惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
T
Troy Hunt's Blog
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
M
MIT News - Artificial intelligence
G
Google Developers Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
I
InfoQ
H
Hacker News: Front Page
D
Docker
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Blog — PlanetScale
Blog — PlanetScale
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
博客园 - 【当耐特】
T
Tor Project blog
U
Unit 42
H
Heimdal Security Blog
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
PCI Perspectives
PCI Perspectives
美团技术团队
O
OpenAI News
T
Tailwind CSS Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
GbyAI
GbyAI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
MyScale Blog
MyScale Blog

Cisco Blogs

Edge opportunity for service providers: Turn infrastructure into new services MRC and SRv6: How Foundational Networking Innovations Are Enabling the Next Generation of AI Supercomputers The SMB Marketing Reset: Winning Customer Trust in a Digital-First Economy Inside the SOC: AI-powered DNS defense against ransomware Our Path Forward Securing the Federal Digital Experience with Cisco ThousandEyes for Government Cisco at ONUG Dallas 2026: Securing the AI Data Center in the Agentic Era Cisco and Red Hat are powering intelligent core to edge: Red Hat Summit insights Building the Capabilities That Win: How Cisco Partners Can Lead in the SMB & Mid-Market Era How Two Hours Felt Bigger Than My To-Do List Announcing Foundry Security Spec Ace the CCIE Collaboration Lab: Success Tips from a TAC Engineer Turned CCIE Protecting Agents with Cisco AI Defense and Google Agent Development Kit Powering an Inclusive Future: Your guide to the Purpose Pavilion at Cisco Live Las Vegas The Infrastructure Behind the Mission: SOF Week 2026 Cisco Networking App Marketplace Partners at Cisco Live 2026 Beyond the Pilot: Building the Clinical Data Fabric for the Agentic Era Benchmarking scale-out AI fabrics with Cisco N9000 + AMD Pensando™ Pollara 400 NICs Month of Developer Productivity: Build and Forget The race to autonomous transport networks: A new study Lean IT, future-ready: How to save time and simplify wireless management with AI Reading Between the Pixels: Failure Modes in Vision Language Models Biochar’s triple win: Healthier soils, improved crops, and decarbonization Designing a Proactive Customer Journey Modernize your data center operations with Cisco Nexus Dashboard Why your automation stack needs Cisco Agentic Workflows Try Cisco AI Defense Explorer Edition in this hands-on lab From Bandwidth to Intelligence: How Cisco is Powering AI-Ready Networks Spotlight on digital transformation | FY25 Purpose Report Galaxy Mode is live: A limited-time look at what your Cisco AI Assistant and AgenticOps can already do Securing the Agentic Workforce: Cisco Announces Intent to Acquire Astrix Security Understanding CISA BOD 26-02: Mitigating Risk from End-of-Support Edge Devices Digging Deeper: The Future of Mining with Automation and Ultra-Reliable Wireless Voices from the field: Helping farmers build resilient local economies across rural America Built like a startup, scaled like Cisco: Transforming data center cooling for the AI era Defining Model Provenance: A Constitution for AI Supply Chain Safety and Security Introducing Model Provenance Kit: Know Where Your AI Models Come From Security Insights: A Threat-First View for the Platform That Enforces Access How I Turned My Curiosity into a Patent From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future Maximizing Managed Security Services: A Strategic Guide to Optimizing Your Portfolio (Part 1 of 2) Simplify access control in five easy steps Trust: Why security is your next growth engine Cisco IQ is generally available. Here’s what that actually means. From Vision to Reality: Intelligence in Action with Cisco IQ How connectivity is shaping the future of surgical care The power of your network: Solving a physical security incident on Vision portal 5 signs your data center is holding your AI strategy back Stop Overthinking OT Security: The Total Cost of Ownership and Being Smart with Refreshes AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Scaling the digital future: Why AI and skills investments matter for business and society Expanding our Product Organization Recap Scaling the Future: Reddit AMA on Network Automation at Scale Bringing Professional-Level Skills to Cisco Networking Academy Announcing Cisco Availability in Google Cloud Marketplace: A New Path to Scalable, Partner-Led Growth The Innovation Paradox: How We Reduced Incidents by 25% While Deploying Faster Funding the AI-ready data center: Why flexibility wins The switch that quantum networking has been waiting for From a Message I Couldn’t Believe to a Stage I’ll Never Forget The Hidden Bottleneck Slowing Down Manufacturing Transformation 30 Years as a CCIE: Why Certifications Matter in the AI Era Securing Enterprise AI: Cisco AI Defense Expands to Google Cloud How ThousandEyes Closed the Cloud Visibility Gap by Solving It Themselves First Energy Will Define the Scale of AI Introducing the AI Agent Security Scanner for IDEs: Verify Your Agents Stop Overthinking OT Security: People, Process and Technology Powering the Future of Research: Join Cisco at NLIT 2026 Building the Digital Foundation for a Smarter West Lincoln Memorial Hospital How Cisco built an AI-RRM that maximizes your wireless solution From Automation to Autonomy: Cisco and Rockwell Power a New Era for Manufacturing Unlocking the Future of Fan Engagement: The Power of VisionEDGE Find Yourself in the Future: AI Is the New Baseline—Here’s How to Build Your Skills One Day with Our Customers: Driving better outcomes through customer centricity What It Really Takes to Build an AI-First Workforce From Connectivity to Security: How E80 Future-proofed its AGV Operations with Cisco The Infrastructure of a Floating City: AIDA Cruises’ CX-Led Digital Transformation Scaling your network for AI without a forklift upgrade Why modern networks are moving DDoS defense to the edge Evolve IP Media to AI-Driven Media Fabrics: Future-Proof Broadcast with Cisco and NVIDIA Cisco and Generation are scaling AI-powered pathways to employment Reading Between the Pixels: Assessing Prompt Injection Attack Success in Images Lean IT, future-ready: Why Wi-Fi is your AI growth strategy Cisco Modeling Labs: Bringing the Network Digital Twin to Life AI on the Factory Floor: Why Manufacturing Requires a New Architecture with Cisco Unified Edge Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Scaling the Future: Join Our Reddit AMA on Network Automation at Scale 5 wireless trends retail IT teams can’t ignore in 2026 Can your infrastructure management tools do that? Sustainability 101: Let’s talk about energy efficiency From Chai Breaks to Checkpoints: A Day at Cisco Bengaluru Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Non-Obvious Patterns in Building Enterprise AI Assistants Making AI Trustworthy and Observable in Real-Time: Cisco Announces Intent to Acquire Galileo A simpler path to unified, AI-ready network operations Cisco Celebrates The Smart Industry Industrial Transformation Award Winners Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time How New Data Streams Transformed Cisco Store’s Decision-Making AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100
SoftBank Corp.’s SOC Triaging Workflow Automated with Cisco Foundation AI’s Open-Source Model
Huaibo Zhao · 2026-06-23 · via Cisco Blogs

Introduction

SoftBank Corp. (“SoftBank”) has integrated Cisco Foundation AI’s Foundation-sec-1.1-8B-Instruct model into their Security Operations Center (SOC) triaging workflow, enabling full automation of suspicious software detection, dynamic policy verification, and corresponding actions. The Foundation-sec-1.1-8B-Instruct model plays a crucial role by categorizing software names into 17 different categories for policy enforcement, effectively enabling end-to-end workflow automation.

In this blog, we explain how the Foundation-sec-1.1-8B-Instruct model fits into SoftBank’s triaging process and how we achieve high accuracy in software categorization.

Figure 1: Suspicious file detection workflow in SoftBank. 


Suspicious software detection is a common use case in security operations. At SoftBank, software categories are defined based on capabilities and security risks. Once a category is determined, and depending on the network where the software is detected, relevant company policies are applied and appropriate actions are taken.
 

Previously, file categorization, policy verification, and response actions were performed manually by analysts, which is a time-consuming and labor-intensive process. To allow analysts to focus on higher-priority investigations, SoftBank decided to automate the workflow using automation frameworks and large language models (LLMs). 

Automation frameworks streamlined policy checks and response actions. However, automating software categorization was challenging due to the vast number of possible software, overlapping functionalities, and organization-specific categorization rules. As a result, categorization became the final piece needed for this automated assistance to human analysts. 

Foundation AI Model for Categorization 

To solve the categorization challenge, SoftBank chose LLMs for their general knowledge of software and ability to follow instructions. Due to data privacy requirements, cloud-based LLMs were not an option. Foundation-sec-1.1-8B-Instruct stood out as an open-source model that can be deployed on-premises. Its compact size reduces operational costs, and its security-specific pre-training allows it to outperform similar general-purpose open-source models in security tasks. 

For categorization, the model receives a software name as input and selects one of 17 output categories. The main challenge lies in overlapping category definitions and software with multiple functionalities. Additionally, to ensure smooth workflow integration, the model’s output must be strictly formatted as the category name only.

Output Optimization 

To address these challenges, the Cisco Foundation AI team collaborated closely with SoftBank on prompt tuning to ensure stable and accurate model outputs. 


Optimization 1: Output Formatting
 

First, few-shot examples were appended at the end of the prompt to guide the model on correct output formatting. The last part of the prompt was formatted as following:

# Examples 
Input: SOFTWARE_1 
Output: CAT_001 
 
Input: SOFTWARE_2 
Output: CAT_005 

Input: SOFTWARE_3 
Output: CAT_011 
# Now it is your turn: 

Input: <INPUT NAME> 
Output:  

These few-shot examples, combined with system prompts that define output rules and include validation, ensure the model consistently outputs a valid category for each input. We also integrated output validation into the workflow; if the model fails to return a valid category name, the inference process re-runs until a correct output is obtained. This combination of prompt engineering and output validation allows us to achieve stable, well-formatted categorization results. 


Optimization 2: Category Description
 

Next, we incorporated categorization rules—based on analyst logic and historical data—into the prompt to clarify the scope of each category. However, some overlap naturally occurs between categories. 

For example, “File Transfer,” “File Sharing,” and “Forbidden Internet Service” are governed by different rules. While cloud storage software like OneDrive should be categorized as “Forbidden Internet Service,” the model often misclassifies it as “File Sharing” due to its sharing functionality. Similar ambiguities exist between pairs like “Packet Capture & Vulnerability Scanning” and “Server Service & File Transfer.” To improve model performance, we identified these common misclassifications and added descriptive guidance to help the model distinguish between them. 

For instance, we added the following reasoning logic for the “Packet Capture” and “Vulnerability Scanning” categories:
Confirmation for Ambiguous Cases (Evaluate in order): 

1. Does it output vulnerability reports or CVE information? → Yes: Vulnerability Scanning / No: Proceed to next. 

2. Is the primary purpose packet interception, recording, or visualization? → Yes: Packet Capture / No: Proceed to next. 

3. Is the primary purpose network monitoring or bandwidth monitoring? → Yes: Packet Capture / No: Proceed to next. 

4. Is the primary purpose discovering or diagnosing vulnerabilities in the target? → Yes: Vulnerability Scanning / No: CAT_001. 

Throughout this process, we kept the prompt concise to avoid confusion and ensure reliable categorization. 


Optimization 3: Preprocessing and Postprocessing
 

The 17th category, “Undetermined,” is designed to capture software that does not fit into the other 16 categories. During testing, we observed that the model often force-assigned a category to software that should have been marked as “Undetermined.” In production, these misclassifications result in false positives, as the “Undetermined” category does not trigger any specific rules. 

While prompt tuning reduced many of these instances, some organization-specific cases remained where potentially sensitive files were incorrectly flagged as benign. To mitigate this, we implemented whitelisting as a preprocessing step and added postprocessing to further filter out false positives. 


Categorization Results
 

Testing was conducted on a curated dataset of historical detections and human-annotated categories. To prevent overfitting, we expanded the dataset with common software names and manually verified ground-truth labels. 

Using these 17 categories, the Foundation-sec-1.1-8B-Instruct model achieved 80.75% accuracy, which is comparable to the performance of cloud-based LLMs on the same task. When combined with our rule-based system and the new pre/post-processing steps, the overall workflow accuracy reached 90%, making it highly effective for daily operations. 

Conclusions 

SoftBank’s adoption of the Cisco Foundation AI model demonstrates that, while LLMs are often used for summarization and analysis, they can also effectively handle categorization tasks without resource-intensive retraining or fine-tuning. This approach shows that by carefully identifying which workflow tasks truly require generative AI, organizations can reduce computational demands and improve reliability while achieving automation goals—compared to relying entirely on LLM-based workflows. 

Looking ahead, SoftBank plans to extend this approach beyond suspicious file detection to automate intrusion detection system (IDS) responses as well. Given that IDS automation will involve handling sensitive network and security-related information, the Foundation AI model’s data privacy and security features make it particularly well-suited for these future security operations workflows. 

Customer Testimonials 

“Through our joint PoV with Cisco, we confirmed that the Cisco Foundation AI model can help streamline an important step in our SOC triaging workflow: software categorization. Its on-premises deployment model meets our data privacy requirements, and the PoV demonstrated practical accuracy, including over 85% accuracy at the workflow-action level, with further improvement expected through preprocessing and policy-based controls.  This approach can help our analysts reduce manual triage effort and allocate more attention to higher-priority security investigations.” 

Hajime Uematsu, Director, Security Verification Department, SoftBank Corp.