
BROWNFIELD AGENTIC SOC

Modernize Without Replacing

After more than twenty years at IBM — including roles as Regional Technical Leader for Security Technologies and Tivoli Software across Central and Eastern Europe — I have seen many SOC modernization projects. Organizations consistently face the same dilemma: substantial existing investments in SIEM, SOAR, processes, and human expertise versus the urgent need to keep pace with AI-powered threats.

Most vendors pushed rip-and-replace cloud solutions. I took a different path.

The Brownfield Agentic SOC concept was born from the realization that modernization does not require replacement. It is possible — and often far more effective — to intelligently augment existing infrastructure with multi-level AI agents, dynamic business context, structured investigation, and strong governance, while preserving data sovereignty and human judgment.

This book is intentionally practical and conceptual. Certain advanced techniques (self-healing patterns, zero-visible-downtime adaptation, tamper-evident intelligent audit) are subject to pending patent protection and are presented here at architectural level only.

I wrote this book for three audiences:

  • CISOs and SOC leaders in regulated industries seeking realistic modernization
  • Security architects responsible for next-generation operations
  • Teams that prioritize sovereignty, compliance, and human-AI collaboration

My goal is to provide a clear, actionable blueprint that respects real-world constraints while delivering measurable improvement.

I hope this book inspires and equips you to build more resilient, intelligent, and sovereign Security Operations Centers.

Zsolt L. Kocsis, M.Sc., MBA
Associate Professor honoris causa, Budapest University of Technology and Economics (BME)
May 2026


About the Book

In 2025–2026, AI-powered adversaries operate at machine speed while traditional Security Operations Centers struggle with massive alert volumes, false-positive rates above 90%, lack of real-time business context, and analyst burnout. Most organizations have already made substantial investments in SIEM and SOAR platforms — investments they cannot afford to discard. Strict regulatory requirements and data sovereignty concerns make “rip-and-replace” projects unacceptable.

Brownfield Agentic SOC offers the smarter path.

This book delivers a complete, high-level blueprint for evolving your existing SOC into a next-generation, intelligent, and sovereign security operations capability — without replacing what already works. Discover how to:

  • Dramatically reduce false positives with real-time Dynamic Business Context Integration (AOC)
  • Build true human-AI partnership through a multi-level agent hierarchy
  • Enable structured, hypothesis-driven investigations using the Diamond Model
  • Implement tamper-evident audit, closed-loop governance, and continuous self-learning

About the Author

Zsolt L. Kocsis, M.Sc., MBA, Associate Professor honoris causa at Budapest University of Technology and Economics (BME)

Zsolt L. Kocsis is a seasoned cybersecurity leader with over 15 years of experience in security technology, SOC design, and large-scale security transformation projects. During his tenure at IBM as Regional Technical Leader for Security Technologies, he supported numerous enterprise clients across Central and Eastern Europe in building and modernizing their Security Operations Centers.

His expertise spans SIEM and SOAR platform implementation, threat detection strategy development, incident response process optimization, and the integration of emerging technologies into operational security environments. Zsolt has led multiple complex SOC modernization initiatives, helping organizations transition from reactive, alert-heavy operations to more intelligent, business-aligned security capabilities.

He holds an M.Sc. in Computer Science and an MBA degree. In recognition of his contributions to cybersecurity education and research, he was awarded the title of Associate Professor honoris causa at the Budapest University of Technology and Economics (BME).

Zsolt is passionate about bridging the gap between advanced technology and practical, human-centered security operations. Through this book, he shares the lessons learned from real-world projects and presents a comprehensive blueprint for building the next generation of intelligent Security Operations Centers — one that modernizes existing infrastructure while preserving human expertise and data sovereignty.

Brownfield Agentic SOC - Table of Contents

Executive Summary

Preface

About the Author

Chapter 1: The Crisis of Traditional Security Operations

1.1 The Limitations of Legacy SOC Architectures
1.2 The 2025-2026 Cyber Attack Landscape: The AI Arms Race
1.3 Why Traditional SOCs Are No Longer Enough
1.4 The Vision of the Agentic SOC

Chapter 2: Understanding the Evolution and Limitations of Traditional SOCs

2.1 The Traditional SOC Model – A Historical Perspective
2.2 Why the Traditional Model Is Breaking Down
2.3 The Need for a New Paradigm
2.4 From Reactive to Agentic

Chapter 3: Evolution from Traditional SIEM/SOAR SOC to Agentic SOC

Chapter 4: Core Building Blocks of the Agentic SOC

4.1 The Four Pillars of the Agentic SOC
4.2 Brownfield Design Philosophy
4.3 Integration with Existing Technologies

Chapter 5: Use Cases and Detection Strategies

5.1 What Makes a Use Case Effective?
5.2 Use Case Development Lifecycle
5.3 Practical Use Case Examples
5.4 Maintaining and Evolving the Use Case Library
5.5 How Use Cases Operate in the Agentic SOC
5.6 From Static Rules to Intelligent, Context-Aware Detection
5.7 Getting Started with Use Cases

Chapter 6: Agent Architecture and Collaboration

6.1 The Agent Hierarchy
6.2 Human-AI Collaboration Model
6.3 Closed-Loop Self-Learning
6.4 Practical Implications for SOC Teams

Chapter 7: SOAR as Central Orchestrator

7.1 The New Role of SOAR
7.2 Orchestration Patterns
7.3 Integration with the Agent Hierarchy and Human Oversight
7.4 Practical Implications for SOC Operations

Chapter 8: Dynamic Business Context Integration

8.1 What is Dynamic Business Context Integration?
8.2 How Dynamic Business Context Integration Works
8.3 Benefits and Measurable Impact
8.4 Practical Implementation Considerations
8.5 Strategic Importance

Chapter 9: Structured Investigation Using the Diamond Model

9.1 The Diamond Model – A Foundation for Structured Investigation
9.2 The Role of Dedicated Investigation Capabilities
9.3 Integration with Business Context
9.4 Practical Benefits
9.5 From Reactive to Proactive Investigation

Chapter 10: Dual Portal System Architecture

10.1 The Two Portals
10.2 Key Design Principles of the Dual Portal System
10.3 Benefits of the Dual Portal Approach
10.4 Implementation Considerations

Chapter 11: Audit, Governance and Self-Learning in the Agentic SOC

11.1 The Governance Imperative in Agentic Environments
11.2 Architecture of the Tamper-Evident Protected Audit Repository
11.3 Structured Decision Recording and Explainability
11.4 Closed-Loop Continuous Improvement
11.5 Seamless Integration with the Four Pillars
11.6 Compliance and Regulatory Advantages
11.7 Strategic Importance: From Logging to Intelligent Governance

Chapter 12: On-Premise Implementation Architecture

12.1 The Three-Layer Implementation Architecture
12.2 Key Design Principles
12.3 Security Boundaries and Log Flow
12.4 Implementation Roadmap
12.5 LLM Operational Challenges in Production Agentic SOC Environments
12.6 Conclusion and Forward Path

Chapter 13: SOC Maturity Model and Transition Roadmap

13.1 Why We Need Both Models: Generations vs. Maturity Levels
13.2 The Agentic SOC Maturity Model
13.3 Mapping Maturity Levels to Architecture and Generations

Chapter 14: Educational and Research Applications of the Agentic SOC

14.1 Educational Use Cases
14.2 Research Opportunities
14.3 Capture The Flag (CTF) and Cyber Range Competitions
14.4 Integration into Academic Curricula

Chapter 15: Vision of a Mature Intelligent SOC

15.1 Characteristics of a Level 5 Mature Agentic SOC
15.2 The Evolved Role of the Human Analyst
15.3 Benefits Realized at Maturity
15.4 The Journey Matters More Than the Destination
15.5 Final Thought

Appendices

Appendix A: Use Case Catalog

Appendix B: Index of Figures

Appendix C: Glossary

Appendix D: References

Appendix E: Demonstrative Scenarios: Analysis of the Same Incident from Different Perspectives
