Module Summary
What you learned in this module
Section 1.1 — What AI Actually Does (and Does Not Do). You learned the three categories of "AI" in security products: rule-based systems, traditional ML, and large language models. You examined how LLMs work at the level a security practitioner needs: token prediction, context windows, training cutoffs, and non-determinism. You learned why hallucinations are architectural properties of probabilistic text generation, not bugs that future updates will fix. You mapped hallucination risk by output type: low for common KQL syntax, moderate for less common tables and recent schema changes, high for threat attribution, CVE details, and statistics.
Section 1.2 — The AI Capabilities Matrix for Security Operations. You assessed AI capabilities across six core SOC functions: alert triage (3.5 hours per day recovered, low verification overhead), investigation (30 to 45 minutes saved per case, high verification required), detection engineering (advisory-to-rule workflow compressed from 6 hours to 90 minutes), IR documentation (report writing compressed from 3 hours to 30 minutes), compliance (moderate AI effectiveness, high legal review overhead), and automation (highest risk due to production execution). You formalized the investigation feedback loop as a five-step methodology: context loading, generation, validation, execution, iteration.
Section 1.3 — The AI Security Literature. You mapped five frameworks to the specific operational questions they answer. OWASP LLM Top 10 v2.0 for application security risks (prompt injection, system prompt leakage, excessive agency). MITRE ATLAS v5.1.0 for adversary tactics and techniques targeting AI systems (16 tactics, 84 techniques, agent-focused updates). NIST AI RMF 1.0 with the GenAI Profile for governance structure (Govern, Map, Measure, Manage). SANS Secure AI Blueprint for implementable security controls. EU AI Act for legal compliance obligations (phased enforcement through August 2026).
Section 1.4 — Evaluating AI Tools for Security Operations. You built a five-dimension evaluation framework: capability fit (five-task test against your actual environment), data handling (training policies, retention periods, ZDR availability), integration depth (native vs external vs API), cost analysis (total 12-month deployment cost including hidden costs), and governance readiness (audit logging, SSO, configurable retention mapped to NIST AI RMF functions).
Section 1.5 — Data Handling, Privacy, and Operational Security. You built the four-tier data classification matrix defining what data can be processed through which AI platforms: Tier 1 (public, any platform), Tier 2 (anonymized, commercial plans), Tier 3 (raw PII, Enterprise with contractual protections), Tier 4 (never process externally). You deployed a shadow AI detection query against CommonSecurityLog to identify unauthorized AI usage. You established sanitization as a default workflow and mapped regulatory requirements across GDPR, CCPA, HIPAA, and PCI DSS.
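The shadow AI detection query mentioned above runs as KQL in Microsoft Sentinel; the following is an added example (not the course's query) that expresses the same detection logic in Python over records shaped like CommonSecurityLog rows, so the matching and aggregation can be studied offline. Field names follow the CommonSecurityLog schema (SourceUserName, SourceIP, DestinationHostName, RequestURL, SentBytes); the AI service host list, the approved-endpoint allow-list and the sample records are constructed for illustration.

```python
"""Shadow AI detection over constructed CommonSecurityLog-shaped records.

Added example, not the course's KQL query. Field names follow the Microsoft
Sentinel CommonSecurityLog schema (SourceUserName, SourceIP, DestinationHostName,
RequestURL, SentBytes); the host lists and the records are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed watchlist of generative-AI service hosts (illustrative entries).
AI_SERVICE_HOSTS = {
    "chat.openai.com", "api.openai.com",
    "claude.ai", "api.anthropic.com",
    "gemini.google.com", "copilot.microsoft.com",
}
# Hypothetical allow-list: the endpoint sanctioned for Tier 2/3 evidence.
APPROVED_AI_HOSTS = {"api.openai.com"}


@dataclass
class Finding:
    user: str
    host: str
    events: int
    sent_bytes: int
    approved: bool


def _host_of(record):
    """Prefer DestinationHostName; fall back to the RequestURL host (proxies often log only the URL)."""
    host = (record.get("DestinationHostName") or "").lower().rstrip(".")
    if not host and record.get("RequestURL"):
        host = (urlparse(record["RequestURL"]).hostname or "").lower()
    return host


def _is_ai_host(host):
    """Match the host itself or any subdomain of a watchlisted host."""
    return any(host == h or host.endswith("." + h) for h in AI_SERVICE_HOSTS)


def detect_shadow_ai(records, min_sent_bytes=0):
    """Aggregate per (user, host); return unsanctioned AI usage, largest upload volume first.

    SentBytes is the signal that matters: bytes sent to the service approximate how
    much internal data left the environment, which is what the tier rules govern.
    """
    agg = {}
    for r in records:
        host = _host_of(r)
        if not host or not _is_ai_host(host):
            continue
        user = r.get("SourceUserName") or r.get("SourceIP") or "unknown"
        f = agg.setdefault((user, host), Finding(user, host, 0, 0, host in APPROVED_AI_HOSTS))
        f.events += 1
        f.sent_bytes += int(r.get("SentBytes") or 0)
    return sorted(
        (f for f in agg.values() if not f.approved and f.sent_bytes >= min_sent_bytes),
        key=lambda f: (-f.sent_bytes, f.user, f.host),
    )


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"SourceUserName": "jdoe", "SourceIP": "10.1.2.3", "DestinationHostName": "chat.openai.com",
     "RequestURL": "https://chat.openai.com/backend-api/conversation", "SentBytes": "48211"},
    {"SourceUserName": "jdoe", "SourceIP": "10.1.2.3", "DestinationHostName": "api.openai.com",
     "RequestURL": "https://api.openai.com/v1/chat/completions", "SentBytes": "2048"},
    {"SourceUserName": "asmith", "SourceIP": "10.1.2.7", "DestinationHostName": "",
     "RequestURL": "https://claude.ai/api/organizations", "SentBytes": "120345"},
    {"SourceUserName": "asmith", "SourceIP": "10.1.2.7", "DestinationHostName": "claude.ai",
     "RequestURL": "", "SentBytes": "300"},
    {"SourceUserName": "bwong", "SourceIP": "10.1.2.9", "DestinationHostName": "www.example.com",
     "RequestURL": "https://www.example.com/", "SentBytes": "9999"},
    {"SourceUserName": "", "SourceIP": "10.1.2.11", "DestinationHostName": "gemini.google.com",
     "RequestURL": "", "SentBytes": "0"},
]

if __name__ == "__main__":
    for f in detect_shadow_ai(SAMPLE_RECORDS):
        print(f"{f.user:<12} {f.host:<24} events={f.events} sent_bytes={f.sent_bytes}")
```

Approved usage (jdoe to api.openai.com) is dropped, the two asmith records collapse into one finding even though one of them carried only a RequestURL, and the record with an empty user name is attributed to its source IP rather than silently discarded. Raising `min_sent_bytes` turns the output from an inventory into a prioritized exfiltration-risk list.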
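The four-tier matrix and the sanitize-by-default workflow combine into one gate in front of every external AI call. The code below is an added example, not course code: it pseudonymizes identifiers with stable, reversible tokens (so an analyst can map the model's answer back to real hosts and users locally) and then applies the tier ceiling of the chosen platform. The platform catalog, the regexes, the `CORP\` account prefix and the sample alert text are all constructed.

```python
"""Tier-gated sanitization before evidence reaches an external AI platform.

Added example, not course code. Tiers follow the summary above (1 public,
2 anonymized, 3 raw PII on Enterprise with contractual protections, 4 never
external). The platform catalog, the regexes and the sample alert are constructed.
"""
import re

TIER_PUBLIC, TIER_ANONYMIZED, TIER_RAW_PII, TIER_NEVER_EXTERNAL = 1, 2, 3, 4

# Hypothetical catalog: the highest tier each platform is contractually cleared for.
PLATFORM_MAX_TIER = {
    "personal-chatbot": TIER_PUBLIC,
    "commercial-team-plan": TIER_ANONYMIZED,
    "enterprise-zdr": TIER_RAW_PII,   # assumes contractual protections and zero data retention
}

# Order matters: e-mail addresses are replaced before hostnames so a mail domain
# is never half-matched as a host. Patterns are illustrative, not exhaustive.
PATTERNS = [
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("HOST", re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:corp|internal|local)\b")),
    ("USER", re.compile(r"\bCORP\\[\w.-]+")),   # constructed domain-qualified account prefix
]


class Pseudonymizer:
    """Replace identifiers with stable tokens; the mapping never leaves the analyst's host."""

    def __init__(self):
        self.forward = {}   # real value -> token
        self.reverse = {}   # token -> real value

    def _token(self, kind, value):
        if value not in self.forward:
            n = sum(1 for t in self.forward.values() if t.startswith(f"<{kind}_")) + 1
            self.forward[value] = f"<{kind}_{n}>"
            self.reverse[self.forward[value]] = value
        return self.forward[value]

    def sanitize(self, text):
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def restore(self, text):
        """Map tokens in model output back to the real identifiers, locally."""
        for tok, real in self.reverse.items():
            text = text.replace(tok, real)
        return text


def prepare_for_platform(text, tier, platform, sanitize=True):
    """Apply the matrix: refuse Tier 4 outright, pseudonymize by default, then check the platform ceiling."""
    if tier == TIER_NEVER_EXTERNAL:
        raise PermissionError("Tier 4 data must never be processed externally")
    if platform not in PLATFORM_MAX_TIER:
        raise PermissionError(f"platform {platform!r} is not in the approved catalog")
    pz = Pseudonymizer()
    effective = tier
    if sanitize and tier >= TIER_ANONYMIZED:
        text = pz.sanitize(text)
        effective = TIER_ANONYMIZED   # identifiers are tokens now; the context remains
    if effective > PLATFORM_MAX_TIER[platform]:
        raise PermissionError(f"tier {effective} content may not be sent to {platform}")
    return text, pz


def permitted(text, tier, platform, sanitize=True):
    """Boolean view of the gate, usable as a pre-flight check inside a prompt tool."""
    try:
        prepare_for_platform(text, tier, platform, sanitize)
        return True
    except PermissionError:
        return False


# Constructed alert text (no real hosts, users or addresses).
SAMPLE_ALERT = (
    "Alert: suspicious logon for CORP\\jdoe from 10.20.30.40 to fileserver01.corp, "
    "notification sent to jane.doe@corp.example.com; second attempt from 10.20.30.40"
)

if __name__ == "__main__":
    payload, pz = prepare_for_platform(SAMPLE_ALERT, TIER_RAW_PII, "commercial-team-plan")
    print(payload)
    print(pz.restore("Recommend isolating <HOST_1> and resetting <USER_1>"))
```

Two behaviours are worth noting. Repeated identifiers receive the same token, so the model still sees that both logon attempts came from one address; that is what makes the sanitized text analyzable at all. And the gate is asymmetric: raw Tier 3 evidence is only accepted by the Enterprise platform, but once pseudonymized it becomes Tier 2 and may go to a commercial plan, while Tier 4 is refused before any sanitization is attempted.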
Section 1.6 — Building Your AI Operations Foundation. You formalized the investigation feedback loop as a repeatable methodology with quality gates at each step. You architected a prompt library organized by SOC function (Triage, Investigation, Detection, Documentation, Automation). You established a measurement framework with three weekly metrics: time-to-resolution, verification overhead, and output quality. You verified operational readiness across five checklist items before proceeding to the operational modules.
What's next
Module 2 takes the methodology you formalized here and applies it to six investigation types: endpoint compromise, email-based attacks, identity compromise, insider threat, cloud infrastructure incidents, and ransomware. Each investigation type produces tested prompt templates that populate the Investigation category of your prompt library. The investigation feedback loop you learned in section 1.6 is the operational pattern for every investigation in Module 2. The five-check validation discipline is applied to every AI-generated query and analysis. The data classification matrix governs what evidence you can process through which tools.