Cisco's Foundation-Sec-8B: A New Cybersecurity LLM Competes with Giants

📄 Full Paper

🔊

💬 Ask

Cisco Systems has announced Foundation-Sec-8B, a new large language model (LLM) specialized for cybersecurity tasks. According to a technical report released this week, Foundation-Sec-8B rivals the performance of models like Llama 3.1-70B and even GPT-4o-mini on specific cybersecurity benchmarks, despite having a significantly smaller size. This advancement aims to democratize access to sophisticated AI tools within the cybersecurity domain.

One of the key challenges in applying LLMs to cybersecurity has been the limited availability of specialized training data and the complexity of representing intricate cybersecurity knowledge. Unlike general-purpose language tasks, cybersecurity requires a nuanced understanding of vulnerabilities, attack vectors, and threat intelligence.

Foundation-Sec-8B addresses these challenges through continued pretraining on a carefully curated corpus of cybersecurity data. This corpus was built using a two-pronged approach: broad web scraping with a relevance filter and custom scrapers targeting high-quality but less accessible cybersecurity sources. The data collection process involved a sophisticated three-stage pipeline, starting with wide-net scraping, followed by parallelized processing for filtering and cleaning, and concluding with training preparation steps like deduplication and tokenization.

The model’s performance was evaluated on several cybersecurity benchmarks, including CTIBench, CyberMetric, and SecBench. CTIBench, for example, assesses a model’s ability to understand and mitigate cyber threats through tasks like multiple-choice question answering (MCQA) and root cause mapping (RCM). Results presented in the paper indicate that Foundation-Sec-8B shows significant improvement over its base model, Llama 3.1-8B, while matching or even surpassing the performance of GPT-4o-mini in cyber threat intelligence knowledge.

To illustrate the significance of these results, consider the task of identifying the root cause of a vulnerability. A cybersecurity analyst might be presented with a Common Vulnerability Enumeration (CVE) record and asked to map it to a Common Weakness Enumeration (CWE) entry. Foundation-Sec-8B’s enhanced understanding of cybersecurity concepts allows it to perform this mapping with greater accuracy, enabling faster and more effective vulnerability remediation.

Cisco envisions Foundation-Sec-8B being used in a variety of cybersecurity applications, including:

• SOC Acceleration: Automating the triage, enrichment, and contextualization of security alerts in Security Operations Centers (SOCs). For instance, it can summarize multi-source alerts into human-readable case notes or generate incident timelines.

• Proactive Threat Defense: Modeling and simulating attacker behavior, such as extracting Tactics, Techniques, and Procedures (TTPs) from threat intelligence reports or prioritizing vulnerabilities.

• Engineering Enablement: Streamlining security engineering workflows by providing secure development guidance, validating configurations, and supporting compliance efforts.

The release of Foundation-Sec-8B aims to foster broader experimentation and adoption of AI-driven security tools within both public and private cybersecurity contexts. By providing a high-performing, specialized LLM, Cisco hopes to empower cybersecurity professionals and accelerate innovation in the field.

Chat about this paper

To chat about this paper, you'll need a free Gemini API key from Google AI Studio.

Your API key will be stored securely in your browser's local storage.