
Cisco Foundation AI takes on key role within Identity Intelligence

First production deployment of proprietary AI model


Cisco Identity Intelligence is Cisco’s first product to run entirely on an internally developed AI model, the company announced this week. The Foundation-sec-1.1-8B-Instruct model analyzes identity behavior and detects threats that would otherwise be hard to spot.

Cisco Identity Intelligence helps organizations identify identity-related risks. The system monitors who logs in, where that happens, and which device is used. By analyzing post-authentication signals, the solution recognizes patterns that traditional access controls often miss. These include unusual locations, abnormal use of privileges, session hijacking, and so-called “MFA fatigue” attacks. In the latter, attackers spam a user with MFA requests, and the user regularly gives in to get rid of the notifications.

Every week, Cisco emails users a summary of the most important identity-related events. This includes notable activity, risk trends, and options for improving cyber hygiene. Cisco points out that 2,000 customers rely on this service. From now on, these weekly digests will be generated by Cisco’s own Foundation AI model. We wrote about this in detail during the annual RSA Conference. General AI models can help, says Cisco, but they are not always tailored to the nuance and precision that identity security requires. They also introduce external dependencies, which the company understandably wants to avoid. The Cisco model is specifically trained on cybersecurity and identity scenarios, so its reasoning is in line with the working methods of SOC analysts and identity managers.

This is a logical application of highly domain-specific AI. Since Cisco can draw on decades of security data and curate that data itself for AI training, its own model is potentially more skilled in Cisco’s own applications and research areas.

This naturally entails development costs, but AI models can be effective in such limited target areas, especially if their ‘temperature’ is as low as possible. Temperature refers to the amount of variability a generative AI model is allowed in its output: at a temperature of 0, the output is theoretically completely predictable. In practice, it is sometimes still not completely deterministic due to floating point calculations, but the range of responses can be limited through fine-tuning and feedback rounds from actual users. It is not a completely ‘proprietary’ model, as we explain below.
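To make the temperature point concrete, the following added example (not Cisco's code; the vocabulary, logit values and function names are constructed for illustration) implements temperature-scaled softmax and shows how a different floating-point summation order can flip the greedy choice at temperature 0.

```python
import math

def accumulate(terms):
    """Add floats strictly left to right, as one fixed reduction order would."""
    acc = 0.0
    for t in terms:
        acc += t
    return acc

def token_probs(logits, temperature):
    """Temperature-scaled softmax; temperature 0 is treated as greedy argmax."""
    if temperature < 0:
        raise ValueError("temperature must be >= 0")
    if temperature == 0:
        # max() returns the first maximal index, so exact ties go to the earlier token
        best = max(range(len(logits)), key=logits.__getitem__)
        return [1.0 if i == best else 0.0 for i in range(len(logits))]
    scaled = [z / temperature for z in logits]
    peak = max(scaled)  # subtract the peak so exp() cannot overflow
    weights = [math.exp(s - peak) for s in scaled]
    total = accumulate(weights)
    return [w / total for w in weights]

def greedy_pick(vocab, logits):
    """Return the token chosen at temperature 0."""
    return vocab[token_probs(logits, 0).index(1.0)]

# Constructed sample: two candidate words for a risk level in a digest sentence.
VOCAB = ["medium", "high"]
CONTRIBUTIONS = [0.1, 0.2, 0.3]  # partial terms that add up to the "high" logit
MEDIUM_LOGIT = 0.6

def run_order_demo():
    """Same numbers, two summation orders, two different greedy outputs."""
    forward = accumulate(CONTRIBUTIONS)             # 0.6000000000000001
    backward = accumulate(reversed(CONTRIBUTIONS))  # 0.6, an exact tie with "medium"
    return (greedy_pick(VOCAB, [MEDIUM_LOGIT, forward]),
            greedy_pick(VOCAB, [MEDIUM_LOGIT, backward]))

if __name__ == "__main__":
    # Lower temperature concentrates probability on the top-scoring token.
    for t in (1.0, 0.5, 0.1, 0):
        print(t, [round(p, 4) for p in token_probs([2.0, 1.0, 0.5], t)])
    print(run_order_demo())
```

In real inference the summation order can vary between runs when reductions are parallelized, which is one way near-tied tokens end up differing even with sampling disabled.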

Better alignment with security workflows

Foundation-sec-1.1-8B-Instruct is the result of close collaboration between the Cisco Identity Intelligence team and the Cisco Foundation AI team. The model is based on Meta’s Llama 3.1 and contains 8 billion parameters. It has been trained on a dataset of 5 billion tokens, distilled from 200 billion tokens of cybersecurity data.

Because Cisco owns the model, it can be customized for specific use cases with a precision that external models cannot offer. The model runs in secure cloud environments, on-premises installations, and other controlled settings. This gives Cisco and its customers flexibility that fits enterprise security and compliance requirements.

From theory to practice

The Foundation AI team hosts and serves the model on Amazon SageMaker. This allows Duo engineers to integrate it directly into their production systems with strong reliability and operational control. The updated digest was tested with three customers to validate real-world performance. Early feedback showed meaningful improvements in accuracy, relevance, and clarity. Customers responded positively to the improved summaries. They also reported faster review times and clearer identification of important identity events.

For customers, the workflow remains exactly the same, but the content is noticeably stronger, Cisco promises. Digest summaries are becoming clearer and more consistent. Prioritization is improving, making it easier to see what requires immediate attention. Insights feel more relevant to each environment, and recommendations are expressed in a more actionable way.

It is a realization of what Cisco calls “AI-native” security. In simple terms, this means that models will prove useful in all kinds of security matters, from identity, as is the case here, to network analytics, cloud security, and policy and rule analysis.