Reskill · SOC
Security Operations
The incident room asks one question first: what did the agent do, and what did the user do?
Attribution is the skill. Until the record separates the two, every autonomous action is unowned.
Start with these skills
- Protect audit logs from tamperinggate
- Monitor and alert on AI-relevant eventsgate
- Control who reads the logs, and log that toogate
- Respond to what the logs say, on a clockgate
- Keep clocks in sync so timelines holdgate
The rung you have to reach
Security Monitoring
Monitoring and logging of AI applications and activity, including prompts, input/output, service usage, agent actions, data access, and other relevant logs and events useful for security and compliance.
L1 · Initial
No AI-specific monitoring. Reliance on cloud and/or AI provider default logging, if enabled. No visibility into prompts, agent actions, or AI service usage. AI activity untracked and unauditable.
L2 · Repeatable
Basic AI service logs collected (model invocations, API calls) and initial token/cost tracking for major AI platforms. Logs retained in the provider but not regularly analyzed for security. No prompt or response capture. AI usage logs reviewed for billing or troubleshooting but not security.
L3 · Defined
Prompt/response logging implemented for key AI applications (with appropriate data handling/masking). Agent action logging captures tool calls and resource access. Initial AI-specific alerting (e.g., guardrail violations, information disclosure). Logs aggregated into central SIEM. MCP and tool invocations logged.
L4 · Capable
Comprehensive AI telemetry across applications, including prompts, responses, agent actions, delegation chains, and data access. AI-specific threat detection in place (prompt injection, jailbreak attempts, anomalous patterns). Delegation chain auditability for multi-agent workflows. Alerts integrated with SOC workflows. Sensitive data detection in key AI inputs/outputs.
L5 · Efficient
Real-time AI security monitoring with automated response capabilities. Full auditability from user intent through agent actions to resource access. AI behavioral baselines with anomaly detection. Proactive threat hunting for AI attack patterns. AI monitoring integrated with incident response playbooks.
This function also touches: AI Supported Development and Supply Chain Security, Incident Response.
our model · calibrated to SAE J3016
Your syllabus
The plays that climb the rung.
Alert triage & enrichment
Disposition the alert queue: enrich each alert with context, close false positives, escalate what matters.
Moves: Time per alert ↓
Show the exact control IDs (for your security & GRC team)
L2 LOG-01, HRS-15, DSP-17 · L3 LOG-15, LOG-16, GRC-15, TVM-13 · L4 LOG-12, IAM-18, MDS-10
Phishing-report handling
Analyse user-reported emails: verdict, user reply, and containment for the true positives.
Moves: Time per reported email ↓
Show the exact control IDs (for your security & GRC team)
L2 SEF-06, HRS-15, DSP-17 · L3 LOG-15, LOG-16, GRC-15 · L4 SEF-07, IAM-18, LOG-12
Incident summarization & comms
Turn a closed incident into the post-incident report and the stakeholder communications.
Moves: Time per incident report ↓
Show the exact control IDs (for your security & GRC team)
L2 SEF-01, SEF-03, DSP-17 · L3 GRC-15, LOG-16 · L4 SEF-05, LOG-12
Detection-rule engineering
Write, test and tune SIEM detections for new threats and noisy rules.
Moves: Time to new detection ↓
Show the exact control IDs (for your security & GRC team)
L2 LOG-03, TVM-05, HRS-15 · L3 LOG-07, GRC-15, TVM-13 · L4 LOG-14, IAM-18
Threat-intel digestion
Read the feeds and advisories; extract what applies to this org; brief the team and update watchlists.
Moves: Time to actionable intel ↓
Show the exact control IDs (for your security & GRC team)
L2 TVM-04, HRS-15, DSP-17 · L3 LOG-16, GRC-15 · L4 TVM-10, LOG-12
Vulnerability triage & prioritization
Rank the scanner backlog by real exploitability and business context; route fixes to owners.
Moves: Critical-vuln backlog age ↓
Show the exact control IDs (for your security & GRC team)
L2 TVM-09, TVM-03, HRS-15 · L3 TVM-08, GRC-15 · L4 TVM-11, IAM-18
Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →