Agentic SOC: Reshaping Phishing Email Detection Workflow with Multi-Agent Architecture

A multi-agent cybersecurity analysis engine based on LangGraph that simulates real SOC workflows, enabling interpretable security decisions through LLM reasoning, real-time threat intelligence, and a memory system.

Cybersecurity, Phishing Detection, Multi-Agent, LangGraph, SOC, Threat Intelligence, LLM Reasoning, VirusTotal, Memory System, Explainable AI
Published 2026-06-04 21:15 | Recent activity 2026-06-04 21:19 | Estimated read 6 min

Section 01

[Main Post/Introduction] Agentic SOC: Reshaping Phishing Email Detection Workflow with Multi-Agent Architecture

This project is a multi-agent cybersecurity analysis engine built on LangGraph that simulates real SOC workflows. It produces interpretable security decisions by combining LLM reasoning, real-time threat intelligence (e.g., VirusTotal), and a memory system. The goal is to automate the investigation process of SOC analysts, with a focus on structured decision-making and an interpretable reasoning process. The source is the agentic-soc-runtime repository on GitHub, maintained by Finnete-20 and released on June 4, 2026.

Section 02

Project Background: Pain Points of Traditional Phishing Detection and Goals of Agentic SOC

Traditional phishing email detection relies on static rules and classifiers, which only label an email as legitimate or phishing and cannot simulate the more complex investigation process of a SOC analyst (extracting indicators, querying intelligence, comparing with historical data, and so on). Agentic SOC aims to automate real SOC investigation workflows. It does not pursue pure classification accuracy; it focuses on interpretability, structured decision-making, and SOC-style reasoning.

Section 03

Core Architecture: Six-Layer Agent Pipeline

The system decomposes the SOC workflow into six specialized agents, orchestrated via LangGraph:

  1. IOC Agent: Extracts security indicators from emails, such as senders, URLs, and domains;
  2. Threat Agent: Analyzes behavioral patterns like impersonation attempts, social engineering tactics, and urgency manipulation;
  3. VirusTotal Agent: Calls APIs to obtain real-time intelligence such as malicious/suspicious scores for URLs;
  4. Memory Agent: Matches known phishing patterns and repeated scam structures;
  5. Reasoning Agent: Aggregates signals from the first four layers, uses GPT-4.1-mini to generate risk scores (0-100), classifications (legitimate/suspicious/phishing), and structured reasoning explanations;
  6. Report Agent: Generates SOC-style reports containing the final verdict, risk score, and indicator list.
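
The IOC Agent's extraction step, sketched with the Python standard library as an added example (not code from the agentic-soc-runtime repository). The function name `extract_iocs`, the output keys, the off-domain check and the sample message are assumptions made here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample message (reserved .test domains), not taken from the project's dataset.
SAMPLE = """From: "IT Support" <helpdesk@example-corp.test>
To: user@example-corp.test
Subject: Password expires today
Content-Type: text/plain; charset=utf-8

Your password expires today. Verify at http://login.example-verify.test/reset?id=1.
Policy: https://intranet.example-corp.test/policy
"""


def extract_iocs(raw_email: str) -> dict:
    """Hypothetical IOC step: sender, URLs and domains from an RFC 5322 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    # Read every text/* part so links in an HTML alternative are not missed.
    bodies = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            bodies.append(payload.decode(charset, "replace"))
    text = "\n".join(bodies)

    # Trailing sentence punctuation is not part of the URL.
    urls = sorted({u.rstrip(".,;") for u in URL_RE.findall(text)})
    domains = sorted({(urlsplit(u).hostname or "").lower() for u in urls} - {""})
    return {
        "sender": address.lower(),
        "display_name": display_name,
        "sender_domain": sender_domain,
        "urls": urls,
        "domains": domains,
        # Assumption: links outside the sender's domain are a signal for later agents.
        "off_domain_links": [d for d in domains if d != sender_domain
                             and not d.endswith("." + sender_domain)],
    }
```

Calling `extract_iocs(SAMPLE)` returns the indicators as a dictionary; the off-domain list is only a signal to hand to the later agents, not a verdict.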

Section 04

Tech Stack and Memory System Design

Tech Stack: The backend uses Python, FastAPI, LangGraph, GPT-4.1-mini, and the VirusTotal API. The frontend uses React and TailwindCSS, with support for extending to tools such as AbuseIPDB and URLScan.io.

Memory System: Stores known phishing patterns, detects repeated attack structures, and improves contextual reasoning and the stability of risk scores. This gives the system continuous learning capabilities, which differentiates it from traditional classifiers.

Section 05

Evaluation Methods and Dataset

The project provides an evaluation pipeline. Running python evaluate.py outputs evaluation_result.json, evaluation_report.json, SOC metrics (accuracy/precision/recall), and a confusion matrix. The dataset includes approximately 40 samples: phishing emails, legitimate emails, and edge cases (e.g., Google Form scams, domain spoofing).

Section 06

Application Value and Summary

Application Value: The project demonstrates directions such as multi-agent SOC reasoning, LLM-assisted decision-making, real-time intelligence integration, memory-enhanced detection, interpretability, and evaluation-driven AI security.

Summary: Agentic SOC represents a shift from static classifiers to reasoning-driven workflows. While improving detection accuracy, it provides interpretability and decision transparency that traditional rule engines lack, making it a valuable reference for teams exploring AI applications in the SOC.