How Does AI SOC Work? An Alert Walks the Substrate

An AI SOC is a security operations center where an AI SOC Agent investigates every alert, correlates evidence across your stack, and acts under guardrails. It reads from your SIEM, EDR, identity, and cloud as alerts fire, maps each to MITRE ATT&CK, issues a verdict with a reasoning trace, and triggers a response your team approves or auto-runs. In production, Simbian's AI SOC Agent resolves 92% of alerts without a human.

Most "how does ai soc work" pages describe a three-stage pipeline (triage, investigate, respond) and call it a day. That hides the part SOC Managers actually need to evaluate: what the agent does between the stages, what happens when an alert lands at 03:14 on a Saturday, and what the platform looks like on day one versus day ninety. This piece walks through the AI SOC mechanism the way a senior analyst would walk a new hire through a real investigation — one alert, end to end, with the architecture visible.

What an AI SOC is, and what it isn't

The category goes by a few names — autonomous SOC, agentic SOC, AI-driven SOC. The shift underneath the labels is the same: SOC automation used to mean pre-written playbooks running on rules a human wrote; an AI SOC means an agent that investigates, reasons, and decides on its own.

An AI SOC is not a SIEM, an XDR, or a SOAR with an LLM bolted on. Those generate or orchestrate signals. An AI SOC acts on them. The agent reads every alert the moment it fires, pulls evidence from the rest of your stack, decides whether it is real, decides what to do about it, and writes the reasoning down so a human can audit any step.

There is a useful split inside the category. Tools that add an LLM-driven copilot to an existing console are still humans-in-the-loop products: the analyst clicks, the copilot summarises, the analyst decides. An AI SOC moves the work the other way. The agent decides, and the analyst sets the policy that governs which decisions need human approval and which do not. Simbian calls this self-improving, not self-driving. Humans keep containment authority and escalation calls; the agent handles the mechanical investigation work that drowns Tier 1 and Tier 2 today.

This is the practical test: if removing the agent breaks day-to-day SOC operations, you have an AI SOC. If removing it just slows the analyst down, you have a copilot.

The substrate: Skills, Triggers, Cases, and Records

Underneath the agent are four engineering primitives. Every Simbian agent — AI SOC, AI Pentest, AI Threat Hunt, AI NetSecOps — is built from the same four:

• Skills: what the agent knows how to do. Investigation playbooks, query patterns, planning steps, and response actions, written as plain-language policy and compiled to deterministic behaviour. Adding a phishing investigation Skill is editing prose, not writing code.
• Triggers: when the agent runs. A Trigger can be an external alert (a Falcon detection, a Sentinel rule firing, a Microsoft Defender incident, a Purview DLP event) or an internal signal from another agent (a Pentest finding queues a SOC investigation against the same host).
• Cases: the units of work the agent operates on. A SOC alert, a Pentest finding, and a Threat Hunt hypothesis all share one Case backbone, so the same primitive flows across the platform.
• Records: the audit trail. Every reasoning step, every tool call, every piece of evidence, every action, written to the Case Record so any human can replay what the agent did and why.

An Agent Spec composes these primitives for a specific purpose; an Agent Manager handles drafts, challenger versions, canary sampling, and safe promotion to 100% of traffic. That is the substrate. It is the reason a new agent ships in weeks, not quarters — a new agent is a new Agent Spec on existing Skills, Triggers, Cases, and Records, not a fresh codebase. Velocity claims without that mechanism are marketing; with it, they are engineering.

How an alert moves through the substrate

Take a concrete alert. A CrowdStrike Falcon detection fires at 03:14 local time on a finance user's laptop:

Suspicious PowerShell execution — host LAPTOP-7842, user jdoe, encoded command invoked Get-ADUser and exported the domain user list.

In a traditional SOC this sits in a queue until someone wakes up. In an AI SOC the Investigation Skill picks up the Case the instant the Trigger fires. From there:

1. Federated query in parallel

The agent does not pull the alert into a central data lake and re-query. It queries every connected system in place, in parallel:

• The EDR for the full process tree, parent process, child processes, file writes, and network connections.
• Identity (Entra, Okta, AD) for jdoe's recent sign-ins, MFA challenges, conditional access events, and group memberships.
• MDM (Intune, Jamf) for device compliance, patch level, and disk encryption status.
• Cloud (Microsoft 365, Google Workspace, AWS) for jdoe's recent file activity, mailbox events, and any cross-tenant access.
• Threat intelligence for the encoded command's signature, the destination IPs, and any matching campaign indicators.
• The behavioural baseline for jdoe's normal hours, normal hosts, normal commands, and normal data volumes.

The federated layer normalises everything to one common schema. The agent reasons across the whole estate instead of one tool at a time.

2. MITRE ATT&CK mapping

The encoded PowerShell maps to T1059.001 (PowerShell). The Get-ADUser export maps to T1087.002 (Domain Account Discovery). The 03:14 sign-in maps to a deviation from jdoe's baseline. Every finding lands on the same coordinate system, which is what lets coverage compound across cycles.

3. Reasoning trace

The agent assembles the chain in human-readable form: jdoe works in Finance and has no history of running PowerShell against AD. The session started at 03:14 EST, three hours outside her normal sign-in window. The parent process is Outlook, which suggests a phished attachment. The host has been compliant and patched until this session. Severity: high. Confidence: 0.94.

4. Verdict

True positive. Probable initial access via phishing followed by domain reconnaissance. The Case Record carries the full process tree, every IAM event, every TI lookup, every baseline comparison, and the chain of inference.

End to end, the investigation completes in roughly 90 seconds. A Tier 2 analyst would need 45 to 60 minutes to assemble the same evidence by hand, assuming they were awake.

Skills decide the response, not the alert

The verdict is only useful if the incident response respects how your SOC operates. Skills are the place that lives. A regulated bank running this same alert at quarter-end change-freeze does not want auto-containment; it wants a page to on-call and a frozen action queue. A mid-market SaaS with no change window wants auto-isolation and a Slack notification. An MSSP tenant has a third answer: isolation is allowed but disabling user accounts is the customer's call.

Same alert. Three different right answers. The Skills layer encodes which one applies to which environment as plain-language policy: risk tolerance and escalation thresholds, named investigation playbooks, asset criticality, identity tiers, change-freeze windows, regulatory constraints. The agent enforces the policy deterministically. The Record shows which Skill ran and which policy fired so an auditor can replay every action.

The response itself is graded. Tier 1 actions (close a verified false positive, acknowledge a duplicate, suppress a known benign pattern) auto-execute and log. Tier 2 actions (notify a manager, queue a password reset, open a ticket in ServiceNow) auto-execute and notify. Tier 3 actions (isolate a host, disable an account, push a firewall rule) require approval, even when confidence is 0.99 and the evidence is overwhelming. That is the self-improving, not self-driving line in practice.

Self-improving means a three-phase ramp

This is the part most "AI SOC explained" pages skip, and the part SOC Managers most want to see. An AI SOC does not arrive at 92% auto-resolution on day one. It converges there across three named phases:

• Phase 1, Signal Alignment: are we looking at the same data? The agent and your analysts confirm they see the same logs, the same enrichments, the same baselines. Accuracy is not the metric here; shared inputs is. Skipping this phase produces the most common adoption failure mode in the category, where teams argue about verdicts before agreeing on what is being read.
• Phase 2, Outcome Alignment: given the same data, do we reach the same conclusions? The agent's true-positive and false-positive rates, severity labels, and reasoning quality are measured against the analyst's. Every disagreement requires a structured correction ("here's what I concluded and why") rather than a complaint. This is the phase where the curve bends.
• Phase 3, Operationalization: can we run this reliably at scale? Review queues, RBAC, confidence thresholds, regression loops. The deployment hits and holds the steady-state number. Any new signal, integration, or use case restarts at Phase 1. That loop is the expansion motion, not bureaucracy.

A typical end-customer pilot runs the three phases over 90 days: days 1 to 30 connect tooling and align signal, days 31 to 60 validate against the L3 baseline, days 61 to 90 scale to 100% under policy. Treating Phase 1 like Phase 3, judging the agent on day-one accuracy, is the single biggest failure mode in AI SOC adoption.

The honest version of the headline: 92% steady state, three-phase ramp, named gates between each.

Self-repair: what AI SOC fixes that nothing else does

Coverage decays. Every SOC Manager knows this: a detection rule goes noisy after a vendor update and gets silenced, a log source goes quiet and nobody notices for three weeks, a connector breaks on a schema change and the agent stops getting the data it needs. The AI SOC Agent reads every verdict and every integration and repairs three things continuously:

• Detection rules: the agent notices noisy, broken, or missing rules from the verdicts themselves. It writes and tunes them in your SIEM's own query language and queues every edit for human review and rollback. The Record carries the verdict that triggered the change.
• Data-pipeline drift: the agent watches ingestion recency, fetch frequency, and catch-up confirmation on every integration. Outcome-based monitoring, not error classification, catches silent failures that error-based alerting structurally cannot. If a SIEM integration goes quiet, the platform sees it and the SOC team hears about it within 30 minutes.
• Integrations: when a vendor ships a schema change and a connector breaks, the agent diagnoses the change and re-learns the new schema on its own. No engineering ticket. The re-learn is bounded to schema discovery; nothing behaviour-changing ships without review.

There is a fourth thing the agent fixes that competitors do not name: unknown unknowns. The canonical SIEM objection is "you can only detect what you wrote a rule for." The AI SOC Agent reads the same logs your SIEM ingests and, from the same volume, surfaces detection use cases that no human has written rules for, adds industry and geography context (you're a UK retail bank; this lateral-movement pattern is common against banks in your region; here's the rule that catches it), and offers to write the detection logic as a one-click draft. With quality signals, the agent promotes the rule itself.

That is what self-improving means at the detection layer. The rule library grows from the logs, with sector context, gated by quality.

Coverage compounds: 33% to 56% to 83%

Self-improvement is not a slogan; it is a measurable arc. A real customer ran the loop across three cycles on six high-value MITRE techniques and saw coverage compound:

• Cycle 1: the AI Pentest Agent ran six techniques in production. The AI Threat Hunt Agent found historical traces of three in the logs. The AI SOC Agent caught two of six in real time. Three new detections and one tuning shipped. Coverage: 33%.
• Cycle 2: the same six plus three new techniques the red team invented. SOC caught five of nine in real time, zero false positives. Four more rules shipped. Coverage: 56%.
• Cycle 3: the red team ran evasion variants. The rules held. SOC caught ten of twelve. Coverage: 83%.

The number is the outcome. The mechanism is the four agents running the same four questions (what could happen, did it happen, did we detect it, can we catch it next time) against the same MITRE coordinate system, with every finding written back to the shared Context Lake™.

The same harness logic shows up in the Cyber Defense Benchmark, where an independent global MSSP scored eleven frontier LLMs against 26 attack campaigns in April 2026. The best frontier LLM alone scored 46%. The same models wrapped in Simbian's harness scored 95%. The frontier-LLM average was around 4%. The harness, not the model, is what crosses the threshold.

How AI SOC fits with the rest of your stack

The AI SOC Agent does not replace your SIEM, EDR, XDR, identity provider, or cloud security platform. It reads from all of them in parallel. The federated reasoning layer normalises SIEM, EDR, XDR, CDR, and identity events to one common schema so the agent reasons across the whole estate instead of one tool at a time. That is what turns 100+ integrations from a feature count into a reasoning claim.

The agent also coordinates with the rest of the Simbian platform. A finding from the AI Pentest Agent elevates the severity of a SOC investigation against the same host. A novel pattern surfaced by the AI Threat Hunt Agent tunes the detection rules the SOC Agent applies tomorrow. A confirmed compromise hands off to the AI NetSecOps Agent for containment at the network layer. One Case backbone, one Context Lake™, one MITRE coordinate system, four agents on the same substrate.

The analyst role shifts up the stack

The work the agent absorbs is the work that burned analysts out: Tier 1 triage, Tier 2 investigation, and the alert-fatigue grind that runs 24/7 and produces uneven quality across shifts. The work humans take on is harder, scarcer, and more valuable. The SOAR engineer and Tier 3 analyst become the AI Skill Manager, encoding the organisation's investigation knowledge into Skills the agents run. Tier 1 and Tier 2 analysts become AI SecOps Analysts, supervising the agents, working what they escalate, and turning issue patterns into asks for the Skill Manager. The SOC Manager becomes the AI SecOps Manager, governing the rollout, the policy, the cost, and the compliance posture across every SecOps program.

Agents take the Tier 1 and Tier 2 playbook work. People move up to build, run, and govern the fleet. The economics flip in the same direction: same team, higher coverage, lower cost per investigation.

Evaluating an AI SOC the way it actually runs

If you are evaluating one, the questions that distinguish a real AI SOC from a copilot dressed as one are not features. They are mechanism questions:

• Can it walk a real alert end-to-end and show you the reasoning trace?
• Does it acknowledge the three-phase ramp, or claim instant 95% accuracy?
• Does it repair stale detection rules, silent log sources, and broken connectors?
• Does it surface detection use cases you have not written rules for?
• Does it expose engineering primitives, or hide behind brand names?

The AI SOC Buyer's Scorecard turns those into an eight-dimension evaluation framework with 30+ vendor questions. It is the cleanest way to compare AI SOC platforms against each other on what the agent actually does, not what the marketing page says it does.

Frequently asked questions

Q: What is an AI SOC? An AI SOC is a security operations centre where an AI agent investigates every alert, correlates evidence across the stack, and acts under guardrails set by your team. The agent reads from your SIEM, EDR, identity provider, and cloud the moment an alert fires, maps it to MITRE ATT&CK, issues a verdict with a reasoning trace, and triggers a response your policy says is safe to run. Humans keep containment authority and approve high-impact actions.

Q: How does an AI SOC differ from a SIEM or SOAR? A SIEM aggregates and queries logs; a SOAR executes pre-defined playbooks when an alert matches a rule. Both depend on humans to investigate, reason, and decide what to do. An AI SOC investigates, reasons, and decides on its own under a policy your team writes in plain language. It does not replace the SIEM or the EDR; it reads from them and acts on what they surface.

Q: Will an AI SOC replace SOC analysts? No. The mechanical Tier 1 and Tier 2 work shifts to the agent, and the AI SOC analyst role evolves up the stack into Skill Manager, AI SecOps Analyst, and AI SecOps Manager. The headcount-elevating pattern is consistent across production deployments: the team handles higher coverage, harder problems, and governs the agent fleet instead of triaging queues.

Q: How long does it take to deploy an AI SOC? SaaS deployments run in hours; on-premises in days. The agent starts resolving alerts on day one, but the production-accuracy headline (typically 92% in steady state) lands at the end of a three-phase ramp: Signal Alignment, Outcome Alignment, Operationalization. A typical pilot runs 90 days across the three phases before hitting steady state.

Q: What integrations does an AI SOC need? At minimum, a SIEM or EDR for alert ingestion. The more sources the agent can query (identity, MDM, cloud, threat intelligence, ticketing, collaboration, and HR for insider-threat contexts), the deeper the reasoning. Simbian's AI SOC Agent supports 100+ native integrations and reads across all of them in parallel via federated reasoning.

Q: Can an AI SOC find threats no rule was written for? Yes. From the same log volume your SIEM ingests, the agent surfaces detection use cases nobody has written rules for, adds industry and geography context, and offers to write the detection logic as a one-click draft. The rule library grows from the logs themselves, gated by analyst review.