The difference between an AI feature and an AI-led operating model becomes clear the moment a security problem becomes difficult. In real-world security operations — where the signal is ambiguous, the evidence spans multiple domains, and the attacker is behaving in unfamiliar ways — architecture matters much more.
Much of what the industry describes as AI-powered security still centers on a general-purpose model responding to prompts in a console or a copilot layered onto an existing alert queue. Those approaches can be useful in limited ways. But they do not fundamentally change how investigations move. Analysts still act as the connective tissue across tools, domains, and decisions. AI may accelerate parts of the workflow, but the workflow itself, with its manual handoffs, sequential escalation paths, and human-dependent coordination, remains largely intact.
If AI is going to truly change security operations, the change must happen in the operating model, not just on top of it.
The Swarm of Experts™: What It Is and Why We Built It
At Arctic Wolf, we built the Swarm of Experts™, a purpose-built agentic framework that coordinates specialised agents across all functions of the SOC. It is a core pillar of the Aurora® Superintelligence Platform and the primary engine of investigation inside the Aurora® Agentic SOC.
The design principle behind the Swarm of Experts is coordinated specialisation, not generalised autonomy. A trustworthy agent does not simply produce an answer quickly or present it with confidence. It understands what evidence it has, what evidence it still needs, and when the right next step is to escalate to human judgment.
That distinction matters in security operations, where the cost of being wrong is high and the path to the right conclusion is often nonlinear.
How an Investigation Actually Moves
Consider a suspicious authentication event. The Swarm of Experts does not simply execute a static playbook or ask whether the alert matches a known pattern. Instead, it begins with a more useful question: Given this initial signal, what additional evidence would most improve our understanding of whether this represents a real threat?
That is a different approach from traditional correlation logic. Rather than looking only for more indicators that resemble the first one, the Swarm of Experts evaluates a hypothesis and seeks evidence that can meaningfully narrow the field. It favors signals from different sources and different behavioral dimensions over signals that merely repeat what is already known.
So instead of stacking multiple correlated data points from the same domain, which can create the appearance of confidence without adding much new information, the Swarm of Experts may pull an authentication log, a DNS pattern from the endpoint, and a cloud identity event. Each signal tests the hypothesis from a different angle. Each contributes something distinct to the investigation. And together they provide a stronger basis for determining whether the activity is benign, suspicious, or material.
Authoritative agents apply domain-specific reasoning to bounded problems, evaluating evidence within their area of expertise rather than improvising beyond it. Process agents handle the operational work that often fragments investigations in a traditional SOC, including agentic SOAR. The Swarm Orchestrator coordinates activity across all agents, while the Swarm Judge assesses whether an output is strong enough to advance the investigation or whether more evidence, another specialist, or human review is required.
When confidence is high, the system can move quickly toward containment, response, or closure. When confidence is lower, it escalates to a human with structure and context already in place: the working hypothesis, the supporting and conflicting evidence, and the next most relevant areas to examine.
That is what an agent-led operating model should do. It should not simply generate output. It should help move the investigation forward in a disciplined, evidence-based way.
Shared Context, Not Isolated Alerts
Specialisation alone is not enough if each agent is operating from a different slice of reality. Trustworthy agentic systems require shared context.
That is the role of the Security Operations Graph™. It gives the Swarm of Experts a connected view across users, devices, identities, detections, vulnerabilities, and activity over time. Agents can preserve memory across an investigation, build on prior steps, and pass forward context instead of reconstructing the case from scratch at every stage.
This is also where customer context becomes essential. The same alert can mean very different things in different environments. A braille device generating USB alerts may be completely expected in one customer environment and a genuine anomaly in another. The Swarm of Agents can recognise that distinction because it carries customer-specific knowledge, including alerting preferences, escalation paths, environmental norms, and operational history.
That is the difference between generic detection and outcomes shaped to the reality of the customer’s environment.
How the System Improves
The Swarm of Experts benefits from something that matters deeply in real-world security operations: a closed-loop learning system at scale.
It is grounded in data that reflects real operations, not just logs in isolation. The system learns from actual investigative steps and decisions that the Arctic Wolf® Security Teams make when evaluating ambiguity, assembling context, and determining the right course of action. More than 1,000 security engineers review, correct, and validate AI-led investigations every day, creating a continuous feedback loop that improves the system over time. When the system falls short, that correction is not a failure of the model. It is part of how the system gets better, with human oversight built into the operating model by design.
And it improves through scale. Arctic Wolf supports more than 10,000 customers and processes more than 9 trillion security events each week. Every outcome — whether a threat was real, whether the response was appropriate, whether the closure was justified — contributes to the feedback loops that help the next investigation become faster, more accurate, and more consistent.
This is why the operating model matters more than the model alone. AI does not become trustworthy simply because it is powerful. It becomes trustworthy when it is grounded in real data, applied in a structured way, validated continuously, and improved through operational feedback.
Better Agents are More Accountable, Not Just More Autonomous
The market will spend plenty of time debating agent counts, model choices, and interfaces. Those details are visible, but they are not what determines whether AI can be trusted in security operations.
What matters is whether agents can do meaningful security work with the right expertise, shared context across the investigation, and clear boundaries around when to act and when to escalate to a human in the loop. In a real SOC, trustworthy AI is not defined by how confidently it answers. It is defined by whether it helps teams reach the right outcome faster, with the discipline to stay inside validated experience and bring in human judgment when the situation demands it.
That is the design behind the Swarm of Experts. Better agents are not just more autonomous. They are more specialised, more coordinated, and more accountable. They move investigations forward in a structured, evidence-based way. That is why trustworthy AI starts with better agents.
Disclaimer
This blog may include forward‑looking statements. These reflect our current views and are subject to change. They are not guarantees, and actual results may vary.
