Decision Making in the Era of AI

Decoding A Journey into Decision Intelligence in Cybersecurity

In the cybersecurity space, deciding fast if an event is a potential threat is key. The most important factor is being able to understand the relevant data to make an educated decision - therefore, grasping the context in which an event happened. Your analyst teams are limited by time and resources, and need to handle hundreds of events at the same time. Because of this, investigating each event becomes a challenging task that is prone to errors, in an environment where any error can lead to a security breach. 

Decision Intelligence, which means harnessing AI to make better, faster  decisions, becomes a critical component for the cybersecurity world. Algorithms are not impacted by the endless volume of data that they need to analyze; with today’s computing power, it’s a matter of milliseconds to analyze hundreds of events at once. By all means, AI models benefit from it and only improve with the amount of relevant information used to train them.

Arcanna serves as a Decision Intelligence AI platform meant to enhance human decision-making within the Security Operations Center (SOC) or Network Operations Center (NOC), regardless of the tools, processes, and data in your environment. It achieves this by leveraging consistent data points and incorporating human feedback into  AI models, moving towards an autonomous decision-making system

Due to's innovative approach to integrating expert knowledge into its models' training data, the learning process ensures that the decisions made by the platform  are constantly improving, until it becomes your best analyst. Its patented approach to continuous learning and feedback collection, together with advanced insights into the data and performance metrics, give your SOC a distinctive advantage in the race against threats.  


Deep learning is a subfield of machine learning that implies the use of neural networks to model and solve complex problems. Traditionally, analysts look at data from a range of sources, consisting of information that is relevant in the context of a possible malicious event. Using their know-how and experience, they extract information to correlate features and draw conclusions, building patterns mentally. In deep learning, the algorithms can automatically learn, optimize and correlate features from the same data, making it well-suited for tasks such as natural language processing and other complex pattern recognition problems.

Arcanna can "reverse engineer" the connections between relevant data points that all the analysts make, optimizing them collectively to reach decisions. It learns to ignore noise in the data - irrelevant information - and builds robust patterns optimized on decisions made by all the analysts in the team. This way, it incorporates the common knowledge and relevant skills of the entire team, at once, with no need for an explicit description of the process followed when investigating. 

The decision-making process is framed as a classification problem, where investigation reports conclude with a status or label assigned to the original event (e.g., "False Positive" for noise, "Threat" or "Malicious" for true positives, or any other user-defined flag). As analysts investigate and label a set of alerts, Arcanna, trained on this data, can autonomously apply similar flags to events, providing reasons behind each decision.

Given the classification approach, Arcanna can become the main actor inside an operation for activities such as alert handling, incident creation, threat intel collection, notifications, or even improved remediation.

Predictive AI vs. Generative AI

There is no such thing as a perfect approximator. However, any task that can be thought of as a function can be approximated by a neural network. This is a both powerful and bold affirmation, because it translates to "Any human process or procedure can be mimicked by AI, without defining its intermediary steps to go from start to end, but solely knowing its prerequisites and conclusions”.

Predictive and generative are two branches of the AI field that start from distinct prerogatives and serve different purposes, both adding significant value to modern technology. Any field of science or industry can benefit from their use one way or the other, and in our lifetime we can only expect them to become more and more significant.

What "Predictive" and "Generative" actually mean for cybersecurity

Predictive AI is essential for data-driven applications; it learns from historical data to forecast patterns and make decisions on new data. Its decision points have weights assigned to them through training, which tell the importance of a decision point in predicting the target result. Predictive neural networks constantly evolve as more and more information is served to them as training data. Their predictions are explainable and traceable, since they learn from contextual information in controlled environments.

On the other hand, generative AI is, by design, meant to generate new information based on large volumes of prior know-how. It produces novel content such as text or images, based on characteristics from the training information it received. It can excel at tasks such as creating new types of information, summarizing texts, or offering opinions on various subjects, without necessarily having enough prior data to base them on.

Cybersecurity is, as the name states it, a field that needs to be secure. Over the past years, we've been flooded by attacks, and a huge amount of the events that need to be investigated don't even make it in front of the analysts due to talent shortage and false positives that take up valuable time. Of course, security analysts need to be creative in the investigative sense - they need to figure out what information is vital to decide how to handle an event, or be aware of exceptional situations happening in the security space, such as newly discovered vulnerabilities. However, investigation procedures are set for a reason - there are steps to be followed to decide what's malicious and what's not, and each organization has its own security policies. 

The reality is cybersecurity cannot afford to be solely creative and needs a way to explain how and why a decision was reached, and that decision needs to be based on prior facts.

But can they work together, though?

With Arcanna, we believe we can harness the best of both worlds. The decision-making process is fully predictive and relies on facts, making Arcanna the most efficient analyst any SOC or NOC could have. But to reach educated decisions, it's mandatory to give the neural networks all the data that is relevant for the event. Data collection - pre-decision context enrichment, as it's called in Arcanna - is achieved through more than one path. One approach is integrating with all the tools that the analysts use to make correlations. For this we built automated integrations, configurable directly from our platform. But what really changes the game is harnessing the power of generative AI to gather relevant contextual data dynamically, based on the information inside the initial event, thus truly emulating the investigative process that an analyst would go through. By using generative AI solely for controlled, predefined tasks, and with safety nets in place to combat hallucinations, we make use of the generative AI capabilities inside a predictive AI application, without suffering from its downsides.

The WHYs and HOWs of AI

Making decisions is the result - being able to justify them is the end goal, and is bound to building ethical, explainable AI. Post-decision actions - both generative and predictive - include summarizing Arcanna's predictive result into an executive text, together with its explainability features - why our Predictive AI engine reached a decision, what were the decision points that contributed to it and how much they weighed, which previous events were most similar to the current one, and what decision Arcanna made on them.  With this, we offer an end-to-end investigation result and close the circle. It all starts with an event and ends with a decision made on it, with human readable notes and conclusions. 

And, maybe most importantly, the control stays at the human level, through the continuous feedback loop. Our approach is human and data centric. Arcanna's classification can be supervised by a human, and, if needed, changed. This continuous loop of learn - optimize- decide - validate ensures that results do not drift and Arcanna stays up to date with the latest security policies that the company enforces.

There's no such thing as a perfect approximator - we can't stress this enough. But technological advancement does offer the possibility to build robust, explainable, expert-level ones that aim to become autonomous decision making systems through seamless integrations into any environment where there's sufficient data to lead to educated decisions. 

With, we built one, and together with the expertise of the team in which it gathers its experience, we believe it to be an indispensable asset, a way out of the rabbit hole of never-ending, overwhelming events to be investigated.