Cisco decides its homegrown AI model is ready to power its products

Apparently you’re about to get better advice on any identity issues lurking in your infrastructure

by · The Register

Cisco has decided its homegrown AI models are ready to power its products, starting with its Duo Identity Intelligence offering.

The model Cisco will use is called “Foundation-Sec-1.1-8B-Instruct”. As described on the Hugging Face model-mart, it’s an open-weight, 8-billion-parameter instruction-tuned “Auto-regressive language model that uses an optimized transformer architecture,” namely a Meta Llama-3.1-8B backbone.

Cisco tuned the model for cybersecurity applications and optimized it for three uses:

  • SOC Acceleration: Automating triage, summarization, case note generation, and evidence collection.
  • Proactive Threat Defense: Simulating attacks, prioritizing vulnerabilities, mapping TTPs, and modeling attacker behavior.
  • Engineering Enablement: Providing security assistance, validating configurations, assessing compliance evidence, and improving security posture.

In a Tuesday post, Cisco revealed it’s using the model with Duo Identity Intelligence, a service that analyzes who logs on to networks, where they log on from, and which devices they use.

“By examining post authentication signals, the system identifies patterns that traditional access controls often miss, including unusual geographic activity, abnormal privilege usage, and indications of MFA fatigue attempts or session hijacking,” Cisco explained.

The product alerts users to potential identity issues in a weekly email digest that Cisco will now compose with help from its new model.

“Producing such a digest requires an artificial intelligence model that understands identity behavior, can interpret long chains of events, and communicates insights in a way that aligns with how security administrators make decisions,” Cisco’s post states, adding that general-purpose models “are not always tuned for the nuance and precision required for identity security and often introduce external dependencies.”

Using its own model, Cisco says, will deliver “summaries that are more accurate, more readable, and more aligned with real security workflows.”

The company also says the content of the digests will become “noticeably stronger … clearer and more consistent. Prioritization improves, making it easier to identify what demands immediate attention. Insights feel more relevant to each environment, and recommendations are expressed in a more actionable way.” Cisco reckons you’ll therefore end up using Identity Intelligence more often, because the model will produce info that demands action.

The improved digest is the result of collaboration between the teams that develop Duo and Cisco’s foundation models.

“Both groups created a tuned prompt stack that significantly improved output quality and aligned the model with the analytical style expected in the digest,” Cisco’s post states.

Over 2,000 Cisco customers receive the digest. If you’re one of them, let us know if the weekly email has improved!

The model can run on-prem or in the cloud, and do much more than write nice email digests. Cisco says its downstream uses include:

  • Prioritizing vulnerabilities based on contextual risk
  • Extracting compliance evidence from documents
  • Generating red-team attack plans and threat models
  • Predicting attacker next steps in active investigations

In early November, Cisco told The Register it’s working on a 17-billion-parameter foundation model, and “a whole phalanx” of other AI. Foundation-Sec-1.1-8B-Instruct seems to come from the phalanx: while it is a foundation model, it is nine billion parameters short of the forthcoming model Cisco mentioned.®