    Deloitte Japan Advances Security Operations with Cisco Foundation AI’s Open-Source Model

    By Admin, June 14, 2026


    Introduction 

    We are excited to announce that Deloitte Japan is beginning production validation of Cisco Foundation AI’s Foundation-sec-1.1-8B-Instruct model for its security operations. By using this security-focused, open-source large language model (LLM), Deloitte Japan has automated key tasks such as security alert analysis, prioritization, and false positive reduction. This adoption highlights how open-source generative AI can enhance traditional security operations and offers practical insight into implementing purpose-driven workflows with cost-effective LLMs.  

    Background 

    As a managed security service provider, Deloitte Japan receives numerous security alerts from customer environments every day and must analyze and triage them. Some of these tasks are labor-intensive, such as analyzing raw alert logs and drafting summaries for each alert. Others require specific security knowledge and experience, like identifying false positives and creating suppression rules to prevent similar issues from recurring. 

    By implementing Cisco Foundation AI’s Foundation-sec-1.1-8B-Instruct model, Deloitte Japan has streamlined these tasks using workflows based on human analysts’ expertise. This approach accelerates alert triage and improves detection quality. Thanks to task-specific prompt tuning and workflow design, Deloitte Japan achieved stable and accurate results with the Foundation-sec-1.1-8B-Instruct model, matching the performance of models with over 15 times more parameters. 

    Based on this approach, Deloitte Japan is now introducing LLM-driven automation into the SOC workflow. The objective is not full automation of every analyst task, but practical automation of the most repetitive and time-consuming parts of alert handling. 



    Figure 1: SOC workflow and target areas for LLM-based automation.

    Workflows 

    Using the Foundation-sec-1.1-8B-Instruct model, Deloitte Japan developed three core workflows.

    1. Alert Analysis Support 

    This workflow supports analysts in alert analysis. It analyzes alerts handled by security analysts, assesses the impact of an attack, and provides the results along with the steps leading to the decision. 

    Figure 2: Agent workflow for alert analysis support. 

    As shown in Figure 2, the agent performs alert ingestion, targeted event collection, grounding, filtering/deduplication, enrichment, assessment, report generation, and follow-up guidance. 

    Specifically, it performs alert ingestion from SIEM; targeted event collection from IPS and EDR around the alert window; retrieval-augmented grounding against runbooks, prior cases, detection notes, and pre-attached threat intelligence or auxiliary logs; relevance filtering and deduplication; asset/user/context enrichment; severity and impact assessment; draft case-note/report generation; and follow-up guidance.  

    Figure 3: Example output of the analysis. 

    As shown in Figure 3, the output includes the rationale, key evidence, uncertainty drivers, and an auditable step-by-step analysis trace. It also provides follow-up guidance (next actions and auto-closure criteria for clearly low-risk cases). The next steps are production validation and selective automation for well-bounded low-risk scenarios, with a human in the loop for anything ambiguous. 

    2. Alert Severity Analysis and Prioritization (Alert Triage)

    Figure 4: Agent workflow for alert severity analysis and prioritization.

    This workflow analyzes EDR alerts using alert details and related telemetry to support prioritization and identify likely false positives. As shown in Figure 4, the agent performs alert retrieval, event collection, relevance filtering, severity assessment, report drafting, and follow-up guidance.

    To improve output quality, the workflow uses surrounding EDR activity in addition to the alert itself, while controlling event scope to avoid excessive context. It also separates severity assessment, report drafting, and next-step guidance to reduce context drift and improve output stability.

    As shown in Figure 5, the output includes not only a severity label but also supporting rationale and uncertainty-related information that can guide analyst review. The next step is production validation and selective automation for clearly low-risk cases. The remaining challenge is robust evaluation of low-severity and false-positive scenarios. 

    Figure 5: Example output of the triage. 

    3. Alert Suppression Rule Creation based on False Positive Cases 

    In this workflow, the agent uses incident data recorded in tickets. Based on that data, it produces a suppression rule that suppresses only alerts linked to events determined to be false positives. It also outputs the reasoning behind the rule. When a false positive involves misuse of legitimate tools, such as Living off the Land attacks, the suppression rule needs to reflect how the tools were used. 

    Figure 6: Agent workflow for Alert Suppression Rule Creation based on False Positive Cases. 

    As shown in Figure 6, this workflow runs in several phases. To support accurate decisions, the process is broken down so that each task maps to a single node, and the graph structure enables branching based on each decision outcome. As shown in Figure 7, the workflow outputs the suppression rule. Rather than having the model generate the rule conditions directly, it first selects the necessary conditions from incident-related entities and then assembles them. This is intended to improve the consistency and reproducibility of the conditions and increase the success rate of assembling the rule. 

    Figure 7: Example suppression rule output from the workflow. 

    These workflows can support security operations by providing summarized analysis for each alert, determining severity to identify critical or false positive cases, and generating effective suppression rules to filter out false positives in the future. With these outputs, security analysts can quickly understand the content of each alert. Severity scores help analysts focus on the most critical alerts. By applying suppression rules, analysts avoid being overwhelmed by insignificant alerts and can focus on what matters most.  
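The "select conditions from incident entities, then assemble" approach described for workflow 3 can be demonstrated in a few dozen lines. The following Python is an added example, not Deloitte Japan's or Cisco's code: the model's role is reduced to choosing which entity fields to use (represented here by a plain list), and the program assembles the rule, refuses selections that are not grounded in the ticket, and insists on usage context when the suppressed process is a Living-off-the-Land binary. The ticket, field names, and the LOTL list are constructed for illustration.

```python
"""Assemble a suppression rule from incident entities rather than free text.

Added example (not Deloitte Japan's or Cisco's code). The model only *selects*
which entity conditions to use; this code assembles and checks the rule.
Ticket contents and field names below are constructed for illustration.
"""
from __future__ import annotations

import json

# Constructed false-positive ticket: a scheduled inventory script launched
# PowerShell on a server and tripped a Living-off-the-Land detection.
TICKET = {
    "ticket_id": "FP-EXAMPLE-001",  # placeholder identifier
    "verdict": "false_positive",
    "entities": {
        "signature": "Suspicious PowerShell Execution",
        "host": "srv-inv-01",
        "user": "svc_inventory",
        "process": "powershell.exe",
        "parent_process": "taskeng.exe",
        "cmdline_hash": "sha256:CONSTRUCTED-0001",  # constructed value
    },
}

# Binaries whose name alone is too broad to suppress on: a rule for them must
# also pin the usage context (who launched it, from what parent, which command).
LOTL_BINARIES = {"powershell.exe", "cmd.exe", "wscript.exe", "certutil.exe", "rundll32.exe"}
CONTEXT_FIELDS = {"parent_process", "cmdline_hash", "user"}


def assemble_rule(ticket: dict, selected_fields: list[str]) -> dict:
    """Build an equality-match rule from the entity fields the model selected.

    Raises ValueError when the selection cannot yield a safe rule, so a bad
    model choice fails loudly instead of producing an over-broad suppression.
    """
    entities = ticket["entities"]
    if ticket.get("verdict") != "false_positive":
        raise ValueError("only false-positive tickets may generate suppression rules")
    unknown = [f for f in selected_fields if f not in entities]
    if unknown:
        # The model named a condition that does not exist in the ticket.
        raise ValueError(f"selected fields not present in ticket: {unknown}")
    if "signature" not in selected_fields:
        raise ValueError("rule must be scoped to the detection signature")
    process = entities.get("process", "")
    if process.lower() in LOTL_BINARIES and not CONTEXT_FIELDS & set(selected_fields):
        raise ValueError(f"{process} is a LOTL binary; add a context field: {sorted(CONTEXT_FIELDS)}")
    conditions = [{"field": f, "op": "equals", "value": entities[f]} for f in selected_fields]
    return {
        "rule_id": f"suppress-{ticket['ticket_id']}",
        "source_ticket": ticket["ticket_id"],
        "conditions": conditions,
        "rationale": (f"Matches only events sharing all {len(conditions)} entity values "
                      f"of false-positive ticket {ticket['ticket_id']}."),
    }


def rule_matches(rule: dict, alert: dict) -> bool:
    """True when every condition of the rule holds for the alert (AND semantics)."""
    return all(alert.get(c["field"]) == c["value"] for c in rule["conditions"])


# Constructed alerts: the original false positive, and a look-alike that uses
# the same tool on the same host but was launched from an Office document.
FP_ALERT = dict(TICKET["entities"])
LOOKALIKE_ALERT = {**TICKET["entities"], "parent_process": "winword.exe",
                   "cmdline_hash": "sha256:CONSTRUCTED-0002"}


def demo() -> tuple[bool, bool]:
    """Return (original FP suppressed?, look-alike suppressed?) for the safe rule."""
    rule = assemble_rule(TICKET, ["signature", "process", "parent_process", "cmdline_hash"])
    return rule_matches(rule, FP_ALERT), rule_matches(rule, LOOKALIKE_ALERT)


if __name__ == "__main__":
    print(json.dumps(assemble_rule(TICKET, ["signature", "process", "parent_process", "cmdline_hash"]), indent=2))
    print(demo())  # (True, False)
```

Selecting `["signature", "process"]` alone raises, because a rule keyed only on the process name would also silence the look-alike alert; that is the point of forcing the rule to reflect how the tool was used, as the text notes for Living-off-the-Land cases.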

    Optimizations 

    The Foundation-sec-1.1-8B-Instruct model is a relatively small LLM with only 8 billion parameters, which keeps inference costs low and makes practical deployment easier. To match the performance of much larger models, Deloitte Japan applied several optimization techniques. 

    One effective technique was to break tasks into multiple steps within a workflow, rather than using a single, complex prompt. Workflows were designed based on human analysts’ experience, with steps such as extracting key information from alerts, reasoning over extracted values and patterns, and generating outputs based on previous steps. This allows the model to focus on each step with sufficient context and leverage organization-specific logic to ensure outputs are useful in production. 

    Another technique was to use structured outputs during intermediate steps. By specifying JSON-formatted output, the workflow can pass important information between steps more reliably, reduce ambiguity, and support smoother integration with downstream processing. 

    Retrieval-augmented generation (RAG) is also used to improve the accuracy of the analysis. By combining the security analyst’s analytical knowledge, monitored asset information, and historical response records, the agent can suggest actions more closely aligned with an analyst’s judgment.  
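The two optimizations above, splitting a task into steps and passing JSON between them, raise a practical question the text does not spell out: what happens when a small model wraps its JSON in a code fence, adds chatter, or omits a field. The following Python is an added example, not Deloitte Japan's or Cisco's code. `call_model` is a stand-in that returns constructed replies; the step schemas, the severity vocabulary, the retry limit and the sample alert are all assumptions chosen for illustration.

```python
"""Pass structured JSON between workflow steps and validate it before use.

Added example (not Deloitte Japan's or Cisco's code). `call_model` is a stand-in
for an LLM call that returns constructed replies; schemas, field names and the
sample alert are assumptions for illustration.
"""
from __future__ import annotations

import json
import re

SEVERITIES = ("low", "medium", "high", "critical")

# Per-step output schemas: field -> accepted Python type(s).
EXTRACT_SCHEMA = {"process": str, "parent_process": str, "user": str, "indicators": list}
ASSESS_SCHEMA = {"severity": str, "rationale": str, "confidence": (int, float)}

# Constructed alert handed to the workflow (placeholder identifiers).
SAMPLE_ALERT = {
    "alert_id": "EDR-EXAMPLE-42",
    "signature": "Office application spawning PowerShell",
    "host": "ws-finance-07",
    "summary": "winword.exe started powershell.exe for user jdoe",
}

# Constructed model replies, one list per step. The extract reply is fenced and
# followed by chatter; the first assess reply omits "confidence" and must be
# rejected, after which the re-prompt yields a valid reply.
CANNED_REPLIES = {
    "extract": [
        '```json\n{"process": "powershell.exe", "parent_process": "winword.exe", '
        '"user": "jdoe", "indicators": ["office parent", "interactive user"]}\n```\n'
        "Let me know if you need anything else."
    ],
    "assess": [
        '{"severity": "High", "rationale": "Office-spawned PowerShell is a common initial-access pattern"}',
        '{"severity": "High", "rationale": "Office-spawned PowerShell is a common initial-access pattern", '
        '"confidence": 0.8}',
    ],
}
_calls = {step: 0 for step in CANNED_REPLIES}


def call_model(step: str, prompt: str) -> str:
    """Stand-in for the LLM call: returns the next canned reply for the step."""
    replies = CANNED_REPLIES[step]
    reply = replies[min(_calls[step], len(replies) - 1)]
    _calls[step] += 1
    return reply


def extract_json(text: str) -> dict:
    """Pull the JSON object out of a reply, tolerating code fences and chatter."""
    fenced = re.search(r"```(?:json)?\s*(\{.*\})\s*```", text, re.S)
    if fenced:
        return json.loads(fenced.group(1))
    start, end = text.find("{"), text.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object in model output")
    return json.loads(text[start:end + 1])  # JSONDecodeError is a ValueError


def validate(payload: dict, schema: dict) -> dict:
    """Check required fields and types; drop extras so later steps see no noise."""
    missing = [k for k in schema if k not in payload]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    for key, typ in schema.items():
        if not isinstance(payload[key], typ):
            raise ValueError(f"field {key!r} has wrong type {type(payload[key]).__name__}")
    return {k: payload[k] for k in schema}


def structured_step(step: str, prompt: str, schema: dict, max_attempts: int = 3) -> tuple[dict, int]:
    """Run one step; on invalid output, re-prompt with the error. Returns (data, attempts)."""
    feedback = ""
    for attempt in range(1, max_attempts + 1):
        reply = call_model(step, prompt + feedback)
        try:
            return validate(extract_json(reply), schema), attempt
        except ValueError as exc:
            feedback = f"\nPrevious reply rejected: {exc}. Return only the JSON object."
    raise RuntimeError(f"step {step!r} produced no valid output in {max_attempts} attempts")


def run_workflow(alert: dict) -> dict:
    """Extract key facts, then assess severity from the validated facts only."""
    facts, n_extract = structured_step("extract", json.dumps(alert), EXTRACT_SCHEMA)
    assessment, n_assess = structured_step("assess", json.dumps(facts), ASSESS_SCHEMA)
    severity = assessment["severity"].strip().lower()  # normalise the label
    if severity not in SEVERITIES:
        raise ValueError(f"severity {assessment['severity']!r} not in {SEVERITIES}")
    assessment["severity"] = severity
    return {"alert_id": alert["alert_id"], "facts": facts, "assessment": assessment,
            "attempts": {"extract": n_extract, "assess": n_assess}}


if __name__ == "__main__":
    print(json.dumps(run_workflow(SAMPLE_ALERT), indent=2))
```

The second step never sees the raw alert, only the validated JSON from the first, which is what keeps the context of each step small and stable; a rejected reply is fed back as an error message rather than silently passed on, and after the retry budget the step fails so the case falls back to an analyst.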

    Conclusion 

    The integration of Cisco Foundation AI’s Foundation-sec-1.1-8B-Instruct model into Deloitte Japan’s security operations marks a significant milestone in using open-source, security-focused AI models to accelerate and streamline security tasks. This helps reduce SOC analyst workload and improve productivity. We extend our sincere gratitude to the Deloitte Japan team for their outstanding implementation and for sharing the details of this use case. 

    Customer Testimonials

    “Through this PoV, Deloitte Japan confirmed that Cisco Foundation AI’s security-focused open-source model can support practical SOC automation, including alert analysis, prioritization, and false-positive reduction. By turning analyst expertise into structured workflows, we achieved explainable outputs with rationale and evidence. The results show that even an 8B model can deliver stable outcomes when combined with workflow design and structured outputs.” 

    — Kohei Sato, Partner, Head of Cyber Intelligence Center, Deloitte Tohmatsu Cyber LLC 
