A
AI & Agents#automation#detection#siem

Defensive AI: Using LLMs for Threat Detection and Response

A
Amit Nepal
Security Engineer · Linux & Infrastructure · Offensive Security
·Jun 1, 2026·1 min read
AI & Agents

Defensive AI: Using LLMs for Threat Detection and Response

Jun 1, 2026 · 1 min read

Defensive AI: Using LLMs for Threat Detection and Response

The same capabilities that make AI useful for attackers are powerful for defenders. Pattern recognition at scale, natural language reasoning about alerts, automated triage — here's how to apply them operationally.

LLM-assisted SIEM triage

The biggest win I've found is using an LLM as a first-pass triage analyst. Feed it your SIEM alerts and let it cluster, prioritize, and explain them in plain English.

import anthropic

client = anthropic.Anthropic()

def triage_alerts(alerts: list[dict]) -> str:
    prompt = f"""You are a SOC analyst. Triage these security alerts:
    {json.dumps(alerts, indent=2)}
    
    For each alert:
    1. Assign severity (CRITICAL/HIGH/MEDIUM/LOW)
    2. Explain what the attacker is likely trying to do
    3. Recommend immediate action
    4. Flag any that correlate across different source IPs
    """
    
    response = client.messages.create(
        model="claude-opus-4-8",
        max_tokens=2048,
        messages=[{"role": "user", "content": prompt}]
    )
    return response.content[0].text

AI-generated detection rules

Feed an incident to an LLM, ask it to write Sigma rules. This is genuinely useful:

def incident_to_sigma(incident_description: str) -> str:
    response = client.messages.create(
        model="claude-sonnet-4-6",
        messages=[{"role": "user", "content": f"""
        Based on this incident: {incident_description}
        Write a Sigma rule that would detect this behavior.
        Include false positive filters. Output valid YAML only.
        """}]
    )
    return response.content[0].text

Automated threat intel enrichment

When an IOC hits your SIEM, automatically enrich it: search threat intel feeds, summarize context, produce a brief for the analyst. An LLM can synthesize multiple sources into a coherent picture in seconds.

What to watch out for

  • Prompt injection in logs: attackers can embed instructions in log data. Sanitize before feeding to LLMs.
  • Hallucinated threat intel: LLMs sometimes invent threat actor attribution. Always verify against actual feeds.
  • Over-reliance on AI triage: AI misses novel techniques. Keep human analysts in the loop for high-priority alerts.
Keep going

Get the next writeup in your inbox

New posts delivered when I publish. No spam.

automationdetectionsiemllmdefensive-ai

Keep reading

all posts →
AI & Agents
AI & Agents · 1 min

Securing AI Systems: Hardening Your LLM Infrastructure

AI & Agents
AI & Agents · 1 min

AI-Powered Reconnaissance: OSINT Automation with Language Models

AI & Agents
AI & Agents · 1 min

Agentic AI in the SOC: From Alert Queue to Autonomous Response