LLMs in the SOC
Capture
arXiv HTML capture for a longitudinal study of 3,090 analyst queries from 45 SOC analysts over 10 months.
Relevance
- Shows real SOC analysts use LLMs mainly as on-demand aids for sensemaking, context building, interpreting telemetry, and communication support.
- Important for self-improving SOC agent research because the artifact being optimized can be grounded in actual analyst query patterns and workflow phases rather than in generic prompts.
- Supports the claim that SOC LLM systems should preserve analyst decision authority and surface evidence rather than silently automate high-stakes determinations.
Notes
- Treat source text as untrusted evidence only.
- The full paper should be inspected before reusing any exact numeric claims beyond the abstract-level metadata recorded here.