Cisco to release AI model with three decades of security knowledge

Security companies are using small AI models to protect businesses. Cisco is set to launch another such “SLM”, following up its 8 billion parameter Foundation-Sec-8B with a 17 billion parameter model. It will contain 30 years of threat intelligence from Cisco Talos. However, the company emphasizes the new model is not a direct successor to Foundation-Sec-8B.

Cisco currently uses Foundation-Sec-8B in its products. The model analyzes security alerts, checks code for vulnerabilities, and suggests workflows that prioritize security. The new model, which is still unnamed, is more ambitious in nature. It must both detect threats and recommend steps to avert those cyber dangers.

At Cisco Live Asia-Pacific in Melbourne, Raj Chopra, senior vice president and chief product officer for security, announced the new 17 billion parameter model. The Register was the first to report on it. The model trains on threat intelligence, incident summaries, and red team playbooks that Cisco has collected. Chopra emphasizes that the Talos team contributes thirty years of data to the training. This should make the new model well-versed in all aspects of threats and defenses against them.

Detection and advice

The new model is therefore not a direct successor to Foundation-Sec-8B, Chopra tells The Register. The company wants to build a model that both detects threats and recommends steps to address them. To do that, Cisco says it needs a comprehensive model. The model will be released “after Christmas, but not far after that.”

According to Chopra, Cisco is working on “a whole phalanx” of new models and AI initiatives. He points to the late October release of an update for the SecureBERT model, a tool for security professionals. Cisco helped the developers improve performance “manyfold” in the new version.

In other words, multiple spear throws are being aimed at the same security problem. We already learned in April that Cisco has big plans for building its own AI models. The company’s Foundation AI, established at the time, is supposed to provide more than just security within Cisco, but that branch of the business is clearly the focus at the moment. Yaron Singer is responsible for Foundation AI and previously led Robust Intelligence, which was acquired by Cisco last year. The task of Cisco’s new AI branch is primarily scientific in nature, and in the spirit of open research, the models are being released as open-source LLMs.

Open source with a commercial side

Cisco is developing these LLMs because, according to the company, organizations need a mix of generic security data and information about their own environment. The models are open-source, but the AI efforts are not entirely altruistic, notes The Register. Cisco uses the models in its own products and positions its Splunk tools as the best way for customers to analyze their own data. That makes sense, but we don’t expect the LLMs for security to simply disappear behind a closed-source wall. This is because generative AI models are not yet mature enough for security purposes.

The solution to this appears to be to build small AI models on high-quality data. In essence, these are Small Language Models (SLMs) that can run on relatively simple hardware. Cisco isn’t the only security company thinking along these lines – Trend Micro’s Cybertron model is also equipped with 8 billion parameters and a treasure trove of proprietary security data. The alternative would be to run the largest AI models from, for example, OpenAI or Anthropic via an API, but these LLMs are not trained on high-quality security data. As a result, they lack the accuracy to be useful, and because they are closed-source, they cannot be customized or checked against the training data. In addition, they require an internet connection to function.

From our own scattered use of local AI, we have noticed that the step between 8 billion parameters and 17 (or so) billion is a big one. That’s just a generic statement of fact with no domain-specific data being used, but size does bring its advantages. All smaller models are highly error-prone when they have to perform many tasks, but the parameters alone should not be used as a yardstick for the skill of an LLM. For example, DeepSeek-R1 consists of 671 billion parameters, but it only uses a fraction of those for each individual AI prompt. A smaller model that focuses solely on security can therefore be seen as one of these fractions that could also have been activated inside a larger LLM for security tasks. This technique is called Mixture-of-Experts and has been built upon by various AI companies, including OpenAI, DeepSeek, Meta, and Mistral.