PostHole
Compose
Login
Black Hat Europe: Enhancing Security Operations With Cisco XDR and Foundation-sec-8b-Instruct LLM
Manual triage often slows down incident response. Learn how we integrated an 8-billion parameter security LLM into Cisco XDR to summarize alerts and trace attack paths in real time.
February 9, 2026 Leave a Comment
Security
Black Hat Europe: Enhancing Security Operations With Cisco XDR and Foundation-sec-8b-Instruct LLM
2 min read
Modern security operations centers (SOCs) frequently contend with an overwhelming volume of alerts, necessitating extensive manual triage and time-consuming investigations. This challenge often impedes efficient incident response and deeper analytical work.
To address these critical issues, the Cisco Foundation AI team developed and open-sourced the Llama-3.1-FoundationAI-SecurityLLM-1.1-8B-Instruct (Foundation-sec-8b-instruct). This 8-billion parameter Large Language Model (LLM) is specifically engineered to augment complex security workflows with advanced analytical capabilities. Trained on a comprehensive, offline cybersecurity-specific dataset, the model empowers SOC teams to:
- Summarize security alerts efficiently
- Accurately map MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)
- Trace intricate attack paths
- Draft incident reports, thereby freeing up valuable analyst time for in-depth investigations
Our team successfully deployed and tested this innovative solution within the Black Hat Europe NOC/SOC in London, demonstrating its efficacy under real-world conditions.
The NOC leadership enabled Cisco and other partners to introduce additional pre-approved software and hardware solutions, enhancing our internal efficiency and expanding our visibility capabilities; however, Cisco is not the official provider for Extended Detection & Response, Security Event and Incident Management, Firewall, Network Detection & Response or Collaboration.
The Foundation-Sec model was seamlessly integrated into Cisco XDR through two primary mechanisms:
- Workflow Integration: A dedicated XDR workflow was established to facilitate API queries to our Foundation-sec compute server, transmitting incident content for analysis.
- Playbook Integration: The model was further integrated into XDR as an identification playbook. This allowed Black Hat security analysts to initiate an immediate analysis of any incident by selecting “Ask Cisco Foundation AI to Analyze the incident” directly from the incident view.
Upon execution, the model delivers a comprehensive analysis, including:
- A concise summary report detailing various detections, correlations, and analytical data
- A summary of work logs
[Incident report of malicious activity]
- Detailed recommendations for further investigation, outlining actionable next steps
[Recommendation and next steps]
Furthermore, the model was leveraged as a recovery playbook to generate incident summaries prior to incident closure, streamlining the post-incident review process.
For additional information, please refer to the following resources:
You can read the other blogs from our colleagues at Black Hat Europe.
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
Authors
Piotr Jarzynka
Principal Architect
Customer Experience (CX)