Why SOAR Breaks at Scale, and What Actually Replaces It
The four failure modes of SOAR at scale and the architecture that replaces it.
Darius Iakabos · 27 min watch · 9 min read

TL;DR
A 27-minute conversation with Darius Iakabos, Lead Solutions Architect at Arcanna, on what's actually changing in SOC operations and why most AI security pitches miss the architectural point.
LLMs are non-deterministic by design. Same alert, same context, two different verdicts thirty seconds apart. That's tolerable for summarization. It's a problem for decisions you're going to act on.
Darius makes the case that what SOCs actually need is reproducibility, not raw intelligence. A decision engine that changes its mind can't be audited. A decision engine that doesn't know your environment, your policies, or your team's prior judgments can't be trusted with operational decisions. The architectural answer is decision models trained on your team's actual verdicts — narrow, deterministic, grounded in your data.
The canonical SOC workload, walked through end-to-end. A phishing alert arrives. A decision model handles initial triage and clears the noise. For the alerts that need investigation, agentic workflows dynamically gather what's missing — DNS lookups, endpoint logs, execution traces. A second decision model grounds the final verdict based on impact and affected entities.
The point isn't speed. The point is that the architecture combines two complementary patterns: deterministic decisions where they matter, agentic investigation where context is missing. SOAR was never built to do either of these well.
Decision models in Arcanna are deep neural networks trained entirely on your team's data. A senior analyst defines what the decision points are — what data actually matters when making a verdict — and trains the model with examples. Through iteration, the model learns to behave the way the team behaves.
The result is a model that's unique to each organization. Same behavior in two different environments could yield two different decisions, because there's no universal truth in security operations. There's only your team's truth, your environment, and your policies. That's the opposite of dropping a general-purpose LLM into your pipeline.
Three layers of guardrails. First, controlling what data goes into the model — the decision points are explicit, not inferred. Second, confidence scores and outlier detection on every prediction, so analysts know which decisions to consume and which need more training. Third, similarity tracking — when a new alert produces a verdict, you can see which historical alerts most influenced that decision, and correct mistakes in the training data when needed.
This is what auditability looks like in practice. Not "we log things." Structured traceability that maps every decision back to the team's prior judgments and the data that shaped it.
The cleanest articulation of the architectural spine. If we have the data and we need a decision, the Decision Layer is the answer. If we don't have the data and getting it traditionally is hard, the Investigation Layer dispatches agents to gather it. Once the data exists, the Decision Layer returns the verdict.
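The decision/investigation routing just described, together with the three guardrails above, as a small added example that is not Arcanna's code: a nearest-neighbour decision model over a team's historical verdicts, with the history, the alerts and the enrichment lookups all constructed here.

```python
"""Added illustration of the two-layer pattern (not Arcanna's code).

A nearest-neighbour "decision model" over a team's historical verdicts gives a
reproducible verdict with a confidence score, an outlier flag and the historical
alerts that influenced it; an "investigation" step fills in missing decision
points first. History, alerts and enrichment lookups are all constructed.
"""
from collections import Counter
from math import sqrt

# Guardrail 1: explicit decision points and the scale that maps each to [0, 1].
# url_reputation is a constructed score where higher means more suspicious.
DECISION_POINTS = {"domain_age_days": 365, "url_reputation": 1, "exec_recipient": 1, "macro_attachment": 1}

# Constructed history: (alert id, decision-point values, analyst verdict).
HISTORY = [
    ("H1", {"domain_age_days": 3,    "url_reputation": 0.9, "exec_recipient": 1, "macro_attachment": 1}, "malicious"),
    ("H2", {"domain_age_days": 10,   "url_reputation": 0.8, "exec_recipient": 0, "macro_attachment": 1}, "malicious"),
    ("H3", {"domain_age_days": 1200, "url_reputation": 0.1, "exec_recipient": 0, "macro_attachment": 0}, "benign"),
    ("H4", {"domain_age_days": 2000, "url_reputation": 0.0, "exec_recipient": 1, "macro_attachment": 0}, "benign"),
    ("H5", {"domain_age_days": 900,  "url_reputation": 0.2, "exec_recipient": 0, "macro_attachment": 0}, "benign"),
    ("H6", {"domain_age_days": 5,    "url_reputation": 0.7, "exec_recipient": 0, "macro_attachment": 0}, "malicious"),
    ("H7", {"domain_age_days": 6,    "url_reputation": 0.8, "exec_recipient": 1, "macro_attachment": 0}, "malicious"),
]

# Constructed stand-ins for investigation agents (domain age lookup, URL reputation).
ENRICHMENT = {
    "domain_age_days": lambda a: {"mail-relay.example": 4}.get(a.get("sender_domain"), 1500),
    "url_reputation": lambda a: 0.85 if "login-" in a.get("url", "") else 0.05,
}

def distance(a, b):
    """Euclidean distance over the decision points only; any other alert field is ignored."""
    norm = lambda v, s: min(v, s) / s
    return sqrt(sum((norm(a[k], s) - norm(b[k], s)) ** 2 for k, s in DECISION_POINTS.items()))

def decide(alert, k=3, outlier_radius=0.5):
    """Decision Layer: k-NN vote with confidence, outlier flag and similarity trace (guardrails 2 and 3)."""
    ranked = sorted(HISTORY, key=lambda h: distance(alert, h[1]))[:k]
    verdict, votes = Counter(v for _, _, v in ranked).most_common(1)[0]
    return {"verdict": verdict, "confidence": votes / k,
            "outlier": distance(alert, ranked[0][1]) > outlier_radius,  # far from every prior verdict
            "influenced_by": [hid for hid, _, _ in ranked]}

def triage(alert):
    """Route: decide if the data is there, otherwise investigate first, then decide."""
    alert = dict(alert)
    missing = [k for k in DECISION_POINTS if k not in alert]
    for k in missing:                          # Investigation Layer: gather only what is missing
        if k not in ENRICHMENT:
            return {"verdict": "needs_analyst", "investigated": missing}
        alert[k] = ENRICHMENT[k](alert)
    return {**decide(alert), "investigated": missing}
```

A high confidence score together with an outlier flag is the case the text calls out: the vote is unanimous, but nothing in the training data is close to the alert, so the verdict should be reviewed rather than consumed.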
In production, this means threat hunts that took two or three hours collapse to ten or fifteen minutes. Detection engineering tasks that required iterative testing become single-shot. Reporting becomes consistent and structured. The economic model shifts from linear headcount growth to flat scaling — same team, more customers or more alert volume.
Most SOCs scale by adding people. Adding analysts, adding playbook maintainers, adding tier-two specialists. That math works at smaller volumes and breaks at scale.
Darius lays out a different model. With grounded decision models handling the high-volume work and agentic investigations handling the dynamic work, analysts move from running operations to supervising them. They specialize in the work that's actually hard — custom detections, threat hunting, reverse engineering, forensics. The boring day-to-day work that couldn't be automated before now is. The team doesn't grow with alert volume. It grows with capability depth.
Darius Iakabos, Lead Solutions Architect at Arcanna
He started his career building SOC operations at an MSSP — setting up tooling, writing detections, and running investigations — before joining Arcanna to help customers deploy AI decision models and agentic workflows in production. He is the main user of the platform Arcanna is building.