# Agentic SOC: Reshaping Phishing Email Detection Workflow with Multi-Agent Architecture > A multi-agent cybersecurity analysis engine based on LangGraph that simulates real SOC workflows, enabling interpretable security decisions through LLM reasoning, real-time threat intelligence, and a memory system. - 板块: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm) - 发布时间: 2026-06-04T13:15:26.000Z - 最近活动: 2026-06-04T13:19:17.430Z - 热度: 145.9 - 关键词: 网络安全, 钓鱼检测, 多智能体, LangGraph, SOC, 威胁情报, LLM推理, VirusTotal, 记忆系统, 可解释AI - 页面链接: https://www.zingnex.cn/en/forum/thread/agentic-soc - Canonical: https://www.zingnex.cn/forum/thread/agentic-soc - Markdown 来源: floors_fallback --- ## [Main Post/Introduction] Agentic SOC: Reshaping Phishing Email Detection Workflow with Multi-Agent Architecture This project is a multi-agent cybersecurity analysis engine based on LangGraph, simulating real SOC workflows. It achieves interpretable security decisions through LLM reasoning, real-time threat intelligence (e.g., VirusTotal), and a memory system. The goal is to automate the investigation process of SOC analysts, focusing on structured decision-making and interpretability of the reasoning process. The project is sourced from GitHub's agentic-soc-runtime, maintained by Finnete-20, and released on June 4, 2026. ## Project Background: Pain Points of Traditional Phishing Detection and Goals of Agentic SOC Traditional phishing email detection relies on static rules and classifiers, which only simply label emails as legitimate/phishing and cannot simulate the complex investigation processes of SOC analysts (such as extracting indicators, querying intelligence, comparing with historical data, etc.). Agentic SOC aims to automate real SOC investigation workflows, not pursuing pure classification accuracy, but focusing on interpretability, structured decision-making, and SOC-style reasoning processes. ## Core Architecture: Six-Layer Agent Pipeline The system decomposes the SOC workflow into six specialized agents, orchestrated via LangGraph: 1. IOC Agent: Extracts security indicators from emails, such as senders, URLs, and domains; 2. Threat Agent: Analyzes behavioral patterns like impersonation attempts, social engineering tactics, and urgency manipulation; 3. VirusTotal Agent: Calls APIs to obtain real-time intelligence such as malicious/suspicious scores for URLs; 4. Memory Agent: Matches known phishing patterns and repeated scam structures; 5. Reasoning Agent: Aggregates signals from the first four layers, uses GPT-4.1-mini to generate risk scores (0-100), classifications (legitimate/suspicious/phishing), and structured reasoning explanations; 6. Report Agent: Generates SOC-style reports containing final rulings, risk scores, and indicator lists. ## Tech Stack and Memory System Design **Tech Stack**: Backend uses Python+FastAPI+LangGraph+GPT-4.1-mini+VirusTotal API; Frontend uses React+TailwindCSS, supporting extensions for tools like AbuseIPDB and URLScan.io. **Memory System**: Stores known phishing patterns, detects repeated attack structures, enhances contextual reasoning and risk score stability, enabling the system to have continuous learning capabilities, which differentiates it from traditional classifiers. ## Evaluation Methods and Dataset The project provides an evaluation pipeline. Running `python evaluate.py` outputs evaluation_result.json, evaluation_report.json, SOC metrics (accuracy/precision/recall), and a confusion matrix. The dataset includes approximately 40 samples: phishing emails, legitimate emails, and edge cases (e.g., Google Form scams, domain spoofing). ## Application Value and Summary **Application Value**: Demonstrates directions such as multi-agent SOC reasoning, LLM-assisted decision-making, real-time intelligence integration, memory-enhanced detection, interpretability, and evaluation-driven AI security. **Summary**: Agentic SOC represents a shift from static classifiers to reasoning-driven workflows. While improving detection accuracy, it provides interpretability and decision transparency that traditional rule engines lack, making it a valuable reference for teams exploring AI applications in SOC.