TOWARD INTELLIGENT AND AUTONOMOUS SOCS: ENABLING LLM-DRIVEN, MCP-INTEGRATED, MULTI-AGENT SECURITY OPERATIONS
Abstract
The daily influx of alerts, high false-positive rates, disjointed investigation processes, and continuously growing cyber threats keep Security Operations Centers (SOCs) under pressure. The traditional SOC model is reactive, signature-based, and dependent on manually maintained SOAR playbooks, which are slow to adjust to new Indicators of Compromise (IOCs). Empirical research has observed that a considerable share of security alerts go uninvestigated, and that those which are investigated are often inaccurately or inconsistently classified as false positives, contributing to analyst fatigue, longer dwell time, and uneven incident response. Recent developments in artificial intelligence (AI) and distributed cyber defense suggest that smarter, more autonomous SOC paradigms are emerging. Combined with agentic reasoning and multi-agent coordination architectures, large language models (LLMs) show strong potential in Tier-1 alert triage, contextual evidence correlation, automated rule generation, and adaptive response planning. Interoperability standards such as the Model Context Protocol (MCP) allow tool invocation and exchange of contextual data among SIEM, SOAR, TIP, and case management systems. This paper reviews the existing research on SOC automation, the challenges that persist, and the opportunities ahead for achieving explainable, closed-loop, and autonomous security operations.