> ## Documentation Index > Fetch the complete documentation index at: https://threatbasis.io/llms.txt > Use this file to discover all available pages before exploring further. # AI Orchestration for Security Operations > Learn how to implement AI agents and automated workflows for security operations. Reduce alert fatigue by 70%, accelerate incident response with multi-agent architectures, and build SOAR integrations with human-in-the-loop controls. Includes code examples and implementation patterns. AI orchestration for security leverages autonomous agents and coordinated workflows to automate complex security tasks that traditionally required significant human effort. Security engineers design AI-powered systems that can triage alerts, investigate incidents, and execute response actions while maintaining appropriate human oversight and control. Modern AI orchestration goes beyond simple automation by enabling adaptive, context-aware decision-making. Agents can reason about security events, correlate information across multiple sources, and take actions based on organizational policies and threat intelligence. This capability transforms security operations from reactive alert processing to proactive threat management. According to the [SANS 2024 SOC Survey](https://www.sans.org/white-papers/), security operations centers handle an average of 11,000 alerts daily, with analysts spending 25-30% of their time on false positives. AI orchestration can reduce this burden by automating initial triage, enrichment, and response for routine incidents. ## Why AI Orchestration Matters for Security Security operations face unique challenges that make AI orchestration essential: | Challenge | Impact on SOC Operations | AI Orchestration Solution | | -------------------------- | ------------------------------------- | ----------------------------------------------- | | Alert fatigue | 70% of analysts report burnout | Automated triage and prioritization | | Skill shortage | 3.5M unfilled cybersecurity positions | Amplify analyst capabilities with AI assistance | | Dwell time | Average 204 days to detect breaches | Continuous automated threat hunting | | Manual enrichment | 15-30 minutes per alert investigation | Parallel automated data gathering | | Inconsistent response | Playbook adherence varies by analyst | Standardized AI-driven response execution | | 24/7 coverage requirements | Staffing gaps during off-hours | Always-on automated monitoring and response | | Tool sprawl | Average SOC uses 25+ security tools | Unified orchestration layer across tools | ## Core Concepts AI orchestration in security contexts involves several key architectural patterns defined by security frameworks including [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) and [MITRE ATT\&CK](https://attack.mitre.org/): | Pattern | Description | Security Application | Autonomy Level | | ------------------- | ----------------------------------------- | ------------------------------------------ | -------------- | | Single Agent | Autonomous AI handling specific tasks | Alert triage, log analysis | High | | Multi-Agent | Coordinated agents with specialized roles | Complex incident investigation | Medium-High | | Human-in-the-Loop | AI recommendations with human approval | High-impact response actions | Low-Medium | | Workflow Automation | AI-enhanced SOAR playbooks | Automated enrichment and response | Configurable | | Continuous Learning | Feedback-driven improvement | Detection tuning, false positive reduction | Medium | | Supervisor-Worker | Hierarchical agent coordination | Large-scale threat hunting campaigns | Medium-High | | Consensus-Based | Multiple agents voting on decisions | Critical security classifications | Medium | ## Agent Architecture Patterns Designing effective security AI agents requires careful consideration of autonomy levels, tool access, and safety constraints. The [OWASP AI Security Guidelines](https://owasp.org/www-project-ai-security-and-privacy-guide/) recommend implementing defense-in-depth for AI systems. ### Single-Agent Systems Single-agent systems excel at focused, well-defined security tasks where context is limited and actions are bounded. **Best suited for:** * Alert classification and prioritization * Log parsing and anomaly detection * IOC extraction and enrichment * Vulnerability scanning orchestration * Compliance checking automation ```python theme={null} from anthropic import Anthropic from datetime import datetime import json class SecurityTriageAgent: """Single agent for automated alert triage and classification.""" def __init__(self): self.client = Anthropic() self.severity_thresholds = { "critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.0 } def triage_alert(self, alert: dict) -> dict: """Analyze and classify a security alert.""" prompt = f"""Analyze this security alert and provide triage assessment. ALERT DATA: {json.dumps(alert, indent=2)} Provide your analysis in JSON format: {{ "classification": "true_positive|false_positive|suspicious", "severity": "critical|high|medium|low", "confidence": 0.0-1.0, "attack_technique": "MITRE ATT&CK technique ID if applicable", "recommended_actions": ["list of immediate actions"], "enrichment_needed": ["list of additional data sources to query"], "reasoning": "brief explanation of classification" }}""" response = self.client.messages.create( model="claude-sonnet-4-20250514", max_tokens=1000, messages=[{"role": "user", "content": prompt}] ) return json.loads(response.content[0].text) def batch_triage(self, alerts: list[dict]) -> list[dict]: """Process multiple alerts with priority ordering.""" results = [] for alert in alerts: triage = self.triage_alert(alert) triage["original_alert"] = alert triage["triaged_at"] = datetime.utcnow().isoformat() results.append(triage) # Sort by severity and confidence severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3} results.sort(key=lambda x: (severity_order[x["severity"]], -x["confidence"])) return results ``` ### Multi-Agent Coordination Multi-agent systems distribute complex security tasks across specialized agents, enabling parallel processing and domain expertise per [MITRE ATT\&CK's detection methodology](https://attack.mitre.org/resources/getting-started/). **Architecture patterns:** | Pattern | Coordination Method | Use Case | Complexity | | ------------- | --------------------- | ----------------------------- | ---------- | | Pipeline | Sequential handoff | Staged incident investigation | Low | | Parallel | Concurrent execution | Multi-source enrichment | Medium | | Hierarchical | Supervisor delegation | Complex threat hunting | High | | Blackboard | Shared knowledge base | Collaborative analysis | High | | Auction-based | Task bidding | Dynamic workload distribution | Medium | ```python theme={null} from enum import Enum from dataclasses import dataclass from typing import Callable import asyncio class AgentRole(Enum): TRIAGE = "triage" ENRICHMENT = "enrichment" THREAT_INTEL = "threat_intel" RESPONSE = "response" SUPERVISOR = "supervisor" @dataclass class AgentMessage: sender: AgentRole recipient: AgentRole content: dict priority: int = 0 class SecurityAgentOrchestrator: """Coordinate multiple specialized security agents.""" def __init__(self): self.agents = {} self.message_queue = asyncio.Queue() self.investigation_state = {} def register_agent(self, role: AgentRole, handler: Callable): """Register a specialized agent handler.""" self.agents[role] = handler async def investigate_incident(self, incident: dict) -> dict: """Orchestrate multi-agent incident investigation.""" # Phase 1: Initial triage triage_result = await self.agents[AgentRole.TRIAGE](incident) # Phase 2: Parallel enrichment enrichment_tasks = [ self.agents[AgentRole.ENRICHMENT](incident, triage_result), self.agents[AgentRole.THREAT_INTEL](incident, triage_result) ] enrichment_results = await asyncio.gather(*enrichment_tasks) # Phase 3: Supervisor synthesis combined_context = { "incident": incident, "triage": triage_result, "enrichment": enrichment_results[0], "threat_intel": enrichment_results[1] } # Phase 4: Response recommendation response = await self.agents[AgentRole.SUPERVISOR](combined_context) return response ``` ### Human-in-the-Loop Design Human oversight is essential for high-impact security decisions per [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) guidelines. **Approval thresholds by action type:** | Action Category | Example Actions | Approval Required | Timeout Behavior | | ----------------------- | ---------------------------------- | ----------------- | -------------------- | | Read-only enrichment | WHOIS lookup, reputation check | None | Auto-proceed | | Low-impact containment | Block IP at edge firewall | Optional | Auto-proceed | | Medium-impact response | Disable user account temporarily | Recommended | Queue for review | | High-impact remediation | Isolate production server | Required | Block until approved | | Critical actions | Wipe endpoint, revoke all sessions | Dual approval | Escalate to on-call | ```python theme={null} from enum import Enum from dataclasses import dataclass import asyncio class ApprovalLevel(Enum): NONE = "none" OPTIONAL = "optional" RECOMMENDED = "recommended" REQUIRED = "required" DUAL_REQUIRED = "dual_required" @dataclass class PendingAction: action_id: str action_type: str target: str reasoning: str approval_level: ApprovalLevel timeout_seconds: int approvals: list = None class HumanInTheLoopController: """Manage human approval workflows for AI-recommended actions.""" def __init__(self, notification_service, approval_store): self.notifications = notification_service self.approvals = approval_store self.action_policies = self._load_policies() async def request_approval(self, action: PendingAction) -> bool: """Request human approval for a security action.""" if action.approval_level == ApprovalLevel.NONE: return True # Store pending action await self.approvals.store(action) # Notify appropriate approvers await self.notifications.send_approval_request( action=action, channels=["slack", "pagerduty", "email"] ) # Wait for approval with timeout try: approved = await asyncio.wait_for( self._wait_for_approval(action), timeout=action.timeout_seconds ) return approved except asyncio.TimeoutError: return self._handle_timeout(action) def _handle_timeout(self, action: PendingAction) -> bool: """Handle approval timeout based on policy.""" if action.approval_level in [ApprovalLevel.REQUIRED, ApprovalLevel.DUAL_REQUIRED]: self.notifications.escalate(action) return False return action.approval_level == ApprovalLevel.OPTIONAL ``` ## Security Operations Use Cases AI orchestration enables automation across the security operations lifecycle, from initial detection through containment and recovery. These patterns align with [NIST SP 800-61 Computer Security Incident Handling Guide](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final). ### Alert Triage and Prioritization Automated alert triage reduces analyst workload by 60-80% while improving detection accuracy. ```python theme={null} from anthropic import Anthropic import json class AlertTriageOrchestrator: """Orchestrate alert triage across multiple data sources.""" def __init__(self): self.client = Anthropic() self.enrichment_sources = [] async def triage_with_enrichment(self, alert: dict) -> dict: """Full triage workflow with parallel enrichment.""" # Parallel enrichment queries enrichment_data = await self._gather_enrichment(alert) # AI-powered classification with full context prompt = f"""You are a security analyst performing alert triage. ALERT: {json.dumps(alert, indent=2)} ENRICHMENT DATA: {json.dumps(enrichment_data, indent=2)} Classify this alert considering: 1. Is this a true positive, false positive, or requires investigation? 2. What is the business impact if this is a real attack? 3. What MITRE ATT&CK techniques are indicated? 4. What immediate actions should be taken? Respond in JSON format with classification, severity (critical/high/medium/low), confidence (0-1), mitre_techniques, and recommended_actions.""" response = self.client.messages.create( model="claude-sonnet-4-20250514", max_tokens=1000, messages=[{"role": "user", "content": prompt}] ) result = json.loads(response.content[0].text) result["enrichment"] = enrichment_data return result ``` ### Automated Incident Investigation AI agents can conduct thorough investigations that would take analysts hours, completing them in minutes. This follows the [SANS Incident Handler's Handbook](https://www.sans.org/white-papers/33901/) methodology. **Investigation workflow phases:** | Phase | AI Actions | Human Touchpoints | Time Savings | | ------------------ | --------------------------------------------- | ---------------------------- | ------------ | | Identification | Correlate alerts, identify scope | Confirm incident declaration | 80% | | Scoping | Query all relevant logs, map affected systems | Review scope assessment | 70% | | Evidence Gathering | Collect logs, memory dumps, network captures | Approve forensic actions | 60% | | Timeline Building | Reconstruct attack sequence | Validate timeline accuracy | 75% | | Attribution | Match TTPs to threat actors | Confirm attribution | 50% | | Reporting | Generate incident report draft | Review and finalize | 85% | ```python theme={null} class IncidentInvestigationAgent: """Automated incident investigation with evidence collection.""" def __init__(self, siem_client, edr_client, ti_client): self.siem = siem_client self.edr = edr_client self.threat_intel = ti_client self.client = Anthropic() async def investigate(self, incident_id: str, initial_indicators: list) -> dict: """Conduct comprehensive incident investigation.""" investigation = { "incident_id": incident_id, "timeline": [], "affected_assets": set(), "iocs": set(), "ttps": [], "recommendations": [] } # Phase 1: Expand IOCs through pivoting expanded_iocs = await self._pivot_on_indicators(initial_indicators) investigation["iocs"].update(expanded_iocs) # Phase 2: Query all relevant data sources siem_results = await self.siem.search(expanded_iocs, hours=72) edr_results = await self.edr.hunt(expanded_iocs) ti_matches = await self.threat_intel.lookup(expanded_iocs) # Phase 3: Build investigation timeline timeline = self._build_timeline(siem_results, edr_results) investigation["timeline"] = timeline # Phase 4: AI analysis and recommendation analysis = await self._analyze_investigation(investigation, ti_matches) return analysis ``` ### Threat Hunting Assistance AI-powered threat hunting enables proactive detection of threats that evade traditional detection methods, aligned with [MITRE ATT\&CK-based hunting](https://attack.mitre.org/resources/getting-started/). ```python theme={null} class ThreatHuntingAgent: """AI-assisted threat hunting across enterprise data.""" def __init__(self): self.client = Anthropic() self.hunt_hypotheses = self._load_hunt_library() def generate_hunt_queries(self, hypothesis: str, data_sources: list) -> list: """Generate hunting queries for a given hypothesis.""" prompt = f"""Generate threat hunting queries for this hypothesis: HYPOTHESIS: {hypothesis} AVAILABLE DATA SOURCES: {json.dumps(data_sources)} For each data source, provide: 1. Query syntax appropriate for that platform 2. Expected indicators if the hypothesis is true 3. False positive considerations 4. MITRE ATT&CK technique coverage Format as JSON array of hunt queries.""" response = self.client.messages.create( model="claude-sonnet-4-20250514", max_tokens=2000, messages=[{"role": "user", "content": prompt}] ) return json.loads(response.content[0].text) async def execute_hunt(self, queries: list) -> dict: """Execute hunting queries and analyze results.""" results = [] for query in queries: query_results = await self._execute_query(query) if query_results: analysis = await self._analyze_hunt_results(query, query_results) results.append(analysis) return {"findings": results, "summary": self._summarize_hunt(results)} ``` ### Response Automation Automated response orchestration executes containment and remediation actions based on playbooks and AI recommendations, integrating with SOAR platforms like [Splunk SOAR](https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html), [Palo Alto XSOAR](https://www.paloaltonetworks.com/cortex/xsoar), and [IBM QRadar SOAR](https://www.ibm.com/products/qradar-soar). ```python theme={null} from dataclasses import dataclass from enum import Enum from typing import Optional class ResponseAction(Enum): BLOCK_IP = "block_ip" ISOLATE_HOST = "isolate_host" DISABLE_USER = "disable_user" QUARANTINE_FILE = "quarantine_file" RESET_PASSWORD = "reset_password" REVOKE_SESSIONS = "revoke_sessions" @dataclass class ResponsePlan: actions: list[ResponseAction] targets: list[str] reasoning: str approval_required: bool rollback_plan: Optional[str] = None class ResponseOrchestrator: """Execute automated response actions with safety controls.""" def __init__(self, action_handlers: dict, approval_controller): self.handlers = action_handlers self.approvals = approval_controller self.executed_actions = [] async def execute_response_plan(self, plan: ResponsePlan) -> dict: """Execute a response plan with appropriate approvals.""" results = {"success": [], "failed": [], "pending_approval": []} for action, target in zip(plan.actions, plan.targets): # Check if approval is needed if plan.approval_required: approved = await self.approvals.request_approval(action, target) if not approved: results["pending_approval"].append({"action": action, "target": target}) continue # Execute action with rollback capability try: result = await self.handlers[action](target) self.executed_actions.append({ "action": action, "target": target, "result": result, "rollback": plan.rollback_plan }) results["success"].append({"action": action, "target": target}) except Exception as e: results["failed"].append({"action": action, "target": target, "error": str(e)}) return results ``` ## Implementation Considerations ### Tool and API Integration Effective AI orchestration requires robust integration with security tools across the enterprise. Follow [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0x00-header/) guidelines for secure API integration. **Common integration targets:** | Tool Category | Integration Method | Data Format | Authentication | | -------------------------------------------------------------------------------------------------- | ------------------ | -------------- | -------------- | | [Splunk](https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog) | REST API | JSON | Token/OAuth | | [Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources) | REST API/SDK | JSON | Azure AD | | [CrowdStrike Falcon](https://falcon.crowdstrike.com/documentation/46/crowdstrike-api-quick-start) | REST API | JSON | OAuth2 | | [Elastic Security](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) | REST API | JSON | API Key | | [VirusTotal](https://docs.virustotal.com/reference/overview) | REST API | JSON | API Key | | [MISP](https://www.misp-project.org/openapi/) | REST API | STIX/MISP JSON | API Key | ```python theme={null} from dataclasses import dataclass from typing import Protocol import httpx class SecurityToolClient(Protocol): """Protocol for security tool integrations.""" async def query(self, query: str) -> dict: ... async def execute_action(self, action: str, target: str) -> dict: ... @dataclass class ToolCredentials: api_key: str base_url: str timeout: int = 30 class SecurityToolOrchestrator: """Unified interface for security tool integrations.""" def __init__(self): self.tools: dict[str, SecurityToolClient] = {} def register_tool(self, name: str, client: SecurityToolClient): self.tools[name] = client async def parallel_query(self, query: str, tools: list[str]) -> dict: """Execute query across multiple tools in parallel.""" async with httpx.AsyncClient() as http_client: results = {} for tool_name in tools: if tool_name in self.tools: results[tool_name] = await self.tools[tool_name].query(query) return results ``` ### Safety and Guardrails AI agents operating in security contexts require strict guardrails to prevent unintended harm. These align with [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) principles. **Essential guardrails:** | Guardrail Category | Implementation | Example | | --------------------- | ------------------------------------- | ---------------------------------------- | | Action boundaries | Allowlist of permitted actions | Block actions not in approved list | | Rate limiting | Throttle automated actions | Max 100 IP blocks per hour | | Blast radius limits | Restrict scope of automated responses | Cannot isolate more than 5 hosts at once | | Rollback requirements | Require reversibility for all actions | Store undo commands for each action | | Escalation triggers | Force human review for anomalies | Unusual action patterns trigger review | | Audit logging | Complete audit trail of all decisions | Log reasoning for every AI decision | ```python theme={null} from dataclasses import dataclass from datetime import datetime, timedelta @dataclass class GuardrailConfig: max_actions_per_hour: int = 100 max_concurrent_isolations: int = 5 require_rollback_plan: bool = True high_impact_threshold: float = 0.8 class SafetyGuardrails: """Enforce safety constraints on AI agent actions.""" def __init__(self, config: GuardrailConfig): self.config = config self.action_log = [] self.permitted_actions = set() def validate_action(self, action: str, target: str, context: dict) -> tuple[bool, str]: """Validate action against all guardrails.""" # Check action is permitted if action not in self.permitted_actions: return False, f"Action {action} not in permitted list" # Check rate limits recent_actions = self._count_recent_actions(hours=1) if recent_actions >= self.config.max_actions_per_hour: return False, "Rate limit exceeded" # Check blast radius if action == "isolate_host": current_isolations = self._count_active_isolations() if current_isolations >= self.config.max_concurrent_isolations: return False, "Maximum concurrent isolations reached" # Check rollback plan exists if self.config.require_rollback_plan and "rollback_plan" not in context: return False, "Rollback plan required but not provided" return True, "Validation passed" ``` ### Observability and Audit Complete observability is essential for security AI systems per [SOC 2 Type II](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2) requirements. Every decision must be traceable and explainable. ```python theme={null} import json from datetime import datetime import structlog class AISecurityAuditLogger: """Comprehensive audit logging for AI security operations.""" def __init__(self, log_backend): self.logger = structlog.get_logger() self.backend = log_backend def log_decision(self, decision: dict): """Log an AI decision with full context for audit.""" audit_record = { "timestamp": datetime.utcnow().isoformat(), "decision_id": decision.get("id"), "decision_type": decision.get("type"), "input_context": decision.get("context"), "reasoning": decision.get("reasoning"), "output": decision.get("output"), "confidence": decision.get("confidence"), "model_version": decision.get("model"), "human_override": decision.get("overridden", False) } self.logger.info("ai_decision", **audit_record) self.backend.store(audit_record) def log_action(self, action: dict): """Log an executed action with rollback information.""" action_record = { "timestamp": datetime.utcnow().isoformat(), "action_id": action.get("id"), "action_type": action.get("type"), "target": action.get("target"), "triggered_by": action.get("decision_id"), "result": action.get("result"), "rollback_available": action.get("rollback") is not None } self.logger.info("ai_action", **action_record) self.backend.store(action_record) ``` ## Metrics and Evaluation Track these metrics to measure AI orchestration effectiveness, aligned with security operations KPIs from [SANS SOC Metrics](https://www.sans.org/white-papers/): | Metric | Description | Target | Measurement Method | | --------------------------- | ------------------------------------------------------- | ------------------ | -------------------- | | Mean Time to Triage (MTTT) | Time from alert to initial classification | \< 5 minutes | Timestamp delta | | Mean Time to Respond (MTTR) | Time from detection to containment | \< 30 minutes | Incident lifecycle | | Automation Rate | Percentage of alerts handled without human intervention | > 70% low severity | Action attribution | | False Positive Reduction | Decrease in analyst time on false positives | > 50% reduction | Before/after compare | | Investigation Completeness | Percentage of relevant context gathered automatically | > 80% | Checklist coverage | | Human Override Rate | Frequency of analyst corrections to AI decisions | \< 10% | Override tracking | | Mean Time to Detect (MTTD) | Time from attack start to detection | \< 1 hour | Timeline analysis | | Cost per Incident | Total cost including AI and human effort | 40% reduction | Resource tracking | | Agent Accuracy | Precision and recall of AI classifications | > 95% precision | Confusion matrix | ## Anti-Patterns to Avoid Security AI orchestration introduces unique risks that require careful mitigation: * **Unconstrained autonomy** — AI agents must operate within defined boundaries with appropriate oversight. Define explicit action allowlists and implement circuit breakers per [NIST SP 800-53 AC-6](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) (Least Privilege). * **Opaque decision-making** — All AI actions must be explainable and auditable. Implement structured reasoning logs that capture the decision context, evidence considered, and confidence levels. * **Single point of failure** — AI systems should degrade gracefully when unavailable. Implement fallback workflows that route to human analysts when AI systems are unavailable or confidence is low. * **Insufficient testing** — AI workflows require extensive testing with adversarial scenarios. Test against [MITRE ATLAS](https://atlas.mitre.org/) adversarial ML techniques and red team AI decision-making. * **Alert flooding attacks** — Adversaries may attempt to overwhelm AI systems with false positives. Implement rate limiting and anomaly detection on alert volumes. * **Feedback loop manipulation** — If AI learns from analyst feedback, adversaries may attempt to poison the training data. Validate feedback sources and implement anomaly detection on model drift. * **Over-reliance on automation** — Maintain analyst skills by ensuring meaningful human involvement. Rotate automated alert categories to keep analysts engaged with diverse incidents. ## Tools and Libraries | Tool | Purpose | Integration Type | | ------------------------------------------------------------------------------------------------------ | -------------------------------------- | ---------------- | | [LangChain](https://python.langchain.com/docs/get_started/introduction) | Agent framework and tool orchestration | Python SDK | | [LangGraph](https://langchain-ai.github.io/langgraph/) | Multi-agent graph workflows | Python SDK | | [AutoGen](https://microsoft.github.io/autogen/) | Multi-agent conversation framework | Python SDK | | [CrewAI](https://docs.crewai.com/) | Role-based multi-agent orchestration | Python SDK | | [Anthropic Claude](https://docs.anthropic.com/) | LLM for reasoning and analysis | REST API | | [Splunk SOAR](https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html) | SOAR platform integration | REST API | | [Palo Alto XSOAR](https://www.paloaltonetworks.com/cortex/xsoar) | SOAR platform integration | REST API | | [TheHive](https://thehive-project.org/) | Incident response platform | REST API | | [MISP](https://www.misp-project.org/) | Threat intelligence platform | REST API | | [OpenCTI](https://www.opencti.io/) | Threat intelligence management | GraphQL API | | [Velociraptor](https://docs.velociraptor.app/) | Endpoint visibility and collection | gRPC/REST API | | [Shuffle](https://shuffler.io/) | Open-source SOAR automation | REST API | ## References * [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) * [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) * [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) * [NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final) * [NIST SP 800-53 Rev. 5: Security and Privacy Controls](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) * [MITRE ATT\&CK Framework](https://attack.mitre.org/) * [MITRE ATLAS (Adversarial Threat Landscape for AI Systems)](https://atlas.mitre.org/) * [SANS 2024 SOC Survey](https://www.sans.org/white-papers/) * [SANS Incident Handler's Handbook](https://www.sans.org/white-papers/33901/) * [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0x00-header/) * [LangChain Documentation](https://python.langchain.com/docs/get_started/introduction) * [LangGraph Documentation](https://langchain-ai.github.io/langgraph/) * [Microsoft AutoGen Documentation](https://microsoft.github.io/autogen/) * [Anthropic Claude Documentation](https://docs.anthropic.com/) * [Splunk SOAR Documentation](https://docs.splunk.com/Documentation/SOAR) * [TheHive Project Documentation](https://docs.thehive-project.org/) * [MISP Documentation](https://www.misp-project.org/documentation/) * [SOC 2 Compliance Framework](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2)