AgentSOC: A Multi-Layer Agentic AI Framework for Security Operations Automation

arXiv cs.CL / 4/23/2026

💬 OpinionDeveloper Stack & InfrastructureIdeas & Deep AnalysisModels & Research

共有:

Key Points

The paper proposes AgentSOC, a multi-layer “agentic” AI framework aimed at automating Security Operations Center (SOC) workflows that struggle with alert correlation and interpreting multi-stage attacks.
AgentSOC uses a single operational loop that normalizes heterogeneous alerts, enriches context, generates and validates hypotheses, and plans risk-based actions that comply with security policies.
The framework is designed to include perception, anticipatory reasoning, and feasibility checks to ensure recommended containment steps are practical as well as effective.
Conceptual evaluation in a large enterprise setting indicates improvements in triage consistency and more accurate anticipation of attacker intentions, with containment options balanced for both security impact and operational burden.
A minimal proof-of-concept using LANL authentication data further demonstrates the feasibility of the proposed architecture.

Abstract

Security Operations Centers (SOCs) increasingly encounter difficulties in correlating heterogeneous alerts, interpreting multi-stage attack progressions, and selecting safe and effective response actions. This study introduces AgentSOC, a multi-layered agentic AI framework that enhances SOC automation by integrating perception, anticipatory reasoning, and risk-based action planning. The proposed architecture consolidates several layers of abstraction to provide a single operational loop to support normalizing alerts, enriching context, generating hypotheses, validating structural feasibility, and executing policy-compliant responses. Conceptually evaluated within a large enterprise environment, AgentSOC improves triage consistency, anticipates attackers' intentions, and provides recommended containment options that are both operationally feasible and well-balanced between security efficacy and operational impact. The results suggest that hybrid agentic reasoning has the potential to serve as a foundation for developing adaptive, safer SOC automation in large enterprises. Additionally, a minimal Proof-Of-Concept (POC) demonstration using LANL authentication data demonstrated the feasibility of the proposed architecture.