🤖 AI Summary
This study addresses the trust and reliability challenges—such as hallucinations, output instability, and misalignment with existing workflows—that hinder the adoption of large language models (LLMs) in Security Operations Centers (SOCs). Through a six-month ethnographic field study embedded within a multinational enterprise SOC, the research identifies core pain points including repetitive tasks, data fragmentation, and tooling bottlenecks. Guided by Nonaka’s SECI model, the authors develop a sociotechnical co-creation framework that deeply integrates frontline practitioners into the design and iterative refinement of LLM-augmented tools. This approach significantly enhances tool interpretability and workflow alignment, reduces operational friction, and fosters sustained LLM adoption in real-world SOC environments, demonstrating that practitioner-centered co-creation can overcome critical barriers to deploying AI in high-reliability security contexts.
📝 Abstract
Technology for security operations centers (SOCs) has a storied history of slow adoption due to concerns about trust and reliability. These concerns are amplified with artificial intelligence, particularly large language models (LLMs), which exhibit issues such as hallucinations and inconsistent outputs. To assess whether LLM-based tools can improve SOC efficiency, we embedded two PhD researchers within a multinational company's SOC for six months of ethnographic fieldwork. We identified recurring challenges, such as repetitive tasks, fragmented/unclear data, and tooling bottlenecks, and collaborated directly with practitioners to develop LLM companion tools aligned with their operational needs. Iterative refinement reduced workflow disruption and improved interpretability, leading from skepticism to sustained adoption. Ethnographic analysis indicates that this shift was enabled by our sociotechnical co-creation process, which is consistent with Nonaka's SECI model. This framework explains the common challenges in traditional SOC technology adoption, including workflow misalignment, rigidity against evolving threats and internal requirements, and stagnation over time. Our findings show that the co-creation approach can overcome these old barriers and establish a new paradigm for building usable technology for cybersecurity operations.