Add README

README.md

@@ -0,0 +1,33 @@
+# Agentic SOC: Autonomous Security Operations Center
+
+Research & architecture design document for building a fully autonomous Security Operations Center powered by LLM-based reasoning agents.
+
+**Start here:** [Full Research Document](./agentic-soc-research.md)
+
+## Key Highlights
+
+- **Core Innovation:** Store the *model*, not the *data*. Normal logs update the baseline and are discarded. Only anomaly logs are retained. ~70% cost reduction vs traditional SIEMs.
+- **Architecture:** 7-layer pipeline from CloudTrail ingestion → statistical baselining → multi-agent LLM triage → automated remediation
+- **Three-Way Verdict:** Every alert ends in one of: False Positive (dismiss), True Positive + Auto-Remediate (act), True Positive + Escalate (human)
+- **Grounded in Research:** Based on 15+ papers including CORTEX (arxiv:2510.00311), AACT (arxiv:2505.09843), CloudAnoAgent (arxiv:2508.01844)
+
+## Architecture Overview
+
+```
+CloudTrail Events → Feature Extraction → Baseline Accumulator (no raw storage)
+                                              │
+                                         anomaly detected
+                                              │
+                                    Multi-Agent LLM Triage
+                                    (Orchestrator → Behavior Analysis →
+                                     Evidence Gathering → Reasoning)
+                                              │
+                              ┌────────────────┼────────────────┐
+                         FALSE POS         AUTO-ACT          ESCALATE
+                         (dismiss)       (remediate)         (human)
+```
+
+## Files
+
+- `agentic-soc-research.md` — Full research document (15 sections, ~1500 lines)
+- Covers: architecture, baseline algorithms, multi-agent pipeline, MITRE ATT&CK mappings, storage economics, implementation roadmap, code examples, and 20+ paper references