Threat Research

Why 2026 is the Year to Upgrade to an Agentic AI SOC

Elastic.co
Why 2026 is the Year to Upgrade to an Agentic AI SOC

Agentic AI is moving from pilots to production in enterprise SOCs in 2026, enabling automated triage, correlated attack discovery, and auditable response while governance and tooling mature. Elastic positions its platform — including Attack Discovery, Agent Builder, and Workflows — to operationalize agentic SOCs that detect LOLBins activity (e.g., certutil.exe) and automatically investigate and remediate threats. #Elastic #certutil.exe

Keypoints

  • Agentic AI systems can autonomously plan, act, and adapt across triage, investigation, and response, shifting SOCs from “copilot” assistance to driver-like autonomy.
  • 2026 is identified as the practical inflection point for moving from pilot projects to production agentic SOC platforms as governance, standards, and defenses mature.
  • Agentic SOCs prioritize attacks over alerts by correlating multi-modal telemetry into unified attack chains and providing transparent, evidence-backed reasoning traces.
  • Operational challenges include least-privilege for Non-Human Identities (NHIs), prompt/version control, cost management, and red-team testing to defend agents against prompt injection.
  • Elastic’s blueprint covers enterprise scalability, attack prioritization, behavioral detection, a custom Agent Builder, flexible LLM integration, transparent reasoning (RAG), and guarded autonomy.
  • Example automation: an agent detects certutil.exe fetching a base64 payload, confirms a malicious DLL (cdnver.dll) via VirusTotal, opens a case, maps to MITRE ATT&CK, and notifies stakeholders.
  • Recommended practices: focus automation on high-volume repetitive tasks, enforce RBAC and human approval for high-impact actions, version-control prompts, and implement per-agent budgets and rate limits.

MITRE Techniques

  • [T1218 ] Signed Binary Proxy Execution – Use of trusted system binaries (LOLBins) like certutil.exe to execute attacker-controlled payloads (‘a stealthy process is running certutil.exe to download a base64-encoded payload from a suspicious domain’).
  • [T1105 ] Ingress Tool Transfer – Downloading of tools/payloads from external infrastructure to a host (‘certutil.exe to download a base64-encoded payload from a suspicious domain’).
  • [T1059 ] Command and Scripting Interpreter – Use of scripting and system interpreter binaries as living-off-the-land tools (example references: ‘LOLBins, or Living off the Land Binaries, are legitimate system tools such as certutil.exe or powershell.exe that attackers weaponize’).
  • [T1566 ] Phishing – Initial delivery or linking of malicious activity to phishing emails (‘Attack Discovery links with the originating phishing email’).
  • [T1071 ] Application Layer Protocol – Use of DNS and other application protocols to resolve and contact command-and-control infrastructure (‘querying DNS logs to determine the IP resolution for the command-and-control domain’).

Indicators of Compromise

  • [File Name ] payload and artifact examples – cdnver.dll (malicious DLL confirmed via VirusTotal), other suspicious DLLs referenced during enrichment.
  • [Process Name ] living-off-the-land binaries observed – certutil.exe (used to download base64 payload), powershell.exe (noted as an example LOLBin).
  • [Domain ] network infrastructure context – “suspicious domain” used to host the base64-encoded payload, “command-and-control domain” observed during DNS enrichment.
  • [Service/Lookup ] reputation checks – VirusTotal used to confirm cdnver.dll as malicious (and other artifact lookups performed during automated enrichment).

Read more: https://www.elastic.co/security-labs/why-2026-is-the-year-to-upgrade-to-an-agentic-ai-soc