Every alert is triaged in the Edg3 cloud by Cisco's Foundation-sec model on Nvidia-class hardware the moment your agent reports it. Work that used to sit in a tier-two analyst's queue for an hour is done in seconds. You get the verdict, the pivots it looked at, the evidence it cited, and the ATT&CK technique it mapped. If you disagree, you override it, and the correction trains the next verdict.
Most AI features bolted onto SIEM products rely on general-purpose LLMs: clever, but not tuned for adversary reasoning. Edge runs Cisco Foundation-sec, a security-tuned model, on Nvidia-class hardware in your own isolated Edg3 cloud tenant. The model can be audited, swapped, or fine-tuned on your own corpus without sending a single event to a vendor.
Security-tuned reasoning model that understands ATT&CK techniques, attacker tradecraft, and forensic chains of evidence as first-class concepts, not as generic text.
Runs in the Edg3 cloud on Nvidia-class hardware with no per-token billing, and your tenant is isolated from every other. Fully air-gapped, no-egress operation is on the roadmap for Q4 2026.
CPU inference with a quantised Llama-3-8B fallback for constrained estates or edge sites where GPU hardware isn't viable. Same verdict format, same evidence chain.
The model can be adapted to your environment, your normal, your rule library. Your analyst overrides become the training data. The longer you run it, the sharper it gets.
An AI answer is only useful if your analyst can replicate the reasoning in thirty seconds. Every Edge verdict ships with a cited evidence chain, an ATT&CK technique, a confidence score, and the exact telemetry events it pivoted through. There is no black box.
The verdict card is not a PDF export. It's the live working memory of the agent. Click any pivot and you're taken to the event that drove that conclusion. Click the technique and you see every rule in your library mapped to it. Click the actor and you see every other alert across the tenant touching the same IOC.
The model does not stay static. Every override your analysts produce, whether confirming, downgrading, or reclassifying a verdict, becomes labelled training data for the next cycle. The platform compounds in sharpness the longer it runs in your environment.
Detection engine fires on a rule or anomaly. The Edg3 cloud pulls cross-source context (endpoint, network, cloud, identity) from the lakehouse.
In the Edg3 cloud, Foundation-sec proposes a verdict with technique mapping, evidence chain, and confidence score. Anything below configured threshold routes directly to human.
Cited evidence is one-click reproducible. Analyst confirms, overrides, or reclassifies. Disagreement is logged with reason code.
Override signal becomes labelled data for the next model update. Tenant-scoped fine-tuning keeps every customer's learned patterns inside their isolated Edg3 tenant.
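The four-step loop above, as an added Python example that is not Edg3's or Cisco's own code: it checks that a verdict's cited pivots resolve to real events, routes low-confidence or unreproducible verdicts to a human, and turns each analyst decision into a tenant-scoped labelled row. EVENTS, Verdict, route and record_override are assumed names, and the telemetry rows are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample telemetry, keyed by event id (stands in for the lakehouse).
EVENTS = {
    "ev-101": {"source": "endpoint", "detail": "powershell.exe spawned by winword.exe"},
    "ev-102": {"source": "network", "detail": "outbound TLS to a rarely seen domain"},
}


@dataclass
class Verdict:
    alert_id: str
    label: str          # model's call, e.g. "malicious" or "benign"
    technique: str      # ATT&CK technique id the model mapped
    confidence: float   # 0.0 .. 1.0
    pivots: list        # event ids the model cited as its evidence chain


def evidence_is_reproducible(v, events=EVENTS):
    """Every cited pivot must resolve to a real event; a verdict whose
    evidence cannot be clicked through is not auditable."""
    return bool(v.pivots) and all(p in events for p in v.pivots)


def route(v, threshold=0.8):
    """Below the configured threshold, or with evidence that does not
    reproduce, the alert goes straight to a human analyst."""
    if not evidence_is_reproducible(v) or v.confidence < threshold:
        return "human"
    return "auto-close"


TRAINING_SET = []  # tenant-scoped labelled rows for the next model update


def record_override(v, analyst_label, reason_code=None):
    """Confirmations and overrides both become labelled data; a
    disagreement with the model must carry a reason code."""
    disagreement = analyst_label != v.label
    if disagreement and not reason_code:
        raise ValueError("override without reason code is not logged")
    row = {"alert_id": v.alert_id, "technique": v.technique,
           "model_label": v.label, "analyst_label": analyst_label,
           "disagreement": disagreement, "reason": reason_code,
           "pivots": list(v.pivots)}
    TRAINING_SET.append(row)
    return row
```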
The noise class that yesterday sent a tier-two analyst into a rabbit hole is today closed by the agent with a one-line summary. Humans keep the interesting work.
Inference runs in your isolated Edg3 cloud tenant: never on a shared model, never cross-trained with another customer's data, never sent to a third-party LLM vendor. There is no cross-customer contamination risk, and your DPO gets a straight answer about where the model saw your alerts: inside your own tenant. A fully self-hosted, no-egress deployment for air-gapped estates is on the roadmap.
The measurable business impact of agentic triage is analyst hours reclaimed. A conservative baseline: tier-two enrichment and triage work that previously held an analyst for 45–90 minutes per alert now closes in under 30 seconds of wall-clock time, with the analyst reviewing rather than assembling.
For MSSPs, this reshapes the book. The margin compression that per-GB cloud SIEM puts on analyst-hours is replaced by agent-assisted tier-one coverage that scales horizontally with tenants, not linearly with headcount.