Agentic SOC Pilot Kit (30 days) Goal: deploy one bounded, high-ROI security workflow where an agent can (1) collect evidence, (2) recommend or take actions under policy, and (3) produce an audit-ready case file. 1) Choose the first playbook (Day 1–3) - Pick ONE workflow with high volume + low ambiguity. Good starters: • Phishing triage (classify, extract IOCs, open ticket, quarantine email) • Suspicious login / impossible travel (enrich, session revoke, force reset) • Leaked secrets rotation (detect in Git, rotate key, notify owner) - Define “done” in one sentence (example): “Agent auto-closes 60% of phishing reports with evidence and zero link-clicking.” 2) Define success metrics (Day 1–5) Track baseline for 2 weeks of historical cases: - Median handling time per case (minutes) - Auto-closure rate (%) and human review time (minutes) - Escalation rate to Tier 2/IR (%) - False positive impact count (incidents where action was wrong) - MTTR for containment (minutes) Set targets (realistic for 30 days): - 30–50% reduction in handling time - 20–40% reduction in escalations - 0 “high-impact” wrong actions (lockouts, outages) 3) Integrations checklist (Day 3–10) Minimum required: - Identity: Okta or Microsoft Entra ID - Ticketing: ServiceNow or Jira - ChatOps: Slack or Teams - Evidence store: S3/GCS/Azure Blob with retention policy Optional by playbook: - EDR: CrowdStrike or Microsoft Defender for Endpoint - Email: M365 or Google Workspace + gateway 4) Guardrails & permissions (Day 5–12) - Create an action allowlist (only approved APIs) - Add risk tiers: • Low risk: create ticket, tag user, gather logs (auto) • Medium: revoke sessions, rotate keys (auto with notifications) • High: disable accounts, quarantine endpoints (require approval) - Add blast-radius caps (max users disabled/hour; exclude VIP/admin) - Add rollback steps for each action (how to undo within 5 minutes) 5) Evidence & audit requirements (Day 7–15) Every case file must include: - Source event IDs + timestamps (links to raw logs) - Enrichment sources used (whois, asset inventory, identity context) - Policy matched (why the agent chose the action) - Actions executed + API responses - Analyst overrides (who approved/denied and why) Export format: JSON + human-readable narrative. 6) Run the pilot (Day 15–30) - Start in “recommend-only” mode for 3–5 days. - Move to “approve-to-act” mode for 1–2 high-value actions. - Graduate ONE action to autonomous only after: • ≥50 cases observed • 0 critical mistakes • Analysts agree evidence quality is sufficient 7) Executive readout (Day 30) Include: - Before/after metrics (time saved, escalations reduced) - Top 3 failure modes and mitigations - Permission expansion plan (next playbook + next action) - Estimated annual ROI: (hours saved/month * fully loaded analyst cost) – software cost Use this kit to keep your agentic SOC pilot measurable, safe, and expansion-ready.