| # Agentic SOC: Autonomous Security Operations Center |
|
|
| Research & architecture design document for building a fully autonomous Security Operations Center powered by LLM-based reasoning agents. |
|
|
| **Start here:** [Full Research Document](./agentic-soc-research.md) |
|
|
| ## Key Highlights |
|
|
| - **Core Innovation:** Store the *model*, not the *data*. Normal logs update the baseline and are discarded. Only anomaly logs are retained. ~70% cost reduction vs traditional SIEMs. |
| - **Architecture:** 7-layer pipeline from CloudTrail ingestion β statistical baselining β multi-agent LLM triage β automated remediation |
| - **Three-Way Verdict:** Every alert ends in one of: False Positive (dismiss), True Positive + Auto-Remediate (act), True Positive + Escalate (human) |
| - **Grounded in Research:** Based on 15+ papers including CORTEX (arxiv:2510.00311), AACT (arxiv:2505.09843), CloudAnoAgent (arxiv:2508.01844) |
|
|
| ## Architecture Overview |
|
|
| ``` |
| CloudTrail Events β Feature Extraction β Baseline Accumulator (no raw storage) |
| β |
| anomaly detected |
| β |
| Multi-Agent LLM Triage |
| (Orchestrator β Behavior Analysis β |
| Evidence Gathering β Reasoning) |
| β |
| ββββββββββββββββββΌβββββββββββββββββ |
| FALSE POS AUTO-ACT ESCALATE |
| (dismiss) (remediate) (human) |
| ``` |
|
|
| ## Files |
|
|
| - `agentic-soc-research.md` β Full research document (15 sections, ~1500 lines) |
| - Covers: architecture, baseline algorithms, multi-agent pipeline, MITRE ATT&CK mappings, storage economics, implementation roadmap, code examples, and 20+ paper references |
|
|
