Download Paper
Abstract

Security operations faces a scaling crisis driven by workforce shortages, analyst burnout, and alert overload. While AI and automation have improved parts of detection, triage, and response, the industry still lacks a broadly adopted, vendor-neutral framework for classifying degrees of SOC autonomy — leading to vendor confusion, misaligned buyer expectations, and unfocused research investment. This paper introduces the SOC Autonomy Framework (SAF), defining six levels of security operations autonomy (L0 through L5), analogous to the SAE J3016 standard for automated driving.

The Framework

SOC Autonomy Framework

LevelNameAI decision scopeHuman roleAction rate
L0Manual SOCNoneEverything0%
L1Assisted DetectionSurface, prioritize alertsInvestigate, decide0%
L2Automated TriageTriage, enrich, correlate, filter FPsValidate, investigate, respond0-10%
L3Conditional AutonomyInvestigate, recommend, execute low-riskApprove high-impact, supervise20-50%
L4High AutonomyFull lifecycle within governed boundariesMonitor, exceptions, policy updates70-90%
L5Full AutonomyEntire SOC lifecycleSet policy only99-100%
Key Insights
The trust threshold

L2 to L3 Transition

The transition from automated triage to conditional autonomy requires the system to reason about novel situations, not just follow playbooks. This is the hardest architectural leap.

The trust threshold

L3 to L4 Transition

Moving from human approves to system acts autonomously is primarily a trust challenge requiring calibrated confidence, governed boundaries, and auditable decision traces.

The trust threshold

Full Autonomy

Full autonomy may be technically achievable but ethically undesirable. The value of human judgment in security is not processing speed, it's moral reasoning about proportional response.

About The Author

Faiz Shuja is the Co-Founder and CEO of SIRP Labs, where he created the OmniSense Autonomous SOC platform. A system designed to autonomously understand signals, reason in real-time, and take action based on evolving context. His career in cybersecurity spans two decades.

He founded Rewterz in 2006 from a small room on a rooftop in Karachi, Pakistan, with a single goal: build something meaningful in cybersecurity. That company grew into one of the Middle East's leading cybersecurity firms, now protecting 50+ enterprises across the globe with a 200-member team and a state-of-the-art SOC in Riyadh. He served as CEO of The Honeynet Project (2016-2021), the international non-profit dedicated to investigating cyber attacks and developing open-source security tools. He holds CISSP, GCIH, and GSEC certifications.

Experience the Self-Driving SOC

SARA Open is the free AI security analyst powered by OmniSense — the architecture described in this paper.