Sophos
Why AI Agents in the SOC Don't Learn Over Time
AI agents are already assisting Security Operations Centers (SOCs) in analyzing security incidents. However, one fundamental problem remains: the systems lack a permanent memory to store experiences and use them to inform future decisions.
Artificial intelligence is increasingly taking on tasks in security operations centers such as analyzing security alerts, performing SIEM (Security Information and Event Management) queries, and executing automated playbooks. However, according to security specialist Sophos, most AI agents lack a crucial capability: they cannot permanently store past insights and use them to inform future decisions.
A lack of context makes decision-making more difficult
While experienced security analysts factor past incidents, attack patterns, or known false positives into their assessments, many of today's AI systems treat each new incident in isolation. Previous assessments of IP addresses, recurring user activities, or attack patterns that have already been analyzed are not automatically incorporated into new analyses. As a result, insights that would be helpful in classifying new security events are lost.
One potential solution is Retrieval-Augmented Generation (RAG), in which language models access external knowledge sources. However, this technique merely makes information retrievable; it does not create a permanent memory.
A functional AI memory would need to integrate different types of knowledge. These include historical incident data, information about the IT environment, past assessments, and their temporal and technical context. Only then would AI agents be able to recognize recurring patterns or independently identify false alarms.
Researchers are working on new approaches
Various concepts are currently being explored, including mechanisms for knowledge consolidation, dynamically linked knowledge structures, and time-based data models. At the same time, new challenges are emerging in areas such as auditability, data protection, and compliance.
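To make the kind of memory described in the two paragraphs above concrete, here is an added illustrative example (not Sophos's code and not any product's implementation): a minimal per-entity memory that keeps prior analyst verdicts with their temporal context, consolidates them into one age-weighted score (a simple time-based model), and lets a triage step reuse them, which is exactly what a stateless, incident-by-incident agent cannot do. The entities, verdicts, thresholds and 30-day half-life are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Assessment:
    """One past analyst verdict on an entity (IP, user, host) with its temporal context."""
    entity: str
    verdict: str      # "benign" (e.g. a confirmed false positive) or "malicious"
    reason: str
    seen_at: datetime

@dataclass
class SocMemory:
    """Persistent memory: consolidates repeated verdicts per entity and lets them age out."""
    half_life: timedelta = timedelta(days=30)   # assumed: a verdict's weight halves every 30 days
    store: Dict[str, List[Assessment]] = field(default_factory=dict)

    def remember(self, a: Assessment) -> None:
        self.store.setdefault(a.entity, []).append(a)

    def recall(self, entity: str, now: datetime) -> dict:
        """Consolidate prior verdicts into one age-weighted score in [-1, 1] (-1 benign, +1 malicious)."""
        prior = [a for a in self.store.get(entity, []) if a.seen_at <= now]   # only what was known by `now`
        if not prior:
            return {"known": False, "score": 0.0, "evidence": []}
        weights = [0.5 ** ((now - a.seen_at) / self.half_life) for a in prior]
        signed = sum(w if a.verdict == "malicious" else -w for a, w in zip(prior, weights))
        return {"known": True, "score": signed / sum(weights),
                "evidence": [f"{a.seen_at:%Y-%m-%d}: {a.verdict} ({a.reason})" for a in prior]}

def triage(memory: SocMemory, entity: str, now: datetime) -> str:
    """The decision a memory-backed agent can make; a stateless agent always lands on 'review'."""
    m = memory.recall(entity, now)
    if m["known"] and m["score"] <= -0.6:
        return "close-as-known-false-positive"
    if m["known"] and m["score"] >= 0.6:
        return "escalate-known-malicious"
    return "review"   # unknown, conflicting or stale history: hand to an analyst

# Constructed sample history (not real indicators): an internal scanner IP confirmed benign
# three times, and a user account previously involved in a confirmed compromise.
MEMORY, T0 = SocMemory(), datetime(2024, 1, 1)
for d in (0, 7, 14):
    MEMORY.remember(Assessment("10.0.0.5", "benign", "internal vuln scanner", T0 + timedelta(days=d)))
MEMORY.remember(Assessment("j.doe", "malicious", "credential stuffing, reset", T0 + timedelta(days=10)))

def decide(entity: str, days_after_t0: int) -> str:
    # Triage `entity` against the sample memory as seen `days_after_t0` days after T0.
    return triage(MEMORY, entity, T0 + timedelta(days=days_after_t0))
```

Calling `decide("10.0.0.5", 20)` closes the repeat scanner alert as a known false positive, `decide("j.doe", 20)` escalates, and an entity with no history (or a verdict recorded only after the point in time being evaluated) falls back to analyst review.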
Managed Detection and Response (MDR) providers, in particular, face the challenge of how to leverage insights from different customer environments without violating data protection regulations.
Autonomous SOC agents remain a topic for the future
The security specialist concludes that many of today's AI systems are more like sophisticated automation tools than fully autonomous agents. They speed up analyses and assist security analysts, but so far lack the ability to learn sustainably from their own experiences.