Introduction
The pace at which applications for artificial intelligence are evolving continues to impress. Businesses that once considered taking advantage of AI’s sophisticated predictive and natural language capabilities are now evaluating adoption of AI systems that have the ability to access internal data, make complex decisions, and have high levels of autonomy.
As we continue to push the envelope on AI, it’s important to keep a fundamental concept of information security in mind: the more powerful and capable a system, the more compelling a target it makes for adversaries. Eighty-four percent of businesses have reported experiencing an AI-related security incident in the last year; the volume of attacks will only grow from here.
We introduced Cisco AI Defense to protect businesses against the complex and dynamic landscape of AI risk. One of the defining characteristics of this landscape is how rapidly it’s evolving, as researchers and attackers alike uncover new vulnerabilities and techniques to break AI. Unlike traditional software vulnerabilities that can be addressed through conventional patching, AI attacks exploit the fundamental nature of natural language processing, making zero-day prevention impossible with existing approaches. This reality required us to shift from the concept of developing guaranteed immunity to risk minimization through multi-layered defense, enhanced observability, and rapid response capabilities. That’s why our team developed a comprehensive, multi-stage system that transforms AI threat intelligence into live, in-product AI protections with both speed and safety.
In this blog, we’ll walk through the stages of this framework, expanding on their impact and importance while also sharing a concrete example of one such threat that we rapidly operationalized.
Our Framework
At a high level, there are three distinct phases to our dynamic AI security system: threat intelligence operations, unified data correlation, and the release platform. Each step is thoughtfully designed to balance speed, accuracy, and stability, ensuring that businesses using AI Defense benefit from timely protections with zero friction.
Collecting AI Threat Intelligence
Threat intelligence operations are the first line of defense in our rapid response system, continuously monitoring the Internet and non-public sources for AI-related threats. This system transforms raw intelligence on attacks and vulnerabilities into actionable protections through a pipeline that emphasizes automation, prioritization, and rapid signature development.
While we collect intelligence from a variety of sources—academic papers, security feeds, internal research, and more—it’s effectively impossible to predict which attacks will actually appear in the wild. To help prioritize our efforts, we employ an algorithm that examines several factors such as priority characteristics (e.g., attack types or models) implementation feasibility, attack practicality, and similarity to known attacks. Priority threats are evaluated by human analysts aided by LLMs, and detection signatures are ultimately developed.
Our signature development relies on both YARA rules and deeper ML model training. In simple terms, this gives us an avenue to release timely protections for newly identified threats while we work behind the scenes on deeper, more comprehensive defenses.
Consolidating a Central Data Platform
The goal of our data platform is to provide a single location for all data storage, aggregation, enrichment, labeling, and decision making. Information from multiple sources is systematically aggregated and correlated in a data lake, ensuring comprehensive artifact analysis through consolidated data representation. This data includes customer telemetry when permitted, publicly available datasets, human and model-generated labels, prompt translations, and more.
The key advantage of this consolidated data storage is that it provides a centralized single source of truth for all of our subsequent threat-related work streams, like human analysis, data labeling, and model training.
Rolling Out Production-Ready Protections
One of the most significant challenges in creating a threat detection and blocking system like our AI guardrails is updating detection components post-release. Unforeseen shifts in detection distributions could generate catastrophic levels of false positives and impact critical customer infrastructure. We designed our platform specifically with these risks in mind, using three components—threat signatures, ML detection models, and advanced detection logic—to balance speed and safety.
Our release platform architecture supports simultaneous deployments of multiple, immutable versions of guardrails within the same deployment. Instead of updating and immediately replacing existing guardrails, a new version is released alongside the previous one. This approach enables gradual customer transition and maintains a simplified rollback procedure without the complexities of a conventional release cycle.
Because these “shadow deployments” cannot impact production systems, they allow our team to safely and thoroughly check for detection regressions across multiple version releases. That means when we roll these guardrails out in production, we can be confident in their reliability and efficacy alike.
The Importance of Dynamic AI Security
Just like AI technology itself continues to evolve at a breakneck pace, so too does the AI threat and vulnerability landscape. To adopt and innovate with AI applications confidently, enterprises need an AI security system that is dynamic enough to keep them secure.
The integrated Cisco AI Defense architecture uses three interdependent platforms to address the complete threat response lifecycle. With sophisticated threat intelligence operations, a consolidated data platform, and thoughtful release process, we balance speed, safety, and efficacy for AI security. Let’s look at a real example of one such release.
A multi-language mixture adaptive attack for AI systems known as the “Sandwich Attack” was released on arXiv on April 9. In three days, on April 12, this technique had already been integrated into our cyber threat intelligence pipeline—new attack examples were added to AI Validation, and detection logic added to AI Runtime Protection. On April 26, we successfully leveraged this very attack while testing a customer’s models.
Analysis of the Sandwich Attack was later shared in a monthly edition of the Cisco AI Cyber Threat Intelligence Roundup blog. Expanding on the original technique, Cisco internal research led to a new iteration known as the Modified Sandwich Attack, which allowed us to adapt to customized use cases, combine with other techniques, and expand product coverage even further.
A complete paper detailing our dynamic AI protection framework is now available on arXiv. You can learn more about Cisco AI Defense and see our AI threat detection capabilities in action by visiting our product page and scheduling time with an expert from our team.
