{"id":17107,"date":"2026-06-14T15:37:40","date_gmt":"2026-06-14T15:37:40","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/deloitte-japan-advances-security-operations-with-cisco-foundation-ais-open-source-model\/"},"modified":"2026-06-14T15:37:40","modified_gmt":"2026-06-14T15:37:40","slug":"deloitte-japan-advances-security-operations-with-cisco-foundation-ais-open-source-model","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/deloitte-japan-advances-security-operations-with-cisco-foundation-ais-open-source-model\/","title":{"rendered":"Deloitte Japan Advances Security Operations with Cisco Foundation AI\u2019s Open-Source Model"},"content":{"rendered":"

\"Retail<\/a><\/p>
\n<\/p>\n

\n

Introduction<\/span><\/b>\u00a0<\/span><\/h2>\n

We are excited to announce that Deloitte Japan\u00a0is\u00a0beginning\u00a0production validation of\u00a0Cisco Foundation AI\u2019s Foundation-sec-1.1-8B-Instruct model for its security operations. By using this security-focused, open-source large language model (LLM), Deloitte Japan has automated\u00a0key tasks\u00a0such as security alert analysis, prioritization, and false positive reduction. This adoption highlights\u00a0how\u00a0open-source generative AI\u00a0can\u00a0enhance traditional security operations and offers\u00a0practical\u00a0insight\u00a0into\u00a0implementing purpose-driven workflows with cost-effective LLMs.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Background<\/span><\/b>\u00a0<\/span><\/h2>\n

As a\u00a0managed\u00a0security service provider, Deloitte Japan receives\u00a0numerous\u00a0security alerts from customer environments every day and must analyze and triage\u00a0them. Some of these tasks are labor-intensive, such as analyzing raw alert logs and\u00a0drafting summaries\u00a0for each alert. Others require specific security knowledge and experience, like\u00a0identifying\u00a0false positives and creating suppression rules to prevent similar issues\u00a0from\u00a0recurring.<\/span>\u00a0<\/span><\/p>\n

By implementing Cisco Foundation AI\u2019s Foundation-sec-1.1-8B-Instruct model, Deloitte Japan has streamlined these tasks\u00a0using\u00a0workflows\u00a0based\u00a0on human analysts\u2019\u00a0expertise. This approach accelerates alert triage\u00a0and improves detection\u00a0quality. Thanks to task-specific prompt tuning and workflow design, Deloitte Japan achieved stable and\u00a0accurate\u00a0results with the Foundation-sec-1.1-8B-Instruct model, matching the performance of models with over 15 times more parameters.<\/span>\u00a0<\/span><\/p>\n

Based on this approach, Deloitte Japan<\/span>\u00a0is now introducing LLM-driven automation into the SOC workflow. The\u00a0objective\u00a0is not full automation of every analyst task, but practical automation of the most repetitive and time-consuming parts of alert handling.<\/span>\u00a0<\/span><\/p>\n


<\/span>\"\"

Workflows<\/span><\/b>\u00a0<\/span><\/h2>\n

Using the Foundation-sec-1.1-8B-Instruct model, Deloitte Japan\u00a0developed three\u00a0core\u00a0workflows.<\/span>
<\/span><\/p>\n

1.\u00a0Alert Analysis Support<\/span>\u00a0<\/span><\/h2>\n

This workflow supports analysts in alert analysis. It analyzes alerts handled by security analysts, assesses the impact of an attack, and provides the results along with the steps leading to the decision.<\/span>\u00a0<\/span><\/p>\n

\"\"

As shown in Figure 2, the agent performs alert ingestion, targeted event collection, grounding, filtering\/deduplication, enrichment, assessment, report generation, and follow-up guidance.<\/span>\u00a0<\/span><\/p>\n

Specifically, it\u00a0performs alert ingestion from SIEM; targeted event collection from IPS and EDR around the alert window; retrieval-augmented grounding against runbooks, prior cases, detection notes, and pre-attached threat intelligence or auxiliary logs; relevance filtering and deduplication; asset\/user\/context enrichment; severity and impact assessment; draft case-note\/report generation; and follow-up guidance.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"\"

Figure 3: Example output of the analysis<\/span>.<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

As shown in Figure 3, the output\u00a0supports\u00a0rationale, key evidence, uncertainty drivers, and an auditable step-by-step analysis trace. It also provides follow-up guidance (next actions and auto-closure criteria for clearly low-risk cases). The next steps are production validation and selective automation for well-bounded low-risk scenarios, with a human in the loop for anything ambiguous.<\/span>\u00a0<\/span><\/p>\n

2. <\/span>Alert Severity Analysis and Prioritization (Alert Triage)<\/span><\/h2>\n

\"\"

This workflow analyzes EDR alerts using alert details and related telemetry to support prioritization and\u00a0identify\u00a0likely false\u00a0positives. As shown in Figure\u00a04, the agent performs alert retrieval, event collection, relevance filtering, severity assessment, report\u00a0drafting, and follow-up guidance.<\/span><\/p>\n

To improve output quality, the workflow uses surrounding EDR activity in addition to the alert itself, while controlling event scope to avoid excessive context. It also separates severity assessment, report drafting, and next-step guidance to reduce context drift and improve\u00a0output\u00a0stability.<\/span>
As shown in Figure\u00a05, the output includes not only a severity label but also\u00a0supporting\u00a0rationale\u00a0and uncertainty-related information that can guide analyst review.\u00a0The next step is production validation and selective automation for clearly low-risk cases.\u00a0The remaining\u00a0challenge is robust evaluation of low-severity and false-positive scenarios.<\/span>\u00a0<\/span><\/p>\n

\"\"

Figure 5:\u00a0<\/span>Example output<\/span>\u00a0of the triage.<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n

3. Alert Suppression Rule Creation based on False Positive Cases<\/span>\u00a0<\/span><\/h2>\n

In this workflow, the agent uses incident data recorded in tickets. Based on that data, it produces a suppression rule that suppresses only alerts linked to events determined to be false positives. It also outputs the reasoning behind the rule. When a false positive involves misuse of legitimate tools, such as Living off the Land attacks, the suppression rule needs to reflect how the tools\u00a0were\u00a0used.<\/span>\u00a0<\/span><\/p>\n

\"\"

Figure 6: Agent workflow for Alert Suppression Rule Creation based on False Positive Cases.\u00a0<\/strong><\/p>\n

As shown in Figure 6, this workflow runs in several phases. To support\u00a0accurate\u00a0decisions, the process is broken down so that each task\u00a0maps\u00a0to a single node, and the graph structure enables branching based on each decision outcome.\u00a0As shown in Figure 7, the workflow outputs the suppression rule. Rather than having the model generate the rule conditions directly, it first selects the necessary conditions from incident-related entities and then assembles them. This is intended to improve the consistency and reproducibility of the conditions and increase the success rate of assembling the rule.<\/span>\u00a0<\/span><\/p>\n

\"\"

Figure\u00a07:\u00a0Agent workflow for Alert Suppression Rule Creation based on False Positive Cases\u00a0\u00a0<\/strong><\/p>\n

These workflows\u00a0can support\u00a0security operations by providing summarized analysis for each alert,\u00a0determining\u00a0severity to\u00a0identify\u00a0critical or false positive cases, and generating effective\u00a0suppression\u00a0rules to filter out false positives in the future.\u00a0With these outputs,\u00a0security\u00a0analysts can quickly understand the content of each alert. Severity scores help analysts focus on the most critical alerts. By applying suppression rules, analysts avoid being overwhelmed by insignificant alerts and can focus on what matters most.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Optimizations<\/span><\/b>\u00a0<\/span><\/h2>\n

The Foundation-sec-1.1-8B-Instruct model is a\u00a0relatively small\u00a0LLM with only 8 billion parameters, which keeps inference costs low\u00a0and makes practical deployment easier. To match the performance of much larger models, Deloitte Japan applied several optimization techniques.<\/span>\u00a0<\/span><\/p>\n

One effective technique was to break tasks into multiple steps within a workflow, rather than using a single, complex prompt. Workflows were designed based on human analysts\u2019 experience, with steps such as extracting key information from alerts, reasoning over extracted values and patterns, and generating outputs based on\u00a0previous\u00a0steps. This allows the model to focus on each step with sufficient context and leverage organization-specific logic to ensure outputs are useful in production.<\/span>\u00a0<\/span><\/p>\n

Another technique was to use structured outputs during intermediate steps. By specifying JSON-formatted output, the workflow can pass\u00a0important information\u00a0between steps more reliably, reduce ambiguity, and support smoother integration with downstream processing.<\/span>\u00a0<\/span><\/p>\n

RAG is also used to improve the accuracy of the analysis. By using a combination of the security analyst\u2019s analytical knowledge,\u00a0monitored\u00a0asset information, and historical response history, the agent can\u00a0suggest\u00a0actions\u00a0more closely aligned with an analyst\u2019s judgment.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Conclusion<\/span><\/b>\u00a0<\/span><\/h2>\n

The integration of Cisco Foundation AI\u2019s Foundation-sec-1.1-8B-Instruct model into Deloitte Japan\u2019s security operations marks a significant milestone in using open-source, security-focused AI models to accelerate and streamline security tasks.\u00a0This helps reduce SOC analyst workload and improve productivity. We extend our sincere gratitude to the Deloitte Japan team for their outstanding implementation and for sharing the details of this use case.<\/span>\u00a0<\/span><\/p>\n

Customer Testimonials<\/h2>\n

\u201cThrough this PoV, Deloitte Japan confirmed that Cisco Foundation AI\u2019s security-focused open-source model can support practical SOC automation, including alert analysis, prioritization, and false-positive reduction. By turning analyst\u00a0expertise\u00a0into structured workflows, we achieved explainable outputs with rationale and evidence. The results show that even an 8B model can deliver stable outcomes when combined with workflow design and structured outputs.\u201d<\/span><\/i>\u00a0<\/span><\/p>\n

\u2014 Kohei Sato, Partner, Head of Cyber Intelligence Center, Deloitte Tohmatsu Cyber LLC<\/span>\u00a0<\/span><\/p>\n<\/p><\/div>\n

\"Retail<\/a><\/p>
<\/p>\n","protected":false},"excerpt":{"rendered":"

Introduction\u00a0 We are excited to announce that Deloitte Japan\u00a0is\u00a0beginning\u00a0production validation of\u00a0Cisco Foundation AI\u2019s Foundation-sec-1.1-8B-Instruct model for its security operations. By using this security-focused, open-source large […]<\/p>\n","protected":false},"author":1,"featured_media":17108,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-17107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/17107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=17107"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/17107\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/17108"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=17107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=17107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=17107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}