A financial services team recently ran one of our breach-response exercises and performed almost flawlessly. They knew exactly which host to isolate, which account to disable, which step came next. And then they stopped, because no one in the room could authorize the action without a senior sign-off that wasn't available. They had the capability, but they couldn't execute it.
That gap, between what a team has built and what it can actually do when under pressure, is the most consistent thing we see at TryHackMe. We work with more than a thousand security teams, through skills development, our SOC simulator, and tabletop exercises, and the same pattern surfaces again and again. Similar controls, comparable tooling, trained staff, documented playbooks. However, underneath the surface, a wide variance in what any of it amounts to in a real incident.
We call it the execution gap: the distance between what an organisation has built and what its people, processes, technology, and measurement can actually execute under pressure. It's the distance between owning a playbook and being able to pull the trigger on it. We see it in five specific places.
Where we see the execution gap
Across the teams we assess, the execution gap lives in the same five dimensions of a SOC's maturity and each one fails in a recognizable way:
- People and culture: trained does not equal ready. Certifications completed; capability never validated under pressure.
- Processes and procedures: documented does not equal executable. A playbook on the shelf is not the same as one a team can run mid-crisis.
- Technology: deployed does not equal effective. Tools bought and switched on, then left to drown the team in alerts.
- Testing and validation: tested does not equal improved. The exercise happens; the change doesn't.
- Measurement and continuous improvement: tracked does not equal acted on. Dashboards that look good in a board pack but drive no behaviour.
The published data bears it out. In Sygnia's 2026 survey of 600 security leaders, 99% had a formal incident response plan, but still 73% of CISOs said they could not execute it under pressure if a major attack landed tomorrow. Ninety-nine percent was documented; yet seventy-three percent not executable. That is the gap, in two numbers, and we see the same shape across defence, financial services, retail, and telecommunications. These are the same gaps across different industries.
And then there's AI
Every conference, every booth, every board pack now comes with AI attached. But not only does AI not close the execution gap, it amplifies it. It makes strong SOC teams faster and weak ones more dangerous to themselves.
The uplift is real, as highlighted in a peer-reviewed Microsoft trial in late 2025 showing its phishing-triage agent producing six-and-a-half times more true positives per analyst minute. But that only holds when the underlying playbook is right. AI on a broken process doesn't fix that process; it runs the broken process at scale: faster wrong answers, delivered with more confidence. Gartner expects around 70% of large SOCs to be piloting agentic AI by 2028, and only 15% to reach sustainable production. The other 85% will have the dashboards. They won't have a loop that actually closes.
Asking whether to invest in AI isn't needed. Everyone will. Organizations should question whether the gap is small enough that the multiplier helps. Because if the gap is wide, AI widens it.
Sooner or later , the question arrives, usually from the people an organization least wants to improvise in front of such as the auditor, the insurer, the regulator, the board: can your team execute under pressure?
Closing the gap isn't something we can prescribe from the outside because every organization knows its own environment best. But the takeaway is the frame, not the framework:
Don't measure what you've built. Measure what you can do under pressure.
Want to close execution gaps within your cyber security team? Explore TryHackMe for Business.