Security Operations Centers face increasing pressure from high alert volumes, fragmented tools, evolving threats, and a shortage of skilled analysts. Analysts are often required to process large volumes of repetitive alerts while also making complex decisions that depend on organizational context, threat intelligence, business priorities, and tacit operational knowledge.
This project explores how AI can support Security Operations Center (SOC) workflows without replacing human judgment. The goal is to develop human-machine collaboration models in which AI agents assist analysts with alert triage, threat intelligence, investigation, reporting, and response planning, while human analysts remain responsible for validation, oversight, and decision-making.
Project Vision
The project advances a model of AI-assisted cyber operations in which large language model–based agents act as “apprentices” to human analysts. These agents support analysts by gathering and summarizing relevant information, connecting alerts to contextual threat intelligence, suggesting investigative paths, and helping prepare structured reports.
A central idea is that effective cyber operations depend not only on explicit rules and procedures, but also on tacit knowledge: the judgment analysts develop through experience, familiarity with local environments, and repeated exposure to operational patterns. This project investigates how AI systems can learn from analyst feedback and operational workflows to become more useful over time.
Research Approach
The project combines AI, cyber security, human-centered computing, and operational studies of Security Operations Centers. The proposed framework includes four major components:
- Data-Centric Cyber Security Integration. Security operations rely on data from many sources, including alerts, logs, vulnerability scanners, threat intelligence feeds, and network monitoring tools. This project explores how AI can help normalize and interpret heterogeneous data so that analysts can reason across tools and formats more effectively.
- Context-Aware Cyber Situational Awareness. Many cyber incidents cannot be fully understood from internal telemetry alone. External context, such as geopolitical events, economic conditions, social dynamics, and emerging threat intelligence, can shape the likelihood and impact of attacks. The project studies how AI can help identify relevant external signals and integrate them into cyber situational awareness.
- Adaptive Decision Support. AI agents can assist analysts by suggesting investigative steps, summarizing evidence, and recommending possible courses of action. The project emphasizes human-in-the-loop workflows, where analysts validate, refine, or reject AI-generated outputs. These interactions can then provide learning signals to improve future performance.
- Explainability and Impact Measurement. For AI to be useful in security operations, analysts must understand why a recommendation was made and what evidence supports it. The project investigates explainable reporting, evidence attribution, trust calibration, and metrics for measuring impact, including analyst workload, investigation time, and decision quality.
Preliminary Case Study
As an initial feasibility study, the research team developed an LLM-based agent to assist with alert triage in a university Security Operations Center. The agent was designed to process alert tickets, retrieve threat intelligence, query security tools, summarize alerts, and suggest triage decisions.
The preliminary study showed that AI-assisted workflows can help reduce repetitive documentation and enrichment tasks. The agent was able to generate useful summaries and identify relevant threat intelligence in most evaluated cases. However, the study also highlighted the need for careful human oversight, because the model sometimes produced irrelevant associations or hallucinated indicators.
These findings reinforce the project’s central premise: AI can reduce analyst burden and accelerate routine tasks, but effective deployment requires human validation, evidence grounding, and feedback-driven improvement.
Research Challenges
The project addresses several open challenges in AI-assisted cyber operations:
Reliability and hallucination control. AI-generated conclusions must be grounded in verifiable evidence such as logs, telemetry, and threat intelligence.
Trust calibration and human oversight. Analysts need to understand when AI outputs are reliable and when additional verification is required.
Learning from analyst feedback. AI systems must learn from analyst corrections and preferences without disrupting operational workflows.
Evaluation of human-AI collaboration. Success should be measured not only by technical accuracy, but also by operational outcomes such as reduced workload, faster investigations, and improved decision quality.
Privacy and deployment constraints. Many Security Operations Centers require controlled or on-premises deployment to protect sensitive operational data.
Expected Impact
This project aims to improve the effectiveness, agility, and resilience of cyber security operations. By combining AI-enabled automation with human expertise, the project seeks to reduce analyst fatigue, improve alert triage, strengthen situational awareness, and support faster, better-informed incident response.
The research is especially relevant to organizations operating complex digital infrastructure, including critical infrastructure operators, government agencies, universities, managed security service providers, and enterprises with mature or emerging Security Operations Center capabilities.
Related Publication
Massimiliano Albanese, Xinming Ou, Kevin Lybarger, Daniel Lende, Dmitry Goldgof, Faayed Al Faisal, Kritan Banstola, and Arka Ghosh. “Towards AI-Driven Human-Machine Co-Teaming for Adaptive and Agile Cyber Security Operation Centers,” to appear in ACM Transactions on Internet Technology, 2026.