Agentic SOC: Autonomous Security Operations Center
Research & architecture design document for building a fully autonomous Security Operations Center powered by LLM-based reasoning agents.
Start here: Full Research Document
Key Highlights
- Core Innovation: Store the model, not the data. Normal logs update the baseline and are discarded. Only anomaly logs are retained. ~70% cost reduction vs traditional SIEMs.
- Architecture: 7-layer pipeline from CloudTrail ingestion β statistical baselining β multi-agent LLM triage β automated remediation
- Three-Way Verdict: Every alert ends in one of: False Positive (dismiss), True Positive + Auto-Remediate (act), True Positive + Escalate (human)
- Grounded in Research: Based on 15+ papers including CORTEX (arxiv:2510.00311), AACT (arxiv:2505.09843), CloudAnoAgent (arxiv:2508.01844)
Architecture Overview
CloudTrail Events β Feature Extraction β Baseline Accumulator (no raw storage)
β
anomaly detected
β
Multi-Agent LLM Triage
(Orchestrator β Behavior Analysis β
Evidence Gathering β Reasoning)
β
ββββββββββββββββββΌβββββββββββββββββ
FALSE POS AUTO-ACT ESCALATE
(dismiss) (remediate) (human)
Files
agentic-soc-research.mdβ Full research document (15 sections, ~1500 lines)- Covers: architecture, baseline algorithms, multi-agent pipeline, MITRE ATT&CK mappings, storage economics, implementation roadmap, code examples, and 20+ paper references