Kritan Banstola (University of South Florida), Faayed Al Faisal (University of South Florida), Xinming Ou (University of South Florida)
Large language models (LLMs) are attracting interest from Security Operations Centers (SOCs), but their practical value and limitations remain largely unexplored. In this work, we embedded cybersecurity researchers as entry-level analysts in a university SOC to observe day-to-day workflows and explore how LLMs can fit into existing SOC practices. We observed that analysts frequently handle large volumes of similar alerts while manually pivoting across heterogeneous, disjoint tools, including SIEMs, OSINT services, and internal security systems. Each tool provides only part of the analysis a ticket requires, and because the tools do not interoperate, analysts must manually integrate their results. This gap makes the workflow repetitive and time-consuming, slowing investigations and contributing to analyst burnout. Based on these observations, we designed and implemented an LLM-driven ReAct agent that unifies these disparate tools and automates routine triage tasks such as log retrieval, enrichment, analysis, and report generation. We evaluated the system on real SOC tickets and compared the agent’s performance against manual analyst workflows. We further experimented with how iterative prompting and additional analyst instructions can refine the agent’s reasoning and improve response quality. The results show that our agent effectively reproduces several routine analyst behaviors, reduces manual effort, and demonstrates the potential of human-AI collaboration to streamline alert triage in operational SOC environments.
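As a rough illustration of the agent architecture described above, the sketch below shows one way a ReAct-style triage loop over SOC tools might be structured: the model alternates between choosing a tool action and reading the resulting observation until it emits a triage report. The tool bindings (query_siem, osint_lookup), the prompt format, and the scripted model replies are illustrative assumptions for this sketch, not the system's actual implementation.

    """Minimal sketch of a ReAct-style SOC triage loop.

    All names here (query_siem, osint_lookup, the prompt format) are
    illustrative assumptions; the paper does not disclose its actual
    tool bindings or model.
    """
    from typing import Callable

    def query_siem(query: str) -> str:
        # Hypothetical SIEM binding; a real agent would call the SIEM's search API.
        return f"[stub] SIEM hits for: {query}"

    def osint_lookup(indicator: str) -> str:
        # Hypothetical OSINT binding, e.g. an IP/domain reputation lookup.
        return f"[stub] reputation for: {indicator}"

    TOOLS: dict[str, Callable[[str], str]] = {
        "query_siem": query_siem,
        "osint_lookup": osint_lookup,
    }

    PROMPT = (
        "You are a SOC triage agent. Available tools: {tools}.\n"
        "Reply with exactly one line, either\n"
        "  Action: <tool>: <input>\n"
        "or\n"
        "  Final Answer: <triage report>\n\n"
        "Ticket: {ticket}\n"
        "Trace so far:{trace}\n"
    )

    def triage(ticket: str, llm: Callable[[str], str], max_steps: int = 8) -> str:
        """Run the action/observation loop until the model gives a final answer."""
        trace = ""
        for _ in range(max_steps):
            reply = llm(PROMPT.format(tools=", ".join(TOOLS), ticket=ticket, trace=trace))
            if reply.startswith("Final Answer:"):
                return reply.removeprefix("Final Answer:").strip()
            if reply.startswith("Action:"):
                name, _, arg = reply.removeprefix("Action:").strip().partition(":")
                tool = TOOLS.get(name.strip())
                obs = tool(arg.strip()) if tool else f"unknown tool: {name.strip()}"
                # Feed the observation back so the next step can reason over it.
                trace += f"\n{reply}\nObservation: {obs}"
            else:
                trace += f"\n{reply}\nObservation: unparseable reply; use the format above."
        return "Triage incomplete: step budget exhausted."

    if __name__ == "__main__":
        # Scripted stand-in for a real model call, just to exercise the loop.
        script = iter([
            "Action: query_siem: failed logins for user jdoe in last 24h",
            "Action: osint_lookup: 203.0.113.7",
            "Final Answer: Likely benign; single source IP with clean reputation.",
        ])
        print(triage("Alert: repeated failed logins for jdoe", llm=lambda p: next(script)))

One design point worth noting: keeping the LLM call injectable (the llm parameter) separates the agent loop from any particular model provider, which also makes the loop testable with scripted replies, as in the example run above.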