CTI and agentic SOC FAQ, 2026

An AI threat intel agent is a software system that autonomously performs threat intelligence tasks - collecting, enriching, correlating, and actioning indicators - using a large language model (LLM) as the reasoning engine. Unlike traditional rule-based automation, an agent can interpret unstructured data (forum posts, vendor bulletins, raw OSINT) and produce structured output (STIX reports, MISP events, TheHive cases). The most capable agents as of April 2026 (Dropzone AI, Prophet Security, Pathfinder) combine LLM reasoning with SIEM API access and pre-built playbooks, enabling semi-autonomous investigation workflows.

Agentic SOC refers to a security operations centre architecture where AI agents perform defined layers of the detection and response workflow autonomously or semi-autonomously, rather than acting purely as copilot assistants. The four established layers are: triage agents (first-pass alert filtering), enrichment agents (IoC context and ATT&CK mapping), hunting agents (proactive hypothesis generation and search), and response agents (SOAR playbook execution). ISACA's April 2026 survey found 89% of CISOs were accelerating agentic security investment. Microsoft, Google, CrowdStrike, and Palo Alto all reorganised product lines around the model in Q1 2026.

Not in 2026, and probably not in the 2026-2028 window for complex investigations. What AI reliably replaces is repetitive Tier 1 triage: false-positive filtering, alert grouping, basic IoC enrichment, and standard playbook execution. A well-implemented agentic stack handles 60-80% of alert volume autonomously, freeing human analysts for Tier 2 investigation, threat hunting, and judgment calls on attribution. The SiliconANGLE RSAC 2026 observation was direct: 'the gap between demo-level autonomy and safe, reliable operational autonomy in production has become the real differentiator.' Human analysts remain essential for novel techniques, political/business-context decisions, and legal hold actions.

AI-augmented SOC means analysts use AI as a productivity tool: copilot features, natural-language queries, LLM-generated summaries. The human initiates every task and the AI assists. Agentic SOC means AI agents initiate tasks autonomously within defined boundaries: an agent detects a pattern, enriches the indicators, reconstructs the attack chain, and creates a TheHive case with a draft response plan - without waiting for a human to trigger each step. The line blurs in practice because most commercial tools in 2026 offer both modes. Alert triage for agentic typically runs fully autonomous; response actions (blocking, isolation) remain human-gated for high-impact actions.

SOAR (Security Orchestration, Automation and Response) is the predecessor pattern: pre-defined playbooks that execute a deterministic sequence of actions when triggered by an alert. SOAR is good at routine, known workflows (phishing triage playbook: extract URL, query VirusTotal, send to sandbox, notify user). Agentic SOC adds LLM reasoning on top, enabling the system to handle novel situations the original playbook author didn't anticipate. An agent can read a new threat report, decide which playbook variant is most appropriate, adapt the sequence, and document its reasoning - something traditional SOAR cannot do. Torq HyperSOC and Tines are bridging this gap from the SOAR side.

For enterprise security teams with 10+ analysts and budget above $75k/yr, Recorded Future Core delivers genuine value: broad OSINT aggregation, strong geopolitical and nation-state tracking, and Pathfinder (the AI investigation layer) that tangibly speeds hypothesis generation. The April 2026 rebrand to Core/Pro/Elite restructured pricing around outcome outcomes vs features, which makes ROI calculation easier. Where it disappoints: criminal underground depth is thinner than Intel 471 or Flashpoint; the UI is dense and requires training investment; Elite pricing ($250k-$400k+) is hard to justify for teams not running 24/7 threat hunts. Read the full Recorded Future comparison.

Mandiant Threat Intelligence (standalone) is estimated at $40k-$100k/yr depending on analyst seat count and module selection, per April 2026 Vendr data. The full Mandiant Advantage suite (intelligence plus digital threat monitoring plus attack surface management) runs $100k-$200k+/yr for mid-enterprise, scaling to $300k+ for the largest implementations. Google acquired Mandiant in 2022 and has been integrating Gemini AI - Gemini-in-TI is included with Advantage subscriptions from 2025 onwards. Mandiant is strongest for nation-state and advanced threat actor intelligence; its M-Trends 2026 annual report (10-day median dwell time, $1.36B DPRK crypto theft) reflects genuine field intelligence. See the full Mandiant analysis.

CrowdStrike rebranded in 2025-2026. Falcon Intelligence Elite is now Falcon Adversary Intelligence Premium - the top tier of the Adversary Intelligence add-on. As of April 2026: Falcon Enterprise (formerly Go/Pro/Enterprise) bundles endpoint plus basic CTI; Falcon Premium adds Adversary Intelligence Pro; Falcon Adversary Intelligence Premium (the legacy Elite replacement) includes Counter Adversary Operations (CAO) access and proactive nation-state tracking. Pricing for Adversary Intelligence Premium runs approximately $180/endpoint/yr total bundle cost on top of the base Falcon tier at around 30% uplift. Charlotte AI (natural-language investigation) is included across tiers from Falcon Enterprise upward. Full breakdown at the CrowdStrike pricing page.

Microsoft Security Copilot (standalone) launched as a pay-as-you-go product in April 2024, priced per Security Compute Unit (SCU) at $4/SCU/hr. An E5 licence is not required to purchase Copilot, but Copilot's value scales heavily with Microsoft product usage - it integrates deepest with Sentinel, Defender XDR, Entra, Intune, and Purview. Teams without M365 E5 or Sentinel will find Copilot significantly less capable than the demos suggest. For Copilot for Security in Sentinel specifically, the Sentinel workspace must be active. The enrichment features (IP/domain analysis, script deobfuscation) work standalone; the investigation and incident summarisation features require Sentinel or Defender incidents to act on.

Charlotte AI is CrowdStrike's natural-language AI interface, available across Falcon tiers from Enterprise upward as of 2025. It enables analysts to query Falcon sensor telemetry in plain English ('show me all PowerShell executions from this host in the last 48 hours'), receive investigation summaries in narrative form, get incident response guidance, and - in the 2026 expansion - run agentic workflows via integration with IBM's ATOM platform. Charlotte AI is strongest within CrowdStrike's telemetry boundary: it degrades noticeably outside Falcon-sourced data. CrowdStrike has not published false-positive or hallucination rates for Charlotte AI attribution claims. It works best for Tier 1 triage acceleration within Falcon-centric SOC environments.

Gemini in Threat Intelligence (Gemini-in-TI) is Google/Mandiant's AI layer built into the Mandiant Advantage platform, powered by Google's Gemini models. Included with Advantage subscriptions from 2025, it offers natural-language querying of Mandiant's threat-actor and campaign database, AI-generated summaries of M-Trends data and threat reports, and investigation assistance within the Advantage portal. The honest verdict: Gemini-in-TI is genuinely useful for rapidly orientating on a new threat actor or campaign - the summaries are coherent and cite Mandiant's underlying intelligence. It is less capable for novel attribution (asks where Mandiant has no prior intelligence) and does not have live threat-feed awareness; it reasons from Mandiant's database, not real-time OSINT.

The production-grade OSS CTI stack in 2026 consists of six core tools: MISP (IoC sharing platform, STIX/TAXII native, maintained by CIRCL), OpenCTI (STIX2 knowledge graph, maintained by Filigran), TheHive (incident response case management), Cortex (analyser and responder orchestration), YARA (file pattern matching for malware identification), and Sigma (generic SIEM detection rule format maintained by SigmaHQ). An LLM orchestrator (Claude Sonnet 4.5, GPT-5, or Llama 4 via MCP bridges) is increasingly part of the stack, providing enrichment synthesis and detection rule drafting. Full reference architecture with infrastructure sizing at /open-source-tools.

If your primary workflow is IoC sharing within a community (ISAC, ISAO, sector sharing group) or consuming external feeds: start with MISP. It is battle-tested, STIX/TAXII native, and has the largest active sharing community. If your team builds its own knowledge graph of threat actors, campaigns, and TTPs with relationship mapping: OpenCTI is the better starting point. Its GraphQL API and STIX2-native graph model support richer relationship analysis. Most mature teams run both: MISP as the IoC exchange layer, OpenCTI as the knowledge graph. OpenCTI's Filigran Enterprise tier adds multi-tenancy and SLA support for MSSP use cases. Full decision guide at /open-source-tools.

Yes, but with significant engineering investment. The pattern: MISP (feeds) + OpenCTI (knowledge graph) + Cortex (analysers) + LLM orchestrator (Claude or Llama 4 via MCP) + TheHive (cases) + n8n or Tines for workflow + SigmaHQ + CI pipeline for detection engineering. The LLM handles enrichment synthesis, Sigma rule drafting, and investigation narrative. Cortex handles the 50+ analyser modules. TheHive manages case lifecycle. Budget 1 FTE engineer to operate the stack and 6-12 months to reach production reliability. Infrastructure on Hetzner runs $800-$1,500/mo. Total year-1 cost for a 5-person SOC: approximately $70k-$100k (hosting + LLM API + analyst time) vs $200k-$400k for equivalent commercial. See the ROI calculator for your specific numbers.

Realistic infrastructure costs on Hetzner (as of April 2026): MISP single instance needs roughly 8 vCPU / 32GB RAM / 500GB storage (AX41: ~$60/mo). OpenCTI is heavier at 12+ vCPU / 64GB RAM / 1TB+ storage (EX44 or two AX41: ~$120-200/mo). TheHive + Cortex on 8 vCPU / 16GB RAM: ~$40-60/mo. Total stack: $220-$320/mo on Hetzner, scaling to $600-$1,500/mo for larger deployments with Elasticsearch for OpenCTI. Add LLM API (Claude Sonnet 4.5 at enrichment workload: $800-$2k/mo). Total annual: $12k-$42k depending on scale - versus $75k-$300k for commercial equivalents at the same coverage level.

Sigma: better than YARA. Sigma's YAML structure is tractable for LLMs, and Claude Sonnet 4.5 / GPT-5 draft plausible detection rules from natural-language descriptions. The main failure mode is hallucinated field names in product-specific schemas (Sentinel AzureActivity vs Splunk sourcetype). Best pattern: LLM drafts the rule, CI pipeline validates against product schema, analyst reviews for business-logic false-positive risk before production promotion. YARA is harder: LLMs produce plausible-looking byte-patterns but hallucination rates are high enough that unreviewed YARA rules cause expensive VirusTotal Retrohunt false-positive noise. Treat LLM YARA output as a draft skeleton that requires expert review. Full analysis at /open-source-tools.

Accuracy varies dramatically by task type. IoC enrichment (IP/domain reputation, malware family identification, MITRE ATT&CK technique mapping) is genuinely improved by AI in 2026 - LLMs can synthesise conflicting signals from 50+ feeds faster and more consistently than manual analysts. Attribution (linking an indicator to a specific threat actor or nation-state) is where accuracy degrades sharply. LLMs hallucinate attribution by pattern-matching forum posts and vendor reports without epistemic grounding. The research (TAM-Eval, Mandiant false-positive disclosures) documents this consistently. Best practice: require cited sources in every attribution claim, flag confidence explicitly, never auto-block on AI-generated attribution above Medium confidence without human review.

Yes, and more than most vendor marketing acknowledges. The failure mode is confident attribution based on pattern-matching: an LLM reads that IP 1.2.3.4 appeared in a 2024 forum post adjacent to Lazarus Group discussion, and confidently states the IP is 'associated with North Korean threat actors' in its enrichment note. The underlying inference is often weak - shared hosting, data co-mingling, or outright confabulation. Mitigations: require LLMs to cite specific sources (MISP event IDs, VirusTotal report URLs); require explicit confidence scores with 'low data' acknowledgement; never auto-escalate or auto-block based on attribution-only signals; keep a human analyst in the approval loop for all Medium and above attribution claims.

EPSS (Exploit Prediction Scoring System) is a daily-updated probability score (0.00-1.00) from FIRST.org that estimates the likelihood a given CVE will be exploited in the wild within 30 days. Unlike CVSS (which scores theoretical severity), EPSS scores actual exploitation likelihood based on threat intelligence signals, dark web chatter, and exploit-kit activity. For patching prioritisation: combine EPSS above 0.10 with CVSS above 7.0 as your trigger for expedited patching windows. CISA KEV should always override EPSS - if a CVE is on KEV, patch regardless of EPSS. The sweet spot for triage: high-EPSS CVEs that haven't yet hit CVSS 10 are often your fastest-moving risk. Full EPSS analysis at /vuln-prioritisation-ai.

CISA KEV (Known Exploited Vulnerabilities catalogue) is CISA's authoritative list of CVEs confirmed exploited in the wild, with mandatory remediation deadlines for US federal agencies and de-facto best practice for everyone else. As of April 2026, KEV contains over 1,000 entries. Integration: pull the KEV JSON feed daily (cisa.gov/known-exploited-vulnerabilities-catalog), ingest into your vulnerability management platform (Tenable, Qualys, Rapid7 all natively support KEV tagging), and route KEV-tagged vulnerabilities to a separate expedited patching SLA (typically 15-30 days vs standard 90-day cycles). LLM orchestrators can automate KEV correlation in MISP - when a new KEV entry matches an active MISP indicator, auto-promote to a TheHive case.

No vendor publishes audited false-positive rates for AI triage in 2026, which is a red flag for procurement. From field reports and analyst community discussions: AI triage systems (Dropzone AI, Prophet Security, commercial SIEM AI assistants) typically reduce alert-to-incident escalation false-positive rates by 40-70% vs fully manual triage for high-volume, well-characterised alert types (phishing, malware, suspicious login). For novel attack techniques and zero-day exploitation, AI triage false-negative rates are higher than vendors admit - the agent doesn't know what it doesn't know. Honest benchmark: measure your own false-positive reduction ratio over 90 days, not the vendor's demo environment metrics.

Start with Vendr's April 2026 benchmark: Core tier $50k-$120k/yr, Professional $120k-$250k/yr, Elite $250k-$400k+/yr. Multi-year deals (2-3 year) typically produce 15-25% discounts from list. Competition from Mandiant or Flashpoint quotes shifts RF toward the low end of the range. Key leverage points: anchor to Core and negotiate Professional features as add-ons; request Pathfinder (AI investigation) as included rather than up-tier; push for contract term flexibility in year 1 before locking a 3-year deal. Avoid signing during quarter-end without a competitive bid in hand - RF sales teams have end-of-quarter targets that create genuine negotiation room. See full Recorded Future analysis at /vs-recorded-future.

Contractually: depends entirely on the vendor. Most commercial CTI vendors (Recorded Future, Mandiant, Intel 471) have explicit MSSP programme terms that permit resale under an MSSP/partner licence at a different pricing tier than enterprise-direct. Sharing a single enterprise licence across multiple clients without an MSSP agreement is a licence violation. Practically: SOCRadar, Cyberint, and Anomali have the most MSSP-friendly commercial terms in 2026, with per-client pricing and white-label options. OSS-first (OpenCTI + MISP) has no licence barrier to multi-tenancy. The right approach for a 5-25 client shop: one commercial feed subscription under an MSSP agreement, OSS stack per-client or shared with TLP data tagging. Full MSSP guide at /for-mssp.

For teams of 2-5 analysts on a sub-$100k budget: the Hybrid OSS+feed approach outperforms either extreme. Start with MISP (free) for IoC ingestion from CIRCL, abuse.ch, and CISA feeds. Add OpenCTI (free community edition) as your knowledge graph. Subscribe to one commercial feed - SOCRadar or Cyberint at $30k-$80k/yr gives solid OSINT augmentation. Add Claude API or Azure OpenAI for enrichment automation ($1k-$2k/mo). Skip Cortex initially if engineering resource is tight - a simple n8n workflow calling VirusTotal + Shodan + urlscan covers the 80% case. Total year-1 platform cost: $45k-$110k. Add analyst headcount at $140k/FTE. The ROI calculator at /roi-calculator will model your specific numbers.