Definition

AI-SOC describes a Security Operations Center augmented by AI agents that triage alerts, enrich indicators of compromise, draft response actions, and escalate to humans for decisions that change state or impact users.

Why It Matters

Why AI-SOC matters

SOC teams are already running pilots on real telemetry. The work is making sure the wins — faster enrichment, better recommendations — come without giving away review and reversibility.

How It Works

How it works

An AI-SOC inserts an agent into the existing SOAR pipeline. The agent handles the repetitive middle — triage, enrichment, scoring, drafting — while a guardrail layer and approval gates keep consequential actions human-authorized and fully audited.

  • An alert enters the pipeline from SIEM or EDR.
  • The agent triages and deduplicates against open cases.
  • Indicators are extracted and enriched across TI sources.
  • The agent scores risk and drafts a recommended action.
  • A guardrail check and approval gate hold consequential steps.
  • The action and full reasoning trail are written to audit.
Architecture

Reference architecture

Security Alert → AI Triage → IOC Extraction → Enrichment → Risk Scoring → Guardrail Check → Human Approval → SOAR Action → Audit Trail.

Risks

Common risks

  • Skipping human approval on consequential actions for throughput.
  • Agent drift between revisions with no replayable eval.
  • Opaque actions that cannot be reviewed after the fact.
  • Privilege concentrated in a single agent identity.
Controls

Security controls

  • A guardrail layer in front of the agent's tools
  • Approval gates on every state-changing action
  • Replayable, versioned eval suites
  • Audit keyed to identity, revision, and case
Examples

AI-SOC workflow examples

Alert triage

The agent classifies and dedupes incoming alerts before a human sees the queue, cutting noise.

IOC extraction & enrichment

Indicators are pulled from the alert and enriched into one normalized artifact per case.

Risk scoring

A calibrated score and rationale are attached so the analyst can prioritize quickly.

Drafted response

The agent proposes a SOAR action with blast-radius context — but never executes it unapproved.

Human approval

Consequential steps surface to an analyst with exactly enough context to authorize in seconds.

Post-incident summary

A structured case summary is written back to the SIEM and ticketing systems for the record.

Pitfalls

Mistakes to avoid

  • Letting the agent execute containment to look autonomous.
  • Shipping agent changes without a replayable eval suite.
  • Treating the agent as a black box with no audit.
  • Concentrating all tool privilege in one identity.
Related Projects

Related projects

Related Research

Related research

Related Services

Related services

FAQ

Frequently asked questions.

What is AI-SOC?
AI-SOC describes a Security Operations Center augmented by AI agents that triage alerts, enrich indicators of compromise, draft response actions, and escalate to humans for decisions that change state or impact users.
How does AI-SOC relate to SOAR?
AI-SOC is a model for how the SOC works; SOAR is the orchestration substrate it runs on. The agent operates inside the SOAR pipeline rather than around it.
What is the first move toward AI-SOC?
Run an agent in read-only triage mode with a scoped tool surface and a replayable eval. Add state-changing tools one at a time, behind approval.
Is the goal a fully autonomous SOC?
No. The aim is measured assistance with humans in the loop on consequential actions — not an autonomous SOC replacement.
Next step

Stand up an AI-SOC that stays reviewable.

Explore the lab and guardrails behind the work, or get in touch to compare notes.