Autonomous Security Operations Centers (SOC): AI Agents for Threat Triage, Response, and Orchestration

Authors

  • Anitha Mareedu, Electrical Engineering, Texas A&M University - Kingsville, 700 University Blvd, Kingsville

DOI:

https://doi.org/10.63282/3050-922X.IJERET-V6I2P108

Keywords:

Autonomous SOC, threat detection, incident response, SOAR, SIEM, EDR, machine learning, reinforcement learning, MITRE ATT&CK, orchestration, ethical AI

Abstract

The escalating complexity and volume of cyber threats have exposed significant limitations in traditional Security Operations Centers (SOCs), particularly in terms of human scalability, response speed, and operational consistency. In response, the cybersecurity industry is increasingly incorporating artificial intelligence (AI) agents into SOC workflows to automate alert triage, incident response, and orchestration across diverse platforms. This review traces the technological evolution of AI-powered SOCs, emphasizing key capabilities such as machine learning-driven detection, autonomous response via Security Orchestration, Automation, and Response (SOAR) systems, and integration across SIEM, EDR, and NDR tools. It analyzes agent-based architectures, including modular AI agents, large language model (LLM) assistants, and reinforcement learning systems, highlighting their practical benefits and deployment challenges. Case studies from leading vendors such as IBM, Microsoft, and Palo Alto Networks demonstrate real-world applications that enhance response efficiency, reduce analyst fatigue, and promote policy standardization. The review also addresses critical issues of explainability, adversarial robustness, and regulatory compliance, framing the roadmap toward fully autonomous Level 5 SOCs. The article concludes that while current implementations exhibit early-stage autonomy, widespread adoption will depend on advances in interpretability, human-in-the-loop integration, and responsible AI governance.

Published

2025-05-17

How to Cite

Mareedu A. Autonomous Security Operations Centers (SOC): AI Agents for Threat Triage, Response, and Orchestration. IJERET [Internet]. 2025 May 17 [cited 2025 Sep. 13];6(2):63-70. Available from: https://ijeret.org/index.php/ijeret/article/view/170