By: Deb Banerjee, Co-Founder and Chief Technology Officer at Anvilogic
Modern security operations face a paradox: an explosion of telemetry and threat vectors, yet persistent blind spots in detection and triage. As enterprises scale, security teams struggle not just with noise, but with context, specifically the contextual glue needed to connect signals, surfaces, and systems into coherent threat narratives.
The Anvilogic Platform uses a set of AI and ML techniques to adapt, customize and automate its threat detection, hunt, and triage workflows to the enterprise customer’s environment. Anvilogic’s Agentic AI workflows are engineered on this foundation of analytics, workflows, and content that we have developed since our founding, with—and for the needs of—our demanding enterprise customers.
The Anvilogic platform automations include discovery, classification, and normalization of data feeds; modelling the enterprise attack surface; identifying, customizing, and auto-deploying detection logic and tuning it; and, finally, prioritization of alerts. This automated collection of enterprise-specific state and event data—including the entities, their relationships, and data models—is managed as an enterprise security graph in the Anvilogic platform.
This security graph, engineered over the past five years, drives the detection, hunt, and triage automations built into the Anvilogic platform. As we transition into agentic AI and build out natural language-based automations, this enterprise security graph is foundational to improving the accuracy of LLMs used in enterprise security environments, into which LLMs otherwise have no visibility.
We will describe this enterprise security graph and how it is foundational to engineering Anvilogic’s Agentic AI systems that integrate with the enterprise environment.
The Anvilogic Automation Platform: Foundations
These are the core concepts that the enterprise security graph in the Anvilogic Platform is organized around:
1. It starts with classification and analysis of data feeds in enterprise security data lakes and SIEMs.
Anvilogic has developed significant automation capabilities for deeply understanding enterprise logs that have been collected in the variety of data lakes that enterprise SOCs use. Enterprises often have thousands of data feeds collected over many years; Anvilogic has developed AI automation to analyze and classify enterprise datasets to make them easily consumable for detection and threat hunting logic. For example, Anvilogic’s AI automation classifies every data feed into the specific domain of detections it can support—such as endpoint, network, or authentication—by auto-classifying them using MITRE Data Sources and Data Categories. By quickly identifying the specific feeds that have the greatest impact towards detection maturity, and categorizing them into the appropriate domains, we set the foundation for detection and hunt automation.
Further, Anvilogic does not require that enterprises’ datasets be stored in an exact data model, unlike many other vendors. Anvilogic’s detection engineering framework normalizes on read and also contains several integrations to normalize on ingest, if required by the enterprise. Since Anvilogic detection and hunting does not require data feeds to be pre-normalized at ingest time, and can dynamically normalize at read time, Anvilogic threat detection and hunt rules execute against the datasets you have today without requiring any re-coding or re-normalization. The corpus of Anvilogic normalization code developed and deployed across our enterprise base is an excellent basis for Agentic AI systems to generate new normalization code.
As a specific example, enterprise customers may collect a variety of authentication logs such as Okta, Microsoft Entra, Auth0, CrowdStrike, and so on. Anvilogic detects and classifies these feeds for detecting authentication events amongst the thousands of feeds that might exist. Next, it generates and manages the normalizations-as-code for each of these logs. The normalization code maps each of the logs to the Anvilogic data model so that the same detection code can execute against all of these log feeds. Finally, the platform implements detection use cases (e.g., detecting anomalous authentication events) by reusing the normalization code specific to each data feed. This approach ensures that a single piece of detection logic can run effectively across multiple, differently structured log sources.
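The normalize-on-read pattern just described, as an added illustration that is not Anvilogic’s code: two constructed authentication feeds in different native shapes (field names loosely modelled on Okta and Entra sign-in records, assumed for illustration) are mapped onto one common model at query time, and a single failed-then-successful-login detection runs over both without knowing which vendor produced the record.

```python
from collections import namedtuple

# Common data model: detections read only these fields, never raw vendor fields.
AuthEvent = namedtuple("AuthEvent", "ts user src_ip success feed")

# Constructed sample records, loosely shaped like Okta System Log and Entra sign-in
# events. Field names are assumptions for illustration, not the vendors' schemas.
OKTA_FEED = [
    {"published": "2024-05-01T10:00:00Z", "actor": {"alternateId": "Alice@corp.example"},
     "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "FAILURE"}},
    {"published": "2024-05-01T10:00:05Z", "actor": {"alternateId": "alice@corp.example"},
     "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "FAILURE"}},
    {"published": "2024-05-01T10:00:09Z", "actor": {"alternateId": "alice@corp.example"},
     "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}},
]
ENTRA_FEED = [
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "bob@corp.example",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-01T11:00:03Z", "userPrincipalName": "bob@corp.example",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
]

# Normalization-as-code: one small mapper per feed (rename, coalesce, lower-case).
def normalize_okta(rec):
    return AuthEvent(rec["published"], rec["actor"]["alternateId"].lower(),
                     rec["client"]["ipAddress"], rec["outcome"]["result"] == "SUCCESS", "okta")

def normalize_entra(rec):
    return AuthEvent(rec["createdDateTime"], rec["userPrincipalName"].lower(),
                     rec["ipAddress"], rec["status"]["errorCode"] == 0, "entra")

NORMALIZERS = {"okta": normalize_okta, "entra": normalize_entra}

def normalize_on_read(feeds):
    """Apply each feed's mapper at query time; the raw logs stay in their native shape."""
    events = [NORMALIZERS[name](rec) for name, recs in feeds.items() for rec in recs]
    return sorted(events, key=lambda e: e.ts)

def detect_failures_then_success(events, min_failures=2):
    """One detection for every feed: a run of >= min_failures failed logins from a
    (user, ip) pair immediately followed by a success from the same pair."""
    streak, hits = {}, []
    for ev in events:
        key = (ev.user, ev.src_ip)
        if not ev.success:
            streak[key] = streak.get(key, 0) + 1
        elif streak.pop(key, 0) >= min_failures:
            hits.append((ev.user, ev.src_ip, ev.feed))
    return hits
```

Adding a third vendor means writing one more mapper; the detection function is untouched.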
2. The second way Anvilogic customizes to the enterprise environment is by modelling its specific attack surface. We have developed extensive AI automations for recognizing the core platforms, threat actors, and Tactics, Techniques, and Procedures (TTPs) that enterprises prioritize for detection. The MITRE framework is used to represent the dynamic state of prioritized TTPs, which can be updated rapidly as threat actors evolve their techniques and targets. For example, is anomalous authentication a critical priority for detections? And only for cloud platforms?
3. Finally, these capabilities, including comprehensive knowledge of the enterprise attack surface and auto-classification of data feeds, are the foundation for the detection rule recommender system. Anvilogic Armory has thousands of battle-tested detection rules that have been deployed and tuned by many enterprise customers over the last five years. The recommender system uses data classification and threat prioritization to ensure that only the detection rules from our Armory that align with your data sets and target attack surfaces are deployed into your environment—whether that’s Snowflake, Databricks, Azure Log Analytics, or Splunk.
4. In addition to the investments made in the front end of detection and threat hunting, Anvilogic has developed AI-powered automation on the back end—specifically for detection tuning and alert prioritization. A persistent challenge in detection engineering is the high volume of false positives, often resulting from detection logic that has not been tailored to the enterprise’s specific environment. To address this, all alerts are normalized into the Anvilogic data model using our normalization-as-code framework. AI analytics continuously review event and alert data, generating dynamic allowlists for rules identified as noisy within a given environment. These tailored allowlists reduce alert fatigue by suppressing benign activity. Finally, our AI capabilities also analyze contextual indicators across alerts to identify and prioritize those that most warrant investigation, enabling incident response teams to focus on high-impact threats.
The Enterprise Security Graph Powering Anvilogic Automation
The Anvilogic Security Graph consists of the following entities, their associated relationships, and data models. Anvilogic automation constructs this graph by using entity extraction, entity linking, and entity enrichments based on a common data model from the following objects.
1. Data feeds and their classifications and enrichments. Anvilogic has developed a collection of ML techniques that assist in automating the classification of data feeds that exist in a wide variety of data lakes, including Snowflake, Databricks, Splunk, and Azure Log Analytics. These feeds are classified and mapped to MITRE Data Categories, which link to the next set of nodes. For example, a Windows event feed would be mapped to the endpoint domain and to MITRE data sources such as Process, Command, File, or Registry, based on the event codes being collected.
2. Events and normalization-as-code. Anvilogic has developed normalization logic for hundreds of event types, deployed across dozens of enterprise-grade environments. This logic extracts security-relevant entities from a wide variety of raw events and maps them to a standard data model based on the Common Information Model (CIM). The normalization process includes regex-based field extractions, field renaming, and coalescing operations. Each event is associated with a specific data feed, which in turn is mapped to relevant MITRE ATT&CK framework nodes based on the feed’s content.
Anvilogic’s normalization logic can be flexibly deployed either at detection runtime—executed on events as they are queried—or at ingest time, for enterprises that use Anvilogic’s data onboarding pipeline.
3. Detections and their mappings to threat intel frameworks. Detections—whether developed by Anvilogic or third-party security vendors—are key entities in the Anvilogic semantic graph. Each detection is connected to multiple components of the security ecosystem, including mappings to threat intelligence frameworks such as MITRE ATT&CK, associated data feeds, relevant normalization logic, and required enrichment sources (e.g., identity and asset data).
For example, a detection for suspicious PowerShell execution may be linked to any number of telemetry sources—such as Sysmon, Windows Event Logs, or CrowdStrike FDR—which in turn are tied to the appropriate normalization rules. Each detection is also connected to threat intelligence nodes, including TTPs, known threat actors that employ those techniques, and exploit tools that implement them.
4. Alerts and their enrichment and relationships to feeds, events, and detections.
Alerts are emitted from detection objects and form a central node in the Anvilogic security graph. Each alert is linked to the originating detection logic, the triggering event, the source feed, and related threat intelligence entities. Indicators of Compromise (IoCs) are extracted from alert content and enriched with external and internal threat intel to assess severity and context.
For example, the Anvilogic Triage Analyzer processes normalized alert data that includes extracted enterprise entities—such as hostnames, users, IP addresses, and applications—as well as enriched IoCs. This enriched and normalized structure forms the alert graph object, which is used by the Triage Analyzer agent to summarize the end-to-end attack story.
5. Allowlists, rule exclusions, and adaptive tuning.
Allowlists and rule exclusions are critical constructs in the Anvilogic security graph that enable dynamic tuning of detection fidelity. These elements are associated with specific detection rules and are continuously generated by the Tuning Insight module. Based on observed alert patterns and environmental baselines, allowlists suppress benign behaviors, while rule exclusions modify detection logic to better fit the enterprise’s usage context. Some exclusions may have finite lifetimes, allowing for flexible adaptation as behaviors evolve.
As the enterprise environment changes, the graph updates dynamically to reflect new patterns and tuning decisions. This adaptive tuning is implemented efficiently across modern data platforms such as Snowflake and Databricks, leveraging their scalability and flexibility to support high-throughput querying and automation at scale.
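The dynamic allowlists described in item 4 of the previous section and in item 5 here, as an added illustration that is not Anvilogic’s Tuning Insight code: over a constructed alert history for one rule, entity combinations that keep firing become allowlist entries with a finite lifetime, and suppression is applied only while an entry is unexpired so the decision is revisited as behaviour changes. The rule name, hosts and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def _ts(s):
    """Parse an ISO-8601 UTC timestamp (trailing Z or +00:00) into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed alert history for one rule over five days (not customer data). The CI
# build host fires the rule every morning; a workstation fires it once.
ALERTS = [
    {"rule": "suspicious_powershell", "host": "build01", "user": "svc_ci",
     "ts": f"2024-05-0{d}T08:00:00Z"}
    for d in range(1, 6)
] + [{"rule": "suspicious_powershell", "host": "ws-1042", "user": "alice",
      "ts": "2024-05-03T14:12:00Z"}]

def entity_key(alert):
    """The entity combination an allowlist entry is scoped to: rule, host, user."""
    return (alert["rule"], alert["host"], alert["user"])

def propose_allowlist(alerts, min_hits=3, ttl_days=30):
    """Tuning-insight style: an entity combination that keeps firing a rule becomes a
    candidate allowlist entry with a finite lifetime, so suppression is re-evaluated."""
    counts = Counter(entity_key(a) for a in alerts)
    latest = max(_ts(a["ts"]) for a in alerts)
    expires = (latest + timedelta(days=ttl_days)).isoformat()
    return [{"rule": r, "host": h, "user": u, "hits": n, "expires": expires}
            for (r, h, u), n in counts.items() if n >= min_hits]

def apply_allowlist(alerts, allowlist, now):
    """Drop alerts matched by an unexpired entry; expired entries stop suppressing."""
    active = {(e["rule"], e["host"], e["user"])
              for e in allowlist if _ts(e["expires"]) > now}
    return [a for a in alerts if entity_key(a) not in active]
```

The proposed entries are candidates for analyst review; the hit count is kept on each entry so a reviewer can see why it was suggested.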
Enterprise-Aware Agentic AI With The Security Graph
LLMs are very knowledgeable about threats, exploits, and events based on public data sources. However, there is a significant gap in their understanding of enterprise security context—an LLM has no direct visibility into enterprise data models, detections, and enrichment sources such as assets and identities.
This limitation often manifests as hallucinations or overly generic responses, rooted in assumptions made by the underlying LLMs powering Agentic AI systems. To generate high-fidelity responses, these models must be grounded in enterprise-specific context, drawn from key components of the security graph such as assets, identities, detections, and data models. Integrating the enterprise security graph improves reasoning accuracy and reduces hallucinations by narrowing the model’s attention to relevant operational details.
Grounding is the core approach for providing this context. It involves supplementing LLMs with structured enterprise data, typically through Retrieval-Augmented Generation (RAG) and tool integrations. RAG pipelines retrieve specific documents, schema samples, or detection rules to inform model responses. For example, a query like “anomalous user accesses” may be grounded against existing detection rules in the Anvilogic Armory. From there, the system can provide relevant rule examples or sample queries to guide the LLM. A subsequent reasoning step might interrogate the enterprise’s data model—also via RAG—to extract field names and values needed to construct valid, context-aware detection logic.
Anvilogic agents use both semantic search (via embeddings) and traditional keyword search to extract the most meaningful slices of the security graph during this process.
Tool use complements RAG by allowing LLMs to interact with live enterprise systems or APIs. This enables the LLM to ask precise questions like whether a host is a jumpbox, a user is privileged, or an IP address has been associated with suspicious activity. These tool calls let agents retrieve structured answers grounded in the organization’s actual environment.
In the Anvilogic Agent architecture, RAG, search, and tools work together under the direction of LLM-based planning and reasoning. Anvilogic is actively developing best-in-class agents for detection, hunting, and triage. Each agent is capable of ingesting a natural language query—whether initiated by an analyst or another agent—reasoning over it, and generating a sequence of planning steps that invoke RAG, call tools, or chain to additional agents.
These agents are customizable by enterprise teams, who can integrate their own tools into Anvilogic workflows using the Model Context Protocol (MCP). Additionally, we continue to explore fine-tuning hosted LLMs to further improve their reasoning capabilities in security-specific domains, offering flexibility and precision to meet diverse customer needs.
Looking Forward
Anvilogic has already released agents focused on threat intelligence, triage analysis, and detection engineering, with an aggressive roadmap to expand agentic capabilities across detection, hunting, and triage. These agents are built on the foundation of the enterprise security graph and leverage a library of workflows and curated content that have been rigorously battle-tested in production environments across leading enterprise customers.