Agentic SOC: An LLM-Driven Framework for Automated Incident Triage and Response
DOI: https://doi.org/10.7492/ph0tds15

Abstract
Modern Security Operations Centers (SOCs) face significant challenges in managing the high volume of security alerts, often resulting in increased response latency and analyst burnout. This paper proposes an autonomous framework that utilizes the cognitive reasoning and tool-calling capabilities of Large Language Models (LLMs) to perform Tier-1 incident triage. By serving as an intelligent middleware between detection systems and system actuators, the proposed framework interprets complex alert metadata to execute precise remediation actions in real time. Experimental validation demonstrates that the agentic approach achieves a Mean Time to Respond (MTTR) of under 10 seconds, successfully bridging the gap between automated detection and manual intervention while maintaining the logical flexibility required for modern security operations.
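To make the middleware role described in the abstract concrete, the following is an added illustration written for this page; it is not the paper's framework or code. It models one Tier-1 triage cycle: an alert arrives from a detection system, a model proposes a tool call, a validation layer checks the proposal against an allow-list of actuator tools, their exact argument sets, and a protected-asset policy, and only then is the action executed (or, if rejected, escalated to an analyst). The LLM is replaced by a deterministic `propose_action` stand-in so the block runs offline; the tool names, `PROTECTED_HOSTS`, the sample alerts and all field names are hypothetical. The per-alert latency recorded in `TriageResult` is what an MTTR figure would be computed from.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Tool registry: the only actions the actuator layer will execute, with the
# exact argument names each one accepts. Anything else is refused.
TOOL_REGISTRY = {
    "isolate_host": {"hostname"},
    "disable_account": {"username"},
    "block_ip": {"ip"},
    "escalate_to_analyst": {"reason"},
}

# Hypothetical policy list: assets that automation may never isolate on its own.
PROTECTED_HOSTS = {"dc01.corp.example"}


@dataclass
class TriageResult:
    alert_id: str
    proposed: dict      # what the model asked for
    executed: bool      # True if the proposal itself ran, False if it was escalated
    outcome: str        # actuator's response
    latency_s: float    # per-alert response time, the input to MTTR


def propose_action(alert: dict) -> dict:
    """Stand-in for the LLM tool call (hypothetical rules, not a model).
    A real deployment would return the same {"tool", "args"} JSON shape."""
    rule = alert.get("rule", "").lower()
    if "malware" in rule:
        return {"tool": "isolate_host", "args": {"hostname": alert.get("host")}}
    if "brute force" in rule:
        return {"tool": "disable_account", "args": {"username": alert.get("user")}}
    if "c2" in rule:
        return {"tool": "block_ip", "args": {"ip": alert.get("dst_ip")}}
    return {"tool": "escalate_to_analyst", "args": {"reason": "no confident match"}}


def validate_call(call: dict) -> Optional[str]:
    """Guardrail between model output and actuators. Returns a rejection reason,
    or None if the call may run."""
    tool = call.get("tool")
    if tool not in TOOL_REGISTRY:
        return f"unknown tool {tool!r}"
    args = call.get("args") or {}
    if set(args) != TOOL_REGISTRY[tool]:
        return f"unexpected argument set for {tool}: {sorted(args)}"
    if any(v in (None, "") for v in args.values()):
        return f"missing argument value for {tool}"
    if tool == "isolate_host" and args["hostname"] in PROTECTED_HOSTS:
        return f"{args['hostname']} is protected; requires human approval"
    return None


def actuator(call: dict) -> str:
    """Stand-in for EDR / IAM / firewall APIs; only records what would run."""
    return f"{call['tool']} executed with {json.dumps(call['args'], sort_keys=True)}"


def triage(alert: dict) -> TriageResult:
    """One Tier-1 triage cycle: propose, validate, act (or escalate), time it."""
    start = time.monotonic()
    call = propose_action(alert)
    reason = validate_call(call)
    if reason is not None:
        # A rejected proposal is never silently dropped: it becomes an escalation.
        fallback = {"tool": "escalate_to_analyst", "args": {"reason": reason}}
        return TriageResult(alert["id"], call, False, actuator(fallback),
                            time.monotonic() - start)
    return TriageResult(alert["id"], call, True, actuator(call),
                        time.monotonic() - start)


def mean_time_to_respond(results) -> float:
    """MTTR over a batch, in seconds."""
    return sum(r.latency_s for r in results) / len(results)


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "Malware detected", "host": "ws-042.corp.example"},
    {"id": "A-2", "rule": "Malware detected", "host": "dc01.corp.example"},
    {"id": "A-3", "rule": "Brute force login", "user": "jdoe"},
    {"id": "A-4", "rule": "C2 beacon", "dst_ip": "203.0.113.7"},
    {"id": "A-5", "rule": "Unusual parent process"},  # no confident mapping
    {"id": "A-6", "rule": "Malware detected"},        # host field missing
]

if __name__ == "__main__":
    results = [triage(a) for a in SAMPLE_ALERTS]
    for r in results:
        print(f"{r.alert_id}: executed={r.executed} -> {r.outcome}")
    print(f"MTTR: {mean_time_to_respond(results):.6f} s")
```

The point of the design is that the model never talks to the actuators directly: `validate_call` is the only path to `actuator`, so a proposal naming a tool outside the registry, carrying an extra or missing argument, or targeting a protected asset is converted into an analyst escalation rather than executed. Auditing which proposals were rejected, and why, is also the first place to look when tuning the model's prompts or the policy list.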