TL;DR
A real SOC runs 24×7 with eight or nine distinct roles — alert triage, deeper investigation, incident response, threat intel, detection tuning, hunting, shift management, and a human approver for any destructive action. We built an AI version of that whole org chart, coordinated over a Redis Streams bus, with one local LLM (GLM-4.7-Flash on a Mac M1) wearing every hat. v1 is read-only against real systems; the only writes are XSOAR notes and Webex cards, plus a human-approval gate on every proposed containment action.
8 roles: Sentinel · Tier 2 · IR Lead · Threat Intel · SOC Manager · Detection Eng · Threat Hunter · HITL
1 LLM: GLM-4.7-Flash, running locally on a Mac M1
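The v1 rule in the TL;DR (reads are free, the only writes are XSOAR notes and Webex cards, every containment action waits for a human) is easy to state and easy to get wrong, so here is a small policy gate that enforces it as an added example, not code from the post's own system; the class name, the action strings and the no-self-approval rule are assumptions.

```python
"""Added example (not the post's code): a policy gate for agent-proposed actions.
Read-only calls and the two allowlisted writes run immediately; containment
actions are parked until a human approves; anything unknown is denied."""
from dataclasses import dataclass, field

# Assumed action names; a real deployment would map these to its tool calls.
READ_ONLY = {"query_siem", "lookup_ioc", "get_endpoint_details"}
ALLOWED_WRITES = {"xsoar_add_note", "webex_post_card"}
CONTAINMENT = {"isolate_host", "disable_account", "block_ip"}


@dataclass
class Proposal:
    action: str
    target: str
    proposer: str  # which SOC role proposed it, e.g. "ir_lead"


@dataclass
class ActionGate:
    pending: dict = field(default_factory=dict)    # proposal id -> Proposal
    approvals: dict = field(default_factory=dict)  # proposal id -> approver
    executed: list = field(default_factory=list)   # audit trail of what ran
    _next_id: int = 0

    def submit(self, p: Proposal) -> str:
        """Return 'executed', 'pending:<id>' or 'rejected' for a proposal."""
        if p.action in READ_ONLY or p.action in ALLOWED_WRITES:
            self.executed.append(p)
            return "executed"
        if p.action in CONTAINMENT:
            self._next_id += 1
            pid = f"p{self._next_id}"
            self.pending[pid] = p  # held for the HITL role
            return f"pending:{pid}"
        return "rejected"  # default deny: unknown actions never run

    def approve(self, pid: str, approver: str) -> bool:
        """Release a pending containment action; the proposer may not self-approve."""
        p = self.pending.get(pid)
        if p is None or approver == p.proposer:
            return False
        self.approvals[pid] = approver
        self.executed.append(self.pending.pop(pid))
        return True
```

The `executed` list doubles as the audit record a reviewer would want: every containment entry in it has a matching `approvals` entry naming who released it.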