Why SOCs are Turning to AI Agents

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

One of the blogs that got a lot of traction last year was Blueprint for AI Agents in Cybersecurity, which I co-authored with Dylan Williams. Honestly, I think the popularity mainly boils down to curiosity, like any new tech, everyone wants to know what it really does and if it actually works. Albert Einstein once said, “I have no special talent. I am only passionately curious.” We're all passionately curious about what AI agents can actually do for cybersecurity.

If you need a quick refresher on AI agents, Dylan articulated it perfectly:

“"You may be thinking: well why use agents when I can just use LLMs such as Gemini or Claude? My favorite way to articulate the limitations of non-agentic LLMs is with Andrew Ng’s explanation: imagine if you could write an essay on your computer, but you can’t use backspace. With LLMs, you’re limited to the single prompt you send and the response you get back. Agents leverage adaptability and flexibility, allowing the model to think, iterate, and adapt without constant human intervention.”

Now, you might say, "Filip, isn’t automation already solving this?" Sure, automation helps, I’ve written plenty about handling alerts faster and smarter, but AI agents elevate automation significantly.

You might recall SOAR's promise of easy orchestration through sub-playbooks combined into one main playbook. Great concept, but often tricky to implement due to complexity. AI agents simplify this orchestration dramatically, enabling automated decision-making that adapts and evolves based on context.

If you’d prefer not to set this up yourself, numerous vendors are tackling this exact problem. 

This edition is sponsored by Prophet Security

Alert Reception and Triage with AI Agents

Before a single alert can be investigated by an Agentic AI solution, you first integrate the AI solution with your various alert generating tools and data sources. This is typically done via API integrations and ideally should be an easy process. 

When your alert-generating security tools like SIEM, EDR, Email, or cloud security tools spit out alerts, your first step should be employing an AI-driven enrichment process, let’s call it the Triage Agent. Here’s a detailed breakdown of how this AI agent helps, step by step:

Step 1: Alert Deduplication The first function of your AI Triage Agent is alert deduplication. Security monitoring tools often generate redundant alerts due to repetitive events. The agent identifies and consolidates these duplicates into single incidents. By removing unnecessary noise, analysts focus only on unique events, significantly reducing their investigative workload.

Step 2: Alert Classification by Use Case Next, your AI agent classifies alerts by affected environment, such as email (i.e. email phishing alert), endpoints, cloud instances, or identity assets. By classifying the alert automatically, the AI agent can then understand what types of questions it should answer in order to perform its initial triage. 

Step 2.1: Alert Grouping by Asset: At the same time, the AI agent will group the alert by the affected assets within a given use case (or perhaps across use cases). You might have an email phishing alert and an EDR alert that might be related as part of a single attack chain. This also allows analysts to quickly understand the scope and potential impact of security events. Another example would be if multiple alerts indicate suspicious behavior on a single server, grouping makes it clear that the asset might be targeted, prompting quicker prioritization and response.

Step 3: IOC Enrichment Indicator of Compromise (IOC) enrichment is essential for context. Your AI agent automatically consults threat intelligence platforms, both internal and external, correlating alerts against known malicious indicators. This step immediately identifies if an alert relates to known threats or potential false positives, allowing your team to swiftly assess risk.

Step 4: Machine and Account Enrichment Detailed context is crucial in cybersecurity investigations. Your AI agent collects and integrates comprehensive data about affected machines, operating system details, installed software, patch status, and historical security incidents. Similarly, account enrichment gathers information about the user or service accounts involved, such as user roles, permissions, typical behavior patterns, and recent activities. This granular context helps analysts rapidly assess whether activity is genuinely suspicious or within normal operational parameters.

So now if we have AI agents to handle all of this, imagine applying this thorough process to every single alert because you never know when you'll find that needle in the haystack. This shift means your SOC team can dedicate more time to valuable tasks like:

• SIEM Engineering: Fine-tuning detections, optimizing log sources, and enhancing visibility.

• Detection Engineering: Creating accurate rules that detect real threats instead of generating noise.

• Incident Response: Conducting in-depth investigations of real security incidents (the role typically known as Tier 3).

• Security Automation Engineering: Developing and maintaining robust automation playbooks to streamline detection and response efforts.

Speaking of detection engineering, AI Agents can also surface the noisiest alerts that are great candidates for tuning. Oftentimes, SOC Analysts and Detection Engineers lack closed loop feedback that can augment detection accuracy. Short of having Detection Engineers spend time triaging and investigating alerts themselves, AI agents can act as a great way to close that feedback loop for continuous detection optimization. 

Critical Questions Answered by AI-Driven Investigations

By performing the above enrichment processes, the AI agent will be ready to clearly answer critical investigation questions:

• Who is involved?
  Is this an administrator, service account, or regular user? Understanding who is involved helps prioritise actions based on the user's level of privilege and typical behavior.

• Where is the activity originating from?
  Is it an endpoint, a server, a cloud environment, or an Infrastructure as Code scenario? Knowing the source helps in quickly identifying affected environments and potential containment actions.

• When did it occur?
  Is this a single event or part of a broader pattern? Historical comparisons are essential to recognising anomalies and potential threats.

• What exactly was executed?
  Details on commands, communications, files accessed, or changes made are essential for immediate response and broader incident investigation.

Types of AI Agents Ideal for SOC Alert Triage

Below are four key types of LLM-based agents especially well-suited for SOC alert triage. These categories aren’t mutually exclusive. In fact, the most powerful agents often combine several of them to maximise impact.

1. Tool-Using Agents

These agents pair LLM reasoning with the ability to invoke external tools like APIs, databases, or ticketing systems. In triage, they can:

• Query threat intel platforms for IP/domain reputation

• Pull context from SIEM, EDR, or CMDB systems

• Trigger automated actions or playbooks

Think of them as smart SOC assistants that can both think and do.

2. Reasoning Agents (ReAct, Chain-of-Thought)

Reasoning agents interleave internal thinking (thoughts) with external actions (tool calls, decisions). Using strategies like ReAct (Reason + Act) or Chain-of-Thought prompting, these agents can:

• Walk through alert details step-by-step

• Identify information gaps or uncertainties

• Provide auditable, explainable reasoning for triage decisions

This reasoning transparency is key in environments where trust and verification matter.

3. Memory-Enhanced Agents

Memory-enhanced agents retain and recall previous data, such as historical alerts, past analyst decisions, or known asset behavior. In the SOC, this helps agents:

• Avoid repeating triage on known benign patterns

• Align decisions with prior analyst outcomes

• Maintain continuity across related alerts over time

Over time, these agents become more context-aware and more aligned with the SOC’s unique environment.

4. Agentic RAG (Retrieval-Augmented Generation + Autonomy)

Traditional RAG systems retrieve documents or structured knowledge to inform the LLM’s response. Agentic RAG builds on this by adding autonomy and reasoning. These agents can:

• Plan and execute multi-step retrievals

• Ask, “Do I have enough context?” before acting

• Synthesize info across threat intel, KBs, and past incidents

This makes them ideal for complex triage decisions where information lives across multiple systems or formats.

Putting It All Together

These categories aren’t silos. As organisations mature their use of agent-based triage, they may adopt multi-agent architectures, where responsibilities are distributed across specialised roles ,much like a real SOC team.

For example, imagine a suspicious login alert. A Retriever Agent pulls user activity from Okta and looks up internal policy on login behaviors. A Reasoning Agent evaluates the activity against policy and past behavior. Meanwhile, a Memory Agent recalls that the same user triggered a similar alert last week, which was marked benign. Finally, a Coordinator Agent synthesises these inputs, determines the alert is low-risk, and suppresses it ,logging the full reasoning trail for transparency.

As the field evolves, hybrid agents blending these approaches will become the norm, enabling smarter, faster, and more trustworthy triage workflows.

Potential Challenges of AI Agents

Like any tech, AI agents aren't without challenges. Key areas to watch out for include:

• Transparency, explainability, and Trust: Trust is a key factor in successfully implementing an Agentic AI solution. To that end, when an AI agent presents its findings and conclusion, teams need to understand why. Systems that escalate without clear reasoning create more work, not less. Trust requires explainability.

• Data Quality, Blind Spots, and Bias: AI agents heavily depend on the data they can access. Lack of access to relevant data, poor quality, or biased data results in flawed, incomplete, or misleading outcomes, potentially overlooking genuine threats or flagging normal behaviors as suspicious.

• Edge Cases and Configuration Complexities: Unique IT environments with rare configurations or bespoke setups might confuse AI agents, causing false positives or negatives.

There are many other considerations for deploying AI agents, such as mitigating skills erosion and maintaining human-in-the-loop. Therefore, successful AI agent deployment requires thoughtful design, careful validation, continuous feedback loops, and flexibility.

Closing Thoughts

The era of AI agents in cybersecurity, especially in SOC operations, is still young, but the potential is enormous. By addressing alert overload and analyst shortages, AI agents offer a path from reactive firefighting toward proactive security management.

Curious about how this looks in practice? Check out the Prophet Security and let's continue the conversation.