Agentic AI in the SOC
AuroraSOC shifts the SOC from rule-based automation to agentic AI. Instead of writing static rules that fire alerts for a human to triage, AI agents reason about events, query tools autonomously, and only escalate when a critical decision needs a human.
Traditional SOC vs. Agentic SOC
Key differences:
| Aspect | Traditional | Agentic AI |
|---|---|---|
| Analysis | Human reads alerts one by one | AI triages all alerts, prioritises |
| Context | Analyst manually correlates data | Agent queries multiple sources autonomously |
| Decision | Human determines every action | Agent decides, human approves critical actions |
| Speed | Minutes to hours per alert | Seconds per alert |
| Scalability | Limited by analyst count | Handles thousands of concurrent alerts |
| Consistency | Varies by analyst skill and fatigue | Consistent methodology every time |
| Learning | Institutional knowledge in runbooks | Episodic memory from past investigations |
What makes an agent "agentic"
1. Autonomy
The Security Analyst agent does not just describe what it sees. When given an alert, it actively queries the SIEM for related events, extracts and enriches IOCs, maps them to MITRE ATT&CK techniques, and recommends response actions.
2. Tool use
Agents interact with the real world through MCP tools.
This is not theoretical: the console's AI Chat reasons over a real LLM backend and answers operator questions with structured analysis and MITRE mapping.
In a live end-to-end run, an analyst dispatched a Suricata C2-beacon alert to the fleet. The orchestrator queried the SIEM, enriched the attacker IP through OSINT and Shodan tools, identified it as a Tor exit node, mapped the MITRE techniques, and opened a case, all on its own. That run is shown on the Investigation persistence page.
3. Memory
Agents remember past investigations through a three-tier memory system:
- Tier 1 (Sliding Window): Recent conversation history. Fast, ephemeral.
- Tier 2 (Episodic Memory): Past cases stored in PostgreSQL via pgvector embeddings. Semantic recall.
- Tier 3 (Threat Intelligence): IOC knowledge base backed by PostgreSQL, pgvector similarity search, and Redis caching.
An agent can surface past context like: "This pattern is similar to the APT29 campaign we investigated three weeks ago."
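As an added example (not AuroraSOC's own code), the three tiers modelled with local stand-ins so it runs offline: a bounded deque for the sliding window, feature-hashed bag-of-words vectors with cosine similarity in place of pgvector embeddings, and a TTL-keyed dict in place of Redis. The case summaries, the query and the IOC record are constructed; `surface_context` is a hypothetical helper that assembles the "similar to a past case" line the text describes.

```python
"""Three-tier agent memory, illustrated with in-process stand-ins.
Tier 1 = deque, Tier 2 = embeddings + cosine recall, Tier 3 = IOC store behind a TTL cache.
Constructed example; not AuroraSOC code."""
import hashlib
import math
import re
import time
from collections import deque
from typing import Callable

DIM = 256  # width of the hashed bag-of-words vector (stand-in for a real embedding)


def embed(text: str) -> list[float]:
    """Feature-hashed bag-of-words, L2-normalised. Stands in for the embedding
    model whose vectors pgvector would store; enough to demonstrate semantic recall."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        vec[int(hashlib.sha256(tok.encode()).hexdigest(), 16) % DIM] += 1.0
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def cosine(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))  # inputs are already unit vectors


class SlidingWindow:
    """Tier 1: the last N conversation turns; fast and ephemeral."""
    def __init__(self, size: int = 4):
        self.turns: deque = deque(maxlen=size)  # oldest turn is evicted automatically

    def add(self, role: str, text: str) -> None:
        self.turns.append((role, text))

    def context(self) -> list[tuple[str, str]]:
        return list(self.turns)


class EpisodicMemory:
    """Tier 2: past cases stored with an embedding; recall is nearest-neighbour
    by cosine similarity, the query pgvector would answer."""
    def __init__(self):
        self.cases: list[tuple[str, str, list[float]]] = []

    def store(self, case_id: str, summary: str) -> None:
        self.cases.append((case_id, summary, embed(summary)))

    def recall(self, query: str, k: int = 1, min_sim: float = 0.2) -> list[tuple[str, str, float]]:
        q = embed(query)
        ranked = sorted(((cosine(q, v), cid, s) for cid, s, v in self.cases), reverse=True)
        return [(cid, s, round(sim, 3)) for sim, cid, s in ranked[:k] if sim >= min_sim]


class ThreatIntelCache:
    """Tier 3: IOC knowledge base (backend callable) fronted by a TTL cache (the Redis role).
    The clock is injectable so expiry can be tested without sleeping."""
    def __init__(self, backend: Callable[[str], dict], ttl: float = 300.0, clock=time.monotonic):
        self.backend, self.ttl, self.clock = backend, ttl, clock
        self.cache: dict[str, tuple[float, dict]] = {}
        self.backend_calls = 0

    def lookup(self, ioc: str) -> tuple[dict, bool]:
        now = self.clock()
        hit = self.cache.get(ioc)
        if hit and hit[0] > now:
            return hit[1], True           # served from cache, backend untouched
        self.backend_calls += 1
        record = self.backend(ioc)
        self.cache[ioc] = (now + self.ttl, record)
        return record, False


def surface_context(window: SlidingWindow, episodic: EpisodicMemory,
                    intel: ThreatIntelCache, alert_text: str, ioc: str) -> str:
    """Hypothetical helper: pull all three tiers together for the agent's prompt."""
    lines = [f"{role}: {text}" for role, text in window.context()]
    past = episodic.recall(alert_text)
    if past:
        cid, summary, sim = past[0]
        lines.append(f"This pattern is similar to {cid} (similarity {sim}): {summary}")
    record, _ = intel.lookup(ioc)
    lines.append(f"IOC {ioc}: {record}")
    return "\n".join(lines)
```

Note the `min_sim` floor on recall: without it the agent would always be handed its "most similar" past case even when nothing relevant exists, which is how stale context leaks into a fresh investigation.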
4. Collaboration
Agents work together through the A2A (Agent-to-Agent) protocol. The Orchestrator decomposes complex tasks and delegates to specialists. Specialists can request help from other agents via handoff tools. Results are aggregated into comprehensive reports.
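The following is an added example, not AuroraSOC's code, BeeAI's API or the A2A protocol's message format. It models the behaviour sections 1, 2 and 4 describe end to end: an orchestrator decomposes an alert into sub-tasks, specialists call tools (plain functions standing in for MCP tools), the enrichment specialist hands a public IP off to a threat-intel specialist, results are aggregated into one report, and only critical actions are held for human approval. The alert, SIEM rows, intel table, ATT&CK mapping, tool names and agent names are all constructed.

```python
"""Orchestrator + specialist agents with hand-offs, tool calls and an approval gate.
Constructed illustration; every data value and name here is invented."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# --- constructed data standing in for the SIEM and intel backends -------------
ALERT = {  # loosely shaped like a Suricata EVE alert; values are invented
    "signature": "ET MALWARE Observed Beacon Traffic",
    "category": "Malware Command and Control Activity Detected",
    "src_ip": "10.0.0.23", "dest_ip": "203.0.113.45", "dest_port": 443,
}
SIEM_ROWS = [
    {"ts": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.23", "dest_ip": "203.0.113.45", "bytes": 512},
    {"ts": "2024-01-01T10:01:00Z", "src_ip": "10.0.0.23", "dest_ip": "203.0.113.45", "bytes": 517},
    {"ts": "2024-01-01T10:02:00Z", "src_ip": "10.0.0.23", "dest_ip": "203.0.113.45", "bytes": 509},
    {"ts": "2024-01-01T10:05:00Z", "src_ip": "10.0.0.9",  "dest_ip": "198.51.100.7",  "bytes": 9000},
]
INTEL = {"203.0.113.45": {"tags": ["tor-exit"], "asn": "AS64496"}}   # constructed record
CATEGORY_TO_ATTACK = {"Malware Command and Control Activity Detected": ["T1071.001", "T1090.003"]}
CRITICAL_ACTIONS = {"isolate_host", "block_ip"}   # never executed without a human
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# --- tools: plain functions standing in for MCP tools -------------------------
TOOLS: dict[str, Callable] = {
    "siem_search": lambda ip: [r for r in SIEM_ROWS if ip in (r["src_ip"], r["dest_ip"])],
    "osint_lookup": lambda ip: INTEL.get(ip, {}),
    "attack_map": lambda category: CATEGORY_TO_ATTACK.get(category, []),
}


@dataclass
class Report:
    findings: list[str] = field(default_factory=list)
    techniques: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)
    needs_approval: list[str] = field(default_factory=list)
    trajectory: list[str] = field(default_factory=list)   # who called what, for audit


AGENTS: dict[str, Callable] = {}


def agent(name: str):
    """Register a specialist under the name other agents use to hand off to it."""
    def register(fn):
        AGENTS[name] = fn
        return fn
    return register


def handoff(to: str, report: Report, **task) -> None:
    report.trajectory.append(f"handoff -> {to}")
    AGENTS[to](report, **task)


@agent("siem")
def siem_agent(report: Report, ip: str) -> None:
    rows = TOOLS["siem_search"](ip)
    report.trajectory.append(f"siem: siem_search({ip}) -> {len(rows)} rows")
    sizes = [r["bytes"] for r in rows]
    # near-constant payload size across repeated flows is the beaconing heuristic
    if len(rows) >= 3 and max(sizes) - min(sizes) < 32:
        report.findings.append(f"{len(rows)} near-identical flows to {ip}: beaconing pattern")
        report.actions.append("isolate_host")


@agent("enrichment")
def enrichment_agent(report: Report, ip: str) -> None:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):   # RFC 1918: nothing to look up externally
        report.findings.append(f"{ip} is an internal address; skipping external enrichment")
        return
    handoff("threat_intel", report, ip=ip)          # one specialist asks another for help


@agent("threat_intel")
def threat_intel_agent(report: Report, ip: str) -> None:
    intel = TOOLS["osint_lookup"](ip)
    report.trajectory.append(f"threat_intel: osint_lookup({ip})")
    if "tor-exit" in intel.get("tags", []):
        report.findings.append(f"{ip} is a Tor exit node ({intel['asn']})")
        report.actions.append("block_ip")
    else:
        report.findings.append(f"{ip}: no intel hit")


@agent("attack")
def attack_agent(report: Report, category: str) -> None:
    report.techniques = TOOLS["attack_map"](category)
    report.trajectory.append(f"attack: attack_map({category!r}) -> {report.techniques}")


def orchestrate(alert: dict) -> Report:
    """Decompose the alert into sub-tasks, delegate each to a specialist, aggregate."""
    report = Report()
    subtasks = [
        ("siem", {"ip": alert["dest_ip"]}),
        ("enrichment", {"ip": alert["dest_ip"]}),
        ("attack", {"category": alert["category"]}),
    ]
    for name, task in subtasks:
        report.trajectory.append(f"orchestrator -> {name}")
        AGENTS[name](report, **task)
    report.actions = sorted(set(report.actions))
    # the agent decides; a human approves anything critical before it runs
    report.needs_approval = [a for a in report.actions if a in CRITICAL_ACTIONS]
    return report


if __name__ == "__main__":
    r = orchestrate(ALERT)
    print("\n".join(r.findings), r.techniques, r.needs_approval, sep="\n")
```

The `trajectory` list is the piece a SOC lead will want when reviewing what an autonomous run did: every delegation, tool call and hand-off is recorded in order, so the report can be audited the same way an analyst's notes would be, and the approval gate keeps host isolation and IP blocking out of the autonomous path.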
The BeeAI framework
AuroraSOC is built on IBM's BeeAI framework, which provides:
- RequirementAgent type with tool access and structured output
- Standardised tool abstraction for agent-tool interaction
- Pluggable memory backends
- Middleware for global trajectory tracking
- AgentWorkflow for multi-step pipelines
LLM independence
AuroraSOC supports multiple backends for runtime inference. The agent behaviour and capabilities remain the same across backends. See the LLM providers runbook for configuration details.