Toward Autonomous SOC Operations: End-to-End LLM Framework for Threat Detection, Query Generation, and Resolution in Security Operations

Researchers present an end-to-end LLM framework that automates Security Operations Center (SOC) workflows by combining ensemble-based threat detection, syntax-constrained query generation, and retrieval-augmented resolution support. The system reduces incident triage time from hours to under 10 minutes while achieving 82.8% detection accuracy and improving resolution prediction from 78.3% to 90.0%.

This research addresses a critical operational bottleneck in enterprise cybersecurity. SOCs currently struggle with overwhelming alert volumes, fragmented tooling across SIEM platforms, and manual triage processes that consume significant resources. The framework's innovation lies in its domain-constrained architecture—rather than applying general-purpose LLMs directly, researchers built platform-specific constraints and retrieval mechanisms that ensure generated queries are syntactically correct and executable against real systems like IBM QRadar and Google SecOps.

The ensemble detection approach demonstrates mature AI engineering. By combining the three best-performing LLMs rather than relying on a single model, the system achieves both high accuracy (82.8%) and low false positives (0.120 rate)—critical for production security environments where false alarms create alert fatigue. The SQM architecture's 0.384 BLEU and 0.731 ROUGE-L scores represent substantial improvements over baseline LLM performance, indicating that structured prompting and metadata-grounded evidence retrieval meaningfully enhance output quality.

For enterprise security teams and vendors, this framework suggests concrete ROI through dramatic efficiency gains. Reducing triage time from hours to ten minutes translates directly to faster incident response and freed analyst capacity for higher-value work. This capability becomes increasingly valuable as threat volumes grow and enterprise IT infrastructure becomes more complex. The improvement in resolution code prediction accuracy to 90% indicates the system can reliably recommend remediation actions, reducing human decision-making bottlenecks.

Future development will likely focus on extending this architecture to additional SIEM platforms and integrating broader threat intelligence sources. Vendors investing in AI-augmented security operations gain competitive advantage as enterprises prioritize automation and efficiency gains.

• →Ensemble LLM detection achieves 82.8% accuracy with 0.120 false positive rate on SIEM logs, meeting production reliability requirements.
• →SQM syntax-constrained query generation doubles baseline LLM performance through platform-specific constraints and metadata-grounded prompting.
• →Framework reduces incident triage time from hours to under 10 minutes, representing massive operational efficiency gains for SOCs.
• →Retrieval-augmented resolution support improves incident remediation prediction from 78.3% to 90.0% accuracy.
• →Domain-constrained LLM architectures with structured retrieval mechanisms enable enterprise-grade AI deployment in security operations.