The SOC at 3 AM
She blocked 12,000 attacks before sunrise. The bot that replaced her blocks 4 million.
Maria works the 3 AM shift at a security operations center in Manila. She monitors dashboards for a mid-tier American bank. Between midnight and 6 AM on a Tuesday in November, she identified and blocked 12,000 credential stuffing attempts originating from a botnet distributed across fourteen countries. She correlated the attack patterns manually, cross-referencing IP reputation databases, geolocation anomalies, and login velocity thresholds. Her annual salary is $14,200.
Maria was already the cheap option. The bank moved its SOC operations from Virginia to Manila in 2019, reducing per-analyst costs from $78,000 to $14,200. The same extraction pattern that displaced American call center workers two decades earlier had displaced American security analysts. Manila was the destination. Now Manila is the origin.
The RPA bot that entered pilot testing in Q2 2025 processes 4.3 million events per hour. It doesn't work shifts. It doesn't need a cost-of-living adjustment. It doesn't get tired at 4 AM when the attack patterns start blurring together. It costs the bank $8,200 per month — less than Maria's annual salary — and it monitors all fourteen of the bank's SOC clients simultaneously.
Security operations followed the same offshoring arc as every other process-oriented knowledge function. American SOC analysts earning $70,000 to $110,000 were replaced by analysts in Manila, Hyderabad, and Krakow earning $12,000 to $22,000. The quality delta was acknowledged and accepted. A 15% increase in mean time to detection was an acceptable trade for an 80% reduction in labor costs.
This pattern has repeated in every sector where the work can be decomposed into monitoring, classification, and response. Air traffic control remains an exception because the consequences of error are immediately fatal. Security operations do not share that protection. A missed alert at 3 AM results in a breach report filed six weeks later, not a plane crash visible on the evening news. The error tolerance is higher, and higher error tolerance is the precondition for automation.
The offshoring wave of 2015-2020 created a global SOC workforce of approximately 340,000 analysts, concentrated in Southeast Asia and Eastern Europe. That workforce is now positioned identically to the American call center workers of 2001 — doing a job that has been documented thoroughly enough to be automated.
SOAR (Security Orchestration, Automation, and Response) platforms have reduced Tier 1 analyst headcount by 35% to 60% at organizations that adopted them between 2023 and 2025, according to industry surveys. The remaining analysts handle escalations — the ambiguous alerts that automated systems cannot classify with sufficient confidence.
The extraction pattern is visible in real time. SOC managers are asking analysts to document their decision-making processes for "playbook development." The playbooks feed the automation engine. Each documented heuristic — "if the source IP is in this ASN range and the login velocity exceeds this threshold, escalate" — becomes a rule that eliminates the need for the analyst who wrote it.
Maria still works the 3 AM shift. Her queue is thinner each month. The credential stuffing attacks that once required her judgment are now handled automatically. She reviews the bot's escalations — the 2% of events that fall outside the automated playbook's confidence threshold. She is, functionally, a quality assurance layer for the system that is learning to make her unnecessary.
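The kind of documented heuristic quoted above, written out as a playbook rule with an escalation path for the ambiguous cases. This is an added example, not code from the article or from any SOAR product; the CIDR block standing in for an ASN range, the thresholds, the three-way verdict split and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (assumptions, not from the article).
# An ASN announces one or more prefixes; one documentation CIDR stands in for "this ASN range".
FLAGGED_ASN_RANGES = [ip_network("203.0.113.0/24")]
VELOCITY_THRESHOLD = 5    # failed logins from one source IP...
WINDOW_SECONDS = 60       # ...inside any window of this length

def peak_velocity(timestamps, window=WINDOW_SECONDS):
    """Largest number of events that fall inside any sliding window."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(events):
    """Map each source IP with failed logins to auto_block, escalate, or allow."""
    failures = defaultdict(list)
    for ts, src_ip, outcome in events:
        if outcome == "fail":
            failures[src_ip].append(ts)
    verdicts = {}
    for src_ip, stamps in failures.items():
        in_range = any(ip_address(src_ip) in net for net in FLAGGED_ASN_RANGES)
        fast = peak_velocity(stamps) > VELOCITY_THRESHOLD
        if in_range and fast:
            verdicts[src_ip] = "auto_block"   # both documented signals agree
        elif in_range or fast:
            verdicts[src_ip] = "escalate"     # ambiguous: lands in the analyst queue
        else:
            verdicts[src_ip] = "allow"
    return verdicts

# Constructed sample events: (epoch seconds, source IP, login outcome)
SAMPLE_EVENTS = (
    [(1000 + i * 2, "203.0.113.7", "fail") for i in range(8)]      # flagged range, fast
    + [(1000 + i * 3, "198.51.100.9", "fail") for i in range(10)]  # unflagged range, fast
    + [(1000 + i * 90, "203.0.113.44", "fail") for i in range(3)]  # flagged range, slow
    + [(1010, "192.0.2.15", "fail"), (1400, "192.0.2.15", "ok")]   # one mistyped password
)

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{ip:15} {verdict}")
```

Only the sources where the two signals disagree reach a human; everything else is decided by the rule the analyst documented.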
The SOC analyst displacement follows a two-phase pattern. Phase one — active now — eliminates Tier 1 analysts who perform alert triage, log review, and routine incident classification. This phase will be substantially complete within 12 to 18 months at organizations with mature SOAR deployments. Phase two targets Tier 2 and Tier 3 analysts who perform threat hunting, incident response, and forensic analysis. This phase is estimated at 24 to 36 months.
The financial services sector, which employs approximately 40% of the global SOC workforce, is leading the displacement. Banks operate on margin compression logic — every dollar saved on security operations is a dollar returned to shareholders. The risk calculus has been performed. Automated systems miss some things. The cost of what they miss is less than the cost of what Maria earns.
Maria will not be the last person in the Manila SOC. But the SOC will not need 200 analysts on the night shift. It will need 12. Then 6. The chairs will stay. The monitors will stay. The dashboards will keep refreshing at 3 AM. The only thing missing will be the people watching them.
- Your SOC's automated triage system now resolves more tickets than your team does
- You've been asked to document your threat classification heuristics for a 'knowledge base project'
- The overnight shift has been reduced or eliminated in favor of automated monitoring
- Your alert review queue is increasingly pre-filtered and pre-categorized by AI before you see it
- Management has started measuring your performance against automated resolution benchmarks