New LLM Framework Aims to Enhance Security Operations Center Reporting

Global: New LLM Framework Aims to Enhance Security Operations Center Reporting

Researchers from an international team have introduced a large‑language‑model (LLM) based system called MESSALA to improve the creation and evaluation of security incident analysis reports in security operation centers (SOCs). The work, posted on arXiv in January 2026, seeks to align automated report generation with the expectations of veteran SOC analysts. By incorporating practitioner feedback, the authors aim to produce reports that are both technically accurate and operationally useful.

Analyst‑wise Checklist Development

The authors first compiled an analyst‑wise checklist that captures SOC practitioners’ criteria for evaluating incident reports. The checklist was derived from a literature review and a user study involving SOC analysts, ensuring that the resulting evaluation framework reflects real‑world operational priorities.

MESSALA Conceptual Framework

Building on the checklist, the team designed MESSALA, a novel conceptual framework that leverages LLMs to generate and assess analysis reports. MESSALA integrates the checklist as a set of evaluation metrics, allowing the model to produce feedback that mirrors veteran analysts’ perspectives.

Granularization Guideline and Multi‑Perspective Evaluation

Two new techniques underpin MESSALA’s approach: a granularization guideline that breaks down report components into finer elements, and a multi‑perspective evaluation that assesses each element from several analytical angles. These techniques are intended to enhance the precision of the model’s feedback.

Experimental Comparison with Existing LLM Methods

Extensive experiments compared MESSALA’s output with that of existing LLM‑based methods. According to the authors, MESSALA’s evaluations most closely matched those of veteran SOC practitioners, suggesting improved alignment with expert judgment.

Key Insights and Actionable Feedback

The study reports two primary insights: first, that incorporating practitioner‑derived checklists can significantly narrow the gap between automated and human evaluations; second, that the granularization and multi‑perspective techniques enable the model to suggest actionable items for report improvement.

Implications for Future SOC Practices

If adopted, MESSALA could streamline the reporting workflow in SOCs by providing consistent, expert‑level feedback on incident analyses. The authors propose that further integration of such frameworks may reduce analyst workload while maintaining report quality.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.