Everyone has an opinion on AI in security. Most of those opinions come from people who either read a vendor whitepaper or did a 20-minute demo. Here’s what I actually use day-to-day as a 23-year-old working in a SOC.
The Short Answer
Not everything. The hype is real but so is the noise. Some tools have genuinely changed how I work. Others are dressed-up autocomplete that I stopped using after a week.
What I Actually Use
Microsoft Copilot for Security
I was sceptical. Microsoft’s track record with AI products has been… uneven. But Copilot for Security has earned its place in my workflow, specifically for two things:
Incident summarisation. When a Sentinel incident comes in with 40 related alerts, having Copilot pull a coherent narrative out of the noise saves real time. It’s not perfect — it occasionally misses context or over-weights certain signals — but it gets me oriented faster than reading alert-by-alert.
KQL generation. I know KQL well enough to write basic queries. Copilot handles the ones where I’d otherwise spend 10 minutes looking up the exact syntax for a join across DeviceNetworkEvents and IdentityLogonEvents. It’s a force multiplier for the queries I’d write anyway, not a replacement for understanding the data.
What it doesn’t do well: novel threat hunting. It’s good at helping you dig into known patterns, not discovering ones that aren’t already in its training data.
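As an added illustration of the kind of query the KQL paragraph above refers to (this is example code written for this page, not Copilot output and not from the author's workflow), here is a join across DeviceNetworkEvents and IdentityLogonEvents that correlates repeated identity logon failures with outbound network connections made by the same account shortly afterwards. Column names follow the Defender XDR advanced-hunting schema; the 1-day lookback, 10-minute window and 5-failure threshold are assumptions to tune per environment.

```kql
// Added example: correlate identity logon failures with outbound network
// connections from the same account within a short window afterwards.
// Assumptions: lookback, window and failure threshold are placeholders.
let lookback = 1d;
let window = 10m;
let failed = IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(AccountUpn)
    | extend AccountUpn = tolower(AccountUpn)
    | summarize Failures = count(), LastFail = max(Timestamp) by AccountUpn
    | where Failures >= 5;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where isnotempty(InitiatingProcessAccountUpn)
| extend AccountUpn = tolower(InitiatingProcessAccountUpn)
| join kind=inner failed on AccountUpn
// Keep only connections that happened after the last failure, inside the window
| where Timestamp between (LastFail .. (LastFail + window))
| project Timestamp, AccountUpn, DeviceName, InitiatingProcessFileName,
          RemoteIP, RemotePort, Failures, LastFail
| order by Timestamp desc
```

The point of normalising both UPNs with tolower() before the join is that the two tables are populated by different sensors (identity versus endpoint) and do not always agree on case; without it the join silently drops matches, which is exactly the kind of syntax-adjacent detail that costs the 10 minutes the paragraph describes.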
GitHub Copilot
I use this for scripting work — PowerShell, Python, a bit of Terraform. The autocomplete is useful for boilerplate. The “explain this code” feature has saved me time when I’m looking at someone else’s tooling and need to understand it quickly.
Caveat: it confidently produces wrong code sometimes. You need enough knowledge to catch the mistakes. Don’t use it as a substitute for learning.
Claude (Anthropic)
For longer-form reasoning tasks. When I’m trying to think through an attack path, draft a detection rule and reason about why an adversary might evade it, or write up a post-incident review, Claude handles the back-and-forth better than the chat interfaces built into security tooling.
I also use it for first drafts of documentation and security policies. Still needs editing, but going from “start from scratch” to “edit a draft” is a significant time reduction.
What I Tried and Stopped Using
- Security-specific AI chat tools built into SIEMs: too constrained, too slow, not worth the context-switching
- AI-generated threat reports: useful for background reading, not for anything you’d act on without verification
- Automated playbook generation: the output needed so much rework it was faster to write from scratch
The Honest Take
AI hasn’t replaced any part of my job. It’s reduced the friction on tasks I was already doing. The people talking about 10x productivity gains are mostly selling something. The people saying it’s useless haven’t spent enough time figuring out where it actually fits.
Start with the specific problems that slow you down and work backwards to the tools, not the other way round.