Next-generation SOAR with AI: redefining Cyber Security orchestration

Automation has become a cornerstone of Cyber Security Operations Centers (CyberSOCs). SOAR (Security Orchestration, Automation and Response) platforms have evolved from simple playbook execution tools into intelligent systems.

In their new generation, SOAR platforms integrate Large Language Models (LLMs), enabling more contextual, autonomous orchestration with continuous learning capabilities. This transformation is redefining how cyber analysts engage with threats, data, and systems.

■ SOAR (Security Orchestration, Automation and Response) streamlines Cyber Security by integrating data and tools into a unified system that accelerates incident response and enhances collaboration across SOCs. This allows organizations to defend against cyber threats more quickly and effectively, consolidating multiple data sources and tools into a cohesive environment.

Next-generation SOAR: conversational AI for contextual automation

LLM-powered SOAR platforms allow analysts to interact with systems using natural language, generate and modify playbooks, interpret alerts, draft reports, and even propose responses to complex threats.

Key applications

• Automated playbook generation based on natural language descriptions.
• Incident summarization and automatic creation of technical reports.
• Threat prioritization based on operational and critical context.
• Adaptive response suggestions grounded in frameworks like MITRE ATT&CK and detected TTPs.

SOAR has evolved from a mere execution tool into an intelligent system capable of learning and adapting.

Advantages over traditional SOAR

• Reduced reliance on manual coding.
• Improved interpretability of events and decision-making.
• Continuous learning through human feedback.

Challenges in integrating LLMs into SOAR

• Validation of automated actions: Prevent LLMs from making unsupervised, undesirable decisions.
• Hallucinated findings: Risk of inaccurate interpretations or fabricated responses.
• Prompt privacy and security: Sensitive query data must be rigorously protected.
• Cultural adaptation and training: Analysts must develop new skills to interact effectively with generative AI.

LLM language models offer more contextual and autonomous orchestration, redefining operations in CyberSOCs.

Use case: Implementing LLM-powered SOAR in an MSSP

A Managed Security Services Provider (MSSP) integrated a next-gen SOAR platform with LLMs to automate incident handling and client communications.

Analysts could query the system using natural language to get threat summaries, validate automated steps, and adjust playbooks in real time.

Outcomes achieved

• 48% reduction in Mean Time to Investigate (MTTI)
• Improved quality and speed of incident reports.
• 60% increase in automated resolution of low-severity incidents.

Recommendations

• Set up validation controls for actions suggested by LLMs.
• Incorporate algorithmic governance frameworks and decision auditing.
• Foster co-creation between analysts and AI through effective prompt design.
• Ensure data privacy and security in interactions with LLMs.

Conversational AI integration enables the drafting of reports, interpretation of alerts, and proposal of responses to complex threats.

Conclusion

The integration of LLMs into SOAR platforms marks a new era in Cyber Security automation—more intelligent, contextual, and collaborative.

This technology not only boosts efficiency but empowers analysts with conversational capabilities that transform their operational approach. The goal is not to replace humans, but to build a powerful synergy between expert knowledge and generative artificial intelligence.