Louis Zezeran
26 March 2026
Security operations are under more pressure than ever. Alerts are multiplying, environments are becoming more complex, and skilled cybersecurity professionals remain in short supply. In this episode of the NEVERHACK Estonia Cybercast, Louis Zezeran speaks with Henk van der Heijden, Vice President of Sales at Stellar Cyber, about what this means for the modern SOC and why both technology and team design need to evolve.
This is not just a discussion about tools. It is a conversation about how security operations have changed over time, what has broken in the old model, and how organisations can build something more effective for the future.
At the heart of the episode is a simple but important idea: modern security operations cannot rely on yesterday’s thinking. The volume of data, the number of attack paths, and the expectations placed on SOC teams have changed too much. To keep up, organisations need better visibility, better automation, and a smarter way of organizing human talent.
From early SIEM to modern OpenXDR
Henk brings decades of experience to the conversation, having worked in cybersecurity since the early days of the internet boom. He describes a time when getting customers online was still new, and security operations were only beginning to emerge from more basic network monitoring practices.
In those early years, security data was limited. SOCs were ingesting relatively small amounts of information, typically from firewalls and traditional antivirus tools. That made both the technical challenge and the threat landscape much narrower than what organisations face today. Security monitoring existed, but it lacked the depth, context, and coverage needed for modern defence.
Fast forward to today, and the difference is enormous. Organisations operate across cloud platforms, on-premise infrastructure, laptops, endpoints, mobile devices, SaaS services, and complex hybrid environments. The number of security tools in play can be staggering, and every one of them contributes data that may or may not be useful unless it is properly unified and analyzed.
That is where OpenXDR enters the discussion. Rather than functioning as a narrow SIEM or a standalone detection product, OpenXDR aims to bring different telemetry sources together so that security teams can see how events relate to one another. Instead of isolated alerts, analysts can work from a broader, more connected picture of what is happening across the organisation.
For NEVERHACK, this matters because the platform underpins the way its SOC delivers managed detection and response. The point is not simply to collect logs. The point is to turn fragmented information into operational awareness.
Why visibility inside the network matters
One of the strongest practical insights in the episode is the discussion of attacker movement. The traditional security mindset often focuses heavily on the perimeter: what is coming in, what is going out, and what the firewall can see. But that only tells part of the story.
Henk explains the importance of seeing not just North-South traffic, but also East-West traffic — the movement happening inside the network. This is where the conversation becomes especially relevant for organisations trying to strengthen detection capabilities.
Louis and Henk use an excellent analogy: imagine an attacker as someone who has entered a house. Getting in is only the first step. The real goal is moving from room to room until they reach the place where the valuables are kept. That internal movement is often where defenders have the best chance to catch them before the final impact occurs.
This matters because attackers rarely enter a network and immediately launch ransomware or exfiltrate crown-jewel data. They probe, move laterally, explore, and escalate. If organisations are only watching the front door, they may miss the activity happening in the corridors.
That insight ties directly into the broader concept of zero trust. As the discussion makes clear, zero trust is not just a buzzword or a fixed destination. It is a way of thinking: even inside the network, trust should not be assumed. Systems, users, and connections should all be verified and monitored with care.
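To make the North-South versus East-West distinction concrete, here is an added example (not code from the episode, NEVERHACK or Stellar Cyber) that classifies a handful of constructed flow records and counts how many distinct internal hosts each internal source reaches on administrative ports. The internal address ranges, the admin-port list, the fan-out threshold and all flow records are assumptions chosen for illustration; a real deployment would take them from its own network inventory and baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port); not from the episode.
# 10.0.1.15 talks to the internet on 443 and then reaches four internal hosts
# on SMB, RDP and SSH ports; 10.0.1.30 makes one ordinary internal connection.
FLOWS = [
    ("203.0.113.7", "10.0.1.15", 443),    # inbound, North-South
    ("10.0.1.15", "198.51.100.9", 443),   # outbound, North-South
    ("10.0.1.15", "10.0.1.20", 445),      # East-West, SMB
    ("10.0.1.15", "10.0.1.21", 445),      # East-West, SMB
    ("10.0.1.15", "10.0.1.22", 3389),     # East-West, RDP
    ("10.0.1.15", "10.0.2.5", 22),        # East-West, SSH into another subnet
    ("10.0.1.30", "10.0.1.40", 445),      # East-West, single destination
    ("10.0.1.30", "198.51.100.9", 80),    # outbound, North-South
]

# Assumed private ranges; a real SOC would use its own address inventory.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed set of ports typically used for remote administration.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def classify(flow):
    """Label a flow as East-West (both ends internal) or North-South."""
    src, dst, _port = flow
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def perimeter_view(flows):
    """What a perimeter-only sensor sees: just the flows that cross the edge."""
    return [f for f in flows if classify(f) == "north-south"]


def east_west_fanout(flows, ports=ADMIN_PORTS):
    """Distinct internal destinations each internal source reached on admin ports."""
    reached = defaultdict(set)
    for src, dst, port in flows:
        if classify((src, dst, port)) == "east-west" and port in ports:
            reached[src].add(dst)
    return {src: len(dsts) for src, dsts in reached.items()}


def flag_lateral_movement(flows, threshold=3):
    """Internal sources whose admin-port fan-out meets the (assumed) threshold."""
    return sorted(src for src, n in east_west_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print("perimeter sees:", perimeter_view(FLOWS))
    print("fan-out:", east_west_fanout(FLOWS))
    print("flagged:", flag_lateral_movement(FLOWS))
```

Run as-is, the perimeter view contains only the three edge-crossing flows, all of which look like routine web traffic; the East-West view is what exposes 10.0.1.15 reaching four internal hosts on admin ports. That gap is the point of the house analogy: the front door looks quiet while the corridors are busy.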
The old SOC model is under strain
The episode then shifts into one of its most relevant themes: how SOC teams are structured.
For years, many security operations centers followed a familiar tiered model. Level 1 analysts handled initial triage and alert review. Level 2 analysts performed deeper investigation. Level 3 analysts dealt with higher-level decisions, business impact, and complex escalations.
This structure made sense when alert volumes were smaller and automation was less capable. But Henk argues that the model is increasingly outdated. Today’s SOCs ingest far more data from far more sources, which means more alerts, more noise, and more cognitive load.
The result is that Level 1 roles can become repetitive and draining. Junior analysts end up spending large amounts of time sifting through low-value work instead of developing broader skills. That is not just inefficient — it can damage retention, morale, and long-term team capability.
This is where the conversation becomes especially interesting, because Louis brings in NEVERHACK’s own approach. Instead of rigid levels, the company blends junior and senior analysts together in rotating teams. One team handles frontline work while another focuses on backend improvements, business-level activities, playbooks, and operational development. Then they rotate.
This model creates several advantages at once. Juniors learn directly from seniors. Knowledge sharing happens naturally. People avoid getting trapped in narrow, repetitive roles. And the SOC develops more resilience because team members build a wider understanding of both operations and business impact.
It is a reminder that security operations are not just a tooling problem. They are a leadership and organisational design problem too.
AI should remove low-value work, not remove people
Naturally, any conversation about the future of the SOC now includes AI, and this episode handles the topic well.
Rather than making exaggerated claims about autonomous SOCs, both Louis and Henk take a more realistic and useful view. AI, machine learning, and automation are extremely valuable for handling repetitive, time-consuming work: correlating events, surfacing patterns, reducing noise, and enriching alerts so analysts do not start from scratch.
That is a major benefit. It means humans no longer need to spend as much time on the “stupid work,” as Henk bluntly puts it — the low-level, repetitive effort that machines are increasingly capable of doing faster and better.
But that does not mean the SOC can run without people.
In fact, the episode makes the opposite case. The more capable the AI becomes, the more valuable human judgment becomes at the top of the workflow. People still need to validate actions, understand business context, think through consequences, communicate with stakeholders, and interpret the motivations and behavior of attackers.
This is particularly important when automated actions touch production environments. Security response never happens in a vacuum. A poorly timed or poorly understood automated action can disrupt services, operations, or even customer environments. That is why human oversight remains essential.
The result is a nuanced message that many security professionals will appreciate: AI is not replacing skilled analysts. It is changing what skilled analysts should spend their time doing.
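The "stupid work" the episode refers to (deduplicating, correlating and enriching alerts so an analyst starts from a prioritised incident rather than a raw feed) is easy to show in miniature. The following is an added example, not code from the episode, NEVERHACK or Stellar Cyber: it takes a constructed list of raw alerts from several tools, drops exact duplicates, groups each host's alerts into incidents using an assumed 15-minute window, enriches each incident from an assumed asset inventory, and orders the result into a triage queue. The scoring rule, window, alert records and asset data are all illustrative assumptions; the decision about what to do with the top item is deliberately left to the human reading the queue.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw alerts (timestamp, host, source tool, signature); not real data.
RAW_ALERTS = [
    ("2026-03-26T09:00:05", "ws-042", "edr", "suspicious_powershell"),
    ("2026-03-26T09:00:05", "ws-042", "edr", "suspicious_powershell"),  # exact duplicate
    ("2026-03-26T09:01:10", "ws-042", "ndr", "smb_scan_internal"),
    ("2026-03-26T09:03:40", "ws-042", "idp", "new_admin_logon"),
    ("2026-03-26T09:45:00", "ws-042", "edr", "suspicious_powershell"),  # outside the window
    ("2026-03-26T09:02:00", "srv-db-01", "ndr", "smb_scan_internal"),
    ("2026-03-26T11:30:00", "ws-107", "av", "pua_detected"),
]

# Constructed asset inventory used for enrichment (assumption, not a real CMDB).
ASSETS = {
    "srv-db-01": {"criticality": "high", "owner": "dba-team"},
    "ws-042": {"criticality": "medium", "owner": "finance"},
}


def dedupe(alerts):
    """Drop exact duplicate alerts while preserving order."""
    seen, out = set(), []
    for alert in alerts:
        if alert not in seen:
            seen.add(alert)
            out.append(alert)
    return out


def correlate(alerts, window=timedelta(minutes=15)):
    """Group each host's alerts into incidents; a gap longer than the window starts a new one."""
    by_host = defaultdict(list)
    for alert in sorted(dedupe(alerts)):          # ISO timestamps sort chronologically
        by_host[alert[1]].append(alert)
    incidents = []
    for host, items in by_host.items():
        current = None
        for ts_text, _host, tool, signature in items:
            ts = datetime.fromisoformat(ts_text)
            if current is None or ts - current["last"] > window:
                current = {"host": host, "first": ts, "last": ts,
                           "tools": set(), "signatures": []}
                incidents.append(current)
            current["last"] = ts
            current["tools"].add(tool)
            current["signatures"].append(signature)
    return incidents


def enrich(incident, assets=ASSETS):
    """Attach asset context and an illustrative priority score.

    Assumed rule: one point per independent tool that fired, plus 2 for a
    high-criticality asset or 1 for medium. Unknown assets get no bonus.
    """
    info = assets.get(incident["host"], {"criticality": "unknown", "owner": "unknown"})
    score = len(incident["tools"]) + {"high": 2, "medium": 1}.get(info["criticality"], 0)
    return {**incident, **info, "priority": score}


def triage_queue(alerts):
    """Raw alerts in, prioritised incidents out; highest priority first, then oldest."""
    queue = [enrich(incident) for incident in correlate(alerts)]
    return sorted(queue, key=lambda inc: (-inc["priority"], inc["first"]))


if __name__ == "__main__":
    for inc in triage_queue(RAW_ALERTS):
        print(inc["priority"], inc["host"], inc["owner"], sorted(inc["tools"]), inc["signatures"])
```

Seven raw alerts become four incidents, and the one that reaches the top of the queue is the host where three different tools agreed within a few minutes, which is exactly the kind of pattern a person would otherwise have to assemble by hand. What the code does not do is act: confirming the logon, contacting the owner and deciding whether to isolate the machine remain the analyst's call, which is the division of labour the episode argues for.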
What this means for cybersecurity professionals
There is also a strong message here for people building careers in cybersecurity.
Louis raises a concern that many younger professionals may have: if AI is taking over the repetitive parts of the SOC, does that mean entry-level jobs disappear? The answer given in the episode is both honest and encouraging.
Yes, some low-value tasks are going away. But that is not necessarily bad news. It means the path forward is to upskill faster, learn broader context earlier, and move toward higher-value work. Analysts who understand the business, can communicate effectively, and can interpret technical signals in context will only become more valuable.
This is why mentorship and team design matter so much. If organisations want to retain people and grow capability internally, they cannot leave juniors isolated in repetitive work. They need structures that accelerate development and make the job more engaging.
That point also connects to one of the business realities discussed in the episode: retaining talent is expensive, but losing trained analysts is even more expensive. When people leave after a short time, organisations lose both money and institutional knowledge. And in a SOC environment, institutional knowledge matters. The longer analysts stay, the better they understand customer environments, patterns of behavior, and what “normal” looks like.
That makes them more effective for both the provider and the client.
Why this episode matters
What makes this episode especially worthwhile is that it moves beyond marketing language. It is not simply “here is a platform.” It is a broader conversation about the future of security operations.
Listeners will come away with a clearer understanding of:
- how SOCs evolved from early SIEM-based models into broader OpenXDR-led operations
- why lateral movement and East-West visibility are so important
- why the old L1/L2/L3 structure is losing effectiveness in many environments
- how AI can reduce noise and improve analyst efficiency
- why human judgment, leadership, and business context still matter
- how better team design can improve retention, capability, and service quality
For security leaders, MSSPs, and SOC managers, this episode is a useful reminder that buying a tool is not the same thing as building an effective security operation. Technology can enable a strong SOC, but it cannot replace thoughtful leadership, good structure, and skilled people.
For analysts and those entering the field, the episode offers something equally valuable: a picture of where the industry is heading, and where the most meaningful work will be.
The future SOC is not just faster. It is smarter, more connected, and more human where it matters most.
Listen now to hear Louis Zezeran and Henk van der Heijden unpack the evolution of security operations, the role of OpenXDR, and what it really takes to build a modern SOC. Visit our website for more episodes, and subscribe to NEVERHACK Estonia Cybercast for more conversations on the future of cybersecurity.