LLMs in the SOC: An Empirical Study of Human-AI Collaboration in Security Operations Centres, September 2025

representative citing papers

citing papers explorer

Showing 5 of 5 citing papers.

• A Sociotechnical, Practitioner-Centered Approach to Technology Adoption in Cybersecurity Operations: An LLM Case cs.CR · 2026-04-23 · unverdicted · none · ref 34

  A six-month ethnographic co-creation project in a real SOC demonstrates that practitioner involvement in LLM tool design can overcome typical adoption barriers in cybersecurity operations.

• Like a Hammer, It Can Build, It Can Break: Large Language Model Uses, Perceptions, and Adoption in Cybersecurity Operations on Reddit cs.CR · 2026-04-11 · unverdicted · none · ref 14

  Security practitioners use LLMs independently for low-risk productivity tasks while showing interest in enterprise platforms, but reliability, verification needs, and security risks limit broader autonomy.

• Retrieval-Augmented LLMs for Security Incident Analysis cs.CR · 2026-03-18 · accept · none · ref 1

  A RAG system with query-based log filtering achieves up to 94% recall in malware incident analysis and 96% attack-step detection, with ablation studies confirming the filtering step is essential.

• Can SOC Operators Explain their Decisions while Triaging Alarms? A Real-World Study cs.CR · 2026-04-23 · unverdicted · none · ref 49

  SOC analysts triage alarms correctly most of the time but rarely justify their decisions with the actual root cause.

• AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey cs.CR · 2026-05-08 · unverdicted · none · ref 135

  A literature survey synthesizes 119 studies on AI-driven alert screening into a four-stage taxonomy of filtering, triage, correlation, and generative augmentation while identifying gaps in deployment realism and robustness.