GenAI: Building a Foundation for AI in Cybersecurity
Published on June 9, 2026 | Last updated on June 9, 2026
When I talk about Netenrich's use of large language models and agentic systems, I sometimes get a specific question: how did you move so quickly?
The honest answer is that we didn't move quickly at all. We moved steadily for four years before GenAI became the conversation, and when it arrived, it landed on a foundation that was already prepared for it.
The Infrastructure Core: Getting the Data Foundation Right
Let me be specific about what we had built before LLMs became relevant to our work. To successfully deploy AI in cybersecurity, companies cannot bypass the foundational data tier:
Petabyte-Scale Ingestion (2018):
When we rebuilt Netenrich, we committed to Google Chronicle — now Google SecOps — as the foundation. The reason was architectural: we needed petabyte-scale ingestion, sub-second retroactive search, and a unified data model that could support the analytical workloads we intended to run. BigQuery's infrastructure gave us this. The decision was not made for AI reasons. It was made for data engineering reasons that happened to make AI applications in cybersecurity possible later.
NLP Pipelines & Behavioral Baselines (2019-2020):
We were building NLP pipelines on Vertex AI — processing threat intelligence text to extract structured entities, map techniques to MITRE ATT&CK, and connect new intelligence to our detection coverage automatically. We were building behavioral baseline models using ML. We were building the knowledge graph that would accumulate institutional and domain memory across customer environments.
The Ontology Engine (2021):
By 2021, the ontology engine was working. Entity resolution was reliable across source systems. The enrichment pipeline was adding asset criticality, identity context, and behavioral baseline context to events at ingestion. The data foundation was solid.
Grounding GenAI: Why Our Security Agents Do Not Hallucinate
When GPT-4 class models became accessible in 2022 and 2023, we had something that most companies scrambling to add AI to their products did not have: a clean, normalized, enriched, entity-resolved data foundation that could ground an LLM's reasoning in specific, validated domain knowledge rather than general training data.
This is why our agents work without hallucination. Not because we found a clever prompting technique. Because the knowledge graph they reason over contains accumulated, validated intelligence about the enterprise's digital tone and the adversary's behavior — built from real operational data across 200-plus customers over years. The LLM is not filling gaps with plausible-sounding inference. It is reasoning over structured knowledge that was engineered to support it.
Shifting to an Agent-First Architecture
Timing felt like fortune. It was actually sequence. Get the data foundation right first. Then get the analytical models right. Then get the ontology and knowledge graph right. Then, when the generative AI capability arrives, it has something worthy to work with.
We are now AI first and agent first in everything we do. Nine production agents run today. The system learns every hour from operational data across our entire customer base. Every day the knowledge graph grows smarter — deeper on each enterprise's specific reality, broader on adversary behavior across the domain.
The foundation made this possible. The foundation always makes everything else possible.
*Part of my ongoing series on data science and the future of security operations.*
About the Author
Raju Chekuri
A serial Silicon Valley entrepreneur and technology leader, Raju founded Netenrich and leads the company as chairman, president and CEO. Previously, he founded Velio Communications, Inc., and led its acquisition by LSI Logic and Rambus. He also served as chairman of the board at OpsRamp before it was acquired by HPE. He currently serves as an investor and advisor at early-stage startups Two Brothers Organic Farms and the Department of Lore. Raju earned an MBA at St. Mary’s College of California and a Bachelor of Technology at Kakatiya University.