What is a Learning SOC?
A Learning SOC is a security operations center where every ratified analyst decision is captured as it happens and compounds into governed, auditable memory (doctrine, detections, playbooks) so that every incident makes the next one cheaper.
Term introduced in the whitepaper The Learning SOC · Eno Pezaku, WarlogEvery SOC pays for the same understanding twice
On Tuesday, an analyst spends three hours untangling an encoded PowerShell case, closes it, and moves on. On Thursday, an alert from the same family fires, a colleague picks it up, and starts from zero. The reasoning from Tuesday sleeps in a closed ticket that nobody will reopen.
That is systemic amnesia: triage calls, investigations, and handoffs evaporate at closure, and when an analyst leaves, their judgment leaves with them. The adversary, meanwhile, reuses tooling and improves with every campaign. A Learning SOC is the operating model built to close that gap: it treats every decision as an asset, asks what remains of it, and compounds the answer.
What a Learning SOC is not
Not an autonomous SOC. Autonomous agents reprocess every alert from scratch, with no memory of the previous run, and act on confident guesses. A Learning SOC keeps ratified decisions as doctrine and treats autonomy as something earned: a loop acts alone only after it has proven itself under human ratification, capability by capability.
Not a SOAR. SOAR executes static rules with no model of the service and no memory of judgment. A Learning SOC captures why a decision was made and feeds that judgment back into the pipeline as detections, playbooks, suppression rules, and doctrine.
Not a knowledge base. An evidence archive is memory you can read. A Learning SOC is memory that acts: past decisions re-enter triage priors, coverage maps, and response, instead of waiting in a wiki nobody updates. Only the second kind compounds.
How a Learning SOC works
Follow one alert. Triage arrives with a prior learned from how your team judged similar alerts before, and the analyst's correction is itself learned. The alert maps to a MITRE ATT&CK technique, which immediately exposes the real coverage state. The investigation is captured as it happens, in the notebook, not through a post-incident form nobody fills in. A recurring benign trigger becomes a proposed suppression rule. An escalation carries a full handoff bundle instead of a "see ticket". And at resolution, the uncovered technique becomes a detection, the containment path becomes a playbook, and the repeated judgment becomes doctrine.
Every one of those outputs is propose-only: the machine proposes, a signed human commits. And every one keeps its lineage, so you can always trace why the SOC believes what it believes.
Judgment is captured while the analyst works, never through discipline-dependent documentation.
Nothing deploys on its own. AI proposes; only signed humans commit.
Every capability traces back to the case, the analyst, and the date that produced it.
Nearby rules merge into meta-rules without losing coverage. Memory stays dense, not obese.
Learning SOC, in questions
Is a Learning SOC the same as an autonomous SOC?
No. Autonomous agents reprocess every alert from scratch and act on confident guesses. A Learning SOC keeps ratified decisions as doctrine and earns autonomy loop by loop, under an explicit human approval gate.
Is a Learning SOC a product?
It is an operating model. Warlog OS is the reference implementation, and the underlying contract, warlog-spec, is open source under Apache 2.0, so the model can be implemented independently: pip install warlog-spec.
Who coined the term?
The term was introduced by Eno Pezaku in the Warlog whitepaper The Learning SOC, which defines the memory-led, doctrine-gated model of security operations.
Does a Learning SOC replace analysts?
No. It captures and compounds their judgment. No destructive action runs without an explicit human signature, and the value of the system is precisely that analyst expertise becomes an asset the whole team inherits.
Build one, or test ours
The full thesis is in the whitepaper. The reference implementation ships self-hosted, inside your perimeter, through a founder-led design-partner program for three teams. One email is enough: [email protected].