New “AI SOC LLM Leaderboard” Uniquely Measures LLMs in Realistic IT Environment to Give SOC Teams and Vendors Guidance to Pick the Best LLM for Their Organization
Mountain View, Calif. – June 12, 2025 – Simbian®, on a mission to solve security for businesses using AI, today announced the “AI SOC LLM Leaderboard” – the industry’s most comprehensive benchmark to measure LLM performance in Security Operations Centers (SOCs). The new benchmark compares LLMs across a diverse range of attacks and SOC tools in a realistic IT environment over all phases of alert investigation, from alert ingestion to disposition and reporting. It includes a public leaderboard to help professionals decide the best LLM for their SOC needs.
“SOC analysts and vendors building tools for the SOC are rapidly embracing LLMs to scale their operations, increase accuracy, and reduce costs,” said Ambuj Kumar, Simbian CEO and Co-Founder. “Our industry-first benchmark enables SOC teams and vendors to pick the best LLM for this purpose. This benchmark is made possible by Simbian’s AI SOC Agent, a proven solution leading the industry in end-to-end alert investigation leveraging LLMs.”
Existing benchmarks compare LLMs over broad criteria such as language understanding, math, and reasoning. Some benchmarks exist for broad security tasks or very basic SOC tasks like alert summarization. But prior to today’s announcement, no benchmark existed to comprehensively measure LLMs on the primary role of SOCs, which is to investigate alerts end-to-end. This task involves diverse skills, including the ability to:
- Understand alerts from a broad range of detection sources
- Determine how to investigate any given alert
- Generate code to support that investigation
- Understand data, extract evidence, and map it to attack stages
- Reason over evidence to arrive at a clear disposition and severity
- Produce clear reports and response actions
- Customize investigations for each organization’s context
Simbian’s AI SOC LLM Leaderboard is the industry’s first and only benchmark that measures LLMs on autonomous end-to-end investigation of alerts, utilizing the above skills. To make the benchmark applicable across a range of SOC environments, it leverages 100 diverse full-kill chain scenarios that test all layers of defense. It is also the industry’s first benchmark to measure investigation performance in a lab environment mimicking an enterprise, with investigations autonomously retrieving data from live tools across the environment.
This first LLM benchmark tested today’s top-tier LLM models from Anthropic, OpenAI, Google, and DeepSeek. All tested models were able to complete over half (61%-67%) of the tasks involved in alert investigation, as long as there was a solid framework to break down an investigation into clearly defined tasks for LLMs. For this benchmark, that framework was provided by Simbian’s AI SOC Agent (https://simbian.ai/products/ai-soc-agent). See Simbian’s blog published today for details of the benchmark methodology at https://simbian.ai/blog/the-first-ai-soc-llm-be....
The AI SOC LLM Leaderboard reveals that LLMs are more capable than commonly believed for autonomous alert investigation. Marginal difference was observed between standard LLMs and thinking LLMs for alert investigation. The results showed that the best LLM for cybersecurity is a generalist (like Sonnet 3.5) that knows how to code as well as how to perform logical reasoning, rather than a specialist that excels at code (Sonnet 4.0) or at logical reasoning (Opus 4). Finally, the benchmark highlighted that specialization such as SOC-specific training or a mix of LLMs yields higher performance than any single LLM.
Alert fatigue is common across SOCs and it is only getting worse with AI-powered attacks, requiring SOC teams to scale their capacity rapidly. AI offers a solution, and this benchmark guides the industry on the best LLM for the SOC. Simbian will update the measurement results periodically. Follow the AI SOC LLM Leaderboard page at https://simbian.ai/best-ai-for-cybersecurity.
The AI SOC LLM Leaderboard measures LLMs using Simbian’s AI SOC Agent, a proven framework for leveraging AI within the SOC. The AI SOC Agent is deployed at some of the largest SOCs in the world. Additionally, in a recent AI SOC Championship, the AI SOC Agent performed better than 95% of more than 100 analysts worldwide in correctly investigating alerts with supporting evidence.
About Simbian
Simbian is on a mission to solve security for businesses using AI. Simbian offers AI Agents that work like virtual employees and autonomously complete a variety of security tasks with increased precision and efficiency. The company is venture-backed and headquartered in Mountain View, Calif. For more information, visit www.simbian.ai.