Quick Answer. Model intuition is the cognitive skill SOC analysts need as agentic AI takes over Tier 1 and Tier 2 triage: the ability to recognize when an agent’s output feels right but is structurally wrong. CISOs investing in agentic SOC transformation should treat telling structural correctness from surface correctness as a teachable skill, not a competence analysts will pick up on the job, and should make agent decision boundaries first-class artifacts, authored with the same discipline as incident response playbooks.

An agent triages 200 alerts overnight and surfaces five for human review. The summaries are crisp. Each one references a real CVE, names a real vendor, and recommends a real mitigation. The analyst reads the top of the queue: a critical firewall flaw, actively exploited, with a vendor advisory link. The mitigation guidance says to restrict access to the management interface. Move it behind a jump host. Treat any exposed instance as potentially compromised. Reasonable, actionable, well-formed.

Except the vulnerability is not in the management interface. It is in the User-ID Authentication Portal, a PAN-OS feature designed to face untrusted users by definition. The mitigation that applies to a management plane (lock it down, restrict the network path) is not the mitigation that applies to a captive portal, which exists specifically to greet anonymous traffic. The right answer requires disabling response pages on internet-facing interfaces or, if the feature is not in use, disabling it entirely. An analyst who took the agent’s summary at face value would have shipped technically wrong guidance to defenders who needed to act that day.

This is a real example. It happened in our own pipeline last week with CVE-2026-0300. The agent’s output was surface-correct: it identified a real CVE, framed a real risk, and proposed a real-sounding mitigation. It was structurally wrong: the wrong component, the wrong mitigation, and the wrong mental model of where the attack surface lived. The analyst caught it because the analyst had read the PSIRT advisory directly and noticed the gap.

That kind of catch is what I have started calling model intuition. I introduced the term last week in a CSO Online piece by Neal Weinberg on reskilling the SOC for agentic AI. The definition I gave there is the working one: the ability to recognize when an agent’s output feels right but is structurally wrong. The rest of this piece is about why that skill is going to matter more than every technical retraining program CISOs are currently funding, and how to build it deliberately.

The Reframe

The Tier 1 and Tier 2 SOC analyst has always been a signal processor. Triage an alert, correlate against context, decide whether to escalate. The work is repetitive and pattern-matching-heavy, which is exactly why agentic systems are good at it. Several large security operations have already moved their L1 and L2 functions to agents. The CSO Online piece walks through DXC, Accenture, and Virgin Atlantic doing this at scale.

What changes is not the SOC’s purpose. It is where the human sits in the loop. Analysts do not stop working when agents handle triage; they relocate from inside the process to above it. They stop processing signals and start evaluating whether the system processing them is sound. That sounds like a small move. It is a complete reframing of the cognitive task.

A signal processor needs domain knowledge: protocols, vendor advisories, attacker tradecraft, the muscle memory to recognize a beacon by its timing. An evaluator needs all of that plus something extra: the ability to judge a piece of reasoning that arrives pre-packaged and confident. The agent does not say “here is what I noticed, what do you think?” The agent says “alert resolved, here is the summary, escalating only this one.” The analyst’s job is to figure out, in seconds, whether to trust that conclusion.

This is the part the field is underestimating. The agentic transition is not just about freeing analysts from drudgery. It is about asking them to make a different kind of judgment, on faster cycles, with less of the raw context they used to have at their fingertips.

Surface-Correct vs Structurally-Right

Model intuition is the ability to distinguish two properties of an output that look identical from the outside.

Surface-correct outputs match the expected shape of an answer. They reference real artifacts. They use the right vocabulary. They follow the format of a competent analyst’s report. If you read them as a person reads an email, scanning for plausibility, they pass. Most AI outputs are surface-correct, because the systems are trained to produce outputs that look like the answers in their training data.

Structurally-right outputs match the underlying mechanics of the problem. The reasoning chain holds. The mitigation actually addresses the vulnerability. The CVE actually affects the named component. The score actually represents the risk in this organization’s threat model. The corroboration actually comes from independent sources.

These are different properties. An output can be surface-correct and structurally wrong (the Palo Alto case above). It can be structurally right and surface-clumsy (rare, but real). It can be both, which is what every analyst hopes for and what no system delivers consistently.

The gap between these two properties is where model intuition operates. An analyst with model intuition can read a surface-correct output and notice that something underneath does not hold. Often, they cannot articulate the problem in the first beat. They sense it before they prove it. The articulation comes after they go look at the primary source.

Three Worked Examples

Three patterns I have seen this play out in, drawn from our own pipeline and from peers running agentic operations.

The wrong component. An agent summary names a real CVE and recommends mitigations that are right for a different component of the same product. The CVE-2026-0300 case above is one version. Another common one: vulnerabilities in vendor-shipped libraries that get described as if they were vulnerabilities in the vendor’s product, leading to mitigation advice that locks down the wrong layer. The structural test is whether the named mitigation actually closes the named attack surface. Often it does not, and the analyst has to read past the summary to find out.

The CVSS shortcut. An agent ranks a vulnerability second-tier because the CVSS score is 7.8 with a Local attack vector. The agent is right about the number: 7.8 Local is the textbook privilege-escalation score, High rather than Critical on the CVSS v3.x scale, and the attack vector is exactly why it is not a 9.8. The agent is wrong that the risk is second-tier for this organization, because the LPE chains trivially with the web-app RCE that has been sitting in a known-vulnerable internal service on the same host for six weeks. The CVSS base score is structurally a vendor-level statement about a single bug in isolation. It is not a statement about the organization’s exposure, which depends on the chain. An analyst who lets the score do the thinking will misprioritize.

The corroboration illusion. An agent surfaces a story as ALERT because “two independent outlets” reported it. The analyst checks. Both outlets cite the same vendor blog post. The corroboration is illusory; the structural test was source diversity, not outlet count, and the agent applied the wrong test. This is a particularly common failure mode for triage agents that consume RSS feeds, because most outlets republish the same wire copy with light editing. The analyst’s job is to read past the apparent corroboration and verify what is actually being said by whom.
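The structural test described above, source diversity rather than outlet count, is mechanical enough to automate. The following is an added example, not code from the original post or from any triage product, that follows each outlet's citations down to the documents they ultimately rest on and counts distinct root hosts. The corpus of articles and every URL in it are constructed placeholders, and the convention that an unindexed citation counts as a leaf is an assumption made here.

```python
# Added example (not from the original post): count independent primary
# sources behind a story by following citations to their roots, instead of
# counting outlets. All URLs below are constructed placeholders.
from urllib.parse import urlsplit

# Constructed corpus: article URL -> URLs the article cites as its basis.
# Outlets A and B only relay the vendor post (B actually cites A); outlet C
# also cites a CERT alert. Primary documents cite nothing further.
ARTICLES = {
    "https://news-a.example/firewall-bug": [
        "https://vendor.example/blog/advisory-123",
    ],
    "https://news-b.example/2026/firewall-flaw": [
        "https://www.news-a.example/firewall-bug/",
    ],
    "https://news-c.example/story": [
        "https://vendor.example/blog/advisory-123",
        "https://cert.example/alerts/aa26-001",
    ],
    "https://vendor.example/blog/advisory-123": [],
    "https://cert.example/alerts/aa26-001": [],
}


def canonical(url: str) -> str:
    """Normalise scheme, 'www.' and trailing slashes so reposts of one URL match."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")


def build_graph(articles: dict) -> dict:
    """Citation graph keyed by canonical URL."""
    return {canonical(u): {canonical(c) for c in cites} for u, cites in articles.items()}


def root_sources(node: str, graph: dict, seen: set = None) -> set:
    """Follow citations down to documents that cite nothing we can follow.

    A URL we have not indexed is treated as a leaf (a possible primary source);
    cycles are cut by the 'seen' set so a citation ring cannot loop forever.
    """
    seen = set() if seen is None else seen
    if node in seen:
        return set()
    seen.add(node)
    cites = graph.get(node, set())
    if not cites:
        return {node}
    roots = set()
    for cited in cites:
        roots |= root_sources(cited, graph, seen)
    return roots


def corroboration(outlet_urls: list, graph: dict) -> dict:
    """Apply the structural test: distinct root hosts, not number of outlets."""
    roots = set()
    for url in outlet_urls:
        roots |= root_sources(canonical(url), graph)
    hosts = {r.split("/", 1)[0] for r in roots}
    if len(hosts) >= 2:
        verdict = "CORROBORATED"
    elif len(hosts) == 1:
        verdict = "SINGLE-SOURCE"
    else:
        verdict = "UNSOURCED"
    return {
        "outlets": len(outlet_urls),
        "roots": sorted(roots),
        "independent_sources": len(hosts),
        "verdict": verdict,
    }


if __name__ == "__main__":
    graph = build_graph(ARTICLES)
    two_outlets = ["https://news-a.example/firewall-bug",
                   "https://news-b.example/2026/firewall-flaw"]
    print(corroboration(two_outlets, graph))  # 2 outlets, 1 source: SINGLE-SOURCE
    print(corroboration(two_outlets + ["https://news-c.example/story"], graph))
```

The first call is the illusion from the text: two outlets, one vendor blog post underneath, so the verdict is SINGLE-SOURCE even though an outlet counter would say "two independent reports". Adding the third outlet, which also cites a CERT alert, is what actually lifts the story to CORROBORATED. Counting root hosts rather than root URLs is deliberate: two pages from the same vendor are one source.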

In each of these, the agent’s output is competent on the surface and wrong underneath. In each, the catch requires the analyst to hold a model of how the answer should be structured and notice when the structure breaks, even when the surface is intact.

How CISOs Train For This

Model intuition is teachable, but not the way SOC training has historically worked. Three investments worth making now:

Run red-team exercises against your agents, with humans on the receiving end. Build a synthetic queue of agent outputs where some are structurally right and some are surface-correct but structurally wrong. Have analysts work the queue. Score not on whether they accepted the right ones, but on whether they articulated why for both the accepted and the rejected. The articulation is the training; the score is just the proxy. Over a few cycles, analysts will start sensing the shape of structurally wrong output before they can name the problem.

Make agent decision boundaries first-class artifacts. What an agent is permitted to do, and explicitly not permitted to do (block production traffic, send external communication, reach into privileged systems), deserves the same authoring discipline as incident response playbooks. Bounded authority is the operating control that lets agentic AI scale safely, and it gives analysts a stable reference for what counts as the agent staying inside its lane. When the agent acts outside its boundary, that is itself a structural signal: the output may be surface-correct, but the action was structurally out of scope.
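One way to make a decision boundary a first-class artifact is to keep it as data that is evaluated deny-by-default over every action an agent proposes, so an out-of-scope action is caught as a structural signal before it runs. The following is an added example (not code from the original post or from any agent framework); the action kinds, environment names, precedence rules and the sample plan are all constructed for the illustration.

```python
# Added example (not from the original post): an agent decision boundary kept
# as data, evaluated deny-by-default over a proposed action plan. The action
# names, environments and the sample plan are constructed for this example.
from dataclasses import dataclass

# The boundary artifact. Rules are (action kind, environment); "*" means any
# environment. Anything not matched by a rule is denied.
BOUNDARY = {
    "deny": {                       # never, whatever the summary says
        ("send_external_email", "*"),
        ("modify_iam_policy", "*"),
        ("disable_user", "production"),
    },
    "approval_required": {          # agent may propose, a human must approve
        ("isolate_host", "production"),
        ("block_ip", "production"),
    },
    "allow": {                      # agent may act on its own
        ("query_siem", "*"),
        ("enrich_indicator", "*"),
        ("add_to_watchlist", "*"),
        ("create_ticket", "*"),
        ("isolate_host", "staging"),
    },
}


@dataclass(frozen=True)
class Action:
    kind: str
    target: str
    environment: str


@dataclass(frozen=True)
class Decision:
    action: Action
    outcome: str  # "allow", "approval_required" or "deny"
    reason: str


def _matches(rules: set, action: Action) -> bool:
    return (action.kind, action.environment) in rules or (action.kind, "*") in rules


def evaluate(action: Action, boundary: dict = BOUNDARY) -> Decision:
    """Deny beats approval beats allow; an unlisted action is denied."""
    if _matches(boundary["deny"], action):
        return Decision(action, "deny", "explicitly outside the agent's authority")
    if _matches(boundary["approval_required"], action):
        return Decision(action, "approval_required", "needs a human in the loop")
    if _matches(boundary["allow"], action):
        return Decision(action, "allow", "inside the agent's lane")
    return Decision(action, "deny", "not listed in the boundary (default deny)")


def review_plan(actions: list, boundary: dict = BOUNDARY) -> dict:
    """Evaluate a whole plan; any non-allow decision is a structural signal."""
    decisions = [evaluate(a, boundary) for a in actions]
    held = [d for d in decisions if d.outcome != "allow"]
    return {"decisions": decisions, "held": held, "structural_signal": bool(held)}


# Constructed plan an agent might attach to the firewall alert from the text.
# 203.0.113.7 is a documentation address, not a real indicator.
PLAN = [
    Action("query_siem", "fw-edge-01", "production"),
    Action("add_to_watchlist", "203.0.113.7", "production"),
    Action("block_ip", "203.0.113.7", "production"),
    Action("send_external_email", "psirt@vendor.example", "production"),
    Action("isolate_host", "web-stg-02", "staging"),
    Action("rotate_all_credentials", "ad-domain", "production"),
]

if __name__ == "__main__":
    for d in review_plan(PLAN)["decisions"]:
        print(f"{d.outcome:18} {d.action.kind} -> {d.action.target}: {d.reason}")
```

Three of the six proposed actions are held: the production block needs approval, the external email is flatly outside the agent's authority, and the credential rotation is held because nobody wrote a rule for it, which is the default-deny doing its job. That third case is the one to watch for in practice: a plan that reaches for an action the boundary never anticipated is as much a structural signal as one that breaks an explicit rule, and it is usually the first hint that the agent's model of the incident has drifted from the analyst's.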

Require tell-back protocols on accepted outputs. When an analyst accepts an agent’s conclusion, require them to write a short note on why. Not for every alert; that would defeat the productivity argument. For a sample, randomized, with the rate calibrated to the organization’s tolerance for friction. The tell-back is two things at once: an audit trail when an agent’s conclusion turns out to be wrong, and a forcing function for the analyst to engage with the structural question instead of just acknowledging the surface.

What does not work: more training on prompt engineering. Prompt engineering is a skill for getting better surface output. Model intuition is a skill for judging surface output. They are different problems, and conflating them is the single most common error CISOs are making in agentic SOC retraining right now.

Why This Is Bigger Than the SOC

The agentic transition is not unique to security operations. Wherever the work is signal processing under pressure, agents are coming. Triage in legal review, claims processing in insurance, vetting in compliance. The cognitive shift is the same in each: people stop being inside the process and start being above it. The reskilling problem is the same in each. The difference in security is that the cost of a structurally wrong call is higher and the adversary actively wants to produce surface-correct outputs that are structurally weaponized.

The systems we are deploying are not just productivity tools. They are trust-positioned objects with persistent memory, broad authority, and outputs that read with confidence. The defender’s edge over the next several years will not come from running faster than the agents. It will come from running a layer above them, where structural judgment compounds and surface plausibility does not.

Build that layer deliberately. Hire for it. Train for it. Measure it. The CISOs who do will field the SOCs that actually work in 2027 and beyond. The ones who do not will field SOCs that scale the wrong answers as efficiently as the right ones, and will not notice the difference until the wrong answers cost them an incident.

Model intuition is the name for the skill. Now go build it.