An Organization-Scoped LLM Agent Runtime Architecture for Regulated Cybersecurity Operations
Researchers propose an organization-scoped LLM agent runtime architecture designed to enforce security and compliance controls across cybersecurity operations in regulated financial environments. The system integrates with existing SIEM/XDR platforms while maintaining auditability, model-agnosticism, and local deployability—addressing a critical gap where current LLM security tools lack the governance framework needed for enterprise-regulated workflows.
This paper addresses a fundamental infrastructure gap in enterprise cybersecurity: while large language models have demonstrated capability on isolated security tasks, they have not been integrated into auditable, organization-scoped runtime systems that satisfy compliance requirements in regulated industries. The researchers identify that modern SOCs and compliance operations require enforcement mechanisms across multiple layers—retrieval, tool execution, memory, findings generation, reporting, and audit trails—where analyst actions carry organizational liability and must integrate seamlessly with existing SIEM/XDR stacks rather than operate as disconnected analytical overlays.
The proposed architecture introduces a typed Security Context enforced at every component boundary, combining a shared Runtime Core with specialist subagents, a governed Tool Adapter Layer, structured findings with evidence references, tiered human-in-the-loop gates, and append-only audit logs. This design prioritizes model-agnosticism and local deployment, critical for regulated institutions managing sensitive threat data. Optional extensions like Model Context Protocol, digital twins for penetration testing, and federated knowledge sharing are positioned as enhancements rather than core dependencies, reducing implementation complexity.
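The boundary enforcement described above can be sketched as follows. This is an added example, not code from the paper: the class names, context fields, tier numbers and event names are all hypothetical, and the hash chain is one assumed way to make a log tamper-evident.

```python
import hashlib, json
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityContext:            # hypothetical fields, not the paper's schema
    org_id: str
    analyst: str
    max_tier: int                 # highest action tier allowed without approval

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []
    def append(self, ctx, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"org": ctx.org_id, "analyst": ctx.analyst,
                "event": event, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False      # entry edited, removed or reordered
            prev = e["hash"]
        return True

class ToolAdapter:
    """Boundary check: context type, organization scope, then approval tier."""
    def __init__(self, log):
        self.log, self.tools = log, {}
    def register(self, name, org_id, tier, fn):
        self.tools[name] = (org_id, tier, fn)
    def call(self, ctx, name, approved_by=None, **args):
        if not isinstance(ctx, SecurityContext):
            raise TypeError("tool calls require a SecurityContext")
        org_id, tier, fn = self.tools[name]
        detail = {"tool": name, "args": args, "approved_by": approved_by}
        if org_id != ctx.org_id:
            self.log.append(ctx, "denied_org_scope", detail)
            raise PermissionError("tool is outside the caller's organization")
        if tier > ctx.max_tier and approved_by is None:
            self.log.append(ctx, "pending_approval", detail)
            return {"status": "pending_approval"}
        # The decision is logged before the tool runs, so a failing tool still leaves a record.
        self.log.append(ctx, "authorized", detail)
        return {"status": "ok", "result": fn(**args)}
```

Every outcome, including denials and pending approvals, lands in the same chained log, so a reviewer can replay who asked for what and detect any later edit with `verify()`.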
For financial services and compliance-heavy sectors, this represents a significant step toward operationalizing LLM agents in security workflows without sacrificing auditability or regulatory alignment. The proposed implementable testability surface and falsifiable evaluation criteria suggest practical readiness metrics. However, adoption depends on validation across real SOC environments and demonstrated effectiveness on complex, organization-specific threat patterns. The work positions LLM runtime architecture as essential infrastructure rather than analytical novelty.
- Organization-scoped LLM runtime architecture enforces security, compliance, and audit requirements across entire cybersecurity workflows rather than isolated tasks.
- Integration with SIEM/XDR stacks as primary context sources enables alert-driven triggers aligned with existing SOC operations.
- Typed Security Context enforced at component boundaries ensures organization-level scope across retrieval, tool execution, memory, and audit trails.
- Model-agnostic and locally deployable design addresses regulatory requirements for data sovereignty and platform independence in regulated industries.
- Tiered human-in-the-loop gates and append-only audit logs provide compliance visibility for financial services and regulated cybersecurity operations.