Building an Agentic SOC
Cybersec Café #94 - 07/13/26
Every conference talk lately opens the same way - “AI is going to transform your Security Operations.”
Then somebody puts up a slide with an org chart and half the analyst boxes are grayed out.
I think that’s the wrong conversation to be having.
The Agentic SOC isn’t about replacing analysts, it’s about removing the work that analysts never should’ve been doing in the first place and abstracting that manpower to a higher level of thinking.
A modern SOC is made up of two very different types of work.
First, there’s the repetitive, deterministic work. The tasks that follow the same playbook every time - collecting context, enriching alerts, updating tickets, building timelines, writing reports.
And judgement-heavy investigative work. The moments where you need experience, intuition, and an understanding of your environment to make the right call.
Those two categories shouldn’t be treated the same.
Agents excel at repetitive execution.
And humans who are experts in their field excel at judgment.
The mistake many teams make are making is asking AI to replace the analyst, instead of asking it to remove the analyst’s busywork.
If you draw the line just right, you’ll unlock your team’s effectiveness.
So if I were building an Agentic SOC from scratch today, these are the first six places I’d start.
- Today’s Sponsor -
Defend the Org is designed from the ground up to learn and upskill in cybersecurity.
You’ll find yourself engineering detections, triaging alerts, leading incidents, running threat hunts, designing secure systems, and more in carefully curated labs - custom engineered by professional blue teamers.
Whether you’re pivoting into cybersecurity, landing your first role, or grinding for that promotion - DTO will help you get there.
Alert Triage
If I had to pick one place to introduce agents into a SOC, it would be alert triage.
The return on investment is simply too high to ignore when factoring in time saved that can be spent elsewhere.
Think about what happens between the moment an alert fires and the moment an analyst makes a decision.
Ninety percent of it is context gathering:
What asset is this?
Who owns it?
What alerts have fired against it before?
Is this user’s behavior consistent with their team?
Have we seen this indicator anywhere else?
None of those questions require deep security intuition. It’s manual collection and deterministic for a majority of use cases.
An agent can do this before an analyst even looks at the ticket:
Enrich the alert with asset information from your CMDB.
Pull user context from your identity provider and the application in question.
Attach the last 90 days of related alerts.
Query threat intel for known-bad indicators.
Surface previous investigations that touched the same entities.
By the time the analyst gets the ticket, the investigation already has legs to it.
Now they can spend time making decisions rather than information gathering.
The key, though, is knowing where to draw that line.
Every investigation should end with the agent assigning a confidence score to its own findings.
If the evidence is overwhelming, then there’s a strong argument for automatically closing the alert and documenting why.
If the investigation contains any ambiguity, conflicting evidence, or low confidence, it should escalate to a human analyst with everything it discovered attached.
That’s the balance an Agentic SOC should strive for with their alerts.
Let agents prepare investigations and resolve the repetitive work.
Keep humans in the loop to decide outcomes on High and Critical alerts that need further investigation.
Detection Tuning
Detections decay - it’s just the reality of detection engineering.
When your environment changes, attackers evolve, and business logic shifts - what was once a high-signal detection can become noise.
And if analysts are getting paged hour after hour for the same benign activity, eventually someone has to tune it.
The problem is that detection tuning is engineering work. And in a lot of organizations, engineering can get pushed away if you’re caught in an endless fight against operational work.
There’s always another P1 and there’s always another investigation.
And if you’re drowning, there’s rarely a Wednesday where the team says “great, let’s spend the day reviewing our noisy rules.”
So sometimes detections won’t get reviewed for weeks or even months.
This is exactly the kind of work an agent should own.
An agent can quietly run in the background and:
Monitor which detections are producing a high volume of alerts.
Cluster analyst and agent conclusions from triage to find patterns (”87% of X hits close benign because Y”).
Reason to a threshold or query adjustment.
Open the change as a pull request against your detection-as-code repo and tag the on-call for review.
Notice what isn’t happening though.
The agent isn’t deciding your detection strategy. It isn’t pushing changes directly into production.
It’s just doing the tedious analysis that engineers rarely have time for, then presenting an evidence-backed recommendation for review.
The detection engineer’s role now shifts from manually hunting or reviewing analytics dashboards for tuning opportunities to evaluating high-quality proposals.
This is exactly how you build a continuous improvement loop the right way.
Detection Creation
Every incident, threat hunt, and intel report should make your detection in depth strategy better.
Most teams know this, but very few make the time to make it happen.
Think about the last incident your team worked on.
You built a timeline, identified attacker behaviors, uncovered telemetry gaps, andprobably even said something like: “If we’d been collecting these logs, we would’ve caught this sooner” or “We should really have a detection for this.”
All ideas the team floated during the incident, talked about, dropped in the backlog - and either never actioned it or took forever to get started.
An agent can prevent that:
Read the closed incident timeline.
Extract attacker techniques and map them to MITRE ATT&CK.
Identify telemetry gaps that made the investigation harder.
Generate proposed detections based on the exact techniques the attacker used.
Produce documentation, unit tests, and metadata alongside the detection itself in a PR ready for review.
By the time you pick up the work, you’re no longer starting with a blank file.
Instead, you’re tasked with evaluating a short list of already-written detections that are ready for review and validation.
This is the continuous loop most teams dream about between IR and detection engineering - and agents make that possible for teams of any size.
What do Security Engineers do All Day?
The Cybersec Café is now more than just a newsletter. Check out the partner content on the platform of your choice - YouTube, TikTok, Instagram or X.
Incident Triage
An incident is the worst possible moment to be doing basic context collection.
But that’s exactly what happens.
You get paged, join the bridge, and the first thirty minutes are spent doing what an agent could have done before anyone woke up: pulling logs to create timelines, identifying a blast radius, gathering related alerts, and summarizing recent activity on the affected systems.
It’s time consuming and frankly, not very difficult.
And every one of those minutes is a minute the responder isn’t making decisions to push the incident along.
An incident triage agent hands the responder a briefing:
A pre-built timeline of relevant events.
A list of related alerts across the environment.
Users and systems impacted.
Recent activity summaries for each.
Links to historical investigations touching the same entities.
Recommended next steps.
You’ll now be joining the bridge with a full picture and working theory of the incident, not a blank canvas.
That changes the cognitive posture of the entire response.
You’re now jumping straight into solving the problem instead of trying to figure out what’s happening.
And in incidents, cognitive posture is everything.
You want your best people focused on making decisions, not hunting for data.
Threat Hunting
Threat intel is one of the most underused inputs in most SOCs.
Not because teams don’t care about it - but because operationalizing is expensive on your human capital.
When a report drops, someone might skim it. Maybe a hunt gets scheduled. Maybe it doesn’t.
Weeks later, a similar TTP shows up in your environment and nobody remembers you already read about it.
The problem isn’t the intelligence, it’s the gap between “we read this report” and “we hunted for it against our data” without deprioritizing everything on your backlog.
An agent lives perfectly in that gap.
An agent can:
Ingest new threat reports, intel feeds, and vendor advisories as they land.
Extract the TTPs, IOCs, and behaviors described.
Reason on whether it’s applicable to your environment - your assets, your tech stack, your users, your exposure.
Skip what isn’t relevant and prioritize what is.
Launch a hunt against your telemetry using the extracted behaviors.
Return a report with findings, gaps, and recommended detections.
That last step is the whole point.
The output isn’t just “we hunted for X and found nothing.”
It’s a complete assessment of what you looked for, where you looked, what you found, what you couldn’t confirm because of telemetry gaps, and what should get a new detection built out of it.
You’ll stop being the one reading threat reports and pivoting through SIEM queries by hand, and instead become the one reviewing hunt reports and deciding if an incident is needed, what detections to pass to your detection agent, and where to invest in visibility.
That’s threat intel finally doing what it was always supposed to do - drive action and improvement, not sit in a bottomless feed.
Join a growing community of cybersecurity professionals who are serious about leveling up. Connect, collaborate, and grow your skills with others on the same journey. Engage in real-world security discussions and live events (coming soon!).
This is where the next generation of defenders can connect. Join for free below.
Paging
Not every alert deserves to wake up an engineer.
That sounds obvious, yet most of our alerting still fires on the assumption that a single threshold infraction with zero context means something is really wrong.
Let’s be real - it usually doesn’t. It usually means a service blipped, a privileged user legitimately touched a sensitive resource, or a job timed out.
Alert fatigue isn’t just annoying. It’s a security problem.
When your team stops trusting pages, they stop responding urgently to the ones that matter.
An agent sitting in front of your paging system can:
Verify the results from your triage agent.
See if issues self-resolve.
Verify service health from multiple angles.
Correlate the alert with related telemetry.
Determine whether the issue is transient or persistent.
Only then does it decide whether to page a human.
Call it “smart paging” or “an on-call layer that respects human sleep.”
Either way, the outcome is that your engineers get woken up or pulled away from real-life for real problems - not for transient log pipeline problems that resolved themselves at 3:47 a.m.
Reliability improves. And more importantly, so does the quality of the response when a page actually matters.
What This All Adds Up To
The Agentic SOC isn’t a story about a smaller team. It’s a story about an AI supercharged kind of team.
Agents are good at:
Gathering information.
Executing repeatable workflows.
Watching systems continuously.
Turning raw data into actionable context.
Humans are still the ones providing:
Verification.
Judgment.
Prioritization.
Communication with stakeholders.
Business context.
Managing risk decisions.
That second list isn’t going away.
If anything, it’s becoming more valuable.
The opportunity is really to remove the repetitive work that keeps you from doing the work that you could be doing.
The best SOCs won’t be the ones that automate everything.
They’ll be the ones that understand where automation ends and where the human-in-the-loop belongs.
That’s the foundation of an Agentic SOC.
Not fewer analysts, but better equipped ones.
Remember: the goal was never just to close tickets faster.
The goal is to build a more effective security team that frees up smart people to work on real problems.
Agents are just the newest tool for getting there.
Securely Yours,
Ryan G. Cox
P.S. The Cybersec Cafe delivers Deep Dives on a cybersecurity topic designed to sharpen your perspective, strengthen your technical edge, and support your growth as a professional - straight to your inbox.
. . .
For more insights and updates between issues, you can always find me on Twitter/X, Instagram, TikTok, YouTube, or my Website. Let’s keep learning, sharing, and leveling up together.





