![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 550 251" xmlns="http://www.w3.org/2000/svg"><g d="M 275 0 C 123.122 0 0 112.377 0 251 L 550 251 C 550 112.377 426.878 0 275 0 Z" fill="transparent" height="251px" id="dJQfeWdKw" width="550px"><path d="M 275 0 C 123.122 0 0 112.377 0 251 L 550 251 C 550 112.377 426.878 0 275 0 Z" fill="rgb(142, 45, 255)" height="251px" id="hiop_AtSC" width="550px"/></g></svg>)
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 550 251" xmlns="http://www.w3.org/2000/svg"><g d="M 275 0 C 123.122 0 0 112.377 0 251 L 550 251 C 550 112.377 426.878 0 275 0 Z" fill="transparent" height="250.9999782649012px" id="WrGweI9E5" width="550px"><path d="M 275 0 C 123.122 0 0 112.377 0 251 L 550 251 C 550 112.377 426.878 0 275 0 Z" fill="rgb(142, 45, 255)" height="250.9999782649012px" id="ydfzMbSNH" width="550px"/></g></svg>)
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 624 251" xmlns="http://www.w3.org/2000/svg"><g d="M 312 0 C 139.687 0 0 112.377 0 251 L 624 251 C 624 112.377 484.313 0 312 0 Z" fill="transparent" height="251px" id="HgoSWLVCz" width="624px"><path d="M 312 0 C 139.687 0 0 112.377 0 251 L 624 251 C 624 112.377 484.313 0 312 0 Z" fill="rgb(255, 255, 255)" height="251px" id="YYeMjMncw" width="624px"/></g></svg>)
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 12 12" xmlns="http://www.w3.org/2000/svg"><defs ><linearGradient id="T0ffW2sej-4268478831-linear-gradient" x1="1" x2="0" y1="0.4974874371859296" y2="0.5025125628140704"><stop offset="0" stop-color="rgb(255, 255, 255)"/><stop offset="1" stop-color="rgb(185, 138, 255)"/></linearGradient></defs><path d="M 5.075 1.158 C 5.288 0.769 5.846 0.769 6.059 1.158 L 7.672 4.106 C 7.723 4.2 7.801 4.277 7.895 4.328 L 10.843 5.941 C 11.232 6.154 11.232 6.713 10.843 6.926 L 7.895 8.537 C 7.801 8.589 7.723 8.667 7.672 8.761 L 6.059 11.708 C 5.846 12.097 5.288 12.097 5.075 11.708 L 3.463 8.761 C 3.411 8.667 3.333 8.589 3.239 8.537 L 0.292 6.926 C -0.097 6.713 -0.097 6.154 0.292 5.941 L 3.239 4.328 C 3.333 4.277 3.411 4.2 3.463 4.106 Z M 10.374 0.146 C 10.48 -0.049 10.76 -0.049 10.866 0.146 L 11.176 0.712 C 11.201 0.759 11.241 0.799 11.288 0.824 L 11.854 1.134 C 12.048 1.24 12.048 1.519 11.854 1.626 L 11.288 1.936 C 11.241 1.961 11.201 2.001 11.176 2.048 L 10.866 2.614 C 10.76 2.809 10.48 2.809 10.374 2.614 L 10.064 2.048 C 10.039 2.001 9.999 1.961 9.952 1.936 L 9.386 1.626 C 9.191 1.52 9.191 1.24 9.386 1.134 L 9.952 0.824 C 9.999 0.799 10.039 0.759 10.064 0.712 Z" fill="url(%23T0ffW2sej-4268478831-linear-gradient)" height="12.000028678629624px" id="T0ffW2sej" transform="translate(0 0)" width="11.999960088412966px"/></svg>)
Security operations faces a scaling crisis driven by workforce shortages, analyst burnout, and alert overload. While AI and automation have improved parts of detection, triage, and response, the industry still lacks a broadly adopted, vendor-neutral framework for classifying degrees of SOC autonomy — leading to vendor confusion, misaligned buyer expectations, and unfocused research investment. This paper introduces the SOC Autonomy Framework (SAF), defining six levels of security operations autonomy (L0 through L5), analogous to the SAE J3016 standard for automated driving.
Level
Name
AI DECISION SCOPE
HUMAN ROLE
ACTION RATE
L0
Manual SOC
None
Everything
0%
L1
Assisted Detection
Surface, prioritize alerts
Investigate, decide
0%
L2
Automated Triage
Triage, enrich, correlate, filter FPs
Validate, investigate, respond
0-10%
L3
Conditional Autonomy
Investigate, recommend, execute low-risk
Approve high-impact, supervise
20-50%
L4
High Autonomy
Full lifecycle within governed boundaries
Monitor, exceptions, policy updates
70-90%
L5
Full Autonomy
Entire SOC lifecycle
Set policy only
99-100%
L2 to L3 Transition
The transition from automated triage to conditional autonomy requires the system to reason about novel situations, not just follow playbooks. This is the hardest architectural leap.
L3 to L4 Transition
Moving from human approves to system acts autonomously is primarily a trust challenge requiring calibrated confidence, governed boundaries, and auditable decision traces.
Full Autonomy
Full autonomy may be technically achievable but ethically undesirable. The value of human judgment in security is not processing speed, it's moral reasoning about proportional response.
Shuja, F. (2026).
"The Autonomous SOC Manifesto: A Framework for Classifying Levels of Security Operations Autonomy."
SIRP Labs. April 2026. Available at: https://sirp.io/manifesto
ORCID: 0009-0008-3106-2972
