10/09/2025 | Press release | Distributed by Public on 10/09/2025 06:36
Inside USF's Student Operations Center Apprenticeship Program command center
By Paul Guzzo, University Communications and Marketing
The statistic is nearly as daunting as the job.
"Surveys show about 70% of cybersecurity professionals in security operations centers are disgruntled or worn out," said Faayed Al Faisal, a doctoral student studying computer science at the University of South Florida.
That's a serious concern as cyber threats keep growing.
Al Faisal is part of a USF team testing how artificial intelligence can improve analysts' work while easing the mental grind.
To do so, they're embedded in USF's Student Operations Center Apprenticeship Program - SOCAP - where students from any major train as industry-ready analysts, solving real security issues for the university and public-sector partners.
"AI is something you can't get away from in today's world, right?" Al Faisal said. "So why not learn how to best implement it? This research is not looking for ways to replace workers, but for ways to enhance their work. You need to learn how to embrace AI or you may get left behind."
USF's SOCAP is a paid apprenticeship that trains students to detect and respond to real cyber threats. Participants work inside the Cyber Florida Security Operations Center (SOC) - a student-operated center that augments cybersecurity services for USF and partners with other public sector organizations for cybersecurity services.
The students help protect USF from cyberattacks, as well as off-campus public-sector entities.
"We have MOUs with, and have worked with, the 12th Judicial Circuit of Pinellas County, the Orange County Comptroller and others," said SOCAP manager Ryan Irving. "Our main goal is to hire students with little to no experience, really from any degree program, and give them practical, hands-on experience that bridges the gap between academia and industry. They accelerate their learning well past their peers, and the proof is in the pudding. We've had students go on to work for the university all the way up to Google."
Unlike other SOCs, Cyber Florida's provides safeguards to prevent burnout, such as limited hours and workload.
"It's a little softer here because it is still a learning environment," Irving said. "There is a bit more leeway here."
That's not always the case.
Burnout in SOCs isn't just about workload; it's also about monotony.
SOC work falls into two main categories: ticketing and triage, and incident response. The former can often be a steady stream of low-stakes alerts: a user clicks a suspicious link, a virus pings a firewall, or an automated scan flags an anomaly.
"A lot of times, you're stuck at a desk all day, triaging alerts that take very little creativity," Al Faisal said. "The tickets aren't interesting."
Not only can this become mundane, but it prevents analysts from coming up with ways to address potential higher-level threats.
"When one step becomes low-creativity, the brain checks out," said Simon Ou, a professor in the Bellini College of Artificial Intelligence, Cybersecurity and Computing. "So, how can AI help?"
To answer that question, Ou challenged computer science doctoral students Al Faisal and Kritan Banstola to take an anthropological approach.
"They need to build a pathway to their research, and for them to do that efficiently, they need domain experience," said Duy Dao, SOCAP's assistant manager. "They must understand what cybersecurity analysts are going through and they must understand the workflow. The only way to know that is to do that."
Beginning in June, Al Faisal and Banstola joined SOCAP's 21-student team, working 20 hours a week alongside the other interns as equals, not just researchers. They will remain embedded for as long as it takes.
But their intent is clear: Whatever AI options they consider must be used to enhance workflow and not just to produce publications.
"I don't want AI to take over," Irving said. "We don't want people to say, 'Well, this is what AI said to do, so that must be right.' AI is not always accurate or accurate enough. So instead, the tools should be used as a starting point that humans can validate or use to validate."
It's hoped that the cybersecurity industry will then use this research as a blueprint for what to do next.
"Our research aims at discovering effective approaches of integrating AI into SOC operations," Ou said. "Findings from the research can inform industry where companies need scientifically verified guidance on how to build AI solutions for cybersecurity."
The research is still in its early stages, so the students do not yet have definitive answers, but their early analysis is leaning toward using AI to filter out irrelevant alerts before they hit an analyst's queue and combining multiple related alerts into a single case file.
Then, instead of wading through 10 separate alerts about the same IP address, an analyst could get one neatly packaged report - freeing time for higher-level analysis.
"Level 1 triage is a good candidate for AI," Al Faisal said. "It's not about replacing the analyst - it's about letting them focus on the work that matters."
AI would also improve upon current SOC software that is typically too bound by rules. Programs follow strict logic: if X, then Y. But threats evolve faster than static rules can keep up.
"With traditional tools, you have to write very precise instructions," Ou said. "They become unwieldy and break easily. Hackers change tactics all the time, and your tool becomes stale."
AI, by contrast, learns from past data - how analysts handled previous alerts, what outcomes they followed, and what context matters.
"It can learn the nuances," Ou said. "Once again, AI is not replacing analysts. It's the opposite - AI needs the creativity of the human analysts in order to improve."