
TL;DR

In this blog post, you’ll learn about mnemonic’s approach to using artificial intelligence (AI) in detection and response.

Our use of AI builds on many years of automation and data-driven security operations, and on a long tradition of developing and operating automated processes to support detection, triage, and response. We’ve observed that AI can accelerate detection and response, but also that decision-making still benefits from experience, judgement, and business understanding.

We are guided by a clear principle: AI should strengthen human decision-making and analytical precision through responsible, transparent, and operationally grounded innovation.

We also outline how we apply AI in practice today and where we are heading next. The blog post explains how mnemonic has conducted extensive machine learning research through projects like AInception and CyberRisk, and how we use AI internally to scale and mature our detection and response capabilities.

One example that is highlighted in this blog is our use of AI models to analyse threat intelligence reports to identify potential detection use cases, summarise key findings, and suggest relevant detection opportunities. These are then matched against our existing detection catalogue (using MCP servers to retrieve internal detection data and mappings to MITRE ATT&CK techniques), helping analysts uncover new and relevant detection opportunities.

A powerful promise

[Image: Matrix Agents in Security Operation Centre, AI-generated]

In The Matrix, the Agents are presented as flawless defenders of the system. They appear instantly, know everything, move faster than humans, and neutralise threats without hesitation. They don’t get tired, they don’t doubt, and they don’t miss. If that sounds familiar, it should. Promises of autonomous defence, instant detection, and self-patching systems are everywhere in cybersecurity marketing these days, often positioning AI as the ultimate agent:

  • Seeing every signal across endpoints, networks, and identities
  • Acting decisively, without hesitation or error
  • Stopping threats before anyone even notices

In theory, this sounds like the end of alert fatigue, skills shortages, and slow response times. The system runs itself. Security becomes automatic, and we remove the need for human analysts.

It’s a powerful promise. And just like in The Matrix, it’s only partly true.

When agents meet reality

Just as in The Matrix, the Agents only work because the world is tightly controlled, predictable, and designed around them. The real world, both for the humans in the movie and for today’s security teams, is far messier. The agents are not intelligent in the human sense. They are fast and consistent, but also ruthless and rigid. When something doesn’t fit their model, they hallucinate.

One of the strongest arguments for AI is reducing analyst fatigue, but if AI helps analysts without them understanding why something happened, confidence drops, decisions slow down and fatigue returns, just in a different form.

In The Matrix, the Agents can enforce rules, but they can’t question them. Humans can. The same applies to security operations. The most important moments in security are not the easy ones with a yes or no answer. They are the uncertain moments that require us to question assumptions and apply business context:

  • Is this a real incident or business-as-usual?
  • Can we block this without disrupting operations?
  • Does this justify escalation right now?

AI can accelerate detection and response, but effective decision-making still benefits from experience, judgement, and business understanding.

Using AI to augment, not replace human expertise

The operational reality presented above shapes how mnemonic applies AI across its services and research. From the technologies we integrate into detection and response, to the internal processes that help scale analyst expertise, and the long-term research efforts that explore new analytical methods, our focus remains consistent: AI is used to augment, not replace, human analytical expertise within our services. We aim to strengthen the efficiency of experienced analysts, ensuring that the deep contextual understanding of systems, threats, and attacker behaviours remains central in our service.

mnemonic’s use of AI builds on many years of automation and data-driven security operations, and on a long tradition of developing and operating automated processes to support detection, triage, and response. Traditional rule-based processes and scripted workflows remain an important part of the operational toolkit, complementing newer AI-driven methods rather than being replaced by them.

Today, we integrate advanced endpoint and threat-detection technologies that apply self-learning models, real-time analytics, and automated response to strengthen customers’ security operations. This approach ensures that detection capabilities remain adaptive, continuously improving, and aligned with an evolving threat landscape.

Examples of such technologies include CrowdStrike Falcon, which builds behavioural AI models for every host to uncover previously unknown threats, and Microsoft Defender for Endpoint, which applies AI-driven detection, predictive analysis, and automated response to protect against malware, ransomware, phishing, and other sophisticated attacks.

Research-driven innovation in machine learning

Over the years, mnemonic has conducted extensive experimentation with machine learning, the area of AI that has shown the most promise for advancing analytical and detection capabilities. By closely following developments in the field and gaining hands-on experience with a wide range of statistical and data-driven techniques, mnemonic has built a strong foundation for applying AI responsibly and effectively.

One example is AInception, a research project funded by the European Defence Fund and implemented by a consortium of eighteen partners, including large industrial organisations, mid-caps, SMEs, RTOs, and defence research institutes from nine European countries. The project is officially supported by seven Ministries of Defence through participation in its Advisory Board.

Within AInception, mnemonic’s focus has been on improving alert aggregation and contextualisation, moving from isolated alerts toward a more coherent understanding of threat scenarios. By using AI-based tools to group and enrich alerts, this research aims to reduce noise and improve situational awareness, enabling faster and more informed response.

Another example is CyberRisk, a research project led by mnemonic in partnership with Norwegian Computing Center (Norsk Regnesentral), Avinor, and DNB. The project is funded by the Research Council of Norway as part of its Innovation Project for the Industrial Sector, supporting business-led innovation that makes extensive use of research and development.

The project aims to semi-automate the digital risk analysis process. To do this, mnemonic uses machine learning to develop predictive models for probability estimation. These include models estimating:

  • Probability that a published vulnerability (CVE) is exploited in the next 30 days
  • Probability that an asset will be involved in a security incident in the next 4 weeks. This includes looking at both machine-level risks, using historical behaviour and characteristics to forecast potential losses, and group-level risks, quantifying potential impacts across services, business processes, or customer environments.

Augmenting detection and response through AI-supported processes

These years of research and experimentation have provided mnemonic with a clear understanding of where AI methods truly add value, and where traditional automation remains more effective. mnemonic continues to invest heavily in research and experimentation to identify how AI can be applied most responsibly and efficiently within its operational context.

This includes critical reflection on the “human-in-the-loop” paradigm. While often promoted as a safeguard against algorithmic bias, mnemonic’s experience suggests that excessive human oversight can reinforce cognitive bias and contribute to analytical fatigue over time, potentially weakening analysts’ ability to critically assess AI-generated insights.

As a result, mnemonic is developing new forms of collaboration between humans and AI systems that uphold high analytical standards while reducing dependency and fatigue.

A central component of this work is the use of Model Context Protocol (MCP) servers to expose event search capabilities and allow large language models to interact securely with collected event data. By combining MCP with tools such as Ollama, ChatGPT, Claude, LangChain, Ragflow and vector databases such as Qdrant, we are developing a range of AI-supported processes.

We use AI models to analyse threat intelligence reports to identify potential detection use cases, summarise key findings, and suggest relevant detection opportunities. These suggestions are then matched against our existing detection catalogue, using MCP servers to retrieve internal detection data and mappings to MITRE ATT&CK techniques. The aim is to shorten the time from intelligence discovery to concrete, implemented detection rules, ensuring that coverage evolves in step with adversary behaviour.
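As an added illustration (not mnemonic’s code or data), this is what the deterministic matching step behind that workflow can look like once a model has summarised a report: technique IDs are extracted from the summary and checked against a constructed detection catalogue with ATT&CK mappings, and a sub-technique counts as covered when a rule maps to it or to its parent technique. The catalogue, rule IDs and summary text are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample detection catalogue (not a real catalogue): each rule
# carries the ATT&CK technique ids it is mapped to.
DETECTION_CATALOGUE = {
    "DET-001": {"name": "Suspicious PowerShell encoded command", "techniques": {"T1059.001"}},
    "DET-002": {"name": "LSASS memory access", "techniques": {"T1003.001"}},
    "DET-003": {"name": "Scheduled task persistence", "techniques": {"T1053"}},
}

# Matches Txxxx and Txxxx.yyy (sub-technique) ids as used in ATT&CK.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

@dataclass
class CoverageReport:
    covered: dict = field(default_factory=dict)  # technique id -> sorted rule ids
    gaps: list = field(default_factory=list)     # technique ids with no matching rule

def extract_techniques(summary: str) -> list[str]:
    """Pull ATT&CK technique ids out of a (model-produced) summary, deduplicated, in order."""
    seen: list[str] = []
    for tid in TECHNIQUE_RE.findall(summary):
        if tid not in seen:
            seen.append(tid)
    return seen

def match_catalogue(techniques, catalogue=DETECTION_CATALOGUE) -> CoverageReport:
    """Match suggested techniques against the catalogue.

    Assumption made here: a rule mapped to a parent technique (T1053) also covers
    its sub-techniques (T1053.005); the reverse is not assumed, so a rule mapped
    only to a sub-technique does not cover a suggested parent technique.
    """
    report = CoverageReport()
    for tid in techniques:
        parent = tid.split(".")[0]
        rules = sorted(rid for rid, det in catalogue.items()
                       if tid in det["techniques"] or parent in det["techniques"])
        if rules:
            report.covered[tid] = rules
        else:
            report.gaps.append(tid)  # candidate for a new detection
    return report

# Constructed summary standing in for what the model returns for a report.
SAMPLE_SUMMARY = """Actor used encoded PowerShell (T1059.001) and created a
scheduled task (T1053.005) for persistence; credentials were dumped from LSASS
(T1003.001), followed by lateral movement over SMB (T1021.002)."""

if __name__ == "__main__":
    r = match_catalogue(extract_techniques(SAMPLE_SUMMARY))
    print("covered:", r.covered)
    print("gaps:", r.gaps)
```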

Stay tuned for another blog post exploring this in detail.

We are also enabling our analysts to use agents that translate natural-language prompts into technically valid queries across diverse data sources. Through a single interface, we target Argus, Falcon, LogScale, Splunk, Kusto Query Language (KQL), and other platforms. AI-powered query generation combines reasoning with MCP guidance and is supplemented by use-case-specific rules for more complex queries.

For example, an analyst can ask: “Fetch all logs involving host X and user A one hour before and one hour after the alert.” Through MCP, the AI agent retrieves verified telemetry directly from operational systems. Tasks that would normally take several minutes to perform manually are completed more efficiently, while reducing the risk of hallucinations and improving interoperability across complex environments.

Beyond query construction, AI supports analysis by identifying patterns, guiding investigations, and surfacing anomalies that require human attention.

Final remarks

Agents can move faster than any analyst, connect signals at machine-scale, and automate large parts of detection and response. But they are limited when context matters, assumptions must be challenged, and decisions carry real operational consequences.

Ultimately, mnemonic’s application of AI is guided by this principle: to strengthen human decision-making and analytical precision through responsible, transparent, and operationally grounded innovation.

Because in security, as in The Matrix, the goal is not to build better agents, but to empower the people who understand the system well enough to defend it.
