Building a Real-Time SOC Copilot With DeltaStream and OpenAI Agents

Why Real-Time Context Is the Missing Ingredient for AI-Driven Cybersecurity

Generative AI is entering the security operations center (SOC), promising intelligent copilots that can reason, summarize attacks, triage alerts, and guide analysts through investigations. But there’s a fundamental problem: AI models do not understand real-time security events unless you feed them the full, live context.

And the security world moves fast, far faster than most data platforms can handle. Attackers probe, escalate, pivot, and exfiltrate within seconds. Traditional SIEMs and databases simply can’t create or maintain the kind of live, correlated context required for an agent to make high-quality decisions.

This is exactly where DeltaStream becomes critical.

In this blog post we’ll walk through a practical (but intentionally simplified) example of building a Real-Time SOC Copilot using:

• Kafka to transport cyber events
• DeltaStream to build and maintain real-time security context
• DeltaStream’s built-in MCP server to expose that context to agents
• OpenAI Agent Builder to create the AI SOC Copilot

We’ll also discuss how this simplified example compares to real-world SOCs, and why DeltaStream is designed to handle production-scale complexity with ease.

Why Cybersecurity Agents Need Real-Time Context

You can build a chatbot for a SOC analyst today. You can even give it access to APIs from SIEM tools, EDR platforms, or ticketing systems. But without real-time context, the agent is blind.

Here’s why:

1. Security data is streaming, not static

Auth events, network flows, IDS alerts, cloud activity logs, DNS queries and everything arrives in real-time. Agents cannot poll dozens of sources every time the user asks a question. They also cannot stitch the context together reliably on-demand.

2. Threat actors act in minutes or seconds

Successful defense requires instantaneous awareness of things like:

• Burst of failed logins
• Sudden high-volume data transfers
• Elevated IDS alert patterns
• Suspicious IP–identity correlations

Without continuously updated context, an agent might answer:

“No major risk detected.”

when in fact a small cluster of events in the last 60 seconds indicates an active breach.

3. LLMs don’t build state; they consume state

Models are stateless. They depend entirely on the tools we give them. You must maintain the real-time state outside the model and expose it through a tool.

DeltaStream is that state builder.

Introducing the SOC Copilot (Powered by DeltaStream)

In our example, we built a security copilot that detects suspicious behavior across:

• Auth events
• Network flows
• IDS alerts

The pipeline looks like this:

Kafka → DeltaStream (joins, HOP windows, enrichment)

                    → Materialized View exposed as a tool via MCP

                    → OpenAI Agent queries it in real-time

DeltaStream does the heavy lifting:

• Ingests all events in real-time
• Performs multi-stream joins
• Aggregates behavior in 5-minute rolling windows
• Computes a real-time risk score per entity
• Exposes the result via a Materialized View
• Serves it to the agent via MCP in milliseconds

The SOC Copilot can now answer:

“Show me the highest-risk users right now.”

“Explain why risk spiked for 10.0.0.25 in the last 3 minutes.”

“Which IPs show signs of brute force + suspicious outbound flows?”

The agent does not query Kafka, a SIEM, or storage directly.
It queries DeltaStream’s real-time view, which already computed the security context.

This is precisely the “Real-Time Context Engine” pattern described by DeltaStream:
stream → context → agent tool.

But Why Can’t We Just Query the Raw Data Directly?

There are three reasons:

1. Query-on-demand destroys latency

An agent requesting “what’s happening right now?” needs context now.

If you attempt to:

• Pull data from Kafka
• Filter
• Join
• Aggregate
• Score
• Summarize

every time the agent answers, it’s too slow. By the time the model responds, the threat has moved on.

2. You cannot reliably reconstruct correlations in real-time

Multi-stream, time-bounded joins require:

• Event-time alignment
• Late event handling
• Deduplication
• Sessionization
• Sliding windows
• Stateful aggregations

No LLM agent workflow can execute that level of streaming logic on demand. But DeltaStream can, continuously.

3. Agents need a single, trusted, continuously updated source of truth

The agent should not reason:

“Maybe from this API I get auth failures…
and from this one I get flows…
let me merge them and see…”

Instead, the agent should simply ask:

“What is the current risk context for user X?”

And DeltaStream answers with a real-time MV.

What We Built (Simplified Yet Realistic)

Our example SOC Copilot uses:

Java Data Generator

Simulates auth events, flows, and IDS alerts and streams them into Kafka.

DeltaStream Streams

Ingests each topic as a structured stream.

Real-Time Join

Auth events + network flows + IDS alerts, joined within a 30-second window to build a unified security event stream.

Real-Time Context View (MV)

A continuous HOP-window aggregation (5 minutes with 30-second advance):

• Failed logins
• MFA usage
• Bytes sent
• IDS alerts
• A simple rule-based risk score

OpenAI Agent Builder + DeltaStream MCP Tool

We connected the MV to the agent so the model can query:

• “Top risky users”
• “Context for this IP/user”
• “Recent suspicious activity”

All in real-time.

Why This Example Is Simplified

We intentionally simplified the scenario:

• Only 3 event types, whereas real SOCs use 20–50+
• Very clean JSON schemas, not production-scale messy logs
• Low event rate (few events per second), not enterprise-scale (100K–2M EPS)
• Simple windowed aggregations, not multi-hop, multi-hour correlation
• Basic risk scoring, not full UEBA or ML models
• No enrichment (GeoIP, CMDB, threat intel)
• No incident workflow (ticketing, SOAR actions)

This keeps the example:

• Easy to reason about
• Perfect for illustrating the Real-Time Context Engine pattern

How Real SOC Workloads Compare

Real SOCs include:

1. Dozens of data sources

Okta, Azure AD, EDR telemetry, DNS, firewall, VPC logs, email security, SIEM alerts, cloud audit logs, etc.

2. Massive volumes

100,000 – 2,000,000 events per second across the enterprise.

3. Complex pipelines

Real detection requires:

• Multi-hour state
• Cross-entity graphs
• Threat-intel enrichment
• Baseline computation
• Multi-hop joins
• Anomaly detection
• Rule evaluation
• ML scoring

DeltaStream can handle these in real-time using:

• Continuous SQL
• Materialized views
• Stateful stream processing
• UDFs (including LLM-based UDFs via call_model)

4. SOC Playbooks

Once risk emerges, agents should:

• Create incidents
• Notify teams
• Trigger SOAR automations
• Block IPs
• Disable accounts
• Request MFA

Agent Builder can orchestrate these workflows through tools.

The Key Point: DeltaStream Makes Agents Operationally Useful

Without DeltaStream, an AI SOC Copilot would:

• Operate on stale data
• Miss correlated signals
• Misinterpret partial context
• Generate misleading answers
• Produce slow investigations
• Overwhelm the agent with raw data it must interpret

DeltaStream elevates the agent from “chatbot” to “real operator.”

It continuously transforms raw events into real-time security context, exactly what a human Tier-2 SOC analyst would maintain mentally, but at machine speed and scale.

Final Thoughts: AI-Driven Security NEEDS Real-Time Context

The SOC Copilot example shows the fundamental shift happening in cybersecurity:

Real-time context is the new compute for AI systems.

LLMs can reason, but only if you feed them the right state that is fresh, correlated, enriched, continuous, trustworthy.

DeltaStream acts as the Real-Time Context Engine that makes this possible:

• Continuous joins and aggregations
• Materialized views updated millisecond-by-millisecond
• Built-in MCP to expose context directly to agents
• Strong access control and governance
• High throughput with low latency
• SQL-first real-time modeling

Our example is deliberately simplified, but the architecture scales seamlessly into:

• Enterprise SOCs
• Cloud-scale telemetry
• Multi-cloud logs
• Identity security
• Threat detection pipelines
• Automated incident response

If you want to build a production-grade SOC copilot, the foundation is the same, just add more data, more enrichment, and more logic. DeltaStream handles the rest.

If you want to try this yourself, try DeltaStream free trial at www.deltastream.io. You can run the end to end scenario using the code and implementation details in DeltaStream examples repository here: https://github.com/deltastreaminc/examples/tree/main/SOC_CoPilot

This blog was written by the author with assistance from AI to help with outlining, drafting, or editing.