Your best Tier-1 analyst is the one who already knows things the AI doesn’t.
She knows that the encoded PowerShell alert that fires every Tuesday at 2:14 AM on the backup server is a scheduled job that’s been running for seven months. She knows that the marketing team’s VPN connects from a different country every week because half the team is remote and they travel constantly. She knows that the finance department’s SAP server triggers a data exfiltration alert every quarter-end because the batch export job moves 8 GB of reports to the CFO’s SharePoint.
She knows all of this because she spent two years triaging the same alerts over and over, and somewhere along the way she stopped just closing tickets and started understanding the environment. That institutional knowledge, the kind that only comes from seeing thousands of alerts resolve in a specific environment, is exactly what AI agents need to work properly.
The irony is that the job that trained her is the job that’s going away.
The knowledge that matters most can’t be downloaded
When an organization deploys AI triage, the first thing that happens is that the AI makes mistakes that the experienced analyst would never make. It flags the Tuesday backup script. It scores the marketing VPN as a geographic anomaly. It treats the SAP quarterly export as data exfiltration.
These aren’t AI failures. They’re cold-start problems. The AI has the signatures, the threat intelligence, the MITRE mapping. What it doesn’t have is the accumulated judgment of someone who has lived inside this environment for two years.
A junior analyst looks at these alerts and investigates them. The senior analyst glances at them and closes them in three seconds. The difference between those two responses is the most valuable data in the SOC, and right now, most of it exists only in the heads of the people who are about to be told their job has been automated.
The organizations that understand this have a massive advantage. They take their best Tier-1 analyst, the one who closes known false positives in three seconds, and they put her in charge of teaching the AI to do what she does. That’s agent engineering.
What agent engineering actually looks like on a Wednesday
It’s not what you’d expect from the job title. There’s no machine learning research. No Jupyter notebooks. No neural network architecture diagrams.
It looks more like this. The AI flagged 14 alerts yesterday that the overnight analyst overrode as false positives. The agent engineer pulls up the override log. Three of them are the Tuesday backup script again, which means the behavioral exception she wrote last month isn’t catching the variant that runs on the secondary backup server. She updates the exception. Fixed.
Four of them are the same asset vulnerability scanner hitting a decommissioned subnet. She checks the asset inventory. The subnet was supposed to be decommissioned in Q3 but somebody left two VMs running. She writes a CSAM note to flag the VMs for shutdown and adds the subnet to the scanner exclusion list. The vulnerability alerts are real. The assets aren’t. Problem isn’t in the AI logic. Problem is in the asset data.
Seven of them are a new pattern she hasn’t seen before. A Salesforce integration is making API calls to an external analytics platform at unusual hours. The AI flagged it as suspicious outbound communication. She digs in. Turns out the sales team connected a new BI tool last week without telling IT. The API calls are legitimate but the integration was never registered. She writes a detection exception for the specific API endpoint, files a shadow IT report, and adds the integration to the known-applications list so the AI doesn’t flag it again.
That’s the job. It’s part security analyst, part platform administrator, part data curator, and part internal detective. The common thread is that every task requires knowing what’s normal in this environment, which is the thing the experienced analyst has and the AI doesn’t.
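What those three fixes look like in code, as an added example (not code from the original article or from any triage vendor): a small behavioral-exception engine that ranks the override log to surface repeat false-positive patterns, then closes them with suppressions scoped as tightly as the analyst’s knowledge allows. Every rule name, hostname, IP, subnet, endpoint and alert is constructed sample data, and the engine itself is a stand-in for whatever exception mechanism a real AI triage platform exposes.

```python
"""
Minimal behavioral-exception engine for AI-triage tuning (added example).
Ranks the overnight override log to see what the AI keeps getting wrong,
then encodes each repeat pattern as a narrowly scoped suppression.
All hostnames, IPs, endpoints and alerts below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Iterable


@dataclass
class Alert:
    rule: str                  # detection name, e.g. "encoded_powershell"
    host: str                  # asset the alert is about
    when: datetime
    process: str = ""          # decoded command line as the platform records it
    src_ip: str = ""           # source of the activity (scanner, client)
    dst: str = ""              # destination IP or endpoint for outbound alerts
    overridden: bool = False   # an analyst closed it as a false positive


@dataclass
class Suppression:
    name: str                          # recorded on every alert it closes
    matches: Callable[[Alert], bool]


def alert_at(rule: str, host: str, iso_when: str, **fields) -> Alert:
    """Build an alert from an ISO timestamp string (convenience for samples)."""
    return Alert(rule, host, datetime.fromisoformat(iso_when), **fields)


def scheduled_job(name, rule, hosts, process_fragment, weekday, start, end):
    """Known scheduled task: matches only its hosts, its script and its window."""
    hosts = frozenset(hosts)

    def match(a: Alert) -> bool:
        return (a.rule == rule and a.host in hosts
                and process_fragment in a.process
                and a.when.weekday() == weekday
                and start <= a.when.time() <= end)
    return Suppression(name, match)


def scanner_exclusion(name, scanner_ip, excluded_cidr):
    """Scanner hits from one known scanner against a subnet being retired."""
    net = ipaddress.ip_network(excluded_cidr)

    def match(a: Alert) -> bool:
        try:
            target = ipaddress.ip_address(a.dst)
        except ValueError:
            return False
        return a.rule == "vuln_scan" and a.src_ip == scanner_ip and target in net
    return Suppression(name, match)


def known_application(name, rule, host, endpoint):
    """Registered integration: one host talking to one endpoint, nothing broader."""
    def match(a: Alert) -> bool:
        return a.rule == rule and a.host == host and a.dst == endpoint
    return Suppression(name, match)


def override_patterns(alerts: Iterable[Alert]):
    """Rank overrides by (rule, source-or-host): one scanner hitting many
    targets is one pattern, not many."""
    return Counter((a.rule, a.src_ip or a.host)
                   for a in alerts if a.overridden).most_common()


def triage(alert: Alert, suppressions: list[Suppression]):
    """First matching suppression closes the alert and is recorded; else escalate."""
    for s in suppressions:
        if s.matches(alert):
            return "suppressed", s.name
    return "investigate", "no exception matched"


# Tuning set after Wednesday's fixes. Last month's version listed only bkp-01;
# the override log showed the same job on bkp-02, so the host set grows by one.
TUNED = [
    scheduled_job("tuesday-backup-export", "encoded_powershell",
                  {"bkp-01", "bkp-02"}, "Backup-Export.ps1",
                  weekday=1, start=time(2, 10), end=time(2, 20)),
    scanner_exclusion("decommissioned-subnet-q3", "10.0.5.20", "10.30.0.0/24"),
    known_application("sfdc-bi-integration", "outbound_api",
                      "sfdc-int-01", "analytics.example.com"),
]

# Constructed slice of the override log from Tuesday 2024-03-05 (14 overrides).
BACKUP_CMD = "powershell.exe -NoProfile -File C:\\Jobs\\Backup-Export.ps1"
OVERRIDE_LOG = (
    [alert_at("encoded_powershell", "bkp-02", "2024-03-05T02:14",
              process=BACKUP_CMD, overridden=True) for _ in range(3)]
    + [alert_at("vuln_scan", f"vm-{i}", "2024-03-05T11:00", src_ip="10.0.5.20",
                dst=f"10.30.0.{10 + i}", overridden=True) for i in range(4)]
    + [alert_at("outbound_api", "sfdc-int-01", "2024-03-05T23:40",
                dst="analytics.example.com", overridden=True) for _ in range(7)]
)


def retune_report():
    """Top override patterns, and how many of the 14 the tuned set still escalates."""
    patterns = override_patterns(OVERRIDE_LOG)
    remaining = [a for a in OVERRIDE_LOG if triage(a, TUNED)[0] == "investigate"]
    return patterns, len(remaining)


if __name__ == "__main__":
    print(retune_report())
```

The design choice worth noticing is how narrow each suppression is. The backup exception needs the right host, the right script name, Tuesday, and a ten-minute window; the same encoded PowerShell on the same host on a Wednesday, or a different script in the same window, still escalates. The scanner exclusion is tied to one scanner IP and one subnet, and the integration allowlist to one host and one endpoint. That is the judgment the analyst supplies: not “ignore this rule” but “ignore exactly this instance of it,” so the exception removes the known false positive without blinding the AI to the real thing.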
Why Tier-1 experience is the best preparation
There’s a common misconception that agent engineering requires a computer science background or data science skills. Some vendors and job descriptions reinforce this by asking for experience with Python, machine learning, or model training.
The actual prerequisite is simpler and harder to hire for. You need someone who has seen enough alerts in a specific environment to develop an instinct for what’s normal and what isn’t. That instinct is built through repetition, pattern recognition, and the slow accumulation of context that only happens when you’re in the trenches for a sustained period.
A data scientist can build a model. But they can’t tell the model that the Tuesday 2:14 AM PowerShell alert is a backup job, because they’ve never seen it. A software engineer can write the automation. But they can’t decide which alerts should be exceptions, because they don’t know the environment. The Tier-1 analyst who’s been closing these tickets for two years is the only person who has both the pattern recognition and the environmental knowledge.
This is why the transition from Tier-1 to agent engineer feels natural for the right analyst. The work changes. The underlying knowledge doesn’t. You’re still using everything you learned triaging 300 alerts a day. You’re just applying it to tune the system instead of processing the queue.
The training gap
The problem is that nobody tells the Tier-1 analyst this is where they’re headed.
Most SOCs deploy AI triage and then figure out the human side afterward. The analysts hear “we’re automating Tier 1” and assume they’re being replaced. The best ones start looking for other jobs immediately. The ones who stay feel uncertain and defensive about the new tools, which makes them reluctant to trust the AI, which makes them worse at the oversight role they’re being asked to fill.
The organizations that handle this well do two things. First, they name the new role before deploying the automation. “Agent engineer” or “detection tuner” or “AI operations analyst,” whatever the title is, it exists in the org chart before the AI platform goes live. The analyst knows where they’re going.
Second, they invest in the specific skills the role requires. Not a generic “AI for cybersecurity” course. Specific, practical training: how to read an AI reasoning chain and evaluate whether it’s correct. How to write a behavioral exception. How to query the investigation API. How to build a custom playbook. How to interpret the performance metrics on an AI agent.
The skills gap isn’t about AI knowledge. It’s about translating operational experience into system configuration. The analyst who spent two years learning what normal looks like in your environment already has the hard part. The tools part can be taught in weeks.
The multiplier effect
Here’s the math that should make this obvious to any SOC manager.
One experienced Tier-1 analyst, triaging manually, can investigate maybe 40 to 60 alerts per shift if they’re fast and the alerts aren’t complex. That’s their ceiling. They’ll never investigate more than that because there are only so many hours in a shift.
That same analyst, retrained as an agent engineer, writes behavioral exceptions and tuning rules that affect every alert the AI processes. If she fixes one false positive pattern that fires 30 times a day, she’s just saved 30 investigation cycles per day, permanently. If she writes five tuning rules in a month, she’s eliminated 150 daily false positive investigations. The AI handles the execution. She provides the judgment that makes the execution accurate.
That’s not a 2x improvement. It’s a structural change in how analyst effort converts to security outcomes. The bottleneck moves from “how many alerts can this human process” to “how well can this human teach the system.”
Your best Tier-1 analyst is the person best positioned to make that shift. Not because they have a degree in machine learning. Because they have two years of institutional knowledge about your environment that no vendor, no model, and no new hire can replicate. The question isn’t whether they’re ready. It’s whether you’re going to invest in the transition before they leave for somewhere that will.