What do the tokens in an AI SOC cost? We ran some numbers.
AI SOC is everywhere right now, but few people are talking about what it actually costs to run. We pulled data from our investigations to show you the real token economics, model comparisons, and what an AI agent does step-by-step when it picks up an alert.
tl;dr - About $2 per alert. AI SOC is one of the hottest buzzwords in security but has anyone else run the numbers on how many tokens they use and how much this costs?
Most AI SOCs function by taking alerts from your SIEM or other security tools, investigating them by correlating data between your different tools, and creating a write-up about the alert with a timeline, risk score, and conclusion about whether it’s a false positive or not. RunReveal has performed tens of thousands of AI SOC-driven investigations for our customers, with many different models, and we wanted to present some of the data.
In a traditional SOC your costs are mostly associated with:
- Technology: SIEM, SOAR, threat intel providers, etc.
- People: SOC analysts, training for analysts, professional services.
However, an AI SOC introduces a new factor: tokens. Instead of a traditional SOC where a large team of analysts investigates alerts, an AI SOC is mostly staffed by AI Agents that expend tokens and a small number of analysts who review their findings and work on follow-up activity.
Comparing and contrasting the costs of these things is hard to do, but counting the cost of tokens is relatively easy. This is not meant to be a scientific breakdown of OpenAI vs Anthropic, Claude 4.6 versus 4.7, etc.; it’s just data we pulled that will probably be useful for others’ estimates and mental models of how many tokens an AI SOC uses.
Token costs
RunReveal’s AI SOC Agent has a variety of tools at its disposal: it can access logs, run queries, interface with threat intel providers, save IOCs, etc. All of this functionality requires input and output tokens for an LLM to orchestrate.
Your security team might have different tools, agent harnesses, prompting, etc. In addition to those differences, each model has different costs associated with its input and output tokens. All this to say you might see different results, but our results have been fairly consistent across more than 50,000 SOC investigations and activities.

Looking at just a random cross section of recent Claude models, recent investigations, etc., you can see that the costs vary but the order of magnitude does not. You’re likely to pay between $1 and $3 per AI SOC investigation for Sonnet, and the larger more costly Opus models cost more.
My opinion is that I haven’t observed a major difference in efficacy between the larger Opus models and the cheaper Sonnet models, but that should be a blog post on its own.
It doesn’t take much more math to see that an AI Agent performing AI SOC capabilities is significantly more cost efficient than a human doing it. Investigating 100 complex alerts thoroughly might take $200 for an AI Agent and 1 hour, but it could take a human multiple days of work.
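To make the per-investigation arithmetic concrete, here is an added example (not RunReveal's code or data) that models how token spend accumulates across an agent's tool calls and flags cases that exceed a budget. It assumes a harness that resends the full conversation on every model call with no prompt caching; the model names, rates, and token counts are constructed placeholders, so substitute your provider's price sheet and your own usage logs.

```python
from dataclasses import dataclass

# Constructed placeholder rates: (input, output) USD per million tokens.
# These are NOT vendor prices; replace with your provider's price sheet.
RATES = {"small": (3.00, 15.00), "large": (15.00, 75.00)}

@dataclass
class Call:
    case_id: str
    model: str
    input_tokens: int
    output_tokens: int

def call_cost(c: Call) -> float:
    """USD cost of a single model call."""
    rate_in, rate_out = RATES[c.model]
    return (c.input_tokens * rate_in + c.output_tokens * rate_out) / 1_000_000

def simulate_investigation(case_id, model, base_prompt, tool_results, reply_tokens=400):
    """Model one investigation as a sequence of calls.

    Assumption: every call resends the whole context so far (prompt, earlier
    replies, earlier tool results), so input tokens grow with each step.
    tool_results lists the token size of each tool's output, in order.
    """
    calls, context = [], base_prompt
    for result_tokens in list(tool_results) + [0]:  # last call writes the case update
        calls.append(Call(case_id, model, context, reply_tokens))
        context += reply_tokens + result_tokens
    return calls

def cost_per_case(calls):
    """Sum call costs by case id."""
    totals = {}
    for c in calls:
        totals[c.case_id] = totals.get(c.case_id, 0.0) + call_cost(c)
    return totals

def over_budget(totals, budget_usd):
    """Case ids whose total spend exceeds the per-investigation budget."""
    return sorted(case for case, usd in totals.items() if usd > budget_usd)

def sample_totals():
    # Constructed sample: a 6,000-token prompt and three tool results
    # (alert fetch, log query, threat intel lookup), run on both rate tiers.
    steps = [3_000, 20_000, 8_000]
    calls = simulate_investigation("case-1", "small", 6_000, steps)
    calls += simulate_investigation("case-2", "large", 6_000, steps)
    return cost_per_case(calls)

if __name__ == "__main__":
    totals = sample_totals()
    for case, usd in totals.items():
        print(f"{case}: ${usd:.4f}")
    print("over $1.00 budget:", over_budget(totals, 1.00))
```

Large tool outputs early in an investigation are paid for again on every later call under this assumption, so trimming query results is usually the first place to look when a case runs over budget.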
What does the AI SOC agent actually do?
An AI SOC agent works by having a set of instructions, per-alert context, a defined set of tools, and an LLM that it can interact with, with the goal of completing the instructions in the prompt.
By default, our prompt more or less tells the agent to investigate the alert, correlate it with other log sources, and update the case with a few different artifacts (summary, false positive or not, timeline, etc).

The LLM chooses what steps to follow, what tools to invoke, and when it has satisfied the initial base prompt. RunReveal provides the harness around the agent, the capabilities to talk to inference providers, and the tools for the LLM to show its work.
Here’s a real example where you can see this in action. We received an alert from GuardDuty for Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed. When this occurred, RunReveal automatically spun up a new case in our case management tool and a new agent to work that case. In the following video you can see exactly the steps, the prompt, and the tools that the agent uses.
The steps are exactly what a human does, except it’s able to reason about and act on the individual steps significantly faster, completing the entire investigation in about 90 seconds.
- The agent fetches the alert, and checks the linked case.
- The agent looks for similar alerts, checks to see if the actor alan@runreveal.com had done anything else suspicious around this time.
- Examines what triggered the alert, and notes exactly what behavior had occurred to set off the GuardDuty alert.
- Updates the case with its findings, now that it has concluded that it’s a false positive.
You can’t replace all the humans
At $2 per alert, this technology is a massive benefit and massive detriment to our industry. However, there’s no going back and I believe all SOCs in the future will be leveraging AI for the bulk of the work.
SOC Analyst is one of the first “break into security” roles that so many in the security industry held. The SOC Analyst role was one of the few functioning parts of the security industry’s talent pipeline, and eroding this will only worsen the talent shortfalls in our industry.
There’s no hiding the fact that this technology has its benefits though. Detection & response programs are extremely difficult and cost intensive to build. Using AI to investigate, tune, and respond to your alerts makes standing up a functioning D&R program much more attainable, and with less of a need to outsource it.
At the end of the day, you can’t and shouldn’t replace your entire security team with AI Agents, and this is a microcosm of the broader AI changes in the labor market. This is still a new technology and we haven’t even scratched the surface of efficacy, quality, and how good these workflows will get as models and tooling improve. But the takeaway is simple: the economics already make sense, and they’re getting better fast. Tokens are just a new line item, one you can measure, budget, and optimize.