Agentic SOC Capability Maturity Model

A capability maturity model for the agentic Security Operations Center, distinct from the Agentic AI Security CMM that secures agentic-AI applications. Where that model measures whether an agentic application is secured, this one measures whether an agentic SOC’s operations run safely, and specifically whether the SOC has earned the autonomy it grants its agents. It is the maturity half of the dedicated Agentic SOC pair; the reference architecture is its structural counterpart.

The model rests on one idea that separates it from the published autonomy ladders surveyed in Agentic SOC Autonomy Ladders:

Autonomy and maturity are different things, and maturity gates autonomy. How much a SOC delegates to its agents (autonomy) is not the same as how well it is prepared to supervise, measure, and contain them (maturity). A reckless team can switch on high autonomy with no evaluation or governance behind it; a small, careful team can run at low autonomy and be fully mature for its scale. The model’s central question is not “how autonomous are you?” but “have you earned the autonomy you are running?”

The model’s durable subject is trusted-autonomy operations: running automation you can hold accountable at machine speed without losing control of it. AI is the mechanism that makes high delegation reachable today, recorded as the mechanism attribute rather than the organizing principle. The ladder, the gating rule, and the domains are written to survive the normalization of AI into ordinary technology, the way “cloud security” became “security.” The “AI” and “agentic” framing is era-appropriate for findability; the AI-specific particulars (MITRE ATLAS coverage, AI incident-response playbooks, prompt-injection telemetry) live in the dated control-landscape layer of the per-domain deep dives, expected to fold into routine operations over time. One effect of that convergence is already visible: when agentic defenders detect AI-driven attacks on in-house AI applications, the SOC is at once the defender and a defended surface.

On this page

What this CMM is and is not

Is:

  • A self-assessment instrument for SOC leaders, detection engineers, and operations architects, scored as a matrix — an autonomy level per function and a maturity level per domain.
  • A domain-specific extension of SOC-CMM, which as of its 2025 report does not yet model AI or automation. This model occupies that gap and crosswalks back to it.
  • A prescriptive instrument: beyond scoring where a SOC is, it names the next domain to mature so a function’s autonomy can rise safely.

Is not:

  • A vendor scorecard or a single autonomy number. A SOC’s state is a vector across functions, not one grade.
  • A claim that more autonomy is better. The top tier is asymptotic; full unsupervised autonomy is not a goal, and running above earned autonomy is the model’s defined failure mode.
  • An enterprise-only model. The org-profile axis right-sizes it down to a one-person team; a small SOC running fewer functions at lower autonomy is right-sized, not immature.
  • A certification. Vendors and FOSS are named where load-bearing, for concreteness, not endorsement.

The two coupled axes

The model is a grid. Each SOC function (the rows) carries an autonomy level, meaning how much it runs without a human in the decision. Eight maturity domains (the gates) determine how high each function’s autonomy can legitimately climb. An orthogonal org-profile axis right-sizes both. The reference architecture realizes the same grid as planes and agent surfaces; the CMM scores it.

Axis 1 — the autonomy ladder (per function)

Adopted from the converged prior art (the MDPI survey ≈ Mohsin et al.; see the ladder comparison). Scored per function: a SOC’s state is an autonomy vector.

LevelNameHuman relationship
L0ManualThe function is performed by hand
L1AssistedDecision support; a human acts and verifies (human-in-the-loop)
L2Semi-AutonomousRoutine sub-tasks execute; every consequential action needs explicit approval
L3ConditionalRuns within bounds, escalates out-of-bounds; humans monitor and intervene (human-on-the-loop)
L4DelegatedOwns the lifecycle; humans govern outcomes. Asymptotic — a permanent authority boundary, no unsupervised L5

Mechanism is an attribute, not a rung. The ladder measures delegation, not how much AI is involved. Deterministic automation occupies rungs on its own: a deterministic alert-prioritization rule is L1, a remediation playbook that gates consequential actions on approval is L2, and a high-confidence auto-containment playbook that escalates exceptions is L3, all without AI. Each function cell therefore records its delegation level and how much deterministic enforcement bounds the AI. Deterministic enforcement (policy-as-code such as Cedar, plan-validate-execute, typed tool contracts) both delivers delegation directly and is the safety substrate that lets AI reach higher delegation; more of it raises the safe AI ceiling. Because hand-built playbooks are expensive engineering, the model treats agentic AI as a barrier-lowering enabler: it makes the lower and middle rungs reachable for teams that could never afford to script them, not only the higher ceiling the enterprise pursues.

The eight SOC functions

#FunctionGroup
1Data management & pipelineFoundation
2Detection engineeringDetection & analysis
3Alert triageDetection & analysis
4Investigation & case managementDetection & analysis
5Threat huntingDetection & analysis
6Incident response & containmentDetection & analysis
7Exposure & VulnOpsExposure
8Reporting & post-incident learningLearning

Threat intelligence and continuous evaluation are cross-cutting capabilities, not rows: the first is grounding woven through detection, triage, hunting, and VulnOps; the second is the discipline that measures the agents, scored as a maturity domain. Prevention is a lifecycle orientation, not a function: its SOC-owned slices (deception, detection/control validation) live in detection engineering, and broad hardening sits with security engineering. NIST CSF Protect and DevSecOps are adjacent lifecycle phases, integrated at named seams and cross-referenced, not absorbed.

In-house AI applications are a monitored asset class, not a separate framework: the SOC’s detection (2), triage (3), and incident-response (6) functions extend to them, threat-modeled by MITRE ATLAS in D6, with AI-specific incident-response playbooks (CoSAI AI-IR) in function 6 and AI-application telemetry as a D1 readiness requirement. Securing those applications by design remains with the application-security pair (the sec-of-ai surface), cross-referenced. The SOC monitors and responds; the application-security pair secures the build.

Axis 2 — the eight maturity domains

Domains are scored on a five-level, CMMI-shape scale (L1 Initial → L2 Developing → L3 Defined → L4 Managed → L5 Optimizing), cumulative: Level N requires every Level N−1 criterion plus the new ones. They are designed from the SOC’s operational reality, not retrofitted from the application-security domains; four overlap the application-security stack only where the SOC’s own agents must be secured (the shared layer).

#DomainRoleShared layer
D1Telemetry & Data ReadinessAutonomy gate
D2Threat Intelligence & KnowledgeEfficacy gate
D3Evaluation & Ground-TruthAutonomy gate
D4Agent Identity & Action-AuthorityAutonomy gate
D5Observability & OversightAutonomy gate
D6Detection & Response Tradecraft (ATT&CK + D3FEND + ATLAS)Efficacy gate
D7Resilience & Agent Supply ChainAutonomy gate
D8People & GovernanceAutonomy gate

The domains play two roles. Autonomy gates (D1, D3, D4, D5, D7, D8) determine whether an agent can be trusted to act with less supervision. Efficacy gates (D2, D6) determine whether the output is any good: a SOC can run detection autonomously and still detect nothing useful if its tradecraft and threat-intel are weak. Both are scored; only the first set caps autonomy.

The gating rule

A function may run at autonomy L_k only if the domains that govern that level are mature enough to support it. The governing set is cumulative: higher autonomy brings more domains into the gate.

To run a function at……these autonomy-gate domains must support it
L2 (act with approval)D1 Data Readiness · D4 Identity & Action-Authority
L3 (autonomous in-bounds)+ D3 Evaluation/Ground-Truth · D5 Observability/Oversight
L4 (delegated)+ D7 Resilience/Supply-Chain · D8 People & Governance

“Support it” maps to the domain’s maturity level. The MDPI survey supplies the correspondence: its autonomy levels map onto SOC-CMM maturity roughly as L0–L1 ↔ maturity 1–2, L2–L3 ↔ 3–4, L4 ↔ 5. Applied here, a governing domain must be at about maturity L_{k+1} to support function-autonomy L_k.

Two consequences follow:

  • The weakest governing domain caps the function. A function’s earned autonomy ceiling is set by its least-mature governing domain. You cannot delegate triage (L3) if you cannot measure the triage agent’s decisions (D3 immature), even if every other domain is strong.
  • The model is prescriptive. Each function reports three values: current autonomy, the maturity-justified ceiling, and the gap. Operating above the ceiling is the failure mode; operating below is headroom. To raise a function’s autonomy, the model names the binding domain to mature next.

The exact maturity thresholds are calibratable; the correspondence above is the starting anchor, not a fixed constant (see Open questions).

Org-profile right-sizing

The autonomy targets and domain expectations are right-sized across three bands. Maturity is scored against the organization’s scale and risk, never an enterprise absolute.

BandRealityPath to maturity
Solo / smallNear or below the Cyber Poverty LineBorrow capability (ISACs, MSSP/MDR, sector groups); use AI as a barrier-lowering enabler — agentic automation reachable without the expensive playbook and ETL engineering that gated traditional SOAR/SIEM — plus a few well-gated agents
MidIn-house SOC, constrainedSelective AI delegation on high-volume functions; deterministic enforcement does the heavy lifting
EnterpriseFull agent fleetFormal cross-functional alignment, broad delegation, dedicated evaluation and governance

The floor is minimum viable resilience (the Mythos-ready entry tier: realign cost-of-exploitation, early-detection, and blast-radius measures before chasing maturity). A small team running fewer functions at lower autonomy is right-sized, not immature; this is also why People & Governance (D8) reads as informal at small scale and formal at enterprise scale rather than as two separate domains.

Crosswalks

  • SOC-CMM: the incumbent SOC maturity standard, which does not yet model AI. This model extends it; the MDPI survey supplies a worked mapping of autonomy levels onto SOC-CMM maturity that the gating rule reuses.
  • NIST IR 8596: its “Defend” focus area (AI-enabled cyber defense, on the CSF 2.0 Core) is the normative anchor for this model’s scope; the CMM domains map their outcomes against it rather than restating them.
  • MITRE ATT&CK + D3FEND + ATLAS: D6 Tradecraft scores detection coverage against the offensive (ATT&CK), defensive (D3FEND), and AI-system (ATLAS) technique catalogues — the last covering attacks on the in-house AI-application surface.
  • Agentic AI Security CMM: the shared-layer domains (D4, D5, D7, D8) secure the SOC’s own agents like any other non-human identity; this model cross-references that pair rather than duplicating it.
  • Mythos-ready Security Program: its risk register and Priority-Actions table are the CISO-program-level companion; this CMM scores the SOC capabilities several of those actions build.

Per-domain deep dives

Each domain has a deep-dive page carrying the “how”, the way the application-security CMM did: a dated control landscape, level-by-level criteria, right-sizing by org profile, dated vendor and FOSS tooling maps, and a cost/barrier model. This page fixes the framework they hang from.

Open questions and gaps

Calibration and forthcoming pieces

  • The gating thresholds (which domain maturity supports which autonomy level) are anchored to the MDPI ↔ SOC-CMM correspondence but not yet empirically calibrated. The Gartner evaluation criteria and DefenseBench are candidate calibration signals.
  • The per-domain level criteria and cost models are wiki-internal calibration, not an externally ratified standard; each deep dive flags this and will firm up as the model is applied.
  • D6 Tradecraft scores coverage against D3FEND, which is itself thin on AI-era defensive techniques (agent supervision, evaluation-gating, intent attribution, deception against AI attackers) — a named contribution opportunity tracked in the D3FEND AI-defense technique gap.

Relations