What started as a simple idea, exploring how AI could support a modern Security Operations Center, has grown into a structured series that documents both real solutions and the learning journey behind them. This collection of articles is intended to walk through the evolution from traditional, deterministic automation toward more adaptive, agent-driven approaches, while sharing the practical steps, challenges, and insights encountered along the way.
At its core, this series is both a technical blueprint and a personal chronicle. I didn’t begin this process with deep expertise across every tool involved. Each step required study, testing, and iteration. What you’ll find here is not just the end result, but the path it took to get there, with the goal of helping others ramp up more quickly and apply these concepts in their own environments.
The direction is intentional. Today, most AI capabilities in the SOC act as assistants, advisors, or copilots. The longer-term goal is to responsibly move toward a model where, with strong guardrails and human-in-the-loop controls, AI can take on more direct action. This is not about removing humans from the process, but about enabling faster, more consistent response at scale, especially as threats themselves become more automated. Over time, this shift allows security teams to focus less on repetitive tasks and more on higher-value analysis and decision making.
While the implementations in this series are Microsoft-centric, the concepts extend beyond a single platform. At the same time, it’s important to recognize that Microsoft Security Copilot already delivers many of the capabilities explored here and continues to evolve rapidly as a core component of Microsoft-based security operations. For organizations invested in that ecosystem, Security Copilot represents a powerful foundation.
This series is designed to complement that foundation. It explores how teams can extend, customize, or build alongside existing capabilities, whether to address specific integration needs, experiment with new patterns, or operate in environments where certain features may not yet be available. In other cases, it provides a path for building similar concepts using native Azure services, or even translating these ideas into other platforms.
The Core Series
These are the articles that walk through the actual build-out of an AI-enabled SOC, starting from foundational APIs and moving toward more advanced orchestration and agent-based designs.
- Building a SOC AI API with Azure AI Foundry
- SOC AI Series, Part 2: Using Logic Apps
- SOC AI Series, Part 3: Using Foundry Agents (In Progress)
This progression reflects a natural evolution. It starts with a model-driven API, moves into structured orchestration with Logic Apps, and is now heading toward agent-based systems that can reason, choose tools, and adapt.
Understanding the Building Blocks
Alongside the core series, I’ve been writing supporting articles to break down the concepts that make this architecture possible. These are less about a single solution and more about helping you understand how the pieces fit together.
- Building a MCP Service using Azure Functions (In Progress)
- Intro to Foundry Agents & Logic App Agent Loop (In Progress)
- Intro and Initial Deployment of a Foundry Agent
- Using Sentinel MCP in VS Code
- Sentinel MCP and the Evolution of Automation
- Deterministic vs. Agentic Incident Response
- Are Public Endpoints Risky?
If there’s a common thread here, it’s the shift from explicit, rule-based workflows to agentic systems that operate with intent and context. That transition isn’t just technical. It changes how you think about control, trust, and how decisions are made inside the SOC.
Related Projects and Supporting Work
Some of the ideas in this series didn’t stay theoretical. They turned into full projects, tools, and experiments that support or extend the broader vision.
- Global Threat Atlas – Public Release
- Introducing KQL Event Viewer!
- Building a Sentinel Cost Estimator
- Sentinel TVM Snapshot Data Connector – Part 1
- Sentinel TVM Snapshot Data Connector – Part 2 (In Progress)
These projects reinforce an important point. An AI-powered SOC depends on more than just AI. Data quality, cost visibility, ingestion strategy, and usable interfaces all play a critical role in making these systems effective.
Where This Is Going
This series is still evolving, and that’s intentional. Each article builds on the last, reflecting a deeper understanding of what an AI-enabled SOC can become.
The direction is toward a model where AI becomes an increasingly active participant in security operations, supported by clear guardrails, strong observability, and deliberate human oversight. As confidence in these systems grows, so does the opportunity to safely expand their role.
This work is very much in progress. Over the next several weeks, I’ll be continuing to publish additional articles and supporting GitHub repositories as I build out and refine these concepts further. The goal is to move quickly while keeping everything grounded in real, working implementations.
Ultimately, this series is intended to provide practical examples, reusable patterns, and a clear path forward for anyone looking to explore what an AI-empowered SOC can look like in the real world.