Agentic AI SOC Analyst: A Practical Multi-Agent Security Operations Center Solution Based on LangGraph

This project is a production-grade AI Security Operations Center (SOC) analyst system maintained by Luci-699, built on LangGraph and Wazuh SIEM. It achieves automated threat detection, intelligence enrichment, and response handling through 6 collaborative agents, uses a dual LLM injection defense mechanism, and supports Human-in-the-Loop (HITL) active containment features. It aims to address challenges faced by traditional SOCs such as alert overload, scattered intelligence, and response delays. The project is open-sourced on GitHub (link: https://github.com/Luci-699/Agentic-AI-SOC-Analyst-), released on June 12, 2026.

Traditional SOCs face issues like explosive alert volumes, scattered threat intelligence, and cumbersome response processes, leaving analysts overwhelmed. AI (especially LLMs) brings possibilities for SOC intelligent transformation, but single-prompt AI reasoning has limitations such as insufficient ability to handle complex scenarios, vulnerability to prompt injection attacks, and lack of auditable decision chains. The Agentic AI SOC Analyst project was born in this context, building an automated security analysis system through a multi-agent collaboration architecture.

Architecture Design

The system orchestrates 6 professional agents in LangGraph to form a DAG workflow:

1. Gateway Agent: Performs dual prompt injection defense (heuristic filtering + isolated JSON fact extraction) to ensure decision agents receive sanitized data;
2. Classification Agent: Attack classification and severity assessment;
3. Endpoint Agent: Retrieves real-time host process trees and FIM records via Wazuh API;
4. Threat Intelligence Agent: Queries multi-source intelligence like VirusTotal and AbuseIPDB in parallel;
5. Correlation Agent: Searches historical alerts and similar events;
6. Decision Agent: Integrates outputs to generate reports and issue containment requests.

Security Protection

Adopts a three-layer defense strategy: heuristic filters block common attack patterns, isolated LLMs extract structured facts, and decision agents only receive sanitized data to eliminate prompt injection risks.

Tech Stack and Deployment

Uses Python 3.11, FastAPI, LangGraph, HTMX, PostgreSQL, ChromaDB, etc. One-click deployment via Docker Compose, supporting switching between simulation and real-time connectors.

The project provides built-in threat simulation scripts (e.g., creating local accounts, Base64 PowerShell scripts, suspicious scheduled tasks). Simulated attacks trigger Wazuh rules within 10 seconds. The system automatically collects process information, queries threat intelligence, correlates historical cases, and generates reports with containment recommendations. Analysts can view the evidence chain on the dashboard and approve/reject containment operations with one click to verify the system's effectiveness.

Application Scenarios

• Small and medium-sized enterprises: Fill the gap of full-time SOC analysts;
• Large enterprises: Enhance existing SOCs to handle massive alert initial screening;
• MSSPs: Serve as the technical foundation for managed security services, providing 7x24 monitoring and response.

Value

• Deeply integrates with existing security infrastructure, not replacing tools;
• Multi-agent responsibility separation, human-machine collaboration maintains human final decision-making authority;
• Open-source code ensures auditability, establishing a trust foundation.

Agentic AI SOC Analyst represents the direction of security operations evolving from rule-driven to intelligent and autonomous. AI handles rapid processing of massive data, intelligence correlation, and initial analysis generation, while human analysts review decisions, handle edge cases, and optimize the system. This human-machine collaboration model is the correct path for security operations intelligence to address increasingly complex cyber threats.