The patterns in the SOC were designed for human-led handoffs. But when agents are receiving the alerts, what changes?
Old world: Detection → alert → human triage → runbook → investigation → response. Humans are the reasoning engine. The detection's job is to surface a signal and hand it off. Runbooks are process documentation. Tuning is about managing human attention capacity and reducing noise so analysts don't burn out.
New world: Detection → alert → agent triage (context assembly, enrichment, reasoning) → human decision on escalation/response. Agents are the reasoning engine for tier-1 and tier-2. The detection's job is to provide structured, queryable context for agent reasoning. Runbooks become agent instructions. Tuning logic moves upstream into the detection itself, and the tolerance for noise changes entirely.
We have to flip our mental models and focus on context engineering for agents rather than determinism and hints for human analysts.
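The "new world" pipeline above, worked through as an added example that is not part of the original post: the detection emits a structured alert (entities, evidence, agent instructions) instead of a one-line message, a triage stage assembles and enriches context and reasons over it, and a human still makes the response decision. The log format, the user profiles, the VPN ASN list, the scoring weights and the escalation threshold are all constructed assumptions for illustration; the triage stage is a deterministic stand-in for an agent so the flow can run offline.

```python
"""Added example (not from the original post): a detection that emits
structured, queryable context, an agent-style triage stage that enriches
and reasons over it, and a human decision gate at the end.
Log lines, profiles, ASN lists, weights and thresholds are constructed."""
import json
from dataclasses import dataclass, field

# Constructed sample auth events as JSON lines (not from any real system).
SAMPLE_LOGS = """
{"ts": "2024-02-24T15:40:01Z", "user": "alice", "src_ip": "203.0.113.7", "asn": 64500, "result": "fail"}
{"ts": "2024-02-24T15:40:03Z", "user": "alice", "src_ip": "203.0.113.7", "asn": 64500, "result": "fail"}
{"ts": "2024-02-24T15:40:05Z", "user": "alice", "src_ip": "203.0.113.7", "asn": 64500, "result": "fail"}
{"ts": "2024-02-24T15:40:09Z", "user": "alice", "src_ip": "203.0.113.7", "asn": 64500, "result": "success"}
{"ts": "2024-02-24T15:41:00Z", "user": "bob", "src_ip": "198.51.100.4", "asn": 64496, "result": "fail"}
{"ts": "2024-02-24T15:41:30Z", "user": "bob", "src_ip": "198.51.100.4", "asn": 64496, "result": "success"}
""".strip()

# Constructed enrichment sources the triage stage queries (assumptions).
KNOWN_VPN_ASNS = {64496}
USER_PROFILE = {
    "alice": {"usual_asns": [64512], "privileged": True},
    "bob": {"usual_asns": [64496], "privileged": False},
}


@dataclass
class Alert:
    """Structured alert: context for reasoning, not just a signal to hand off."""
    rule: str
    entities: dict
    evidence: list
    agent_instructions: list      # the runbook, expressed as instructions
    context: dict = field(default_factory=dict)


def detect_success_after_failures(log_text, min_failures=3):
    """Detection: min_failures+ failed logins for a user followed by a
    success from the same source. Returns structured Alert objects."""
    events = [json.loads(line) for line in log_text.splitlines()]
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        fails = []
        for e in evs:
            if e["result"] == "fail":
                fails.append(e)
                continue
            if e["result"] == "success" and len(fails) >= min_failures:
                alerts.append(Alert(
                    rule="success_after_failed_logins",
                    entities={"user": user, "src_ip": e["src_ip"], "asn": e["asn"]},
                    evidence=fails + [e],
                    agent_instructions=[
                        "Compare the source ASN with the user's usual ASNs.",
                        "Check whether the user is privileged.",
                        "Recommend escalate or close, with reasons.",
                    ],
                ))
            fails = []        # a success (alerting or not) resets the streak
    return alerts


def agent_triage(alert):
    """Tier-1 triage: assemble context, enrich, reason, recommend.
    Deterministic scoring stands in for an agent's reasoning here."""
    user, asn = alert.entities["user"], alert.entities["asn"]
    profile = USER_PROFILE.get(user, {"usual_asns": [], "privileged": False})
    alert.context = {
        "asn_is_usual": asn in profile["usual_asns"],
        "asn_is_known_vpn": asn in KNOWN_VPN_ASNS,
        "privileged": profile["privileged"],
        "failure_count": sum(1 for e in alert.evidence if e["result"] == "fail"),
    }
    score, reasons = 0, []
    if not alert.context["asn_is_usual"]:
        score += 2; reasons.append(f"ASN {asn} is not a usual ASN for {user}")
    if alert.context["privileged"]:
        score += 2; reasons.append(f"{user} is a privileged account")
    if alert.context["asn_is_known_vpn"]:
        score -= 1; reasons.append("source ASN is a known corporate VPN")
    recommendation = "escalate" if score >= 3 else "close"   # constructed threshold
    return {"recommendation": recommendation, "score": score, "reasons": reasons}


def human_decision(triage, approve):
    """The human owns escalation/response; the triage output is advisory."""
    if triage["recommendation"] == "escalate":
        return "respond" if approve else "monitor"
    return "closed"


def run_pipeline(log_text):
    """Detection -> alert -> agent triage, returning (user, recommendation, score)."""
    results = []
    for alert in detect_success_after_failures(log_text):
        t = agent_triage(alert)
        results.append((alert.entities["user"], t["recommendation"], t["score"]))
    return results


if __name__ == "__main__":
    for alert in detect_success_after_failures(SAMPLE_LOGS):
        t = agent_triage(alert)
        print(alert.entities, alert.context, t, human_decision(t, approve=True))
```

Only alice's streak (three failures, then a success from an ASN she does not normally use, on a privileged account) produces an alert and an escalate recommendation; bob's single failure never clears the detection threshold, so nothing is handed to triage. The point of the structure is that every field the triage stage reasons over (`entities`, `evidence`, `context`) is queryable data produced by the detection itself rather than prose an analyst would have to re-derive.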
Feb 24 at 3:44 PM