AI-Augmented SOC Survey

AI-Augmented SOC: A Survey of LLMs and Agents for Security Automation (Srinivas, Kirk, Zendejas, Espino, Boskovich, Bari, Dajani, Alzahrani; California State University, San Bernardino). Journal of Cybersecurity and Privacy 2025, 5, 95; published 5 November 2025; CC BY. Source: mdpi.com/2624-800X/5/4/95 (DOI 10.3390/jcp5040095). A PRISMA-guided systematic review (600 records → 105 papers included, 2022–2025; OSF-preregistered). It is the closest academic prior art for an agentic-SOC capability maturity model: it proposes a five-level autonomy ladder and maps it onto the incumbent SOC-CMM.

Eight SOC functions

The survey organizes the field around eight SOC functions and catalogues the LLM and AI-agent techniques applied to each: log summarization, alert triage, threat intelligence, ticket handling, incident response, report generation, asset discovery and management, and vulnerability management. These are the same functional rows an agentic-SOC reference architecture must model.

The five-level capability maturity model

The paper’s headline contribution is a five-level autonomy ladder for AI-enabled SOCs (its Section 4, Figure 3):

LevelNameHuman relationship
L0Manual OperationsHuman-only; predefined rule sets, no AI/LLM
L1AI/LLM-Assisted OperationsDecision support (alert prioritization, initial triage); analysts retain full control and verification — human-in-the-loop
L2Semi-Autonomous OperationsAI with SOAR/LLMs automates routine tasks; explicit human approval for critical or ambiguous cases
L3Conditionally Autonomous OperationsAI independently runs complex analysis, attack-path reconstruction, and reporting; analysts review and approve critical actions — human-on-the-loop
L4Fully Autonomous OperationsAI manages the full incident lifecycle with minimal human involvement; humans shift to governance and strategic oversight

The progression runs across the human-in-the-loop → human-on-the-loop → human-out-of-the-loop spectrum. The paper notes that fully autonomous (L4) operation remains largely theoretical, and its own classification of current implementations (Table 3) places nearly all of them at L1–L3.

The level names matter for the wider prior-art picture. An earlier automated scan misattributed the “Automation Rules → AI Assistance → AI Collaboration → AI Delegation” vocabulary to this paper; those are the CSA model’s names. This survey’s actual ladder — Manual → AI-Assisted → Semi-Autonomous → Conditionally Autonomous → Fully Autonomous — is instead near-identical to the independent Mohsin et al. SOC ladder, which is strong convergence evidence for that shape.

Explicit crosswalk to SOC-CMM

Section 4.1 positions the model as a domain-specific extension of SOC-CMM (the Business / People / Process / Technology / Services maturity model), rather than a replacement. It maps its autonomy levels onto SOC-CMM process-maturity levels: L0–L1 to SOC-CMM Maturity 1–2 (Initial/Defined), L2–L3 to Maturity 3–4 (Managed / Quantitatively Managed), and L4 to Maturity 5 (Optimizing), while adding AI-specific criteria SOC-CMM does not carry — model governance, data provenance, explainability, and autonomy-safety controls. The authors frame it as “an AI-focused overlay that quantifies automation maturity and trust calibration.” This is a worked template for the standards-crosswalk layer an agentic-SOC maturity model needs.

Status and limits

The model is proposed, not validated. Section 4.2 describes validation as future work: content validity through alignment with SOC-CMM, SIM3, and NIST CSF; construct validity in simulated environments (Wazuh, Security Onion, Elastic Stack) and operational settings; correlation of maturity scores with mean-time-to-detect, mean-time-to-respond, and false-positive rates; and inter-rater reliability checks. Treat the ladder as a conceptual scaffold with academic grounding but no empirical calibration. A model that ties autonomy advancement to measured outcomes can close that gap.

Relevance to the build

  • Direct prior art the planned agentic-SOC maturity model must crosswalk against, catalogued alongside the other ladders in Agentic SOC Autonomy Ladders.
  • Its near-identity with the Mohsin et al. ladder makes the manual → assisted → approval-gated → conditional → delegated shape the settled SOC-specific convention.
  • Its SOC-CMM mapping and its acknowledged lack of validation mark where a new model adds value: an evaluation-in-the-loop discipline that ties autonomy advancement to a measured signal.