Home Capabilities Security Focus Areas Reports Events Team Insights R&D Contact Client Portal
Cyberpert R&D
Lab ProjectPublic research note

Autonomous SOC Evidence Chain

A Cyberpert R&D project for making AI-assisted SOC work traceable from raw signal to executive decision.

A Cyberpert R&D project for making AI-assisted SOC work traceable from raw signal to executive decision.

Research question

Can a SOC use AI to accelerate evidence collection, alert grouping, timeline drafting, and executive reporting without losing auditability, analyst authority, or chain-of-custody discipline?

The project starts from a conservative assumption: AI output is a draft that must remain traceable. It can compress evidence, but it cannot become the only evidence.

Technical method

Cyberpert models every enrichment, generated summary, analyst correction, containment recommendation, approval, and rejected recommendation as an evidence object. Each object points back to source telemetry, system of record, timestamp, analyst, and confidence statement.

The schema is designed to support incident command, legal review, regulator explanation, and after-action analysis. It also allows teams to measure where AI helped and where it introduced risk.

Governance model

The work aligns with NIST AI RMF concepts by defining use cases, boundaries, monitoring expectations, and accountability. The SOC keeps human approval for credential revocation, isolation, public notification, and other irreversible actions.

The research also tests prompt-injection and unsafe-tool-call scenarios because SOC data often includes untrusted text from tickets, logs, emails, and threat-actor communications.

Public output

The public output is an evidence-chain schema, analyst acceptance metric, human approval model, and review checklist for organizations modernizing SOC operations with AI.

The value is practical: faster evidence packages, clearer executive timelines, better auditability, and fewer untraceable automation decisions.

NATO-aligned operating value

Coalition and public-sector cyber operations depend on defensible evidence because decisions may affect public services, classified environments, suppliers, regulators, law enforcement, and political leadership. An AI-assisted SOC therefore needs more than acceleration; it needs provenance that survives scrutiny.

The evidence chain records raw telemetry, enrichment source, generated summary, analyst correction, recommended action, approval, rejection, and final executive statement. This makes AI useful without allowing generated text to replace source facts.

Research experiments

Cyberpert tests alert clustering, entity enrichment, timeline drafting, missing-evidence detection, executive brief generation, prompt-injection resistance, and unsafe-tool-call blocking. Each experiment measures whether the assistant shortened work while preserving analyst authority.

The lab also tests hostile input inside tickets, logs, emails, and intelligence reports. If an attacker can influence a prompt through operational data, the workflow must label sources, restrict tools, and require human approval before disruptive action.