AgentSOC: A Multi-Layer Agentic AI Framework for Security Operations Automation
This addresses automation challenges in SOCs for large enterprises, but it appears incremental as it builds on existing agentic reasoning concepts.
The study tackled the problem of automating Security Operations Centers (SOCs) by introducing AgentSOC, a multi-layered agentic AI framework that improves triage consistency, anticipates attackers' intentions, and provides recommended containment options, with a minimal Proof-Of-Concept demonstration showing feasibility.
Security Operations Centers (SOCs) increasingly encounter difficulties in correlating heterogeneous alerts, interpreting multi-stage attack progressions, and selecting safe and effective response actions. This study introduces AgentSOC, a multi-layered agentic AI framework that enhances SOC automation by integrating perception, anticipatory reasoning, and risk-based action planning. The proposed architecture consolidates several layers of abstraction to provide a single operational loop to support normalizing alerts, enriching context, generating hypotheses, validating structural feasibility, and executing policy-compliant responses. Conceptually evaluated within a large enterprise environment, AgentSOC improves triage consistency, anticipates attackers' intentions, and provides recommended containment options that are both operationally feasible and well-balanced between security efficacy and operational impact. The results suggest that hybrid agentic reasoning has the potential to serve as a foundation for developing adaptive, safer SOC automation in large enterprises. Additionally, a minimal Proof-Of-Concept (POC) demonstration using LANL authentication data demonstrated the feasibility of the proposed architecture.