# Classical ML vs Generative AI in the SOC: What to Learn First

By Summer Rankin · 2026-07-05

> Classical ML vs generative AI in the SOC: what each does well, why classical methods still drive most detection, and which fundamentals to learn first.

Generative AI gets the conference keynotes and the budget conversations. Every vendor booth now has an assistant, a copilot, or a chatbot promising to change how the SOC works. Meanwhile, the model actually deciding whether last night's authentication spike was an attack is almost certainly a gradient-boosted tree or an isolation forest that nobody put on a slide.

That gap between the hype and the work is worth understanding before you decide what to learn.

## What Classical ML Does in a SOC

Classical machine learning covers the methods that have run detection for years: classification, regression, clustering, and anomaly detection. In a SOC they do the heavy lifting.

- Classification decides malware or benign, phishing or legitimate, given labeled training data.
- Anomaly detection flags the login, flow, or process that sits far from normal without needing a signature.
- Clustering groups similar alerts so analysts triage a batch instead of a thousand singletons.

These methods win on structured security telemetry for concrete reasons. They are fast enough to score millions of events an hour. They are cheap to run. They are interpretable, so you can explain why an event scored high. And on tabular data like auth logs and netflow, a well-tuned tree model beats a general-purpose language model on accuracy every time. Our post on [reducing false positives with machine learning](/blog/reducing-false-positives-security-alerts-machine-learning) shows how much of that day-to-day tuning is classical ML work.

## What Generative AI Does in a SOC

LLMs are good at language, and a SOC has a lot of language in it.

They summarize a sprawling incident timeline into a paragraph. They explain an unfamiliar command line to a junior analyst. They draft the report, the notification, and the ticket. They answer questions over your documentation and runbooks. They help you write a detection or a SIEM query faster. Our writeup on [using generative AI in security operations](/blog/how-to-use-generative-ai-security-operations) goes into where this pays off and where it does not.

What they are not is the detector on high-volume structured data. Running an LLM to score every authentication event would be slow, expensive, and less accurate than a classical model built for the job. The strength of generative AI is turning messy language into useful language, not scoring telemetry.

## Learn the Fundamentals First

Here is the opinionated part. If you are building your skills, learn classical ML before you chase generative AI.

Two reasons. First, classical methods are where most production detection lives, so the skills transfer directly to work you will actually do. Second, and more important, the fundamentals teach you how to think about data. Feature engineering, class imbalance, thresholds, precision versus recall, evaluation on held-out data: these concepts are what let you judge whether any model, classical or generative, is telling you the truth. An analyst who understands model evaluation can spot when an LLM is confidently wrong. An analyst who only knows how to prompt cannot.

Generative AI is worth learning. It is genuinely useful for the language-shaped parts of the job, and the best setups pair the two: a classical model makes the detection decision, an LLM explains and enriches it. But you get more out of the LLM once you understand the fundamentals underneath it, not before.

Start with classification and anomaly detection on real data, get comfortable with evaluation, then add generative AI on top. That order builds practitioners who can tell a good model from a good demo.

We teach both, in that order. The [Applied Data Science and AI for Cybersecurity](/courses/applied-data-science-ai) course grounds you in classical detection, and the [AI Cyber Bootcamp](/courses/ai-cyber-bootcamp) goes deeper on applying AI across security work. Both feed the live training at [Applied Data Science at Black Hat USA 2026](/lp/applied-data-science-black-hat-2026).

Build the foundation before you chase the headlines: [enroll for Black Hat USA 2026](/lp/applied-data-science-black-hat-2026).

## FAQ

### Is classical machine learning still relevant now that LLMs exist?

Very much so. LLMs are strong at language tasks: summarizing an incident, drafting a report, explaining a log line, or answering questions over documentation. But the core detection work in a SOC, scoring whether an event is anomalous or classifying a sample as malicious, is still handled by classical methods like gradient-boosted trees, isolation forests, and clustering. These models are faster, cheaper, more interpretable, and more accurate on structured security telemetry than a general-purpose language model.

### Should a new SOC analyst learn classical ML or generative AI first?

Classical ML first. The fundamentals of classification, anomaly detection, feature engineering, and model evaluation are what most production detection is built on, and they teach you how to reason about data, thresholds, and false positives. That grounding makes you better at using generative AI too, because you understand what a model can and cannot know. Chasing LLMs before the fundamentals leaves you able to prompt but unable to evaluate whether the output is right.

### What are LLMs actually good at inside a SOC?

Language-shaped tasks. LLMs help with summarizing long incident timelines, translating a detection into plain English for a report, explaining an unfamiliar command line, querying documentation, and drafting communications. They can also help analysts write detection code or SIEM queries faster. What they are not good at is being the detection itself on high-volume structured telemetry, where classical models are more accurate and far cheaper to run.

### Can generative AI and classical ML work together in detection?

Yes. A practical pattern uses a classical model to do the detection (flag the anomaly or classify the event) and an LLM to explain and enrich the result: summarize the surrounding activity, map it to a likely ATT&CK technique, and draft the analyst note. The classical model provides precision and speed on the decision, the LLM provides context and communication. Using each for what it is good at beats forcing either to do the other's job.


---

Canonical: https://gtkcyber.com/blog/classical-ml-vs-generative-ai-soc/