
Sr. Technical Content Strategist

Let’s start by drawing a strong distinction between what LimaCharlie does and what others offer in their AI SOCs. LimaCharlie's Agentic SecOps Workspace is an architecture that integrates AI as part of the security fabric. It's agentic AI security you own and control, not a black box you subscribe to. We introduce an easily deployable SOC-as-code approach that increases your control and capabilities.
Other vendors package AI-assisted triage, automated investigation, and remediation advice as AI SOC products. These are offerings where the logic is hidden, workflows are fixed, AI advises but doesn't act, and customization requires a support ticket.
(For a more detailed breakdown, see our previous blog AI Action > AI Advice.)
LimaCharlie CEO Maxime Lamothe-Brassard took to LinkedIn to announce the company’s major advancement in delivering agentic SOC-as-code. The LimaCharlie project features operational agent logic, coordination rules, and ticketing workflows that are fully inspectable and modifiable.
We have three prebuilt configurations hosted in our public GitHub repo.
With our latest update, it’s easy to quickly stand up an agentic SOC in your own LimaCharlie environment, running on your own API keys. Unlike black box AI SOC products, every rule and agent decision is fully inspectable. AI agents are integrated via API, governable through policy, and leave a transparent audit trail.
If an agent makes a decision you disagree with, you can read the rule that triggered it, understand why, and change it.
Owning the code lets you build the right security architecture for your organization. To see how this flexibility plays out in practice, let's look at three deployment models: Baselining, Lean and Tiered.
Baselining, Lean and Tiered agentic SOC configurations share the same foundation: AI agents that coordinate through LimaCharlie's ticketing system.
When one agent updates a ticket by changing its status, adding a tag, or writing a note:
A webhook fires
A detection and response (D&R) rule matches it
The next agent in the pipeline picks up the work
This process is event-driven, auditable, and loosely coupled. The ticket trail serves as the activity log. What differs between models is depth and complexity.
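To make that loop concrete, here is a small Python simulation of the coordination pattern. It is an added example written for this post, not LimaCharlie's API, its webhook payload, or the rule format used in the repo: the event fields, rule syntax, agent names and sample detections are all assumptions. It shows a Lean-style chain (triage, investigator, responder) in which agents communicate only through ticket updates, a rule table that decides who picks up the work, the ticket trail doubling as the audit log, and the stuck-ticket check an hourly SOC Manager sweep would perform.

```python
# Illustrative simulation written for this post. It is NOT LimaCharlie's
# API, webhook schema, or the repo's D&R rule format; every field name,
# rule and agent below is an assumption chosen to show the pattern:
# ticket update -> event -> rule match -> next agent, with the ticket
# trail as the audit log. Sample detections are constructed.
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

FINAL_STATES = {"closed", "contained"}   # nothing further should happen
HOUR = timedelta(hours=1)


@dataclass
class Ticket:
    tid: str
    detection: str
    updated_at: datetime
    status: str = "new"
    tags: set = field(default_factory=set)
    trail: list = field(default_factory=list)   # append-only audit log


@dataclass(frozen=True)
class Rule:
    """D&R-style rule: when a ticket change of `kind` carries `value`,
    hand the ticket to `agent`."""
    name: str
    kind: str    # "status" or "tag"
    value: str
    agent: str

    def matches(self, event) -> bool:
        return event["kind"] == self.kind and event["value"] == self.value


class TicketBus:
    """Holds tickets, queues webhook-style events and dispatches agents."""
    def __init__(self, rules, agents, now):
        self.rules, self.agents, self.now = rules, agents, now
        self.tickets, self.queue = {}, deque()

    def open(self, tid, detection):
        t = self.tickets[tid] = Ticket(tid, detection, updated_at=self.now)
        self.update(t, "ingest", status="new")   # "new" is what triage keys on
        return t

    def update(self, t, actor, status=None, tag=None, note=None):
        """Apply one change, record it in the trail, emit one event per change."""
        if status is not None:
            t.status = status
            self._record(t, actor, "status", status)
        if tag is not None:
            t.tags.add(tag)
            self._record(t, actor, "tag", tag)
        if note is not None:
            self._record(t, actor, "note", note)
        t.updated_at = self.now

    def _record(self, t, actor, kind, value):
        event = {"ts": self.now, "actor": actor, "kind": kind, "value": value}
        t.trail.append(event)              # audit first ...
        self.queue.append((t.tid, event))  # ... then "fire the webhook"

    def run(self):
        """Drain the queue. Agents never call each other directly; the only
        coupling is a rule that reacts to a ticket change."""
        while self.queue:
            tid, event = self.queue.popleft()
            t = self.tickets[tid]
            for rule in self.rules:
                if rule.matches(event):
                    t.trail.append({"ts": self.now, "actor": "d&r", "kind": "rule",
                                    "value": f"{rule.name} -> {rule.agent}"})
                    self.agents[rule.agent](self, t)

    def stuck(self, sla: timedelta):
        """What an hourly SOC Manager sweep flags: open tickets idle past the SLA."""
        return [t.tid for t in self.tickets.values()
                if t.status not in FINAL_STATES and self.now - t.updated_at > sla]


# --- Lean-style agents: constructed, minimal stand-ins for the LLM agents ---
KNOWN_NOISE = {"scheduled-task-created"}   # constructed stand-in for an FP rule library

def triage(bus, t):
    if t.detection in KNOWN_NOISE:
        bus.update(t, "triage", status="closed", tag="fp", note="matches known-noise rule")
    else:
        bus.update(t, "triage", tag="tp", note="needs investigation")

def investigator(bus, t):
    bus.update(t, "investigator", status="investigated", tag="contain",
               note="confirmed malicious; requesting containment")

def responder(bus, t):
    bus.update(t, "responder", status="contained", note="host isolated")

LEAN_RULES = [
    Rule("new-ticket", "status", "new", "triage"),
    Rule("escalate-tp", "tag", "tp", "investigator"),
    Rule("needs-containment", "tag", "contain", "responder"),
]
LEAN_AGENTS = {"triage": triage, "investigator": investigator, "responder": responder}

def run_lean(detections, now=datetime(2025, 1, 1, tzinfo=timezone.utc)):
    bus = TicketBus(LEAN_RULES, LEAN_AGENTS, now)
    for i, d in enumerate(detections, 1):
        bus.open(f"T{i}", d)
    bus.run()
    return bus

if __name__ == "__main__":
    bus = run_lean(["powershell-encoded-command", "scheduled-task-created"])
    for t in bus.tickets.values():
        print(t.tid, t.status, sorted(t.tags))
        for e in t.trail:
            print("   ", e["actor"], e["kind"], e["value"])
```

Because agents only react to ticket changes, swapping the Responder for a Containment agent or inserting an L2 Analyst between triage and containment is a change to the rule table, not to any agent's code. That is the loose coupling the upgrade path later in this post relies on, and the trail on each ticket is the record you read when an agent's decision needs explaining.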
The Baselining SOC runs seven agents: Bulk Triage, L2 Analyst, Malware Analyst, Containment, Threat Hunter, SOC Manager, and Shift Reporter.
It's designed for newly onboarded organizations with high alert volume and no established false positive (FP) rules. Rather than triaging detections in real time, a single Opus-powered Bulk Triage agent processes all detections hourly and aggressively creates narrow FP rules to reduce noise. The primary output is a cleaner detection environment, not investigated tickets.
A SOC Manager runs hourly and a Shift Reporter tracks baselining progress daily, recommending when the org is ready to migrate.
The Baselining SOC is the right starting point for MSSPs onboarding net-new customer environments. Deploy it before Lean or Tiered, and migrate to Tiered once detection volume stabilizes. The FP rules it creates persist independently through the transition.
The Lean SOC runs four agents: Triage, Investigator, Responder, and Reporter. A single investigator handles the full L1-through-L2 workflow in one session; no handoff, no context loss between tiers.
It's designed for orgs that want fast time-to-value with minimal operational overhead. Four agents means four API keys, four D&R rules, and a coordination surface small enough to debug quickly.
Lean is a good fit for smaller security teams and for orgs deploying agentic SOC capabilities for the first time. It also suits MSSPs whose customers have an established baseline but need immediate coverage without operational complexity.
The Tiered SOC runs eight specialized agents: Triage, L1 Investigator, L2 Analyst, Malware Analyst, Containment, Threat Hunter, SOC Manager, and Shift Reporter.
It mirrors the structure of a mature, full-featured SOC. Each agent has a defined role, minimal permissions, and a clear handoff protocol. Specialist agents like the Malware Analyst and Threat Hunter only trigger when tagged, so you're not paying for forensic depth on every alert.
A SOC Manager runs hourly to catch stuck tickets and SLA violations before they become problems. This is the right configuration for established MSSPs managing high-severity workloads where AI incident response must be documented, auditable, and defensible.
Unlike most vendors, LimaCharlie is transparent about pricing. The prices for the AI operations listed below reflect Anthropic's Claude Code pricing, which is passed on directly to the user through their own API keys.
The Baselining SOC uses a different cost model: bulk hourly processing rather than per-detection billing. For noisy environments with hundreds of FPs per hour, this is significantly cheaper than per-detection triage.
Baselining SOC (hourly, not per-alert):
Scenario | Cost |
Hourly bulk triage (FPs only) | ~$5.00/hr |
Hourly triage + TP with L2 | ~$10.00/hr |
TP with malware analysis | ~$15.00/hr |
TP with containment + threat hunt | ~$16.00/hr |
Daily overhead | ~$13.00/day |
The Lean and Tiered configurations follow a per-alert model. The figures below are per API call, so actual daily cost scales directly with alert volume. To illustrate: a 5,000-endpoint environment typically generates around 50 detections per day. Use the per-alert figures below to model against your actual volume:
Per-alert costs:
Scenario | Lean SOC | Tiered SOC |
FP dismissed at triage | ~$0.10 | ~$0.10 |
FP after investigation | ~$1.10 | ~$0.60 |
True positive with containment | ~$2.10 | ~$2.60 |
TP with malware analysis + threat hunt | N/A | ~$8.60 |
Daily overhead:
Configuration | Lean | Tiered |
Scheduled agents | ~$1.00/day | ~$13.00/day |
The overhead figures are fixed regardless of alert volume. The SOC Manager and Reporter run on a schedule, not per-detection. Per-alert costs above reflect typical session lengths; complex investigations may run higher. The Lean SOC's $1/day Reporter handles SLA monitoring and shift reporting in a single daily agent. The Tiered SOC's $13/day covers a SOC Manager running every hour plus a dedicated Shift Reporter.
For most environments where the majority of alerts are false positives, the Lean SOC can run 30–50% cheaper than Tiered overall. Most of that gap is the fixed $12/day difference in scheduled-agent overhead, so the percentage narrows as daily detection volume grows; model it against your own numbers rather than assuming the headline figure.
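To do that modelling, here is an added Python cost model built only from the numbers in the tables above. It is not a LimaCharlie calculator; the detection mix is a constructed assumption, Baselining is modelled as hours per day spent in each scenario, and the break-even figure is derived from the page's rates rather than stated by it.

```python
# Added cost model built from the per-alert and overhead figures in this
# post. Not a LimaCharlie tool. Rates are the post's; the detection mix
# and the hours-per-scenario split for Baselining are constructed.
LEAN = {"fp_triage": 0.10, "fp_investigated": 1.10, "tp_contained": 2.10,
        "tp_deep": None,        # no malware analyst / threat hunter in Lean
        "overhead": 1.00}       # Reporter, once a day
TIERED = {"fp_triage": 0.10, "fp_investigated": 0.60, "tp_contained": 2.60,
          "tp_deep": 8.60,      # TP with malware analysis + threat hunt
          "overhead": 13.00}    # hourly SOC Manager + Shift Reporter
BASELINING_HOURLY = {"fp_only": 5.00, "tp_l2": 10.00, "tp_malware": 15.00,
                     "tp_contain_hunt": 16.00}
BASELINING_OVERHEAD = 13.00


def per_alert_daily_cost(config, detections_per_day, mix):
    """Daily cost for Lean/Tiered: fixed overhead + sum(volume * share * rate).
    `mix` maps outcome -> fraction of daily detections and must sum to 1."""
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("mix fractions must sum to 1")
    total = config["overhead"]
    for outcome, share in mix.items():
        rate = config[outcome]
        if rate is None:                      # outcome this configuration cannot handle
            if share > 0:
                raise ValueError(f"{outcome!r} is not available in this configuration")
            continue
        total += detections_per_day * share * rate
    return round(total, 2)


def lean_saving(detections_per_day, mix):
    """Fraction saved by running Lean instead of Tiered on the same mix."""
    lean = per_alert_daily_cost(LEAN, detections_per_day, mix)
    tiered = per_alert_daily_cost(TIERED, detections_per_day, mix)
    return round(1 - lean / tiered, 3)


def baselining_daily_cost(hours):
    """Baselining bills per hour of bulk processing, not per alert.
    `hours` maps scenario -> hours/day spent in it (at most 24 in total)."""
    if sum(hours.values()) > 24:
        raise ValueError("more than 24 hours in a day")
    return round(BASELINING_OVERHEAD
                 + sum(BASELINING_HOURLY[s] * h for s, h in hours.items()), 2)


def baselining_breakeven_fp_per_hour():
    """FPs/hour above which $5/hr bulk triage beats $0.10/alert triage
    (derived from the tables; ignores scheduled-agent overhead on both sides)."""
    return BASELINING_HOURLY["fp_only"] / LEAN["fp_triage"]


# Constructed mix for an FP-heavy environment: 90% dismissed at triage,
# 6% dismissed after investigation, 4% true positives needing containment.
FP_HEAVY = {"fp_triage": 0.90, "fp_investigated": 0.06, "tp_contained": 0.04}

if __name__ == "__main__":
    for n in (50, 500):
        print(f"{n} detections/day: Lean ${per_alert_daily_cost(LEAN, n, FP_HEAVY)}"
              f"  Tiered ${per_alert_daily_cost(TIERED, n, FP_HEAVY)}"
              f"  Lean saves {lean_saving(n, FP_HEAVY):.0%}")
    print("Baselining, 20h FP-only + 3h TP/L2 + 1h malware: $",
          baselining_daily_cost({"fp_only": 20, "tp_l2": 3, "tp_malware": 1}))
    print("bulk triage breaks even at", baselining_breakeven_fp_per_hour(), "FPs/hour")
```

With the 90/6/4 mix at 50 detections a day the model gives about $13 for Lean against $24.50 for Tiered, a 47% saving that sits inside the range quoted above. At 500 a day the saving falls to roughly 5%, because almost all of the gap is the $12/day difference in scheduled-agent overhead and the per-alert rates are close (Tiered is even cheaper for FPs dismissed after investigation). The break-even for bulk triage comes out at 50 FPs per hour, which is why the hourly model wins only in genuinely noisy environments.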
For MSSPs evaluating agentic security, the starting point depends on where the customer environment is. For organizations with no established detection baseline, the Baselining SOC is the right starting point. Deploy it first to aggressively suppress FP noise and build a rule library. Once the Shift Reporter signals stabilization, migrate to the Tiered SOC. The FP rules created during baselining persist independently and continue suppressing noise after migration.
For MSSPs onboarding customers with an established baseline, the Lean SOC is the natural fit. The Lean configuration will deploy four agents, provide full coverage, and keep operational complexity low while you analyze the environment.
The Lean SOC is explicitly designed as a foundation that is easy to upgrade. Upgrading to Tiered simply adds specialist agents without touching things that are already working.
As a customer matures, the upgrade is straightforward:
Split the investigator into L1 and L2
Add the Malware Analyst and Threat Hunter
Swap the Reporter for a Shift Reporter
Replace the Responder with the Containment agent, or run both during the transition
Stand up the SOC Manager
Each addition is independent, so adding one does not break what is already running.
MSSPs with mixed portfolios can run Lean and Tiered configurations simultaneously across customer environments.
Choose Baselining if:
You're onboarding a new organization with untriaged, noisy detections
FP rules don't exist yet and need to be built from scratch
Per-detection triage would be cost-prohibitive at current alert volume
You need a documented migration path to Tiered once the environment stabilizes
Choose Lean if:
You're deploying an AI SOC for the first time
You're onboarding an MSSP customer with an established detection baseline
Your environment is FP-heavy and cost efficiency matters more than investigation depth
You want a simple, debuggable system with minimal moving parts
Choose Tiered if:
You're running a mature SOC environment with established alert baselines
Your customers have compliance requirements that demand documented L1/L2/L3 investigation depth
You need specialist capability (malware forensics, proactive threat hunting) not just triage and response
You need hourly SLA monitoring and self-healing ticket management
All three of our agentic AI security solutions are available in LimaCharlie's public GitHub repo. The READMEs include full architecture diagrams, per-agent cost profiles, and installation order. If you're evaluating where to start, any of the three configurations can be running in an afternoon.
Explore the Agentic SOC-as-code repo.
Learn more about LimaCharlie.