LLMs are being adopted in Security Operations Centers (SOCs), mostly as copilots, for summarizing alerts, querying logs, or drafting reports. However, when used for end-to-end investigations, their core limitations become blockers: variable responses, hallucinations, and lack of traceability.

This session starts with a concrete example. We run the same alert multiple times through an LLM SOC analyst and observe their outputs: inconsistent. This is not a bug, but a feature of how generative models work: they're probabilistic, not deterministic. That makes them unreliable for high-stakes workflows like triage or correlation.

To address this, we present a hybrid architecture that embeds LLMs within a graph-based orchestrator. This orchestrator models the investigation as a dyna ...