A curated, practitioner-maintained reference of AI and machine learning use cases for detection engineering and SOC operations.
The AI + cybersecurity space is flooded with vendor marketing. Most "AI for SOC" content is product positioning dressed up as thought leadership, and it rarely answers the questions practitioners actually have: What does this do? What data does it need? How hard is it to build? Is AI even the right tool here?
This repo is a practical, detection-engineer-authored reference that catalogs actual use cases with enough detail to evaluate feasibility and start building. No vendor alignment. No hype. Just structured, honest documentation of where AI and ML add real value to detection engineering workflows.
Many things marketed as "AI for SOC" are actually SIEM correlation, SOAR automation, and data engineering problems. Slapping an LLM on a workflow that needs a lookup table or a threshold doesn't make it intelligent — it makes it slow and expensive.
This repo draws a hard line between what should be done deterministically and where AI genuinely adds value. Before diving into use cases, read:
- Prerequisites — foundational capabilities that must exist before AI adds value
- Where AI Fits (And Doesn't) — the decision framework for deterministic vs. AI approaches
- Where AI Fails — the failure taxonomy and per-use-case mitigations once you've crossed the boundary
The use cases below describe what the AI does. Before deploying any of them in production, you also need to decide how and in what order:
- Deployment Roadmap — phased adoption by SOC size, dependency DAG, pilot → production gates
- Cost Models — token economics, per-use-case spend at current pricing, ROI framing
- Validation Harness — golden sets, calibration measurement, regression gates
- Adversarial AI Considerations — prompt injection, evasion, feedback poisoning
- Privacy and Data Handling — what leaves your environment and how to control it
- Governance Mapping — the artifacts your CISO/Privacy/Audit team will ask for
- Examples — working prompts, golden sets, and eval scaffolding for selected use cases
If these aren't in place, start here before looking at AI use cases.
AI use cases in detection engineering depend on mature foundational capabilities. The prerequisites section covers five pillars that must be operational first:
- Structured Alert Data — normalized, queryable alert logs with consistent field schemas
- Detection-as-Code — version-controlled rule files with metadata (MITRE tags, severity, descriptions)
- Entity Resolution — reliable mapping of observables to business entities (users, hosts, services)
- Baseline Metrics — established true/false positive rates, alert volumes, and triage timing
- Automation Foundation — working SOAR or scripted enrichment pipelines for deterministic tasks
31 documented use cases organized by category. Each links to a detailed write-up covering what AI actually does, required data inputs, architecture patterns, and implementation guidance.
| # | Use Case | What AI Actually Does | Primary Data Input | Complexity |
|---|---|---|---|---|
| 01 | Detection Performance Analytics | Synthesizes metrics into prioritized narratives; identifies cross-rule patterns | SIEM alert logs | Medium |
| 02 | Entity Cardinality Noise Analysis | Interprets entity patterns in detection context; clusters by semantic similarity | SIEM alert logs | Medium |
| 03 | Automated Rule Tuning Recommendations | Generates contextual tuning proposals with safety assessment | SIEM alert logs, rule files | Medium |
| 04 | Detection Drift Monitoring | Diagnoses likely cause of rule silence or behavioral changes | SIEM alert logs, rule files | Medium |
| 05 | Temporal Pattern Detection | Identifies complex temporal patterns and explains their business context | SIEM alert logs | Low-Medium |
| 30 | Self-Optimizing Closed-Loop Tuning | Closes the loop on UC-03: dispositions automatically generate, validate, deploy, and monitor tuning changes, with rollback | Disposition stream, rule corpus, validation harness | Very High |
| # | Use Case | What AI Actually Does | Primary Data Input | Complexity |
|---|---|---|---|---|
| 06 | MITRE ATT&CK Posture Scoring | Generates health narratives; assesses observable diversity; executive summaries | Alert logs, rule files | High |
| 07 | Threat-Informed Gap Prioritization | Synthesizes CTI reports into structured technique lists; risk-ranks gaps | Rule files, CTI reports | Medium-High |
| 08 | Kill Chain Completeness Analysis | Assesses operational meaningfulness of detection at each attack stage | Alert logs, rule files | Medium |
| 09 | Cross-Domain Detection Coverage | Evaluates quality and complementarity of cross-domain coverage | Alert logs, rule files | Medium |
| 10 | Executive Posture Reporting | Transforms technical metrics into leadership-consumable narratives | Posture scores | Medium |
| 28 | Detection Coverage Mapping for Compliance | Maps detection content to compliance frameworks (NIST, CSA AICM, ISO, PCI, EU AI Act) with cross-regime prioritization | Rule corpus, control libraries, signal quality scores | Medium-High |
| # | Use Case | What AI Actually Does | Primary Data Input | Complexity |
|---|---|---|---|---|
| 11 | LLM Triage Verdicts | Weighs ambiguous signals; produces structured verdicts with reasoning | Enriched alerts | High |
| 12 | Alert Cluster Narrative Synthesis | Generates coherent attack narratives from pre-correlated alert clusters | Correlated alerts | Medium-High |
| 13 | Natural Language Alert Query | Translates natural language to SIEM queries; summarizes results | Alert indices | Medium |
| 14 | Agentic Investigation Execution | Dynamic investigation with reasoning-driven pivot decisions | Multiple APIs | Very High |
| # | Use Case | What AI Actually Does | Primary Data Input | Complexity |
|---|---|---|---|---|
| 15 | LLM Investigation Guide Generation | Generates structured triage guides by reasoning about detection logic | Rule files | Medium |
| 16 | Observable Artifact Extraction | Extracts and classifies observables from complex query logic | Rule files | Low-Medium |
| 17 | Rule Comparison & Gap Analysis | Semantic comparison of rules across formats and query languages | Rule files, CTI reports | Medium |
| 18 | Rule Quality Assessment | Assesses semantic quality, MITRE accuracy, and evasion gaps | Rule files | Medium |
| 19 | Detection Rule Generation | Generates candidate detection rules from threat intel or technique descriptions | CTI reports, ATT&CK | Medium-High |
| 23 | Synthetic Detection Testing Data Generation | Generates diverse, schema-compliant synthetic log events for testing detection rule logic | Rule files, ATT&CK data, log schemas | Medium |
| 24 | Cross-SIEM Rule Migration & Semantic Translation | Bulk corpus migration via semantic dedup against target's prebuilt library + intent-aware translation | Source + target rule corpora, schema mappings | High |
| 25 | AI Agent & MCP Activity Detection | Detection content for AI agents, MCP servers, A2A telemetry; OWASP Agentic Top 10 / ATLAS coverage | Agent telemetry, MCP logs, identity context | High |
| 26 | Continuous Detection Validation (Atomic Test CI) | Orchestrated execution of Atomic / Caldera / Stratus tests + diagnosis of failures + evasion variant generation | Rule corpus, test library, isolated test env | High |
| 27 | AI-Driven Log Source Onboarding & Parser Generation | Generates ingest configs from vendor docs + samples; suggests schema mappings; monitors field-population drift | Vendor docs, sample logs, schema reference | Medium-High |
| 31 | Detection Content Provenance & Supply Chain Integrity | Cryptographic signing, attribution chains, modification anomaly detection, AI-generation tracking | DaC repo, signing infra, AI-gen metadata | Medium-High |
| # | Use Case | What AI Actually Does | Primary Data Input | Complexity |
|---|---|---|---|---|
| 20 | Analyst Workflow Optimization | Identifies investigation patterns and generates improvement proposals | Triage workflow data | Medium |
| 21 | Threat Intelligence Synthesis | Extracts TTPs from reports; compares against posture; generates actionable briefs | CTI reports, posture data | Medium |
| 22 | Detection Program Health Reporting | Synthesizes all metrics into narrative program health reports | All metrics | Medium |
| 29 | SIEM Cost & Data Tiering Optimization | Per-source cost vs. coverage analysis; hot/warm/cold tier recommendations with detection-impact modeling | Cost data, ingest volume, dependency map | Medium |
Shared frameworks referenced across multiple use cases.
| Concept | Description |
|---|---|
| Domain-Aware Entity Framework | Structured approach to entity resolution that maps raw observables to business-context entities across identity, network, endpoint, and cloud domains |
| Signal Quality Scoring | Quantitative scoring model for evaluating the analytical value of individual alert signals based on fidelity, specificity, and enrichment completeness |
| Detection Confidence Scoring | Framework for assigning and maintaining confidence scores on detection rules based on testing depth, tuning maturity, and real-world validation |
| Entity Cardinality as FP Proxy | Using the ratio of unique entities triggering a rule as a lightweight, pre-triage indicator of false positive rate |
| Where AI Fits (And Doesn't) | Decision framework for distinguishing deterministic automation problems from genuine AI/ML opportunities in detection workflows |
| Alert Correlation Patterns | Industry survey of alert correlation architectures (entity-centric, kill-chain-centric), weighted scoring models (Splunk RBA, Elastic Entity Risk), temporal windowing, UEBA integration, and building block rule patterns across major platforms |
| Agentic SOC Architecture | Reference architecture for multi-step, tool-using AI agents that execute investigation workflows with human-in-the-loop controls |
| Where AI Fails | Failure taxonomy (hallucination, calibration drift, anchoring, prompt injection, data quality regression, cost blow-up, feedback poisoning, model drift) with per-use-case mitigations |
| Adversarial AI Considerations | Threat model and engineering controls for AI-augmented SOCs: prompt injection, evasion, tool abuse, feedback poisoning, threat-intel poisoning |
| Validation Harness | Specification for golden sets, eval runners, regression gates, and continuous production monitoring per use case |
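The entity-cardinality proxy described in the concepts table above, as an added example (this is not code from the repository): given a structured alert log in which each alert carries a `rule_id` and a resolved `entity`, it computes per rule the ratio of distinct entities to total fires, records the busiest entity's share of those fires, and bands each rule. The sample alerts, the band thresholds (`low`, `high`), the minimum-volume guard (`min_alerts`) and the function names are constructed assumptions for illustration.

```python
"""
Entity cardinality as a pre-triage false-positive proxy.

Added example, not code from the repository. Per rule, compare the number of
distinct entities that triggered it against total fires. A rule whose alerts
come from very few entities is a tuning candidate (one noisy host or service
account); a rule where nearly every alert is a different entity needs a
different kind of scrutiny. All thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed alert log (not real data): rule_id, timestamp, resolved entity.
SAMPLE_ALERTS = [
    # R-101 fires repeatedly on one backup service account plus a single other host
    *[{"rule_id": "R-101", "ts": f"2024-01-01T00:{i:02d}:00Z", "entity": "svc-backup"} for i in range(18)],
    {"rule_id": "R-101", "ts": "2024-01-01T01:00:00Z", "entity": "host-17"},
    {"rule_id": "R-101", "ts": "2024-01-01T01:05:00Z", "entity": "host-17"},
    # R-202 fires on a different host each time
    *[{"rule_id": "R-202", "ts": f"2024-01-01T02:{i:02d}:00Z", "entity": f"host-{i}"} for i in range(5)],
    # R-303 fires twice on each of four workstations
    *[{"rule_id": "R-303", "ts": f"2024-01-01T03:{i:02d}:00Z", "entity": f"ws-{i % 4}"} for i in range(8)],
    # R-404 has a single fire: too little volume for the ratio to mean anything
    {"rule_id": "R-404", "ts": "2024-01-01T04:00:00Z", "entity": "host-99"},
]


@dataclass(frozen=True)
class CardinalityStats:
    rule_id: str
    alert_count: int
    unique_entities: int
    ratio: float             # unique_entities / alert_count, in (0, 1]
    top_entity: str          # busiest entity for this rule
    top_entity_share: float  # fraction of the rule's alerts from that entity
    band: str                # insufficient | concentrated | expected | dispersed


def entity_cardinality(alerts, min_alerts=5, low=0.15, high=0.9):
    """Per-rule cardinality stats, banded with assumed thresholds."""
    per_rule = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        per_rule[alert["rule_id"]][alert["entity"]] += 1

    stats = {}
    for rule_id, counts in per_rule.items():
        total = sum(counts.values())
        unique = len(counts)
        ratio = unique / total
        top_entity, top_n = max(counts.items(), key=lambda kv: kv[1])
        if total < min_alerts:
            band = "insufficient"   # ratio is meaningless on a handful of fires
        elif ratio <= low:
            band = "concentrated"   # few entities produce most fires: tuning candidate
        elif ratio >= high:
            band = "dispersed"      # nearly every fire is a new entity: check rule breadth
        else:
            band = "expected"
        stats[rule_id] = CardinalityStats(rule_id, total, unique, ratio,
                                          top_entity, top_n / total, band)
    return stats


def tuning_candidates(stats):
    """Concentrated rules, ordered by how dominant the busiest entity is."""
    return sorted((s for s in stats.values() if s.band == "concentrated"),
                  key=lambda s: s.top_entity_share, reverse=True)


if __name__ == "__main__":
    result = entity_cardinality(SAMPLE_ALERTS)
    for s in sorted(result.values(), key=lambda s: s.ratio):
        print(f"{s.rule_id}: {s.alert_count} alerts, {s.unique_entities} entities, "
              f"ratio={s.ratio:.2f}, top={s.top_entity} ({s.top_entity_share:.0%}), band={s.band}")
    for s in tuning_candidates(result):
        print(f"review {s.rule_id}: {s.top_entity} accounts for {s.top_entity_share:.0%} of fires")
```

The minimum-volume guard matters: a rule with one fire has a ratio of exactly 1.0 and would otherwise look "dispersed". The busiest-entity share is what an analyst actually acts on; it turns "this rule is noisy" into "this rule is noisy because of svc-backup", which is the input a deterministic allowlist or threshold tune needs before any LLM is involved.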
| Document | Description |
|---|---|
| Correlation Rule Framework | Guide to designing a multi-tier ES\|QL correlation framework: entity-centric correlation (user + host), kill chain progression, identity-endpoint chains, lateral movement detection, risk score accumulation, and campaign detection — with production-ready ES\|QL example rules for each tier |
| Cross-Rule Deduplication | Spec for consolidating overlapping correlation-rule fires into single incidents — expected overlap patterns, tier-priority headline selection, consumption by UC-11/UC-12/UC-14, vendor implementations (Sentinel graph, Splunk RBA, Elastic Attack Discovery) |
| Identity Resolution Pattern | Reference design for the lookup-identity-resolution index that fixes silent false negatives in cross-domain rules (CORR-5E, CORR-1A, CORR-2B, CORR-3A) caused by mismatched user-name formats across domains. Foundational for UC-25 typed-entity treatment of agent identities. |
Specifications for the data structures referenced across use cases.
- Alert Log Fields — required and recommended fields for SIEM alert log data used as AI input
- Rule File Formats — supported detection rule formats (Sigma, SPL, KQL, YARA-L) and required metadata fields
- Domain Entity Mapping — schema for mapping raw observables to resolved entities across security domains
Documentation that turns the use cases above from designs into operating systems:
| Document | Description |
|---|---|
| Deployment Roadmap | Phased adoption by SOC size archetype (Small / Medium / Large), use-case dependency DAG, per-use-case pilot → production promotion criteria, rollback triggers, build-vs-buy matrix |
| Cost Models | Per-use-case token economics at current Claude / GPT pricing, total cost envelopes by SOC size, cost levers (caching, model tiering, on-prem breakeven), budget template |
| Privacy and Data Handling | What leaves your environment per use case, redaction patterns, vendor/region considerations, when to insource inference, per-use-case recommended posture |
| Governance Mapping | NIST IR 8596 Cyber AI Profile mapping for detection engineering, NIST 800-53 COSAiS overlays, CSA AICM, EU AI Act Article 15 (Aug 2026 enforcement), ISO 42001, and the six-artifact set per use case that satisfies audit |
Working artifacts for selected use cases — production-shaped prompts, golden eval sets, scoring logic.
- Examples Index — what's there and how to use it
- TEMPLATE — starting point for new use case examples
- UC-15: Investigation Guide Generation — recommended starting use case
- UC-01: Detection Performance Analytics — two-pass batch analysis with prompt caching
- UC-11: LLM Triage Verdicts — highest-stakes example with adversarial test gates and calibration measurement
The remaining use cases follow the same template — add as you build them.
- Tools & Projects — open-source tools, libraries, and projects relevant to AI-assisted detection engineering
- Vendor Landscape — factual overview of vendor capabilities mapped to use case categories (no endorsements)
- Reading List — papers, blog posts, and talks worth reading on AI/ML applied to security operations
This repository is scoped to AI for Detection Engineering. The following adjacent AI-for-security categories are intentionally deferred and will be addressed in future companion repositories once this one is mature:
- AI for Threat Intelligence — IOC extraction from unstructured reports, actor profiling, infrastructure pivoting, victimology synthesis, dark-web monitoring
- AI for Threat Hunting — hypothesis generation, iterative hunt-loop agents, anomaly explanation, hunt-to-detection promotion
- AI for Incident Response — containment scoping, exec-comms drafting, post-mortem synthesis, BCP triggers
- AI for Adversary Emulation — scenario generation, atomic-test selection, detection-coverage validation, purple-team retros
- AI for Malware & Forensics — RE assistance, sandbox report synthesis, YARA/Snort/Suricata generation, memory artifact reasoning
UC-21 (Threat Intelligence Synthesis) and UC-23 (Synthetic Detection Testing Data) gesture toward those domains as they intersect with detection engineering. The full categories belong in their own repositories with their own template discipline.
- Detection engineers building or evaluating AI-assisted detection workflows
- SOC managers assessing where AI can realistically improve analyst efficiency and detection quality
- Security architects designing platforms that integrate AI capabilities into security operations
- DevSecOps / SOAR engineers implementing the automation and data pipelines that AI use cases depend on
Jay Tymchuk
- GitHub: InfoSecJay
- LinkedIn: jay-tymchuk
This project is licensed under the MIT License.