Search papers, labs, and topics across Lattice.
AgentSOC, a multi-layered agentic AI framework, was developed to address the challenges of alert correlation, attack interpretation, and response selection in Security Operations Centers (SOCs). The framework integrates perception, anticipatory reasoning, and risk-based action planning to normalize alerts, enrich context, generate hypotheses, validate feasibility, and execute policy-compliant responses. Conceptual evaluation and a proof-of-concept using LANL data suggest AgentSOC improves triage consistency, anticipates attacker intentions, and recommends balanced containment options.
Automating security operations doesn't have to be a pipe dream: AgentSOC shows how multi-agent systems can reason about attacks, anticipate attacker intentions, and recommend containment strategies that balance security efficacy with operational impact.
Security Operations Centers (SOCs) increasingly encounter difficulties in correlating heterogeneous alerts, interpreting multi-stage attack progressions, and selecting safe and effective response actions. This study introduces AgentSOC, a multi-layered agentic AI framework that enhances SOC automation by integrating perception, anticipatory reasoning, and risk-based action planning. The proposed architecture consolidates several layers of abstraction to provide a single operational loop to support normalizing alerts, enriching context, generating hypotheses, validating structural feasibility, and executing policy-compliant responses. Conceptually evaluated within a large enterprise environment, AgentSOC improves triage consistency, anticipates attackers’ intentions, and provides recommended containment options that are both operationally feasible and well-balanced between security efficacy and operational impact. The results suggest that hybrid agentic reasoning has the potential to serve as a foundation for developing adaptive, safer SOC automation in large enterprises. Additionally, a minimal Proof-Of-Concept (POC) demonstration using LANL authentication data demonstrated the feasibility of the proposed architecture.
