Agentic AI in SOCs: A Solution to SOAR’s Unfulfilled Promises


Security Orchestration, Automation, and Response (SOAR) was introduced with the promise of revolutionizing Security Operations Centers (SOCs) through automation, reducing manual workloads and enhancing efficiency. However, despite three generations of technology and 10 years of advancements, SOAR hasn’t fully delivered on its potential, leaving SOCs still grappling with many of the same challenges. Enter Agentic AI—a new approach that could finally fulfill the SOC’s long-awaited vision, providing a more dynamic and adaptive solution to automate SOC operations effectively.

SOAR emerged in the mid-2010s with companies like PhantomCyber, Demisto, and Swimlane, promising to automate SOC tasks, improve productivity, and shorten response times. Despite these ambitions, SOAR found its greatest success in automating generalized tasks like threat intel propagation, rather than core threat detection, investigation, and response (TDIR) workloads.

The evolution of SOAR can be broken down into three generations:

Despite these advancements, SOAR’s core promise of SOC automation remains unfulfilled for reasons we will discuss shortly. Instead, each generation has primarily improved operational ease and reduced the engineering burden of SOAR rather than addressing the fundamental challenges of SOC automation.

When seeking to answer the question of “why SOAR hasn’t tackled SOC automation”, it can be helpful to remember that SOC work is made up of a multitude of activities and tasks which are different across every SOC. Generally though, SOC automation tasks involved in alert handling fall into two categories:

SOAR effectively performs “doing” tasks but struggles with the “thinking” tasks. Here’s why:

It is by automating “thinking tasks” that more of the overall SOC workflow can be automated.

The triage and investigation phases of security operations are filled with thinking tasks that occur before response efforts can even begin. These thinking tasks resist automation, forcing reliance on manual, slow, and non-scalable processes. This manual bottleneck is reliant on human analysts and prevents SOC automation from:

To achieve the original SOC automation promise of SOAR—improving SOC speed, scale, and productivity—we must focus on automating the thinking tasks in the triage and investigation phases. Successfully automating investigation would also simplify security engineering, as playbooks could concentrate on corrective actions rather than handling triage. It also provides the possibility for a fully autonomous alert-handling pipeline, which would drastically reduce mean time to respond (MTTR).

The key question is: how do we effectively automate triage and investigation?

In recent years, large language models (LLMs) and generative AI have transformed various fields, including cybersecurity. AI excels at performing “thinking tasks” in the SOC, such as interpreting alerts, conducting research, synthesizing data from multiple sources, and drawing conclusions. It can also be trained on security knowledge bases like MITRE ATT&CK, investigation techniques, and company behavior patterns, replicating the expertise of human analysts.

Recently, there has been tremendous confusion around AI in the SOC, largely due to early marketing claims from the 2010s, well before modern AI techniques like LLMs existed. This was further compounded by the 2023 industry-wide mad dash to bolt an LLM-based chatbot onto existing security products.

To clarify, there are at least 3 types of solutions being marketed as “AI for the SOC”. Here’s a comparison of different AI implementations:

Now that we have clear definitions of several common implementations of AI in the SOC, it is worth noting that a given solution may include several, or even all, of these categories of technology. For example, Agentic AI solutions often include a chatbot for threat hunting and data exploration purposes, as well as analytic models for use in analysis and decision making.

Agentic AI revolutionizes SOC automation by handling the triage and investigation processes before alerts even reach human analysts. When a security alert is generated by a detection product, it is first sent to the AI rather than directly to the SOC. The AI then emulates the investigative techniques, workflows, and decision-making processes of a human SOC analyst to fully automate triage and investigation. Once completed, the AI delivers the results to human analysts for review, allowing them to focus on strategic decisions rather than operational tasks.

The process begins with the AI interpreting the meaning of the alert using a Large Language Model (LLM). It converts the alert into a series of security hypotheses, outlining what could potentially be happening. To enrich its analysis, the AI pulls in data from external sources, such as threat intelligence feeds and behavioral context from analytic models, adding valuable context to the alert. Based on this information, the AI dynamically selects specific tests to validate or invalidate each hypothesis. Once these tests are completed, the AI evaluates the results to either reach a verdict on the alert’s maliciousness or repeat the process with newly gathered data until a clear conclusion is reached.
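The hypothesize, test, evaluate loop described above, as an added sketch that is not from the article or any vendor's product: a fixed rule stands in for the LLM step, and the alert fields, intel set, baseline, check names, round budget and score threshold are all constructed assumptions.

```python
# Constructed sample data (not from the article): threat-intel IPs and a login baseline.
THREAT_INTEL_IPS = {"203.0.113.50"}
BASELINE = {"alice": {"countries": {"US"}, "devices": {"laptop-17"}}}

def hypotheses_for(alert):
    """Deterministic stand-in for the LLM step that turns an alert into hypotheses."""
    if alert["type"] == "suspicious_login":
        return ["credential_theft", "user_travel"]
    return []

# Each check returns +1 (supports malicious), -1 (supports benign) or 0 (no signal).
def check_ip_reputation(alert):
    return 1 if alert["src_ip"] in THREAT_INTEL_IPS else 0

def check_known_device(alert):
    known = BASELINE.get(alert["user"], {}).get("devices", set())
    return -1 if alert["device"] in known else 1

def check_geo_baseline(alert):
    usual = BASELINE.get(alert["user"], {}).get("countries", set())
    return -1 if alert["country"] in usual else 1

# Hypothetical mapping of hypothesis -> checks that can confirm or refute it.
TESTS = {
    "credential_theft": [check_ip_reputation, check_known_device],
    "user_travel": [check_geo_baseline, check_known_device],
}

def triage(alert, max_rounds=3, threshold=2):
    """Test one hypothesis per round until the evidence is conclusive or rounds run out."""
    evidence, pending, rounds = {}, hypotheses_for(alert), 0
    while pending and rounds < max_rounds:
        rounds += 1
        for check in TESTS[pending.pop(0)]:
            evidence.setdefault(check.__name__, check(alert))  # count each check once
        score = sum(evidence.values())
        if abs(score) >= threshold:
            verdict = "malicious" if score > 0 else "benign"
            return {"verdict": verdict, "rounds": rounds, "evidence": evidence}
    # No clear conclusion within the budget: hand to a human rather than guess.
    return {"verdict": "inconclusive", "rounds": rounds, "evidence": evidence}

# Constructed alerts covering the three outcomes.
STOLEN = {"type": "suspicious_login", "user": "alice", "src_ip": "203.0.113.50",
          "country": "RO", "device": "unknown-pc"}
ROUTINE = {"type": "suspicious_login", "user": "alice", "src_ip": "198.51.100.7",
           "country": "US", "device": "laptop-17"}
TRAVEL = dict(ROUTINE, country="FR")

if __name__ == "__main__":
    for name, alert in [("STOLEN", STOLEN), ("ROUTINE", ROUTINE), ("TRAVEL", TRAVEL)]:
        print(name, triage(alert))
```

The round budget and the explicit "inconclusive" outcome are the parts worth copying: an investigation that cannot reach the threshold is escalated with its evidence attached instead of being forced into a verdict.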

After completing the investigation, the AI synthesizes the findings into a detailed, human-readable report. This report includes a verdict on the alert’s maliciousness, a summary of the incident, its scope, a root cause analysis, and an action plan with prescriptive guidance for containment and remediation. This comprehensive report provides human analysts with everything they need to quickly understand and review the incident, significantly reducing the time and effort required for manual investigation.

Agentic AI also offers advanced automation capabilities through API integrations with security tools, enabling it to perform response actions automatically. After a human analyst reviews the incident report, automation can resume in either a semi-automated mode—where the analyst clicks a button to initiate response workflows—or a fully automated mode, where no human intervention is needed. This flexibility allows organizations to balance human oversight with automation, maximizing both efficiency and security.

A common question in the security industry is, “Is AI ready?” or “How can we trust its accuracy?” Here are key reasons why the agentic AI approach can be trusted:

In short, agentic AI offers a more thorough, accurate, and transparent approach to SOC automation, providing security teams with a high level of confidence in its capabilities.

By adopting an agentic AI approach, SOCs can realize significant benefits that enhance both operational efficiency and team morale. Here are four key advantages of this technology:

These benefits not only streamline SOC operations but also help teams work more effectively, improving both the detection of threats and the overall job satisfaction of security analysts.

Radiant Security is the first and leading provider of AI SOC analysts, leveraging generative AI to emulate the expertise and decision-making processes of top-tier security professionals. With Radiant, alerts are analyzed by AI before reaching the SOC. Each alert undergoes multiple dynamic tests to determine maliciousness, delivering decision-ready results in just three minutes. These results include a detailed incident summary, root cause analysis, and a response plan. Analysts can respond manually, with step-by-step AI-generated instructions, use single-click responses via API integrations, or choose fully automated responses.

Book a demo with Radiant to learn more about how an AI SOC analyst can turbocharge your SOC.
