🤖 AI Summary
To address core Security Operations Center (SOC) challenges, including alert overload, a shortage of cybersecurity experts, and tool fragmentation, this paper proposes an AI-driven human–machine collaborative paradigm for security operations. We design an LLM-based human–machine co-learning mechanism tailored to SOC workflows that internalizes analysts' tacit operational knowledge in real time into iteratively upgradable AI capabilities. This supports semantic understanding of threat intelligence, dynamic alert prioritization modeling, and explainable, reasoning-based decision-making. Evaluation in a production pilot demonstrates significant improvements in human–machine synergy: average incident response time decreased by 35%, manual false-positive filtering effort was reduced by 52%, and cognitive load was lowered while high analytical accuracy was maintained, achieving dual optimization of analyst cognitive efficiency and operational agility.
📝 Abstract
Security Operations Centers (SOCs) face growing challenges in managing cybersecurity threats due to an overwhelming volume of alerts, a shortage of skilled analysts, and poorly integrated tools. Human-AI collaboration offers a promising path to augment the capabilities of SOC analysts while reducing their cognitive overload. To this end, we introduce an AI-driven human-machine co-teaming paradigm that leverages large language models (LLMs) to enhance threat intelligence, alert triage, and incident response workflows. We present a vision in which LLM-based AI agents learn from human analysts the tacit knowledge embedded in SOC operations, enabling the AI agents to improve their performance on SOC tasks through this co-teaming. We invite SOCs to collaborate with us to further develop this process and uncover replicable patterns where human-AI co-teaming yields measurable improvements in SOC productivity.