Year in Review: The Most Impactful SOC Lessons From 2025
SOC leaders reflect on the lessons that defined 2025, including behavioral detection, AI’s real role, analyst burnout, and modern security operations.
January 7, 2026

As 2025 came to a close, many security teams took stock of a year defined by pressure. Threats moved faster, attackers leaned harder into social engineering, and assumptions that once felt safe no longer held up under real-world conditions.
Across the second season of SOC Unlocked: Tales from the Cybersecurity Frontline, SOC leaders, practitioners, and security executives reflected on what the year actually demanded of them. They didn’t dwell on what should have worked; they focused on what did. Their stories were shaped by real incidents, real trade-offs, and real people trying to keep organizations running in the face of fast-moving threats.
Looking back, what emerged wasn’t a checklist or a trend report. It was a set of lessons shaped by experience, ones the modern SOC can no longer afford to ignore.
These are the lessons that defined 2025.
1. The SOC Is a Talent Engine, Not Just a Response Center
One of the most consistent insights from SOC leaders was a shift in how they viewed the SOC’s role inside the organization. Instead of treating it as a temporary stop or an entry-level proving ground, the most effective teams treated the SOC as the foundation of their security program.
Patricia Titus, Field CISO at Abnormal AI, reminded us that there is no “right” path into cybersecurity—and no substitute for lived experience. She reflected on her own unconventional journey and the importance of asking for responsibility early. “I think we don’t ask enough for what we want in this field,” she said, recalling how her career accelerated by stepping into roles before they were clearly defined.
That same mindset showed up repeatedly across the season. SOCs weren’t treated as entry-level churn zones by the strongest organizations. They were treated as training grounds—places where people learn how attacks really unfold.
As Titus put it plainly, “Cybersecurity careers often follow non-linear paths.” And in 2025, the SOC proved to be the most effective place to build those paths—by exposing analysts to real attacker behavior, real incidents, and real decision-making pressure.
2. Automation Works When It Supports Analysts, Not Replaces Them
Automation was everywhere in 2025. But trust in automation was not. Across SOC Unlocked, teams repeatedly shared stories of response workflows that technically worked—but failed operationally because they removed context too early.
Lisa Tetrault, SVP of Security Services at Arctic Wolf, cautioned against runaway expectations. “Let’s not get ahead of our skis. AI is a fantastic tool, but it’s not replacing humans anytime soon. We still need that human overlay for the things machines aren’t great at yet.”
Automation worked best when it handled the mechanics—data collection, enrichment, correlation—while humans handled interpretation and decision-making. SOCs that tried to automate judgment without context struggled. SOCs that used AI to remove friction thrived.
Steven Dumolt, Senior Security Engineer at Veeva, summarized it from the practitioner’s seat: “Data collection should always be automated. But when it comes to making decisions, that’s still a human call.”
This year didn’t prove that AI could run the SOC. It proved that analysts who understand how to use AI effectively are now indispensable.
3. Social Engineering Became the Primary Battleground
From MFA fatigue and help desk manipulation to deepfake interviews and vendor impersonation, social engineering dominated nearly every serious incident discussed in 2025. Lisa Tetrault captured this shift: “The strongest attacks today don’t break technology, they manipulate trust.”
That forced SOCs to rethink what “front line” meant. Email, collaboration tools, identity workflows, and even hiring processes became active attack surfaces. Detection had to expand beyond malware and signatures to include behavioral anomalies and context.
As Ethical Hacker FC warned, “Trust is the biggest vulnerability in both physical and digital security.” You can’t patch trust, but you can detect when it’s being abused.
4. Burnout Created a Security Risk
Several guests spoke candidly about analyst burnout, and none treated it as a soft issue.
Tetrault described burnout as an operational failure, not a personal one. “Culture isn’t an Easy-Bake Oven. You can’t just do it once and you’re done. You have to lean in, every single day.”
High-performing SOCs in 2025 redesigned work itself. They rotated analysts across tools and roles. They invested in training and internal certification. They celebrated wins publicly and created space for learning—not just alert closure.
Dumolt reinforced the point from experience: “We fight alert fatigue by giving analysts freedom to explore different areas. No one is stuck managing just one tool forever.”
5. Behavioral Detection Emerged as the SOC’s Greatest Superpower
Despite years of emphasis on prevention, 2025 brought SOC leaders back to the familiar truth that detection is non-negotiable.
The SOCs that held up under pressure weren’t chasing signatures or relying on out-of-the-box detections. They focused instead on deeply understanding their own environments—how users authenticate, how identities move, and how everyday workflows normally unfold.
As Piotr Wojtyla, Head of Threat Intel & Platform, explained, “Understanding the normal behavior of our users and what constitutes abnormal behavior within our organization is really where the strengths start to come into place.” When that baseline was clear, subtle deviations surfaced quickly, often before an incident fully materialized.
Wojtyla also warned against uniformity. “Every fingerprint for an organization is uniquely different,” he said, underscoring why detections copied wholesale or left generic fail over time. If your detections look like everyone else’s, attackers already know how to move around them.
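As an added illustration of the baseline-first approach Wojtyla describes (example code written for this post, not from any guest’s tooling), the snippet below builds a per-user profile of countries, devices and login hours from constructed sample events, then scores new logins by how many ways they depart from that user’s own baseline. The log format, the one-hour tolerance and the two-deviation threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample login events (not from the page): user,hour_utc,country,device,result
HISTORY = """
alice,09,US,laptop-a1,success
alice,14,US,laptop-a1,success
alice,17,US,phone-a2,success
bob,08,DE,laptop-b1,success
bob,13,DE,laptop-b1,success
bob,02,RO,unknown-x9,failure
""".strip().splitlines()

def parse(line):
    user, hour, country, device, result = line.split(",")
    return {"user": user, "hour": int(hour), "country": country,
            "device": device, "result": result}

def build_baseline(lines):
    """Per-user profile of 'normal': countries, devices and hours seen in successful logins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue  # failed attempts must not teach the baseline what normal is
        p = base[ev["user"]]
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].add(ev["hour"])
    return base

def score_event(line, base):
    """Return the deviations of one event from its user's own baseline (empty = normal)."""
    ev = parse(line)
    p = base.get(ev["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if ev["country"] not in p["countries"]:
        reasons.append("new country " + ev["country"])
    if ev["device"] not in p["devices"]:
        reasons.append("new device " + ev["device"])
    # tolerate +/-1h around hours seen in the baseline before calling it off-hours
    if not any(abs(ev["hour"] - h) <= 1 for h in p["hours"]):
        reasons.append("off-hours login at %02d:00 UTC" % ev["hour"])
    return reasons

def triage(lines, base, threshold=2):
    """Surface events with at least `threshold` deviations for an analyst to review."""
    return [(parse(l)["user"], r) for l in lines
            for r in [score_event(l, base)] if len(r) >= threshold]
```

Because the profile is built from each organization’s own successful logins, the same code yields a different “fingerprint” per environment, which is the point Wojtyla makes about generic detections.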
What 2025 Made Clear About the Modern SOC
The SOC is no longer a place where alerts pile up and incidents quietly close. It’s where talent is developed, trust is tested, and modern defense takes shape in real time. As attacks continue to target humans, not just infrastructure, the SOCs that thrive are the ones built to understand behavior, context, and intent, not just payloads and signatures.
As one SOC Unlocked guest put it, “Stay diligent, keep learning every day, and if you’re hesitant about AI—lean in. This isn’t going away.” The teams that embraced that mindset didn’t chase hype. They adapted thoughtfully, pairing human judgment with automation to stay ahead of change.
If we learned anything in 2025, it’s that the role of the SOC has fundamentally changed. It’s not just responding to incidents; it’s defining what modern security becomes next.
Tune in to SOC Unlocked for even more insights heading into the new year.