Agentic AI for SOC
High level design for an agentic AI solution which can support security alert triage.
SOC analysts often operate across multiple security tools and platforms and, in the case of MSSP SOCs, across multiple diverse customer environments. In addition, alert volumes can spike rapidly, leading to a decrease in the quality of triage investigations. Agentic AI architectures address this issue through specialized, autonomous agents that collaborate to enhance human analyst workflows. Each agent connects to security tools via APIs and leverages LLMs through services such as AWS Bedrock and Anthropic, enabling consistent, context-aware, high-quality analysis in minutes. The AI agents act as a central orchestration engine that enables:
Direct analysis of insights provided by security tools including SIEMs and EDRs
Correlation against LLMs & custom data sources (operational documentation)
Execution of advanced triage activities including log data queries & threat hunts
Presentation of triage steps and findings
Four-Layer Agent Architecture
Ingestion Layer: Ingestion agents receive alerts from SIEM platforms, EDR tools, and threat intelligence feeds, immediately assessing available contextual data and identifying information gaps. They determine additional data requirements from cloud APIs, log sources, or asset management systems, then create investigation plans passed to the next layer.
Investigation Layer: Investigation agents execute detailed analysis, running complex queries across multiple data sources simultaneously. They correlate network traffic patterns, analyze malware behavior, and cross-reference indicators against threat intelligence platforms. Multiple agents pursue concurrent analytical threads, contributing findings to shared investigation context.
Analysis Layer: A specialized analysis agent reviews all investigation findings, re-examining the original alert alongside gathered evidence to ensure conclusions are well-supported. When gaps or inconsistencies are identified, it directs additional investigation with specific guidance, creating a feedback loop for thorough assessment. If additional context is required at this stage, the agents can respond by repeating or taking extra steps through the Investigation Layer.
Presentation Layer: Presentation agents transform technical results into actionable intelligence for different audiences, for example detailed technical findings that help SOC analysts accelerate their investigation. The agents maintain full audit trails of investigation steps and reasoning paths for compliance and validation. The investigation concludes with a proposed most-likely hypothesis for the cause of the alert, together with a less-likely secondary hypothesis.
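Added example (not code from the page or from Prediciv): a minimal Python orchestrator for the four layers above, with constructed dictionaries standing in for the asset, EDR and threat-intel APIs and a bounded analysis-to-investigation feedback loop. All sample data, function names and the hypothesis rules in present() are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample responses standing in for asset, EDR and threat-intel APIs.
ASSET_DB = {"host-17": {"owner": "finance", "criticality": "high"}}
EDR_LOG = {"host-17": ["powershell.exe -enc SQBFAFgA", "outbound tcp 203.0.113.9:443"]}
THREAT_INTEL = {"203.0.113.9": "known-c2"}  # TEST-NET-3 address, constructed
SOURCES = {"asset": ASSET_DB, "edr": EDR_LOG, "intel": THREAT_INTEL}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

@dataclass
class Investigation:
    alert: dict
    context: dict = field(default_factory=dict)  # {source: {query_key: result}}, shared
    audit: list = field(default_factory=list)    # ordered trail of steps and reasoning
def edr_lines(inv):
    return [l for lines in inv.context.get("edr", {}).values() for l in lines or []]
def ingest(inv):
    """Ingestion layer: the alert names only a host, so plan the enrichment lookups."""
    plan = [("asset", inv.alert["host"]), ("edr", inv.alert["host"])]
    inv.audit.append(f"ingest: plan={plan}")
    return plan
def investigate(inv, plan):
    """Investigation layer: run each planned query, merge the result into shared context."""
    for src, key in plan:
        inv.context.setdefault(src, {})[key] = SOURCES[src].get(key)
        inv.audit.append(f"investigate: {src}[{key}] -> {inv.context[src][key]!r}")
def analyze(inv):
    """Analysis layer: re-examine the evidence; return follow-up queries for the loop."""
    ips = {ip for line in edr_lines(inv) for ip in IP_RE.findall(line)}
    followups = [] if "intel" in inv.context else [("intel", ip) for ip in sorted(ips)]
    inv.audit.append(f"analyze: followups={followups}")
    return followups
def present(inv):
    """Presentation layer: ranked hypotheses for the analyst plus the full audit trail."""
    c2 = "known-c2" in inv.context.get("intel", {}).values()
    enc = any("-enc" in line for line in edr_lines(inv))
    hyp = (["encoded PowerShell beaconing to known C2", "benign admin tooling"]
           if enc and c2 else ["benign admin tooling", "early-stage intrusion"])
    asset = inv.context.get("asset", {}).get(inv.alert["host"]) or {}
    return {"primary": hyp[0], "secondary": hyp[1],
            "criticality": asset.get("criticality"), "audit": inv.audit}
def triage(alert, max_rounds=3):
    """Orchestrator: ingest once, then loop investigate -> analyze until no gaps remain."""
    inv = Investigation(alert)
    plan, rounds = ingest(inv), 0
    while plan and rounds < max_rounds:  # bounded feedback loop between the layers
        investigate(inv, plan)
        plan, rounds = analyze(inv), rounds + 1
    return present(inv)
```

Running triage({"host": "host-17", "rule": "suspicious powershell"}) takes two investigation rounds: the EDR result surfaces an IP, the analysis agent sends it back for a threat-intel lookup, and the audit list records every step.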
Implementation Summary
The agents will depend on robust API integrations with existing security infrastructure and tools, including SIEM and EDR platforms. The architecture will need to support both real-time API calls and batch processing, depending on investigation requirements. LLM integrations with platforms such as Anthropic and AWS Bedrock are necessary to provide the broad body of knowledge against which tool insights are correlated. This agentic approach represents a significant opportunity to evolve beyond traditional SOC workflows.
Overview
The agentic AI platform will form an intelligent nucleus between existing tech stacks and the immense processing power of LLMs.
We are building this solution at Prediciv.