Generative AI gets the conference keynotes and the budget conversations. Every vendor booth now has an assistant, a copilot, or a chatbot promising to change how the SOC works. Meanwhile, the model actually deciding whether last night’s authentication spike was an attack is almost certainly a gradient-boosted tree or an isolation forest that nobody put on a slide.
That gap between the hype and the work is worth understanding before you decide what to learn.
What Classical ML Does in a SOC
Classical machine learning covers the methods that have run detection for years: classification, regression, clustering, and anomaly detection. In a SOC they do the heavy lifting.
- Classification decides malware or benign, phishing or legitimate, given labeled training data.
- Anomaly detection flags the login, flow, or process that sits far from normal without needing a signature.
- Clustering groups similar alerts so analysts triage a batch instead of a thousand singletons.
These methods win on structured security telemetry for concrete reasons. They are fast enough to score millions of events an hour. They are cheap to run. They are interpretable, so you can explain why an event scored high. And on tabular data like auth logs and netflow, a well-tuned tree model beats a general-purpose language model on accuracy every time. Our post on reducing false positives with machine learning shows how much of that day-to-day tuning is classical ML work.
What Generative AI Does in a SOC
LLMs are good at language, and a SOC has a lot of language in it.
They summarize a sprawling incident timeline into a paragraph. They explain an unfamiliar command line to a junior analyst. They draft the report, the notification, and the ticket. They answer questions over your documentation and runbooks. They help you write a detection or a SIEM query faster. Our writeup on using generative AI in security operations goes into where this pays off and where it does not.
What they are not is the detector on high-volume structured data. Running an LLM to score every authentication event would be slow, expensive, and less accurate than a classical model built for the job. The strength of generative AI is turning messy language into useful language, not scoring telemetry.
Learn the Fundamentals First
Here is the opinionated part. If you are building your skills, learn classical ML before you chase generative AI.
Two reasons. First, classical methods are where most production detection lives, so the skills transfer directly to work you will actually do. Second, and more important, the fundamentals teach you how to think about data. Feature engineering, class imbalance, thresholds, precision versus recall, evaluation on held-out data: these concepts are what let you judge whether any model, classical or generative, is telling you the truth. An analyst who understands model evaluation can spot when an LLM is confidently wrong. An analyst who only knows how to prompt cannot.
Generative AI is worth learning. It is genuinely useful for the language-shaped parts of the job, and the best setups pair the two: a classical model makes the detection decision, an LLM explains and enriches it. But you get more out of the LLM once you understand the fundamentals underneath it, not before.
Start with classification and anomaly detection on real data, get comfortable with evaluation, then add generative AI on top. That order builds practitioners who can tell a good model from a good demo.
We teach both, in that order. The Applied Data Science and AI for Cybersecurity course grounds you in classical detection, and the AI Cyber Bootcamp goes deeper on applying AI across security work. Both feed the live training at Applied Data Science at Black Hat USA 2026.
Build the foundation before you chase the headlines: enroll for Black Hat USA 2026.