Rebuilding the Middle — What Organizations and Individuals Must Do Before the Pipeline Runs Dry

TL;DR

Ehulse

~8 min read · April 20, 2026 (Updated: April 20, 2026) · Free: Yes

The first post diagnosed the problem: MSSP, MDR, and now AI have hollowed out the analyst development pipeline across three waves. This post is the prescription. Two tracks: what your organization must redesign, and what you as an individual must choose to do regardless of what your org decides.

The hollow middle didn't happen overnight. It happened one contract renewal at a time, one SOAR deployment at a time, one "we automated Tier 1" announcement at a time. Each decision made economic sense in isolation. Together, they gutted the training ground where senior analysts are made.

If you haven't read Part 1, the short version: the entry-level analyst role was eliminated by MSSP contracts in 2012, accelerated by MDR agreements in 2019, and AI is now positioned to finish the job, unless we design it differently. The expertise that built your senior analysts is leaving faster than you're replacing it. The pipeline is dry.

So now what?

There are two conversations here, one for organizations, one for individuals, and they run in parallel. Because the uncomfortable truth is that even if your organization gets this right, the system around you probably won't. And even if the system fails, individuals can still build something real inside it. Both paths matter. I'm giving you both.

For Organizations: Stop Optimizing for Throughput. Start Designing for Development.

Audit Your Automation Before You Add More

The first question isn't "what should we automate next." It's "what did our last automation actually produce?"

If you deployed SOAR three years ago to handle Tier 1 alert triage, here's what you need to measure: what percentage of your current junior analyst workflow requires them to learn something new? Not process a ticket. Not follow a playbook step-by-step. Actually reason through something ambiguous, form a hypothesis, and test it.

If that number is below 30%, you don't have a headcount problem. You have a development problem. And adding more automation, more AI-assisted triage, more auto-closed alerts, more "handled by the platform," will deepen it, not solve it.

Automation that eliminates all investigative volume doesn't free your analysts. It starves them.

Build Intentional Learning Gaps Into Your Automation

This is the most counterintuitive operational design decision most security leaders won't make, and the one that matters most.

Don't automate every Tier 1 case. Route a structured percentage of known-outcome cases to junior analysts as development reps. Cases where the verdict is already established, where the "answer key" exists. Let the analyst work the case, reach a conclusion, and then compare against the automated baseline.

This does two things simultaneously. It preserves investigative volume, the raw material of expertise development. And it creates a closed-loop feedback mechanism that accelerates pattern recognition in a way that no training course can replicate.

Think of it like flight simulation. The military doesn't replace all live flight training with simulators just because simulators exist. Simulators and live reps serve different functions. Automated verdicts and analyst-worked cases serve different functions too. Design for both.

A reasonable target: route 20–30% of closed, known-outcome cases to juniors as supervised development work. Track verdict accuracy over time. When accuracy consistently reaches a threshold, graduate the analyst to unsupervised complex cases. This is a development pipeline with measurable gates, not a vague hope that people will "grow into the role."

Redefine What Layer 2 Automation Looks Like

Here's the design principle most vendors won't tell you: the automation that's actually worth buying doesn't replace analyst judgment. It amplifies it.

Layer 1 automation, data retrieval, enrichment, log correlation, alert generation, is already saturated. Every vendor does this. It's commodity.

Layer 2 automation, pattern recognition, behavioral correlation, narrative synthesis across time, is where the real leverage lives. And the right design for Layer 2 isn't "the machine reaches the verdict." It's "the machine structures the evidence so the analyst can reach the verdict faster and with better information."

The difference is critical. One eliminates investigative reps. The other multiplies their quality.

When you evaluate new AI platforms, ask this question explicitly: does this tool replace the analyst's reasoning, or does it scaffold it? The platforms worth building on are the ones that treat the analyst as the decision authority and themselves as the intelligence layer underneath.

Measure the Pipeline, Not Just the Queue

Alert volume is not a security metric. Mean time to respond is not a security metric. These are throughput metrics. They tell you how fast you're moving. They tell you nothing about whether you're building the team that will handle the threat you haven't seen yet.

The metrics that actually map to long-term security posture include: analyst verdict accuracy over time, rate of hypothesis-driven investigation versus playbook-closed tickets, percentage of analysts progressing through defined development gates, and time from junior to mid-tier promotion with capability validation.

If none of those numbers live in your quarterly reviews, you're optimizing for the wrong thing. The queue will always clear. The question is who's left to handle the next one.

For Individuals: The Pipeline Is Broken. Build Anyway.

Here's what the organizational section can't tell you: your organization might not do any of this. Many won't. The economics of short-term automation ROI are too compelling, the budget cycles too short, and the leadership too focused on the metric that's easy to show in a board slide.

So here's the other track. The one you control.

Seek Investigative Volume Deliberately

If your environment has automated most of Tier 1, the reps you need aren't coming to you automatically. You have to go find them.

Volunteer for the cases the playbook doesn't cover. Ask to work the edge cases, the ones where the automated system flagged low confidence or produced an inconclusive result. These are the cases that didn't fit the pattern. They're also the cases that build pattern recognition faster than a hundred clean closures.

Every analyst I've seen accelerate their development, from junior to genuine threat hunter in compressed timelines, shared one trait. They were allergic to easy. They consistently chose the harder problem when they had the choice.

The reps are there. The automated system missed some of them. Go find what it missed.

Document Your Reasoning Before You Check the Answer

This is the discipline that separates analysts who develop from analysts who just close tickets.

Before you look at the enrichment, before you pull the threat intel, before you check what the platform recommended, write down your hypothesis. What do you think this is? What evidence would confirm it? What evidence would rule it out?

Then investigate. Then compare your reasoning against what you found.

This practice does something specific: it externalizes your thinking so you can examine it. You stop being a passive consumer of verdicts and start being an active reasoner who builds and tests models. Over time, the gap between your initial hypothesis and the final verdict narrows. That narrowing is expertise forming.

Most analysts never do this because the job incentivizes speed over reflection. Do it anyway. Even three minutes of written reasoning before you investigate will compound over thousands of cases into something the automation can't replicate: judgment.

Treat AI as a Sparring Partner, Not an Oracle

The analysts who will thrive in the AI-saturated SOC aren't the ones who learn to use AI tools most efficiently. They're the ones who learn to interrogate AI output most effectively.

When the AI tells you this is a credential stuffing attack, ask it what evidence would change that conclusion. When it gives you a confidence score, ask what assumptions are baked into that confidence. When its narrative doesn't match your intuition, push back and trace the reasoning gap.

This isn't skepticism for its own sake. It's calibration. You're building a working model of where AI reasoning is strong and where it's brittle, and that model is what makes you genuinely useful in the investigation loop. The analyst who can identify when the AI is wrong and correct it is an order of magnitude more valuable than the analyst who accepts what the system returns.

The AI doesn't know your environment the way you do. That local context, the anomalous user who's always anomalous, the server that always generates noisy logs, the legitimate admin tool that looks like lateral movement, lives in you. Don't outsource the judgment that depends on it.

Build T-Shaped Knowledge Deliberately

Breadth without depth makes you replaceable. Depth without breadth makes you a specialist who can't see the attack that crosses domains.

T-shaped knowledge, deep expertise in one area, working knowledge across the adjacent terrain, is the architecture that holds up. Pick one attack pattern, one threat actor category, one technique cluster and go deep. Read the research. Reproduce the TTPs in your lab. Build the detection. Understand the evasion.

Then stay curious about everything else. Read across threat intelligence reporting. Follow the incidents you weren't involved in. Talk to the analyst on the next shift about the case they're working.

The senior analysts who became irreplaceable didn't become irreplaceable by knowing a little about everything. They became irreplaceable because they went deep somewhere, and then used that depth to see further across the landscape than everyone else.

The Compounding Effect

Here's what the organizations that get this right will discover, and what the individuals who take this seriously will build:

Expertise compounds. Not linearly, exponentially. The analyst who develops solid pattern recognition in year two becomes the analyst who can mentor a junior in year three, who becomes the architect of better detection in year four, who becomes the person who can look at the AI's output and know, not guess, know, whether it's right.

That person can't be replaced by a platform. They can't be outsourced to an MSSP. They can't be substituted by a better algorithm.

They are the algorithm. Trained on real cases, validated by real outcomes, calibrated by years of feedback that no vendor can package and sell.

The hollow middle happened because we stopped building those people. We automated their training ground and wondered why the bench went empty.

The way out is the same as the way back in: design for development. Protect the pipeline. Give analysts the investigative volume they need to become the people you can't replace.

The tools will keep improving. The threat landscape will keep evolving. The only sustainable edge is a team that gets sharper faster than both.

If you're building or rebuilding a SOC, two questions worth asking before your next platform purchase: Does this tool develop your analysts or replace them? And when your best person leaves in three years, will the analyst behind them be ready?

If you're an individual analyst navigating a world where the automation is coming regardless: seek the hard cases. Document your reasoning. Argue with the AI. Go deep somewhere. The expertise you build now is yours. It moves with you.

#ai #security #information-security

< Go to the original