Automation: Scripts, SOAR and Agentic

  • saraguerra3
  • Jan 19

Entering the 3rd Generation of Automation in Security Operations

By Dinis Fernandes, Managing Director at CyberSafe · 17/12/2025



The speed at which artificial intelligence is evolving is profoundly changing the dynamics of cybersecurity. In recent years, automation—particularly through SOAR (Security Orchestration, Automation and Response) solutions—has helped reduce operational workload and standardise processes. However, the current threat landscape has made this model insufficient.


AI-powered attacks now operate at speeds up to one hundred times faster than traditional defence methods, exposing what has become the greatest vulnerability of modern organisations: the inability of human teams to keep pace with the speed of the threat. Static playbooks supported by SOAR tools no longer meet the level of adaptability required, making the transition to a more autonomous model inevitable.


We are therefore witnessing the beginning of the 3rd generation of automation in Security Operations, where AI Agents complement the playbooks of traditional SOAR solutions.

CyberSafe embarked on this journey 10 years ago with the 1st generation of automation, focused on the creation and maintenance of script-based playbooks, custom-developed for each organisation and environment. This approach required significant effort in both implementation and ongoing maintenance.


In 2021, we moved on to integrating SOAR solutions, such as Microsoft Sentinel / Logic Apps and, in particular, Palo Alto Networks Cortex XSOAR. CyberSafe became a national reference, delivering high-impact projects, including for a global services company and, nationally, for two of the largest energy companies, one of the biggest banks, two telecommunications operators, and a major private healthcare organisation, among others.


In this 2nd generation, organisations moved from building playbooks from scratch to configuring them. Templates, visual drag-and-drop creation, built-in integrations, and out-of-the-box automation actions accelerated deployment and significantly simplified maintenance.


CyberSafe’s approach—focused on process maturity, integration of heterogeneous ecosystems, and the ability to translate technology into operational value—has positioned us as a strategic partner in the modernisation of security operations.


Now, we take the leap into the 3rd generation with Cortex® AgentiX™. This solution leverages the extensive ecosystem of integrations and automation actions (2,000+) available in XSOAR, introducing AI Agents that coexist with human analysts.


On one hand, AgentiX™ enables the evolution of automation towards AI agents that autonomously perform incident detection and investigation, generating and executing response plans on the fly (instead of relying on static playbooks). On the other hand, human analysts remain in the loop: AI Agents operate autonomously on simple or well-defined tasks but require human validation for high-risk response actions, such as isolating critical systems or network segments.


While there are startups offering automation solutions based exclusively on AI Agents, we believe AgentiX™ presents a more balanced model, combining deterministic, precise playbook-based automation with the flexibility of Agentic AI, supported by guardrails that minimise risk.


The entry of AgentiX™ into the market marks a clear disruption. Autonomous agents dramatically reduce MTTD and MTTR, eliminate most manual tasks, and expand team capacity without increasing headcount. However, unlike agentic-first approaches that introduce autonomy without clear control mechanisms, AgentiX™ ensures transparency, limited and policy-aligned permissions, human supervision for critical actions, and full auditability.


We are currently living through a transformation in security operations, and CyberSafe assumes a strategic role: helping organisations integrate autonomy safely, ensuring that AI agents operate with the rigour, control, and predictability that have always characterised successful SOAR implementations.


Content co-produced by MediaNext and CyberSafe




 
 