logo
Mika Ayenson

Beyond Prescribed Intelligence: Toward Self-Directed Skill Acquisition in LLM-Based Cybersecurity Agents

AESOPHuman ReviewApprove / reject /give feedbackSelf-ExploringLLM AgentRead-only accessSkill LibraryVerified, versioned,human-approvedSOC Environment(Sandbox / Test / Read-Only)SIEM, EDR, SOARpropose skillsfeedbackuse skillsapprovedread-only queriesdata & schemasExplore → Propose → Review → Deploy → Improve

AESOP architecture. The self-exploring agent reads the SOC environment through strictly read-only access, proposes skills as executable code, and submits them for human review.

The dominant paradigm for integrating Large Language Models (LLMs) into Security Operations Centers (SOCs)—what this paper terms prescribed intelligence (human-engineered skills, hardcoded tool integrations, and prompt templates)—is structurally insufficient for replicating the adaptive workflows of expert SOC analysts.

This paper identifies five limitations of that paradigm and proposes credentialed self-exploration as an alternative: provision an LLM agent with strictly read-only access to a sandboxed or test SOC environment, describe its role, and let it autonomously discover data sources, learn tool relationships, and propose executable skills for human review. During exploration, the agent takes no action on production systems; only skills that pass human review are deployed.

The paper introduces AESOP (Agent-driven Exploration for Security Operations Proficiency), a conceptual framework for this self-directed architecture, and outlines a research agenda for empirical validation. Supporting evidence draws on cross-domain advances in tool learning, autonomous agents, and offensive security (penetration testing), demonstrating patterns transferable to defensive SOC operations.

Read the full paper on ResearchGate.