Full SOC Operations with Claude Code: Fork, Install and Run Agents

Every vendor selling AI for the SOC eventually asks for the same thing: trust. Trust that the model behind the product is the best one, that the prompts are tuned, that the orchestration is sound, all of it sealed inside a SKU you cannot open. Maxime Lamothe-Brassard, LimaCharlie's founder, spent this session arguing the opposite case. If AI is going to run security operations, and he is convinced it already can, then a black box is the worst possible shape for it to take. The interesting question is not which vendor ships the cleverest agent. It is whether you own the thing doing the work.

The agent inherits your governance instead of bypassing it

LimaCharlie describes itself as API-first and now "AI operator first," meaning anything a human can do through the API, an agent can do too. That reads like a feature line until you follow it through. Because the platform was built for service providers running thousands of tenants, machine accounts, role-based access control, and per-tenant scoping already exist. Point an agent at it and the agent does not slip around your governance, it runs inside it. You decide what it can touch, in which tenant, with which permissions. The access model that took years to build for human analysts is the same one that now constrains the AI, which is a far more comfortable starting point than wiring autonomy into a system that was never designed to contain it.

What changes in daily work is the unit of instruction. The weakest version of AI in operations is the copilot in a chat box, useful but boxed in. The version that matters runs Claude Code in a dedicated container for each session, so the agent can pull large datasets to disk, search through them, fetch threat intelligence off the web, and write a Python script to hunt across what it gathered. Lamothe-Brassard keeps returning to one shift: from API thinking to goal thinking. You stop asking for ten detection rules and start handing over an objective. Find every tenant that talked to this IP at nine in the morning six months ago, then go live on the host you find and compare its installed Adobe versions against the CVEs released since. Nobody built that as a workflow. It is intent, executed. There is also a quiet economic point here that an MDR will notice before anyone else: because this runs on Claude Code, an analyst brings their own subscription through a short OAuth handoff, which turns AI spend into a fixed cost per seat rather than an unpredictable per-call meter. When you are pricing a service, predictable beats cheap.

The black box is the problem, not the product

The case against opacity gets concrete the moment the human leaves the keyboard. Headless agents fire on triggers, a detection, a case event, an API call, an external webhook, and every one of them is fully inspectable. Open an agent and you see its actual prompt, the model it uses, its budget ceiling, the MCP servers it can reach. Open a past session and you see what went into the prompt, what the agent reasoned, and which tools it called. This is exactly the layer most products hide, and hiding it is the thing Lamothe-Brassard objects to, because an operator who cannot audit an action cannot defend it to a customer.

It also explains why he is wary of over-harnessing the model. Today's frontier models are strong enough, he argues, that piling on guardrails and scripted direction mostly makes them slower and more expensive without making them smarter. A light harness buys two things at once. Better behavior now, and the freedom to drop in a stronger model the day it ships without rebuilding your workflows around last year's constraints. For a provider whose competitors are also adopting AI, that second point is the real moat. The advantage does not come from a clever one-off integration, it comes from being positioned to absorb every capability gain the labs deliver.

What coordination and ownership actually buy a provider

None of this scales if the agents cannot hand work to each other, and the place they do is ordinary case management. In a simulated multi-stage attack run with Atomic Red Team, a triage agent recognized that a scatter of separate detections was in fact a single kill chain, pulled them into one case, and extracted the entities that automatically correlate against every other case in the system. A second agent built the intrusion timeline and scoped the damage, then tagged a containment agent that isolated the affected host and a threat hunter that checked whether the activity had spread, noticing along the way that a domain controller had no sensor and therefore no visibility. The work moved between agents the same way it would move to a human, and because a case can be marked public and exported, the end of that chain is a customer-ready report.

The agents themselves are open source in LimaCharlie's public repository, which is the point rather than a footnote. They are documented and self-contained, so an operator can read one, point the interactive terminal at it, and fork it in minutes. That is what makes the top of the curve reachable instead of aspirational. A baselining team batches a new customer's alerts and writes narrow rules to suppress the noise. An exposure team discovers internet-facing assets daily and opens cases on anything new. A hunting pipeline profiles each tenant, pulls fresh intelligence every day, writes and unit-tests new detections against the previous week of telemetry, then checks every customer for impact and produces a per-tenant report. That last artifact is quietly important, because it gives a provider something to put in front of each client every day, proof of continuous work whether or not anything was wrong.

Strip away the demonstrations and the argument is about posture, not product. Buying AI as a fixed SKU ties your operations to someone else's release schedule and asks you to trust what you cannot see. Defining it as code you install per tenant, inspect at every step, and upgrade as the models improve turns AI into infrastructure you own. For an MSSP or MDR, that is not a philosophical preference. It decides whether you can apply AI to everything you do across every customer, or only to the few use cases a vendor decided to build.