM, EDR and SOAR tooling with deep expertise in the Norwegian threat landscape and the AI-driven attack patterns emerging through 2026. All client data is processed and stored in Norway. Contact us if you want to close the speed gap on your terms, before an adversary closes it on theirs.