The useful question is not whether to put a large language model in your SOC. It is where the model plugs in. Answer that wrong and you either get a chatbot nobody uses or an agent with enough privilege to become your next incident. Answer it right and you remove real toil from tier-1 without adding a new attack surface.
The short version: the model sits beside your SIEM and SOAR as an enrichment and drafting service, called from your existing pipeline, and it never sits in the critical decision path. This post is about the wiring. For the broader question of what generative AI is and is not good at in security work, see how to use generative AI in security operations.
The Reference Architecture
Do not point analysts at a chat window. Build an event-driven service:
- Your SIEM or SOAR fires a webhook when an alert crosses a threshold.
- An enrichment service you control assembles the fields the model needs (the alert, recent auth history, relevant threat intel), redacting what it should not see.
- The service calls the model API with a fixed output schema.
- It validates the response and writes a draft verdict, confidence, and rationale back to the case.
- A human still decides. State-changing actions stay with the human or with a deterministic SOAR playbook.
The model is a callout in your pipeline, no different in principle from a VirusTotal or GreyNoise lookup. It produces text; your systems remain the source of truth.
Use the API, and Force Structured Output
The consumer ChatGPT and Claude apps give you no retention control, no output contract, and no audit log. For anything touching production alerts, use the API: the OpenAI Chat Completions or Responses API or the Anthropic Messages API.
The important move is to stop parsing prose. Force the model to return a schema that drops straight into case management. On Anthropic, tool use doubles as a structured-output mechanism: define a tool, force the call, get validated JSON. OpenAI’s structured outputs and function calling do the same.
import anthropic
client = anthropic.Anthropic() # reads ANTHROPIC_API_KEY
triage_tool = {
"name": "record_triage",
"description": "Record the triage verdict for a single security alert.",
"input_schema": {
"type": "object",
"properties": {
"verdict": {"type": "string", "enum": ["benign", "suspicious", "malicious"]},
"confidence": {"type": "number", "minimum": 0, "maximum": 1},
"mitre_techniques": {"type": "array", "items": {"type": "string"}},
"rationale": {"type": "string"},
},
"required": ["verdict", "confidence", "rationale"],
},
}
resp = client.messages.create(
model="claude-haiku-4-5-20251001", # cheap model for high-volume queue work
max_tokens=1024,
tools=[triage_tool],
tool_choice={"type": "tool", "name": "record_triage"},
system=(
"You are a SOC tier-1 triage assistant. Classify the alert using only the "
"fields present in the input. Do not invent indicators not in the data."
),
messages=[{"role": "user", "content": alert_json}],
)
verdict = next(b.input for b in resp.content if b.type == "tool_use")
The enum stops the model from inventing a new category. Log the confidence and route anything low-confidence to a human instead of auto-closing it.
Give the Model Tools With MCP, Read-Only First
Static triage on a single alert is worth something. An investigation that pulls related context is worth more, and that means letting the model call your tools. The clean way to standardize this is the Model Context Protocol (MCP), an open standard for exposing tools and data to models. Both the Anthropic API and a growing set of OpenAI clients speak it, so one MCP server serves multiple models.
Start with read-only tools: search_siem, lookup_ip_reputation, get_user_auth_history. A minimal MCP server that wraps a SIEM query looks like this:
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("soc-tools")
@mcp.tool()
def get_user_auth_history(username: str, hours: int = 24) -> list[dict]:
"""Return this user's authentication events (read-only)."""
return siem.query(
f'index=auth user="{username}" earliest=-{hours}h | fields _time, src_ip, action'
)
The rule that keeps this safe: every input the model reads is potentially attacker-controlled. The body of a phishing email, a hostname in a log, a field in a retrieved document; an attacker who can write to any of those can attempt prompt injection. OWASP ranks prompt injection as LLM01 in its Top 10 for LLM Applications, and MITRE ATLAS tracks it as AML.T0054. Constrain the agent the way you constrain a service account:
- Read-only by default. Query, enrich, and summarize tools are safe to grant.
isolate_hostanddisable_userrequire human confirmation or a deterministic playbook, never an unattended model. - Least privilege per tool. The auth-history tool does not need write access to anything.
- Bound the blast radius. Rate-limit tool calls, cap agent turns, and log every invocation as a privileged action.
Route by Severity to Control Cost
A SOC processing tens of thousands of alerts a day cannot send all of them to a frontier model. Route by severity. Tier-1 queue triage goes to a fast, cheap model like Claude Haiku 4.5 (claude-haiku-4-5-20251001). Escalations that a human already cares about (correlating artifacts, drafting an incident timeline) go to Sonnet 5 (claude-sonnet-5) or Opus 4.8 (claude-opus-4-8), or the OpenAI equivalent. Cheap model for volume, capable model for the cases that earn it.
Keep Sensitive Data Out of the Call
The integration is only as safe as its data handling. Send the model the fields the task needs, not raw logs carrying credentials, PII, or full payloads. Redact or hash identifiers before the API call. Use an enterprise tier with a zero-retention, no-training agreement and keep that contract for your auditors. For regulated data, run retrieval locally with pgvector and a self-hosted embedding model and pass only the snippet, or deploy the model inside your own tenant via Amazon Bedrock or Google Vertex. The pattern is the same discipline you already enforce on every other third-party callout.
Roll Out in Shadow Mode
Do not flip this on live. Run it in shadow mode first: the model produces a verdict, a human still decides, and you compare. Track two numbers, agreement rate against your analysts and cost per alert. Promote a task from shadow to assisted only when the agreement rate earns it, and keep a human on every irreversible action indefinitely.
The teams that get value from wiring ChatGPT or Claude into a SOC are the ones who already understood their detection logic and data flows. The model amplifies the pipeline you have; it does not replace the engineering. GTK Cyber’s Applied Data Science and AI for Cybersecurity course is built for exactly that: security practitioners who want to connect LLMs to real workflows, with the judgment to know where the model belongs and where it does not.