Saved in:
Bibliographic Details
Main Authors: Begimher, Daniel, Leo, Cristian, Huang, Jack, Gaw, Pat, Zheng, Bonan
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.12040
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911591327334400
author Begimher, Daniel
Leo, Cristian
Huang, Jack
Gaw, Pat
Zheng, Bonan
author_facet Begimher, Daniel
Leo, Cristian
Huang, Jack
Gaw, Pat
Zheng, Bonan
contents We present SIR-Bench, a benchmark of 794 test cases for evaluating autonomous security incident response agents that distinguishes genuine forensic investigation from alert parroting. Derived from 129 anonymized incident patterns with expert-validated ground truth, SIR-Bench measures not only whether agents reach correct triage decisions, but whether they discover novel evidence through active investigation. To construct SIR-Bench, we develop Once Upon A Threat (OUAT), a framework that replays real incident patterns in controlled cloud environments, producing authentic telemetry with measurable investigation outcomes. Our evaluation methodology introduces three complementary metrics: triage accuracy (M1), novel finding discovery (M2), and tool usage appropriateness (M3), assessed through an adversarial LLM-as-Judge that inverts the burden of proof -- requiring concrete forensic evidence to credit investigations. Evaluating our SIR agent on the benchmark demonstrates 97.1% true positive (TP) detection, 73.4% false positive (FP) rejection, and 5.67 novel key findings per case, establishing a baseline against which future investigation agents can be measured.
format Preprint
id arxiv_https___arxiv_org_abs_2604_12040
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SIR-Bench: Evaluating Investigation Depth in Security Incident Response Agents
Begimher, Daniel
Leo, Cristian
Huang, Jack
Gaw, Pat
Zheng, Bonan
Cryptography and Security
Artificial Intelligence
Software Engineering
We present SIR-Bench, a benchmark of 794 test cases for evaluating autonomous security incident response agents that distinguishes genuine forensic investigation from alert parroting. Derived from 129 anonymized incident patterns with expert-validated ground truth, SIR-Bench measures not only whether agents reach correct triage decisions, but whether they discover novel evidence through active investigation. To construct SIR-Bench, we develop Once Upon A Threat (OUAT), a framework that replays real incident patterns in controlled cloud environments, producing authentic telemetry with measurable investigation outcomes. Our evaluation methodology introduces three complementary metrics: triage accuracy (M1), novel finding discovery (M2), and tool usage appropriateness (M3), assessed through an adversarial LLM-as-Judge that inverts the burden of proof -- requiring concrete forensic evidence to credit investigations. Evaluating our SIR agent on the benchmark demonstrates 97.1% true positive (TP) detection, 73.4% false positive (FP) rejection, and 5.67 novel key findings per case, establishing a baseline against which future investigation agents can be measured.
title SIR-Bench: Evaluating Investigation Depth in Security Incident Response Agents
topic Cryptography and Security
Artificial Intelligence
Software Engineering
url https://arxiv.org/abs/2604.12040