How AI‑Powered RAG and Agents Are Revolutionizing Enterprise Security Operations
This article explains how large AI models and Retrieval‑Augmented Generation (RAG), combined with autonomous AI agents, enable a three‑layer network‑boundary defense, address deep operational challenges such as alert overload and response latency, and dramatically improve incident‑response efficiency in large‑scale enterprises.
Background
Driven by both internet intelligence and large AI models, the information‑security field faces unprecedented complexity. External attackers exploit AI tools to generate automated attack scripts, bypass traditional detection, and conduct large‑scale asset scanning and vulnerability exploitation. Internally, diverse business scenarios, tens of thousands of employees, and numerous IoT devices make it harder to build defense‑in‑depth systems.
Three‑Layer Defense Architecture
Network layer: Domain‑controlled isolation, two‑factor real‑name authentication, and a zero‑trust gateway between office and production networks for identity verification, dynamic policy matching, and audit.
Transmission layer: Threat detection and analysis systems forward traffic from switches, gateways, and border devices to probes for deep inspection, focusing on malware, remote‑control tools, and proxy threats, with sandbox isolation for files.
Endpoint layer: Full‑coverage intelligent EDR deployment, pre‑installed IT security agents, and network discovery to achieve >95% endpoint‑software coverage.
Deep Operational Challenges (SOMM Level 4)
Alert overload: Only ~5% of 15,000 daily alerts are truly useful, while the rest create a “noise ocean.”
Response latency: High‑severity alerts take up to 2 hours to resolve; security‑audit alerts exceed 10 hours.
Knowledge gaps: 90% of threat judgments rely on expert experience, leading to high mis‑judgment rates for new staff.
Solution: Large Model + RAG + AI Agent
Since early 2024 we have explored AI‑enabled efficiency improvements. Pure large models suffer from nondeterminism, weak multi‑step reasoning, and lack of domain‑specific knowledge. By integrating a long‑reasoning model (e.g., DeepSeek) with Retrieval‑Augmented Generation and autonomous AI agents, we built an intelligent security brain that meets deep‑security‑operation needs.
Key Steps
Data standardization: Retain core fields of raw alerts (timestamp, alert ID, source/destination IP, threat type, network trace, geo‑location).
Key‑information enrichment: Use an intelligence agent to supplement missing data, distinguish internal vs. external sources, locate responsible parties, identify critical devices, and assess threat level via black‑list checks.
Vectorization: Apply BGE‑M3 embeddings to capture semantic meaning and enable accurate vector search.
Recall: Combine semantic vector retrieval with keyword search to avoid missing critical information.
Large‑model disposition: Feed retrieved references to the model with minimal prompting to reduce hallucinations and improve classification accuracy.
Cross‑model verification: Use multiple base models (e.g., QWEN, DeepSeek) to validate each other's reasoning; unresolved cases are marked “uncertain” for human review.
Agent execution: Automatically trigger actions such as antivirus deployment, ticket creation, whitelist updates, or blacklist insertion.
Feedback loop: Human‑validated cases update the vector database; high‑similarity cases (>95%) are either stored as new knowledge or flagged for rule‑optimization.
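The recall and cross‑model verification steps can be sketched as follows. This is an added example, not the article's own code. It assumes a bag‑of‑words vector in place of BGE‑M3, two rule‑based functions in place of the base models, and a constructed knowledge base and alerts; all function and field names are hypothetical.

```python
import math
import re
from collections import Counter

# Constructed knowledge base of human-validated cases: (case text, disposition).
KB = [
    ("remote control tool beacon from office host to external ip", "malicious"),
    ("vulnerability scanner sweep from internal security team host", "benign"),
    ("proxy tunnel traffic to blacklisted ip 203.0.113.7", "malicious"),
    ("scheduled backup job large transfer between internal servers", "benign"),
]
# Constructed alerts, already standardized to core fields.
ALERTS = [
    {"summary": "remote control tool beacon from office host", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.9"},
    {"summary": "large transfer between internal servers", "src_ip": "10.0.0.8", "dst_ip": "203.0.113.7"},
    {"summary": "dns query burst", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.1"},
]

def embed(text):
    # Stand-in for BGE-M3 embeddings: a bag-of-words vector, so this runs offline.
    return Counter(re.findall(r"[a-z0-9.]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def recall(alert, k=2):
    """Hybrid recall: top-k semantic matches plus exact keyword hits on the alert's IPs."""
    q = embed(alert["summary"])
    ranked = sorted(((cosine(q, embed(t)), i) for i, (t, _) in enumerate(KB)), reverse=True)
    hits = {i for score, i in ranked[:k] if score > 0}
    indicators = {alert["src_ip"], alert["dst_ip"]}
    hits |= {i for i, (t, _) in enumerate(KB) if indicators & set(embed(t))}
    return [KB[i] for _, i in ranked if i in hits]

def closest_case_model(alert, refs):
    # Stand-in for one base model: adopts the label of the best-ranked reference.
    return refs[0][1]

def cautious_model(alert, refs):
    # Stand-in for a second base model: malicious if any reference is malicious.
    return "malicious" if any(label == "malicious" for _, label in refs) else "benign"

def dispose(alert, models=(closest_case_model, cautious_model)):
    refs = recall(alert)
    if not refs:
        return "uncertain"  # nothing retrieved to ground a verdict: human review
    verdicts = {model(alert, refs) for model in models}
    return verdicts.pop() if len(verdicts) == 1 else "uncertain"
```

The second alert reads like a routine backup, so semantic search alone returns only benign cases; the keyword hit on its destination IP recalls the blacklisted‑IP case, the two stand‑in models disagree, and the alert is routed to human review.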
Effectiveness
Daily automatic disposition reaches 99.99% of alerts, reducing manual handling from ~1,000 to <10 alerts per day. Average response time drops from hours to under one minute, and recall improves from 89.1% to >99%.
Model performance (DeepSeek‑R1, GPT‑4, manual evaluation) shows precision 92‑93% and recall 95‑99% with F1 scores above 91%.
Conclusion & Outlook
The integration of reasoning models, RAG, and AI agents creates an adaptive internal‑network security system suitable for mid‑to‑large internet enterprises, delivering knowledge‑engineered expertise, transparent decision chains, and predictive defense against emerging threats.
