This study addresses the limitations of traditional Security Operations Centers, which rely on rule- or signature-based detection and generate excessive technical alerts devoid of business context, leading to analyst fatigue and delayed response. To bridge this gap, the authors propose the first security governance framework integrating a large reasoning model (QWQ-32B) with a multi-agent architecture. The framework employs human-in-the-loop interaction, integrated risk assessment, and automated remediation agents, leveraging the ReAct reasoning paradigm and a hybrid planning mechanism to enable end-to-end risk investigation aligned with business objectives. Evaluated on scenarios such as data exfiltration and privilege escalation, the approach achieves a 97.8% tool invocation success rate, 95% accuracy in risk judgment, and reduces manual workload by 92.7%, while demonstrating robust resilience against adversarial interference and prompt injection attacks—thereby establishing the first closed-loop integration between technical detection and business-aligned risk governance.

The rapid evolution of sophisticated cyberattacks has strained modern Security Operations Centers (SOC), which traditionally rely on rule-based or signature-driven detection systems. These legacy frameworks often generate high volumes of technical alerts that lack organizational context, leading to analyst fatigue and delayed incident responses. This paper presents LiaisonAgent, an autonomous multi-agent system designed to bridge the gap between technical risk detection and business-level risk governance. Built upon the QWQ-32B large reasoning model, LiaisonAgent integrates specialized sub-agents, including human-computer interaction agents, comprehensive judgment agents, and automated disposal agents-to execute end-to-end investigation workflows. The system leverages a hybrid planning architecture that combines deterministic workflows for compliance with autonomous reasoning based on the ReAct paradigm to handle ambiguous operational scenarios. Experimental evaluations across diverse security contexts, such as large-scale data exfiltration and unauthorized account borrowing, achieve an end-to-end tool-calling success rate of 97.8% and a risk judgment accuracy of 95%. Furthermore, the system exhibits significant resilience against out-of-distribution noise and adversarial prompt injections, while achieving a 92.7% reduction in manual investigation overhead.