Beyond Alert Fatigue: What European SOCs Actually Struggle With
2026-3-31 03:28:15 Author: securityboulevard.com

Most of the data we consume as an industry (benchmarks, surveys, vendor reports) comes from a very specific lens. A U.S.-centric one. Every time you check the demographics section of a survey-based report (if it even exists), you’ll notice that between 80 and 90% of participants are from the United States.

While those insights might be valuable, they are biased and don’t reflect the realities that practitioners from other regions experience. We all know that Europe is not North America: it has different constraints, different priorities, and a more restrictive regulatory environment.

This is the reason I decided to launch BridgerWise Research: to produce grounded, experience-driven research that considers the local realities outside the US, starting with Europe.

The goal is to generate insights that help practitioners benchmark themselves with the right peers, and help the cybersecurity community to better understand what’s really happening on the ground, without needing to follow recycled narratives from other parts of the world.

Our first publication — AI in the SOC: European Practitioner Survey 2026 — is a first step in that direction. It’s based on responses from over 50 validated European Security Operations professionals.

That number may seem modest, but it’s actually more representative of European operational realities than many “global” reports where Europe accounts for a very small fraction of the overall sample.

For instance, one recent industry report covering AI in Security Operations that I reviewed, which was one of the final motivations to launch BridgerWise Research, surveyed 282 respondents, with 85% based in North America and only 13% across all of EMEA. When you do the math, that European sample is smaller than ours.

When findings from those datasets are presented as universal truths, it’s worth asking: universal for whom?

Let’s get into what our data actually says.

If there’s one phrase that dominates SOC discussions today, it’s alert fatigue. The story goes: SOC teams are drowning in alerts, analysts are burned out, and everything flows from that single chokepoint.

Our data shows there are more layers to that storyline.

Alert volume is real, but it’s not the primary problem European SOCs are concerned about. When we asked regional practitioners to rank their top operational challenges, high alert volume and fatigue came in fourth, cited by 28% of respondents. That’s meaningful, but it’s far from the defining issue the dominant narrative would suggest.

What ranked above it? Tool fragmentation and context switching came first. Too many false positives came second. Insufficient automation came third.

This is quite a different picture from the one we read everywhere. The problem isn’t just the number of alerts; it is the workflow required to deal with them.

Analysts are changing tools and contexts all the time in order to investigate alerts and respond to incidents. They are switching between the SIEM and its query languages, the SOAR, EDR, Cloud and Identity platforms, threat intelligence platforms and ticketing systems for their investigations.

That constant, inefficient context switching increases investigation time, reduces analyst focus, and makes it difficult to scale operations without adding headcount and specialization.

One respondent put it plainly: “Everyone is talking about reducing alerts (fatigue), but with AI we should be able to turn up the noise, while the SOC evolves into a more strategic role.”

Other research positions this primarily as an overload problem; our European data suggests the why is different. It’s not that analysts can’t keep up with the quantity, it’s that the workflows don’t scale.

When we asked practitioners where AI would deliver the most value, the answers were remarkably consistent: automated alert triage and prioritization (64%), investigation assistance and root-cause analysis (54%), and playbook automation and response orchestration (44%).

These are not aspirational use cases. They map directly onto the pain points teams are already experiencing: reduce the time spent on out-of-the-box and low-quality detections, automate the repetitive Tier-1 work, speed up investigations when context switching is the bottleneck.

Despite the growing interest, AI adoption remains uneven. Around 24% of respondents report using AI-driven alert triage today, yet many of those teams still struggle with false positives and operational overhead.

Even teams that have deployed SOAR-driven automated playbooks are just as likely to report insufficient automation as a challenge as those without a SOAR at all.

The scope of the automation and AI usage is very important, considering the vast majority of the respondents don’t have dedicated threat hunters that can do unstructured investigations to find hidden threats.

AI is a technology that SOCs want to adopt. They are just not sure yet where.

There are also meaningful differences between enterprise SOCs and MSSPs. Enterprise teams are more focused on detection engineering, investigation assistance, and rule tuning. MSSPs are prioritizing scalable workflows, report and ticket generation, and false-positive reduction. This makes sense given their need to manage multiple client environments efficiently. These aren’t just preferences; they reflect fundamentally different operational pressures.

Here’s where the European context becomes genuinely differentiating, and where a U.S.-focused research lens consistently falls short.

Regulatory requirements are not a side topic for European SOCs. They are a core operational constraint.

Frameworks like NIS2, DORA and the AI Act have a real impact on Security Operations processes and workflows, and this shapes how they think about AI adoption.

When we asked practitioners which compliance challenges concern them most when deploying AI in the SOC, the answers were clear and consistent:

  • Explainability and auditability of AI decisions: cited by 2 out of 3 respondents as a top concern. For enterprise SOCs, this number climbs to 73%.

  • Liability for automated actions: highlighted by roughly half of all respondents.

  • Data residency and sovereignty: the primary challenge for MSSPs, cited by more than half of MSSP respondents, reflecting the cross-border complexity of managing multiple client environments. With many AI SOC tools being available only in the cloud, they need to find other alternatives.

  • Third-party and supply chain risk from AI vendors: flagged by around half of both enterprises and MSSPs.

It is worth noting that the survey gave participants the option to select that they have no compliance concerns and feel well-prepared. Not a single respondent chose that option.

One practitioner captured the operational reality precisely: “EU regulations like NIS2 and DORA drive my SOC strategy by mandating ultra-fast incident reporting (e.g., DORA’s 4-hour initial alerts vs. NIS2’s 24 hours) and rigorous third-party risk management, forcing automated detection, real-time logging, and supply chain audits as core priorities. The AI Act further requires explainable AI triage for high-risk detections to ensure compliance during automated Tier-1 handling.”

This creates a dynamic that rarely shows up in North American research: European regulation plays a dual role in AI adoption. For MSSPs, stricter reporting requirements and the operational pressure to scale without headcount are actively accelerating AI adoption, with more than 40% of MSSP respondents citing EU regulations as a driver. At the same time, 1 in 4 respondents points to regulatory uncertainty (particularly around the AI Act and AI governance frameworks) as a barrier that is slowing or preventing AI deployment. The same regulatory environment both pushes and constrains.

This is a real and significant challenge that is usually not reflected in any research built primarily from a North American sample.

The broader pattern that emerges from the data is this: AI adoption in European security operations is being driven by a need to make operations more efficient and scalable, not by technological enthusiasm.

Security teams are not looking for a particular tool, but for incremental friction reduction: platforms that can remove the need to switch context, reduce the noise from false positives, and allow Tier-1 work to be more effective without proportionally increasing headcount.

AI is emerging as, and is expected to become, a layer that makes those processes more manageable.

There’s a benefit the data hints at that I think deserves attention: proactive threat hunting. Today, less than one third of European SOC teams have dedicated threat hunters, and in enterprise environments that number drops to 18%. In most cases, hunting is an activity shared among analysts who are already stretched thin across other responsibilities.

Roughly one in four organizations plans to shift toward more proactive threat hunting in the next 12-24 months, but capacity is a bottleneck for them. The teams are fully absorbed by other tasks, and simply don’t have the operational headroom to hunt proactively.

This is where the AI investment story becomes more interesting than it first appears. If AI-driven triage genuinely reduces the manual burden on analysts (fewer context switches, less time on low-quality alerts, faster investigations), it doesn’t just improve the metrics SOC teams already track. It frees up the time and cognitive bandwidth to move from reactive alert handling toward proactive detection. Threat hunting, detection engineering, security analytics: these are the capabilities that make a SOC genuinely harder for adversaries to operate against. Right now, they’re aspirational for most teams. As automation matures, they can become achievable.

And at the same time, those teams are increasingly operating under regulatory frameworks that require any AI introduced into the SOC to be explainable, auditable, and defensible. That’s a very different design constraint than what North American vendors are typically building toward.

Looking ahead, 82% of respondents expect AI usage in their SOC to increase over the next 12 months, with 32% expecting a significant increase. But the path forward looks more like gradual embedding into core workflows than a complete transformation. Fully autonomous operations remain rare. Trust, accountability, and integration complexity are still real barriers. The SOC is entering a new phase, but it’s doing so carefully.

The above are just a few findings from our research. The full report covers more topics that are worth reviewing for SOC leaders and practitioners.

If I had to choose one way to describe the theme we uncovered, it would be this: the future of the SOC in Europe is not blocked by alert volume or fatigue. It’s limited by operational design and regulatory complexity.

European security teams are dealing with fragmented tooling, inefficient workflows, high false positive rates, and a compliance environment that adds meaningful governance requirements to every AI decision. That combination is specific and real. And it’s largely invisible in research produced from a predominantly North American lens.

That’s the problem BridgerWise Research was built to address.

As I’ve said, these are just some data points from our first report. There’s a lot more to explore, with a different, grounded, local perspective, and that is our goal.

I invite you to check the full report and I’d genuinely like to hear what resonates with you, and what you’d want to see explored next.

Because if there’s one thing this research confirmed, it’s that we need more European voices in the data.

*** This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/state-of-ai-in-europe-soc-secops


Source: https://securityboulevard.com/2026/03/beyond-alert-fatigue-what-european-socs-actually-struggle-with/