How AI-leading Security Teams Are Building the Agentic SOC

Security teams are turning their hardest operational problems into secure-by-design agents on CrowdStrike Charlotte AI™ AgentWorks.

AI-enabled attacks move faster than human analysts can track, at a scale that traditional SOCs weren’t designed to withstand. eCrime breakout times collapsed to 29 minutes on average in 2025, with the fastest clocked at 27 seconds. The rise of frontier AI models is expected to compress the time between vulnerability discovery and exploitation, intensifying pressure on SOC teams. Defending against AI-accelerated adversaries requires a new operating model. 

Enter the agentic SOC, where AI agents are the core operating unit that reason, decide, and act at machine speed to offload the volume of work no human team can absorb alone. Analysts stay in command, directing agent behavior and applying the judgment that complex decisions require. Together, agents and human experts operate as a unified system – resulting in a SOC that moves faster while unlocking a different level of scale, consistency, and precision.

CrowdStrike customers are deploying the agentic SOC today on Charlotte AI AgentWorks, a no-code workspace that enables security teams to build and scale custom security agents on the CrowdStrike Falcon platform. AgentWorks is built on the non-negotiables that separate trustworthy AI from AI that creates new risk: agents that are secure by design, a rich data foundation AI can reason on, the ability for teams to encode their unique context, and ecosystem extensibility. The result is machine-speed response and multiplied team capacity with the appropriate guardrails, and institutional knowledge that scales without limits.

As Mauricio de la Cruz, a threat hunting engineer at Pan-American Life Insurance Group, put it: "The fact that my team can build an agent as easily as writing a prompt completely changed how we think about automation. The hardest part wasn't building the agent – it was deciding which problem to solve first.”

This mindset shift is exactly the point. When building an agent is as simple as describing the problem, the only limit is imagination. The world's most AI-forward security teams are building the agentic SOC now, on AgentWorks. Here's what that looks like in practice.

What AI-Leading Organizations Are Building

From continuous detection engineering to compliance automation, security teams across industries are turning their unique operational expertise into production-ready agents:

Investigation reporting that once took hours now arrives automatically. Pan-American Life Insurance Group’s Detection Analyzer Agent produces structured investigation reports with MITRE ATT&CK® mapping, with technical readouts for SOC and incident response (IR) analysts and plain-language summaries for non-technical stakeholders. 

The expertise of each team’s best threat hunters is codified and always on. A Fortune 500 manufacturer built agents that hunt adversaries targeting OT/ICS environments and automatically generate remediation scripts. 

Detection libraries keep pace with the threat landscape. Kroll’s Detection Engineering Agent identifies coverage gaps, translates SIEM logic from Splunk, Sentinel, and Elastic into CrowdStrike Query Language (CQL), and validates new detections in real time.

Remediation is prioritized by both regulatory exposure and technical severity. A regional health system built a multi-agent pipeline that weighs vulnerability decisions against HIPAA breach thresholds and sector-specific threat actor activity, so their team focuses on the most critical risks.

Compliance work that once took days now runs on-demand. A German municipality built a vulnerability suppression agent aligned to the BSI IT-Grundschutz framework to generate tiered suppression rules, automatic expiration calculations, and structured outputs for public sector reporting.

The AgentWorks Advantage: Optimized for Security Operators

Four design principles set AgentWorks apart: secure-by-design agents, a data foundation AI can reason on, a way for every team to encode their operational context, and ecosystem extensibility that drives outcomes across the full security stack.

1. Secure-by-Design Agents: The Architecture of Trust 

Speed is a defensive requirement, but speed without control is a liability. Security agents access your most sensitive telemetry, trigger real-world responses, and act at a speed no human can audit in real time. An agent that suppresses the wrong alert, acts outside its intended scope, or operates without a traceable decision trail is a new risk. 

Every AgentWorks agent is secure by design: bounded in action scope, versioned for accountability, governed by role-based policies, cost-capped against runaway speed, and fully traceable across its entire decision trail. Teams benchmark agent versions against fixed datasets before promoting to production, ensuring every iteration is measurably better than the last.

For Pegasystems, this governance model is what enables them to deploy machine-speed security, said Steve Tieland, Senior Director of Corporate Security Operations: "The organizations that will lead in agentic security aren't the ones who just move the fastest — they're the ones who also move with control. AgentWorks gives us the governance infrastructure to deploy AI responsibly: testable, traceable, capped, and versioned. This architecture of trust allows us not only to deploy AI, but also to learn continuously from agent activity and adjust controls as needed.”

2. The Falcon Platform: The Foundation of the Agentic SOC 

AI is only as good as the data it operates on, and security is fundamentally a data problem. CrowdStrike brings a structural advantage to the agentic SOC: an AI-ready foundation grounded in the data, intelligence, and frontline expertise required for real-world security operations. 

The Falcon platform has been AI-native from day one. A single lightweight sensor captures high-fidelity telemetry once and reuses it everywhere – unified across endpoint, identity, cloud, browser, SaaS, and the AI models and agents being deployed across customer environments. Trillions of events every day are enriched by frontline expertise from CrowdStrike Falcon® Complete managed detection and response, CrowdStrike Falcon® Adversary OverWatch threat hunting, and CrowdStrike IR teams. Every intrusion they investigate makes the Falcon platform smarter for every customer. That closed loop, where human expertise makes AI more accurate and AI makes human experts faster, can’t be acquired or easily replicated.  

AgentWorks enables every security team to build agents on this foundation. For American Express Global Business Travel, the result was faster innovation at a fraction of the effort, as noted by Dr. Sean Hays, Ph.D., Senior Manager of Cyber Defense: "With AgentWorks, agents immediately access the high-quality data native to the CrowdStrike platform. We can create a reliable, scalable agent with a fraction of the time and effort it takes on other agentic platforms. It has allowed us to rapidly advance select use cases." 

3. Encoding Each Team's Unique Context

Every SOC operates differently, shaped by its own policies, playbooks, asset criticality, escalation paths, and institutional knowledge. That context is each team’s most valuable security asset. It is also the one most at risk of being lost to turnover, burnout, and scale.

AgentWorks gives teams a secure way to codify that expertise into agents through built-in knowledge bases, such as playbooks, SOPs, and environment-specific context. The expertise of your best analyst no longer lives only in their head. It now lives in every agent they build. 

Michael Macy, a cybersecurity engineer at Americas Styrenics, put it directly: "The cybersecurity skills shortage isn't going away. What changes is how effectively we multiply the expertise we do have. AgentWorks lets our senior analysts encode their knowledge into agents that work alongside the entire team, so our best thinking operates at scale, around the clock, without burning out the people behind it."

That advantage compounds when building takes minutes. One analyst compared building the same agent in Microsoft Copilot versus AgentWorks: six to eight hours in Copilot, four minutes in AgentWorks. 

Chris Parker, Manager of CSIRT at Infios, described the experience firsthand: "I used very simple plain language, not even complex prompts, to build a production-ready agent. It built really advanced queries very quickly. I had this thing built in less than an hour, and when I say an hour, I'm getting interrupted every 5 or 10 minutes."

That flexibility also extends to model choice. With access to models from OpenAI, NVIDIA, and Anthropic, teams can match the right model to the task: fast models where latency is the constraint, reasoning models where complexity demands it. If they standardize on a single model, security teams risk either overpaying for simple tasks or under-serving complex ones. 

AgentWorks eliminates that tradeoff, as Mauricio de la Cruz from Pan-American Life Insurance Group explained: "The ability to switch between leading models without rebuilding workflows has saved us a lot of time and cost. We have the flexibility to choose the right model for the task instead of forcing every use case through the same one. Having multiple models available in one place allows us to optimize for both." 

4. Unified Orchestration Across the Entire Security Stack 

The agentic SOC draws on every tool and data source – whether ingested or federated – deployed in a team’s security stack. It plugs into the processes your team has already built, and it executes outcomes across all of them. 

Charlotte Agentic SOAR makes this possible. It connects AgentWorks agents, CrowdStrike’s turnkey agents, and trusted third-party agents into a single, unified orchestration layer. Agents reason over Falcon platform and third-party data, execute actions across built-in connectors and custom API integrations, and reach into virtually any system without custom development. 

ExtraHop demonstrates this in practice: its RDP Surveillance Agent runs periodic Falcon Next-Gen SIEM queries across both Falcon telemetry and ExtraHop Reveal(X) network context via federated search, automatically opening cases and correlating detections when activity crosses a Critical or High threshold. It's a clear example of agents reasoning over unified data no single tool could see alone.

AgentWorks agents can also be invoked from outside the Falcon platform, enabling teams to embed CrowdStrike's intelligence and workflows into the systems and processes organizations already run. The result: every investment your team has already made becomes part of your agentic SOC, rather than requiring you to rebuild from scratch.

Start Building Your Agentic SOC Today

The agentic SOC is the only operating model equipped to match the AI-accelerated adversary. Security teams need an operating model that delivers machine-speed execution paired with enterprise-grade governance, intelligence, extensibility, and their organization’s unique context. That’s what CrowdStrike delivers with AgentWorks. The only question is: what will you build first?

Additional Resources


CrowdStrike Falcon Platform
Ready to protect your business?

Try CrowdStrike free today

Subscribe

Sign up now to receive the latest notifications and updates from CrowdStrike

See CrowdStrike Falcon in action