EXPLAINABILITY AS A TRUST INFRASTRUCTURE: XAI FRAMEWORKS FOR AI-SOAR ANALYST DECISION SUPPORT
DOI: https://doi.org/10.56238/rcsv16n6-004
Keywords: Explainable Artificial Intelligence, SOC, AI-SOAR, Analyst Trust, Cybersecurity
Abstract
The adoption of artificial intelligence in Security Operations Centers has expanded the capacity to correlate, prioritize, and triage alerts in environments integrated with SOAR platforms. However, triage automation does not eliminate a central limitation of contemporary cyber defense: analysts must understand why a given alert was escalated, why similar events were treated differently, and how the behavior of the monitored environment has changed over time. This article proposes a conceptual explainable artificial intelligence framework for AI-SOAR workflows, organized around three interpretable layers: local explanations, contrastive explanations, and temporal explanations. Local explanations support confidence for immediate action; contrastive explanations strengthen pattern recognition between malicious and benign events; and temporal explanations enhance situational awareness by interpreting sequences, baselines, and attack trajectories. As an extension, the article discusses the use of large language models as explanatory interfaces capable of translating structured XAI outputs into plain-language rationales without replacing human judgment. The article argues that explainability can function as an infrastructure for trust, auditability, and supervision in AI-SOAR escalation workflows.
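The three explanation layers the abstract names, plus a template stand-in for the plain-language interface and the grounding check a practitioner would put around it, sketched as an added example that is not part of the article or of any AI-SOAR product. The additive scoring model, its feature weights, the escalation threshold, the alert ids, the host name and the baseline history are all constructed assumptions; for a non-linear model the local layer would be filled by a SHAP or LIME style attribution rather than exact contributions.

```python
"""Added example, not code from the article: local, contrastive and temporal
explanations for a toy alert scorer, a deterministic rationale template in
place of the LLM interface, and a grounding guardrail, over constructed data.
The model, weights, threshold, alert ids and history are assumptions."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Hypothetical additive risk model: one weight per alert feature (constructed).
WEIGHTS: Dict[str, float] = {
    "failed_logins": 0.05,
    "new_process_name": 1.5,
    "outbound_bytes_mb": 0.02,
    "admin_account": 2.0,
    "off_hours": 1.0,
}
BIAS = -2.5  # a score above 0.0 escalates (assumed threshold)

@dataclass
class Alert:
    alert_id: str
    host: str
    features: Dict[str, float]
    disposition: str = "unknown"  # analyst label, where one exists

def score(alert: Alert) -> float:
    """Additive score; only its sign matters for escalation, so no sigmoid."""
    return BIAS + sum(w * alert.features.get(f, 0.0) for f, w in WEIGHTS.items())

def local_explanation(alert: Alert, top_k: int = 3) -> List[Tuple[str, float]]:
    """Layer 1 (local): per-feature contribution to this alert's own score,
    largest magnitude first. Exact for an additive model."""
    contribs = [(f, w * alert.features.get(f, 0.0)) for f, w in WEIGHTS.items()]
    return sorted(contribs, key=lambda kv: abs(kv[1]), reverse=True)[:top_k]

def contrastive_explanation(alert: Alert, benign: List[Alert]) -> Tuple[str, List[Tuple[str, float]]]:
    """Layer 2 (contrastive): nearest analyst-benign alert in feature space and
    the non-zero contribution deltas that separate the two outcomes."""
    def sq_dist(a: Alert, b: Alert) -> float:
        return sum((a.features.get(f, 0.0) - b.features.get(f, 0.0)) ** 2 for f in WEIGHTS)
    ref = min(benign, key=lambda b: sq_dist(alert, b))
    deltas = [(f, w * (alert.features.get(f, 0.0) - ref.features.get(f, 0.0)))
              for f, w in WEIGHTS.items()]
    deltas = [d for d in deltas if d[1] != 0.0]
    return ref.alert_id, sorted(deltas, key=lambda kv: abs(kv[1]), reverse=True)

def temporal_explanation(history: List[float], current: float) -> Tuple[float, float, float]:
    """Layer 3 (temporal): (mean, stdev, z-score) of the current window against
    the host's own baseline; a flat baseline that moves at all reports inf."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0.0:
        return mu, sigma, 0.0 if current == mu else float("inf")
    return mu, sigma, (current - mu) / sigma

def rationale(alert: Alert, benign: List[Alert], history: List[float], current: float) -> str:
    """Template stand-in for the LLM interface the article proposes: it only
    verbalises structured XAI output and takes no decision of its own."""
    s = score(alert)
    ref_id, deltas = contrastive_explanation(alert, benign)
    mu, sigma, z = temporal_explanation(history, current)
    verdict = "escalated" if s > 0.0 else "not escalated"
    return "\n".join([
        f"Alert {alert.alert_id} on {alert.host} was {verdict} (score {s:+.2f}).",
        "Top contributors: " + ", ".join(f"{f} ({c:+.2f})" for f, c in local_explanation(alert)) + ".",
        f"Versus benign alert {ref_id}, the decisive differences are: "
        + ", ".join(f"{f} ({d:+.2f})" for f, d in deltas[:2]) + ".",
        f"Temporal context: {current:.0f} failed logins this window against a host "
        f"baseline of {mu:.1f} +/- {sigma:.1f} (z = {z:.1f}).",
    ])

def grounded(text: str, alert: Alert, benign: List[Alert]) -> bool:
    """Guardrail for any LLM-rendered rationale: every feature name and alert
    id the prose mentions must exist in the structured input it was given."""
    known = set(WEIGHTS) | {alert.alert_id} | {b.alert_id for b in benign}
    mentioned = set(re.findall(r"\b[a-z]+(?:_[a-z]+)+\b|\b[A-Z]{2,4}-\d+\b", text))
    return mentioned <= known

# Constructed sample input: one escalated alert, two analyst-benign alerts on
# the same host, and that host's failed-login counts for eight earlier windows.
ESCALATED = Alert("ALT-1042", "ws-017", {"failed_logins": 12, "new_process_name": 1,
                                         "outbound_bytes_mb": 40, "admin_account": 1, "off_hours": 1})
BENIGN = [
    Alert("ALT-0977", "ws-017", {"failed_logins": 10, "new_process_name": 0,
                                 "outbound_bytes_mb": 35, "admin_account": 0, "off_hours": 1}, "benign"),
    Alert("ALT-0312", "ws-017", {"failed_logins": 2, "new_process_name": 0,
                                 "outbound_bytes_mb": 5, "admin_account": 0, "off_hours": 0}, "benign"),
]
HISTORY = [3, 4, 2, 5, 3, 4, 3, 4]

if __name__ == "__main__":
    text = rationale(ESCALATED, BENIGN, HISTORY, ESCALATED.features["failed_logins"])
    print(text)
    print("grounded:", grounded(text, ESCALATED, BENIGN))
```

The contrastive layer deliberately compares against the nearest alert an analyst already closed as benign rather than against an arbitrary one, so the deltas answer "why this and not that" in terms the analyst recognises. The grounding check is the part most worth keeping when a real language model replaces the template: it rejects any rationale that names a feature or alert the structured explanation never contained, which is the failure mode that turns an explanatory interface into a new source of false confidence.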
License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.