Discussion · Insightful

TCG074: From SOAR to Agents: Why Practical Automation Has to Survive Contact with Real Infrastructure

Three infrastructure and automation veterans discuss the evolution from SOAR platforms to AI-driven automation, examining the gap between vendor demos and real-world brownfield infrastructure. They explore how DNS remains critically underappreciated from a security standpoint, and debate whether AI is creating more technical debt than it solves. The conversation emphasizes that automation and AI are tools that elevate engineers rather than replace them.

Summary

The episode features host William, co-host Yvonne, and guest Sif, a long-time infrastructure and automation practitioner who has worked at Infoblox and a SOAR vendor called Swimlane, among others. The conversation opens with nostalgia around early network automation tools, particularly NetMRI, which Sif used at DirecTV to change 30,000 interface descriptions in a single night and later to discover rogue printer devices causing broadcast storms across 19 manufacturing plants. These stories frame the core argument that automation has always been about solving real operational problems at scale, not just replacing manual labor.

The group addresses the fear engineers have around AI replacing jobs, arguing consistently that automation has historically elevated engineers to higher-order work rather than eliminating roles. Sif notes that he has never automated himself out of a job despite decades of automation work. William extends this by arguing that the most valuable engineers are those who identify problems and independently solve them in ways that benefit the business, and that AI creates new roles around governance, prompt engineering, and data science rather than simply eliminating existing ones.

A significant portion of the conversation focuses on the gap between polished vendor demos and the messy reality of brownfield infrastructure. Sif acknowledges that AI and automation solutions work well roughly 90-95% of the time, but real environments always have snowflake systems requiring custom handling. Yvonne argues that customers who actively help vendors understand this gap have outsized influence on product direction, often more than vendors' internal teams, because builders and operators have fundamentally different perspectives.

The discussion shifts to DNS as an underappreciated security surface. Sif describes how DNS logs can quickly answer forensic questions that security teams spend days investigating through other means, and how DNS exfiltration was a known attack vector long before most organizations thought to monitor it. He highlights Infoblox's IETF draft proposal to use DNSSEC-signed records to publish MCP server locations, allowing LLMs to securely discover and connect to vendor AI services through trusted DNS infrastructure rather than through unknown third-party MCP servers.

Yvonne raises the challenge of dependency mapping in multi-cloud environments, noting that the early excitement around cloud was largely a greenfield effect, and that as environments matured into multi-cloud complexity, understanding service interdependencies — including identity systems, DNS, and networking — has become nearly impossible. She warns that AI risks becoming a technical debt accelerator, citing the Jurassic Park principle of being so focused on what can be built that teams skip asking whether it should be built. The group agrees that standard workflow automation is still the right tool for many problems that are being reflexively framed as AI problems, and that the AI SOC as a black box concept is being sold faster than organizations can evaluate whether it actually addresses their specific risks.

Key Insights

  • Sif argues that he has never automated himself out of a job across decades of network and security automation work, and uses this as evidence that AI will similarly elevate rather than eliminate engineering roles.
  • Yvonne claims that customers who actively surface the gap between vendor demos and real-world brownfield environments often have more influence over product roadmaps than vendors' own internal teams, because builders and operators have fundamentally different experiences.
  • Sif describes Infoblox's IETF draft proposal to use DNSSEC-signed DNS records to publish MCP server locations, allowing LLMs to securely discover and authenticate vendor AI services without relying on unknown third-party servers.
  • Sif contends that DNS logs are one of the fastest and most underused forensic tools in security investigations, capable of answering 'who had this IP and when' questions that security teams spend significant time resolving through other means.
  • Yvonne argues that AI carries a high risk of becoming a technical debt generator, noting that the industry lacks the accumulated wisdom to use it intentionally because it hasn't existed long enough to develop best practices.
  • The group argues that automation solutions perform at roughly 90-95% reliability in real environments, meaning operators must identify and build exception handling for the snowflake systems that fall outside normal parameters rather than expecting full determinism.
  • Yvonne observes that early cloud adoption felt easy largely because it was a greenfield environment, not because cloud itself was inherently simple, and that the complexity has since compounded as organizations accumulated multiple cloud environments with tangled dependency maps.
  • William argues that the AI SOC concept is being sold as a black box before organizations have evaluated whether it actually solves their specific business problems and risk posture, mirroring a broader pattern of buying shiny tools before validating fit.

Topics

  • Evolution from SOAR to AI-driven automation
  • Brownfield infrastructure gap in AI/automation adoption
  • DNS as a security and operational foundation
  • AI job displacement fears versus reality
  • Multi-cloud dependency mapping complexity
  • MCP server discovery via DNSSEC
  • Customer-vendor collaboration on product development
  • Technical debt risk from AI adoption
