Sophos

Andrea Gillhuber,

Why AI Agents in the SOC Don't Learn Over Time

AI agents are already assisting Security Operations Centers (SOCs) in analyzing security incidents. However, one fundamental problem remains: the systems lack a permanent memory to store experiences and use them to inform future decisions.

© Robert Kneschke/stock.adobe.com

Artificial intelligence is increasingly taking on tasks in security operations centers such as analyzing security alerts, performing SIEM (Security Information and Event Management) queries, and executing automated playbooks. However, according to security specialist Sophos, most AI agents lack a crucial capability: they cannot permanently store past insights and use them to inform future decisions.

A lack of context makes decision-making more difficult

While experienced security analysts factor in past incidents, attack patterns, or known false positives into their assessments, many of today’s AI systems treat each new incident in isolation. Previous assessments of IP addresses, recurring user activities, or attack patterns that have already been analyzed are not automatically incorporated into new analyses. As a result, insights that would be helpful in classifying new security events are lost.

One potential solution is Retrieval-Augmented Generation (RAG), in which language models access external knowledge sources. However, this technique merely makes information retrievable; it does not create a permanent memory.

Advertisement

A functional AI memory would need to integrate different types of knowledge. These include historical incident data, information about the IT environment, past assessments, and their temporal and technical context. Only then would AI agents be able to recognize recurring patterns or independently identify false alarms.

Researchers are working on new approaches

Various concepts are currently being explored, including mechanisms for knowledge consolidation, dynamically linked knowledge structures, and time-based data models. At the same time, new challenges are emerging in areas such as auditability, data protection, and compliance.

Managed Detection and Response (MDR) providers, in particular, face the challenge of how to leverage insights from different customer environments without violating data protection regulations.

Autonomous SOC agents remain a topic for the future

The security specialist concludes that many of today's AI systems are more like sophisticated automation tools than fully autonomous agents. They speed up analyses and assist security analysts, but so far lack the ability to learn sustainably from their own experiences.

  • Xing Icon
  • LinkedIn Icon
Advertisement
Advertisement

You might also be interested in

Advertisement
Advertisement
Advertisement
Advertisement

B&R

CRA guide for Powerlink checked

TÜV Rheinland has audited the "CRA Guide for Powerlink" from B&R. The guide is one of the first independently audited technical documentations for the implementation of the EU Cyber Resilience Act in automation.

read more...
Advertisement
Advertisement
Advertisement
Subscribe to our newsletter
Advertisement
Back to home