AgentSOC: A Multi-Layer Agentic AI Framework for Security Operations Automation

TL;DR

AgentSOC is a multi-layered AI framework designed to improve security operations automation by integrating perception, reasoning, and action planning, demonstrated through conceptual evaluation and a minimal proof-of-concept.

Contribution

It introduces a novel multi-layer agentic architecture for SOC automation, combining alert normalization, hypothesis generation, and risk-based response planning.

Findings

Enhanced triage consistency in SOC operations

Ability to anticipate attacker intentions

Feasibility demonstrated with LANL authentication data

Abstract

Security Operations Centers (SOCs) increasingly encounter difficulties in correlating heterogeneous alerts, interpreting multi-stage attack progressions, and selecting safe and effective response actions. This study introduces AgentSOC, a multi-layered agentic AI framework that enhances SOC automation by integrating perception, anticipatory reasoning, and risk-based action planning. The proposed architecture consolidates several layers of abstraction to provide a single operational loop to support normalizing alerts, enriching context, generating hypotheses, validating structural feasibility, and executing policy-compliant responses. Conceptually evaluated within a large enterprise environment, AgentSOC improves triage consistency, anticipates attackers' intentions, and provides recommended containment options that are both operationally feasible and well-balanced between security efficacy and operational impact. The results suggest that hybrid agentic reasoning has the potential to serve as a foundation for developing adaptive, safer SOC automation in large enterprises. Additionally, a minimal Proof-Of-Concept (POC) demonstration using LANL authentication data demonstrated the feasibility of the proposed architecture.