Cisco, former Google, Meta experts train cybersecurity LLM

Cisco's new Foundation AI group, which includes engineers from multiple companies, has released as open source a compact AI reasoning model for cybersecurity based on Llama 3.

A new AI research group within Cisco led an effort to train Meta's Llama 3 large language model on cybersecurity data. The model will be released as open source, including open weights.

The Foundation AI group, unveiled Monday, is led by Yaron Singer, a former Harvard professor of computer science and advanced mathematics and the CEO and co-founder of Robust Intelligence, which Cisco acquired in 2024. Singer is now vice president of AI and security at Cisco and recruited engineers from Meta and Google to train the cybersecurity large language model (LLM).*

The model was released to open source, including open weights, meaning its parameters, but not its source code or data, are publicly available for anyone to download, inspect, fine-tune and use. Cisco plans to integrate the model with AI agents in its extended detection and response (XDR) product. This week, it rolled out AI agents for attack verification, automated forensics and a visualization tool called Attack Storyboard using other LLMs.

"Cybersecurity data, by its nature, is not necessarily natural language -- it's often bespoke languages," Singer said. "It's dynamic, so threats and vulnerabilities get updated frequently, and all that makes existing AI tools that we have right now for cybersecurity not sufficient for the [security operations center] SOC to adopt them."

The Foundation AI project distilled open source data from 200 billion tokens, the units of text that the LLM processes, down to 5 billion taken from data most relevant to cybersecurity. This makes the model fast-performing, though Cisco did not disclose specific benchmark numbers. Singer said the model is smaller than most foundation models and can run on a single Nvidia A100 GPU on-premises.

Andy Thurai, an independent analyst at The Field CTO, said IT organizations can add their own retrieval augmented generation data to customize the model further for their specific environments.

"Current general-purpose LLMs are mostly used for security-to-human-understanding translation with varying success, unlike this," Thurai said. "Its ability to run on a single A100 GPU is amazing. This means that even the most cost-conscious customers can run this model at the cheapest possible cost without being price-gouged by big-boy LLMs."

Figure: Cisco XDR agentic attack verification. New AI agents that can automate attack verification in Cisco's XDR tool will soon integrate its new cybersecurity LLM.

In March, Trend Micro released an AI reasoning model based on Meta's Llama 3, which was trained on cybersecurity data and has open weights. Increasing specialization of LLMs is an expected evolution now that initial foundation models have been established and reached limited returns for specialized tasks, said Adrian Sanabria, an independent security consultant.

"There is a lot of room for innovation in creating specialized models, without necessarily making any of the models more powerful," Sanabria said. "Reasoning models in an agentic architecture will route tasks to the most appropriate model, API, or service. We're seeing new standards, protocols and architecture emerge to handle all this, [such as] Google's Agent2Agent protocol and [Model Context Protocol] MCP servers."

However, he said, even specialized AI agents that use cybersecurity LLMs are likely to encounter scalability challenges as their use grows.

First, there's the cost -- even a single A100 costs about $8,000, and agentic AI consumes more energy than traditional IT automation workloads, Sanabria said, citing an April 21 analysis by Tim MalcomVetter, CEO and co-founder of Wirespeed, a managed detection and response vendor.

Meanwhile, another security operations startup, Panther, estimates the average SOC receives more than 4,000 alerts per day.

"That's 167 alerts to process per hour. Dropzone AI states it takes AI SOC agents 3 to 11 minutes per alert," Sanabria said. "Cisco would have to be processing 2.7 alerts per minute to keep up with the average."

That's still much faster than the average human SOC analyst, at 20 to 40 minutes, according to Dropzone, but "if each alert is taking Dropzone AI 3 minutes in the best-case scenario, that's a limit of 480 alerts per day, assuming their estimate is for a single GPU," Sanabria said.

Ultimately, agentic AI alone won't alleviate SOC alert fatigue, Sanabria said.

"The answer is to be more selective about the alerts you use AI on, because it's expensive and limited," he said. Existing AI-based tools can also perform event correlation and alert reduction -- but don't need LLMs.

"There are [managed security service providers] automating this at scale without LLMs," he said. "The LLM use seems to be largely driven by hype. My prediction is that if using GenAI to triage alerts and recommend actions works, we'll start seeing acquisitions later this year."

Releasing a cybersecurity LLM to open source also carries potential risks, according to Thurai.

"There are some concerns that bad players can use LLMs like this to scan for vulnerabilities in the enterprise and use it for attacks," he said. "There's always the possibility that if they open source something like this, adversaries can use it to attack things that much faster."

Still, if it performs as advertised, the Cisco Foundation AI model will mostly help enterprises identify vulnerabilities, Thurai said, including during red-teaming exercises.

"There are also already open source tools available that are used by white hats within enterprises," he said.

* Editor's Note: Cisco clarified after publication that it recruited engineers from Meta and Google, rather than leading a collaboration between companies, as was originally reported.

Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
