SOC in Southeast Asia in Critical Condition
SOC (Security Operations Center) teams in Southeast Asia are under extraordinary pressure. According to a report from Indonesia's BSSN (National Cyber and Crypto Agency), 3.64 billion cyberattacks or anomalous traffic events were recorded in Q1 and Q2 of 2025, with malware accounting for more than 83% of them.
Indonesia is not alone: cyberattacks across the ASEAN region rose by around 56%, while Singapore saw a 21% increase in incidents, a 67% increase in infected infrastructure, and a fourfold increase in APT attacks since 2021. This forces SOC teams to stay on constant alert against an ever-growing volume of threats.
This surge in attacks comes at a time when many organizations lack cybersecurity talent. The 2025 ISC2 Cybersecurity Workforce Study, which surveyed 16,029 security professionals, found that 88% of organizations feel the real impact of the skills shortage, and 59% report that their skills gap is already critical.
ISC2 also notes that this pressure has left many professionals exhausted and overwhelmed by their workload, which in turn raises the risk of alert fatigue and missed incidents.
For the past two decades, SOC teams have relied on SIEM (Security Information and Event Management) as the backbone of their security operations. But with 3.64 billion attacks reported in the first half of 2025 alone, classic SIEM architecture is being pushed to its limits: it must be performant, fast, and still operable by teams that are already understaffed.
This is where the move from classic SIEM to an Agentic SOC becomes urgent: a more autonomous SOC that takes over repetitive tasks and lets analysts focus on strategic decisions.

Understanding Classic SIEM vs. Agentic SOC
What is Classic SIEM?
Classic SIEM is a system that collects, normalizes, and correlates logs from various sources and detects threats based on predefined (rule-based) correlation rules.
Key Characteristics:
- Rule-based detection: Security event detection relies on predefined correlation rules and signatures.
- Static correlation logic: Detection rules are fixed and must be updated manually to address new threats.
- Alert-centric workflow: SOC operations are driven by alerts, not by security outcomes.
- Human-in-the-loop: Security analysts play a direct role in incident investigation, validation, and response.
- Manual alert triage: Sorting and prioritizing alerts is done manually by analysts.
- Static playbook-based response: Incident handling follows a predefined playbook.
- Limited context: Data correlation is dominated by logs, with limited cross-domain context.
- Reactive security posture: Security actions are taken only after alerts or incidents are detected.
Examples of platforms: Splunk, IBM QRadar, Elastic Security, Wazuh, etc.
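To make the classic SIEM pipeline concrete (collect, normalize, correlate, alert), here is a toy rule-based correlation step. This is an added example written for this article; it is not code from any of the platforms listed above. The log lines, field layout, threshold (5 failures) and window (60 seconds) are all constructed for illustration. The second source in the sample deliberately spreads its failed logins over 25 minutes, which a fixed-window rule like this one never catches; that is the "static correlation logic" limitation in one line of output.

```python
"""Toy classic-SIEM correlation: normalize raw log lines, apply one static
rule, emit alerts. Added illustration, not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like key=value format.
SAMPLE_LOGS = """\
2025-03-01T10:00:01Z sshd host=web01 event=auth_fail user=root src=203.0.113.7
2025-03-01T10:00:04Z sshd host=web01 event=auth_fail user=root src=203.0.113.7
2025-03-01T10:00:07Z sshd host=web01 event=auth_fail user=admin src=203.0.113.7
2025-03-01T10:00:10Z sshd host=web01 event=auth_fail user=admin src=203.0.113.7
2025-03-01T10:00:13Z sshd host=web01 event=auth_fail user=deploy src=203.0.113.7
2025-03-01T10:00:20Z sshd host=web01 event=auth_ok user=deploy src=203.0.113.7
2025-03-01T10:05:00Z sshd host=db01 event=auth_fail user=root src=198.51.100.9
2025-03-01T10:30:00Z sshd host=db01 event=auth_fail user=root src=198.51.100.9
2025-03-01T10:31:00Z sshd host=db01 event=auth_ok user=root src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<prog>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def normalize(raw):
    """The 'normalize' stage: turn raw lines into dicts with a real timestamp."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real SIEM routes unparsed lines to a parse-failure bucket
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


# Static rule (constructed thresholds): >= FAIL_THRESHOLD failures from one source
# within WINDOW, followed by a successful login from that source.
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def brute_force_rule(events):
    """The 'correlate' stage: a fixed sliding-window rule keyed on source IP."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = []  # timestamps of failures still inside the window
        for e in evs:
            if e["event"] == "auth_fail":
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= WINDOW]
            elif e["event"] == "auth_ok":
                recent = [t for t in fails if e["ts"] - t <= WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append({
                        "rule": "ssh_bruteforce_success",
                        "src": src,
                        "host": e["host"],
                        "user": e["user"],
                        "failures": len(recent),
                        "ts": e["ts"],
                    })
                fails = []
    return alerts


def run(raw=SAMPLE_LOGS):
    """Full toy pipeline: normalize, then correlate. Returns the alert list."""
    return brute_force_rule(normalize(raw))


if __name__ == "__main__":
    for a in run():
        print(a)
```

Running it yields exactly one alert, for 203.0.113.7 against web01. The slow attempt from 198.51.100.9 against db01 (two failures 25 minutes apart, then success) produces nothing, because the rule's window and threshold are fixed; catching that pattern requires either a new hand-written rule or the behaviour-based detection described in the next section.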
What is Agentic SOC?
An Agentic SOC is a security operations center that uses AI agents to detect, triage, and respond to threats autonomously, within the directives and parameters set by the organization.
Key Characteristics:
- Goal-driven workflow: Rather than simply handling alerts, security operations focus on achieving security goals and outcomes.
- Behaviour-based detection: Threats are identified through behavioral patterns and context analysis, not static rules.
- Human-on-the-loop: Analysts act as policy and decision supervisors without being involved in every technical execution.
- Automated triage: Incidents are automatically prioritized, aggregated, and enriched with context by AI agents.
- Proactive response: The system identifies and addresses threats before they cause significant impact.
- Outcome-centric SOC: The success of the SOC is measured by the security outcomes achieved, not the number of alerts handled.
Examples of Agentic SOCs: Google Agentic SOC, Palo Alto Cortex XSIAM, CrowdStrike, etc.
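The automated-triage and human-on-the-loop characteristics above are the part of an Agentic SOC that is easiest to show in code. The following is an added, simplified illustration written for this article, not code from Google, Palo Alto Networks, CrowdStrike, or any other vendor: it aggregates duplicate alerts, enriches them with asset and threat-intel context, scores them, and applies a policy that lets the system act alone only within bounded risk while escalating anything that touches a critical asset. The alerts, asset inventory, threat-intel list, score weights and thresholds are all constructed; a production agent would replace the hand-written scoring with a model and the static lookups with live CMDB, IAM and intel queries.

```python
"""Simplified Agentic-SOC triage stage: aggregate, enrich, score, decide.
Added illustration with constructed data; not any vendor's implementation."""
from collections import defaultdict

# Constructed raw alerts as a detector might emit them (note the duplicates).
RAW_ALERTS = [
    {"rule": "ssh_bruteforce_success", "src": "203.0.113.7", "host": "web01", "user": "deploy"},
    {"rule": "ssh_bruteforce_success", "src": "203.0.113.7", "host": "web01", "user": "deploy"},
    {"rule": "ssh_bruteforce_success", "src": "203.0.113.7", "host": "web01", "user": "deploy"},
    {"rule": "new_admin_account", "src": "10.0.5.20", "host": "dc01", "user": "svc_backup2"},
    {"rule": "port_scan", "src": "192.0.2.44", "host": "web02", "user": "-"},
]

# Constructed context sources (in practice: CMDB, IAM, threat-intel feeds).
ASSET_INVENTORY = {
    "web01": {"criticality": "medium", "internet_facing": True},
    "web02": {"criticality": "low", "internet_facing": True},
    "dc01": {"criticality": "critical", "internet_facing": False},
}
THREAT_INTEL_BAD_IPS = {"203.0.113.7"}
INTERNAL_NETS = ("10.",)

# Constructed weights; stand-in for a model's risk estimate.
RULE_BASE_SCORE = {"ssh_bruteforce_success": 60, "new_admin_account": 70, "port_scan": 20}
CRITICALITY_BONUS = {"critical": 30, "medium": 10, "low": 0, "unknown": 15}


def aggregate(alerts):
    """Collapse identical (rule, src, host, user) alerts into one with a count."""
    groups = defaultdict(int)
    for a in alerts:
        groups[(a["rule"], a["src"], a["host"], a["user"])] += 1
    return [{"rule": r, "src": s, "host": h, "user": u, "count": n}
            for (r, s, h, u), n in groups.items()]


def enrich(alert):
    """Attach asset criticality and source reputation (the 'context' step)."""
    alert["asset"] = ASSET_INVENTORY.get(
        alert["host"], {"criticality": "unknown", "internet_facing": False})
    alert["src_known_bad"] = alert["src"] in THREAT_INTEL_BAD_IPS
    alert["src_internal"] = alert["src"].startswith(INTERNAL_NETS)
    return alert


def score(alert):
    """Deterministic risk score in [0, 100] from rule, asset and source context."""
    s = RULE_BASE_SCORE.get(alert["rule"], 30)
    s += CRITICALITY_BONUS[alert["asset"]["criticality"]]
    if alert["src_known_bad"]:
        s += 20
    if alert["src_internal"] and alert["rule"] == "new_admin_account":
        s += 10  # privilege change from inside the network: likely stolen creds
    alert["score"] = min(s, 100)
    return alert


def decide(alert, auto_threshold=70, suppress_threshold=25):
    """Human-on-the-loop policy: act alone only where the blast radius is small."""
    if alert["score"] < suppress_threshold:
        alert["action"] = "suppress"
    elif alert["asset"]["criticality"] == "critical":
        alert["action"] = "escalate_to_analyst"  # never auto-act on crown jewels
    elif alert["score"] >= auto_threshold:
        alert["action"] = "auto_contain:block_src"
    else:
        alert["action"] = "queue_for_review"
    return alert


def triage(raw_alerts=RAW_ALERTS):
    """Run the whole stage and return alerts ordered by descending score."""
    result = [decide(score(enrich(a))) for a in aggregate(raw_alerts)]
    return sorted(result, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage():
        print(f'{a["score"]:3d} {a["action"]:24s} {a["rule"]} x{a["count"]} '
              f'on {a["host"]} from {a["src"]}')
```

Five raw alerts become three triaged items: the new admin account on the domain controller scores highest but is escalated rather than auto-remediated because the asset is critical; the brute-force success from a known-bad IP against a medium-criticality web host is contained automatically (three duplicates folded into one with a count); the port scan is suppressed as noise. The analyst sees one escalation instead of five alerts, which is the workload reduction the text describes.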
The following are the differences in data processing flows and decision-making mechanisms between classic SIEM and Agentic SOC.

When is Classic SIEM sufficient?
Based on data from ISACA and ISC2 (2025), classic SIEM remains a valid choice in the following conditions:
Classic SIEM is most appropriate when your organization operates in an environment that places a high priority on compliance and strict manual controls. If your company has a stable on-premise infrastructure with minimal cloud migration plans, classic SIEM provides the predictability that audit teams need. It suits organizations that already have a mature SOC team with experienced analysts who rely on proven playbooks and runbooks. With an alert volume below roughly 500 per day, your team can still triage manually without the risk of extreme fatigue. In short, classic SIEM is the choice if you need full transparency, where every detection decision must be traceable to a specific rule, and a more predictable total cost of ownership (TCO) without a major investment in a new platform.

Suitable for: Organizations with heavy compliance requirements (banking, healthcare, government), stable legacy environments, and established SOC teams.
When should you use Agentic SOC?
On the other hand, an Agentic SOC becomes an urgent necessity when your organization faces a scale of threats that human resources alone can no longer manage. If your team is overwhelmed by thousands to millions of events every day, this approach exists to counter alert fatigue and prevent analyst burnout, which often drives high turnover. An Agentic SOC is crucial for companies operating in complex multi-cloud or hybrid environments, where data is scattered across many integration points. If your organization has limited staff or difficulty recruiting experts, the technology closes that gap by automating repetitive processes and manual triage. Finally, an Agentic SOC is a must-have when your business demands very fast response, where mean time to respond and recover (MTTR) must be measured in minutes to limit the impact of an attack.

Suitable for: Organizations with high threat volumes, limited teams, complex cloud/hybrid environments, and fast response time requirements.
After understanding how classic SIEM and Agentic SOC work, how do you decide which one your organization should adopt, and when?
Zentara Labs summarizes this in a flow chart based on consistent patterns from several studies (SANS, ISACA, and ISC2) on alert volume, false positives, headcount limitations, and MTTR, so it can serve as a practical guide to whether your organization is still safe in the classic SIEM zone, whether it is time to add an AI-assisted SOC, or whether it is necessary to jump to a full Agentic SOC.

Zentara has also developed an Agentic SOC called SentinelIQ, which reduces the complexity of classic SIEM while meeting today's automation needs.
SentinelIQ offers:
- ZX: a dashboard that displays real-time security status, incident tracking, and direct communication with the SOC team.
- Odyssey: an AI assistant that answers your security questions in natural language and can provide recommendations.
Transform Your SOC Operations With Zentara’s AI-Powered SIEM
Modern security operations demand more than visibility—they require speed and intelligence. Whether you rely on a classic SIEM or are moving toward an Agentic SOC, Zentara’s AI-powered approach helps close the gap between detection and action. Discover how SentinelIQ can reduce alert fatigue, improve response time, and strengthen your security operations.
Contact Zentara today to get started.