From traditional SOCs to CogniRange
Cyber defence in the age of advanced AI

A few days ago, at the Universidad Internacional Menéndez Pelayo summer course, we shared a reflection on advanced artificial intelligence applied to cyber defence, and on the innovation challenges Europe must address if it wants to preserve its technological and operational sovereignty.
The central message was simple: artificial intelligence does not only change the tools of attack and defence. It changes the tempo of cybersecurity.
For years, we have thought about digital defence as a race between attackers and defenders. The attacker looked for a vulnerability, a credential, a misconfiguration or an entry point. The defender tried to detect, block, patch and respond. That asymmetry has always existed. The attacker only needs to find one path. The defender has to protect many.
What changes now is speed.
The next frontier of cybersecurity will not be simply detecting more attacks, but measuring whether our organisations can reason, decide and defend themselves against AI-assisted adversaries.
The next frontier of cybersecurity will not be simply detecting more attacks, but measuring whether our organisations can reason, decide and defend themselves against adversaries assisted by artificial intelligence.
Advanced models and AI agents reduce the time, cost and expertise required to carry out complex tasks. They can help identify exposed surfaces, correlate information, prioritise targets, generate hypotheses, read technical documentation, re-plan and maintain contextual continuity throughout long operations.
This does not mean that artificial intelligence has invented all the problems of cybersecurity. It has not. But it can compress them.
What used to take days or weeks may begin to happen in hours or minutes. What used to require highly specialised teams may become accessible to actors with less technical expertise. What used to be a relatively human sequence may begin to operate at machine speed.
And that leads to the fundamental question.
If the attack accelerates, can defence remain organised as it is today?
The limits of the traditional SOC
The Security Operations Centre, or SOC, has long been a core component of corporate and institutional defence. It receives events, analyses alerts, prioritises incidents and coordinates responses.
But many SOCs were designed for a slower world.
A world in which the volume of signals was lower, campaigns were easier to recognise and analysts had more time to separate what mattered from what did not. Today, the opposite is true. There are more assets, more suppliers, more identities, more cloud, more devices, more sensors, more alerts and more pressure.
The usual response has been to add more tools, more dashboards and more automation. Sometimes that helps. But it can also make the problem worse.
A saturated SOC is not merely an uncomfortable SOC. It is a vulnerability.
When the volume of signals exceeds the human capacity to understand them, the organisation begins to lose something more important than time. It loses judgement. It loses context. It loses the ability to anticipate. And in cyber defence, losing context is often the first step towards losing initiative.
That is why we believe the evolution of the SOC cannot consist simply of adding artificial intelligence as yet another interface.
It must evolve towards what we call CogniSoc.
What is CogniSoc?
CogniSoc is a way of understanding the Security Operations Centre as a cognitive defence system.
Not as a room full of screens. Not as a collection of tools. Not as a repository of alerts.
But as a socio-technical system capable of perceiving, attending, remembering, generating hypotheses, reasoning, deciding and learning.
To perceive means receiving signals from multiple domains: identity, network, cloud, endpoints, suppliers, applications, data, operational technology and AI agents.
To attend means separating the urgent from the incidental. Not everything that makes noise is important. Not everything important makes noise.
To remember means preserving context. Which assets are critical. Which attack paths exist. Which decisions were taken before. Which incidents repeat. Which dependencies the organisation has.
To generate hypotheses means not stopping at the isolated alert. An alert may be an error, a symptom or the first fragment of a campaign.
To reason means assessing intent, impact, probability, uncertainty and possible paths of evolution.
To decide means recommending actions or executing playbooks under clear limits.
To learn means turning every exercise, incident or simulation into cumulative improvement.
That is the shift from a reactive SOC to a cognitive SOC.
And that shift becomes especially important when the adversary begins to operate with the assistance of artificial intelligence.

The next step: CogniRange
If CogniSoc is the evolution of the operations centre, CogniRange is the environment in which that evolution is trained, measured and validated.
A traditional cyber range allows organisations to simulate scenarios, train teams and validate controls. It is a useful tool. But in the face of AI-assisted adversaries, we need to go one step further.
We need to measure whether an organisation can defend itself under automated pressure.
We call that environment CogniRange.
CogniRange is a cognitive cyber range designed to measure defensive readiness. The word readiness matters. We are not speaking only about compliance, auditing or having tools installed. We are speaking about real preparedness.
The question is not only whether the simulated attacker advances. The question is whether the organisation detects, understands, decides, contains and learns.
At which step does the first detection appear? How long does containment take? What signals does the adversary generate? Which alerts are useful and which are noise? Which controls work? Which decisions are justified? Which actions should an artificial intelligence recommend? Which actions may an autonomous system execute? And what must always remain under human command?
This distinction is essential.
In recent years, significant effort has gone into measuring the capabilities of models. That is necessary. But we also need to measure the capabilities of organisations facing those models.
Put simply: it is not enough to know what an advanced AI system can do. We need to know whether our institutions and companies can defend themselves against it.

This is not about building offensive AI
This distinction is critical.
The CogniRange proposal is not about creating offensive artificial intelligence or deploying autonomous agents against real infrastructure. The proposal is to build safe, synthetic, auditable and governed environments.
Environments in which we can represent the operational advantage of an AI-assisted adversary without executing real attacks. Where dangerous actions are blocked by design. Where everything is recorded. Where human supervision exists. Where teams can train, compare and improve without putting real assets at risk.
This point is especially relevant in critical sectors.
When we speak about energy, water, transport, healthcare, industry, public administration or defence, improvisation is not an option. Aggressive tests cannot be launched against production systems. Innovation cannot become an operational risk.
That is why the future of AI-enabled cyber defence needs three things at the same time: ambition, safety and governance.
Ambition to innovate. Safety to avoid creating new risks. Governance to decide what machines may do and what must remain a human responsibility.
European sovereignty will not be only about models
When we speak about technological sovereignty in artificial intelligence, we usually think about models, data, chips, data centres or compute infrastructure. All of that matters.
But in cyber defence there is another layer of sovereignty that is just as important: the ability to evaluate, train and govern our own defence.
Europe cannot limit itself to consuming closed tools, external metrics or imported doctrines. It needs to develop its own capacity to know whether its critical organisations are prepared for threats accelerated by artificial intelligence.
That means being able to create our own scenarios. Measure our own controls. Train our own teams. Generate our own doctrine. And preserve human judgement in environments where operational pressure will continue to increase.
Sovereignty is not only about having technology. It is about preserving the capacity for judgement.

And the cyber defence of the future will increasingly be a discipline of judgement under pressure.
From more automation to better reasoning
There is an understandable temptation: to respond to attacking artificial intelligence with more defensive automation.
But more automation does not always mean better defence.
Automating a bad decision only makes it faster. Automation without context can amplify errors. Automation without traceability makes auditing harder. Automation without limits can turn defence itself into an additional source of risk.
That is why we argue for a different idea: it is not enough to automate. We must reason.
Artificial intelligence applied to cyber defence should help reduce cognitive load, not multiply it. It should explain, not obscure. It should prioritise, not generate noise. It should propose, not replace indiscriminately. It should operate within limits, not through opaque autonomy.
CogniSoc and CogniRange are born from that conviction.
The first describes how the operations centre should evolve. The second describes how to measure whether that evolution works.
What should we start measuring?
If we want to defend ourselves against machine-speed attacks, we need metrics that go beyond counting alerts.
Some questions are far more relevant:
How long does it take the organisation to detect the first significant signal?
At what point in the attack chain does the first useful alert appear?
How long does containment take?
Which controls genuinely reduce risk?
Which parts of the organisation react too late?
What happens when suppliers are involved?
What happens when identity is compromised?
What happens when operational technology appears?
What happens when an AI agent has access to tools, documents or internal systems?
Which decisions are justified?
What evidence can be audited afterwards?
These questions do not belong only to the technical world. They are questions of leadership, governance, investment and sovereignty.
Because an organisation that cannot measure its defence cannot reliably improve it.
The role of PSYON: understanding adversaries, not just machines
For decades, cybersecurity has learned to detect machines: IP addresses, domains, hashes, malware, credentials, traffic, processes and vulnerabilities.
But adversaries are not only machines. They are human organisations operating through digital means.
They have incentives, tempos, narratives, risk thresholds, reputational sensitivities, priorities and the ability to adapt.
We believe the next stage of cyber defence must incorporate reasoning about adversarial intent and behaviour.
We call that layer PSYON.
This is not about propaganda. It is not about manipulation. It is not about automating psychological operations.
It is about supporting defensive decisions by better understanding what the adversary is trying to achieve, what reaction they are trying to provoke, what signals may reveal their true capabilities and what defensive measures may alter their calculation.
In an environment of AI-accelerated attacks, it is not enough to ask what has happened. We must also ask what the adversary is trying to achieve and how the situation may evolve.
An opportunity for Europe
European cyber defence stands at a decisive moment.
Advanced artificial intelligence, cybersecurity and supercomputing are not three separate conversations. They are part of the same transformation. Models need infrastructure. Infrastructure needs security. Security needs intelligence. And intelligence needs governance.
Europe has talent, universities, companies, institutions, research centres and industrial capacity. But it needs to turn those pieces into its own operational architectures.
CogniSoc and CogniRange are our conceptual contribution to that conversation.
Not as closed products. Not as inflated promises. Not as a definitive answer.
But as a direction of travel.
A way of saying that the cyber defence of the future cannot be limited to seeing more events, buying more tools or automating more tasks. It must learn to reason better.
Conclusion
Advanced artificial intelligence does not remove the need for humans in cyber defence. It makes them more important.
But those humans will need new support systems, new training environments and new metrics. They will need operations centres capable of reasoning. They will need ranges where real preparedness can be measured. They will need governed agents. They will need auditable evidence. And they will need doctrine.
The question is not whether artificial intelligence will change cybersecurity. It already is.
The question is whether our organisations will prepare in time.
We are working in that direction: cognitive, governed and measurable cyber defence, capable of helping institutions and companies defend themselves against adversaries that no longer operate only in human time.
Because the next frontier will not simply be detecting more. It will be understanding earlier, deciding better and defending at machine speed.

