惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
Webroot Blog
Webroot Blog
GbyAI
GbyAI
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 【当耐特】
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta
S
Security Affairs
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
D
DataBreaches.Net
云风的 BLOG
云风的 BLOG
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
Spread Privacy
Spread Privacy
T
Threatpost
Forbes - Security
Forbes - Security
C
Cisco Blogs
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
Simon Willison's Weblog
Simon Willison's Weblog
腾讯CDC
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
小众软件
小众软件
V
Vulnerabilities – Threatpost
美团技术团队
人人都是产品经理
人人都是产品经理
有赞技术团队
有赞技术团队
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News - Newest:
Hacker News - Newest: "LLM"
I
Intezer
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
Martin Fowler
Martin Fowler
博客园 - 聂微东

Sysdig Blog

Masterclass: AI is more than ChatGPT and LLMs CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace Kubernetes 1.36 - New security features 5 steps to securing AI workloads Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours Security briefing: March 2026 The Sysdig MCP server is now available in AWS Marketplace Risk isn’t reduced until you take action: How teams resolve issues in the cloud AI infrastructure security: Why it deserves its own category Three pillars for building effective runtime-powered cloud defense, the right way Closing the cloud security gap with runtime security Seeing risk isn’t stopping it: Why visibility alone isn’t enough TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions AI coding agents are running on your machines — Do you know what they're doing? Runtime security for AI coding agents: Protecting AI-assisted development How runtime insights power every cloud security use case CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours Inline Cloud Response: Accelerating AWS threat containment for SOC teams Runtime malware detection for AWS Fargate Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes Malware detection with Sysdig Security briefing: February 2026 Leveling up Kubernetes Posture: From baselines to risk-aware admission Eliminating runtime blind spots: How CleanStart and Sysdig build continuous trust across the container lifecycle LLMjacking: From Emerging Threat to Black Market Reality Real risks live at runtime: Why CISOs must care about deep telemetry in 2026 Sysdig named a Leader in the Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 How to run rootless containers AI-assisted cloud intrusion achieves admin access in 8 minutes Security briefing: January 2026 Securing GPU-accelerated AI workloads in Oracle Kubernetes Engine Bringing OSS runtime security to AWS: Falco integration with AWS Security Hub CSPM Our customers have spoken: Sysdig rated a Strong Performer in Gartner® Voice of the Customer for Cloud-Native Application Protection Platforms Protecting sensitive business data in preparation for the organization's Gen AI VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits AI is still a workload: A practical guide to securing AI workloads How threat actors are using self-hosted GitHub Actions runners as backdoors How Sysdig Sage delivers AI-powered, real-world vulnerability management Security briefing: December 2025 Top 10 ways to get breached in 2026 EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2 Introducing runtime file integrity monitoring and response with Sysdig FIM How to detect multi-stage attacks with runtime behavioral analytics EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js The rise of AI agents: How autonomous AI Is transforming cloud security Kubernetes 1.35 - New security features The Urgency of Securing AI Workloads for CISOs Security briefing: November 2025 Quantum and the cloud: Science fiction turned security strategy Cloud security, the right way: What the industry should demand (and why "good enough" isn't) Return of the Shai-Hulud worm affects over 25,000 GitHub repositories Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns What’s old is new again: How to demystify AI security with AIBOMs Securing Kubernetes with agentic cloud security How agentic cloud security reduces real risks Hunting reverse shells: How the Sysdig Threat Research Team builds smarter detection rules Shifting left with AI and MCP: Sysdig + Amazon Q Developer How Falco and Stratoshark close the gap between open source runtime detection and deep forensic analysis Investigating security issues with ChatGPT and the GitHub MCP server New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 Harden your LLM security with OWASP Security briefing: October 2025 How agentic AI is changing cloud security Kubernetes Incident Response: Detect, investigate, and contain in under 10 minutes Sysdig recognized as a Cloud Security Leader in Latio Tech Cloud Security Market Report AI echolocation of cloud risks using Sysdig & Snyk MCP servers Sysdig MCP Server: Bridging AI and cloud security insights Understanding CVE-2025-49844: “RediShell” Critical Remote Code Execution in Redis How Sysdig secures your containers and Kubernetes Sysdig Security Briefing: September 2025 Cloud security, the right way: The 3 pillars of real-time defense Open source spotlight: Bringing web application security to Falco with Falcoya's Nginx plugin Malicious NPM packages: Are you exposed? AI for SOC teams: 5 cloud security prompts to start your day with Sysdig Sage™ Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT Modern vulnerability management, built for the cloud Build your AWS incident response playbook with open source tools 2025 Gartner® CNAPP Market Guide: Runtime visibility is no longer optional Threat hunting with Sysdig: Uncovering “IngressNightmare” Open source spotlight: From alerts to action with AI-powered Falco Vanguard From triage to action: How Sysdig’s agentic cloud security platform slashes noise and accelerates remediation The vision comes to life: Agentic cloud security with Sysdig Sage™ Data security findings: A technical deep dive Connecting runtime to source: Sysdig and Semgrep integration Fix what matters, faster: How Sysdig and Semgrep are unifying security without silos – from code to runtime Defending sensitive data with Sysdig Secure Redefining cloud security, the right way Join the movement: The Sysdig Open Source Community is live A smarter, safer cloud in the age of AI Unifying detection and response: Sysdig + Cortex XSOAR for security at cloud speed The future of security is open, and it needs a unified hub: The Sysdig Open Source Community is here CVE-2025-53104: Command injection via GitHub Actions workflow in gluestack-ui Why MCP server security is critical for AI-driven enterprises What’s new in Sysdig — June 2025 AI-powered CNAPP with Sysdig Sage™ Sysdig Threat Bulletin: Iranian Cyber Threats The end of the prioritization-only era: Vulnerability management needs action Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
Revolutionizing Cybersecurity Search with Sysdig Sage™
2025-06-24 · via Sysdig Blog

We are excited to introduce Sysdig Sage for Search, our AI-based graph search assistant, which enriches Sysdig’s AI capabilities after launching Sysdig Sage for Cloud Detection and Response. Designed to assist cybersecurity professionals, Sysdig Sage for Search redefines how we interact with and extract insights from complex security data.

Traditional cybersecurity tools often fall short when it comes to handling the growing complexity of modern environments. The challenge lies in making sense of vast amounts of data while providing actionable insights in real time. This is where Sysdig’s AI search engine stands out.

Introducing Sysdig Sage for Search 

At the heart of Sysdig Sage for Search is a powerful search engine that combines cutting-edge AI technology with deep domain expertise. Designed specifically for cybersecurity, this engine simplifies how professionals interact with complex infrastructure and security data.

Sysdig Sage for Search enables users to express security questions in natural language, which are automatically interpreted and translated into formal SysQL queries against a graph-based datastore. This allows security teams to seamlessly explore relationships, entities, and events without needing to write or understand query syntax.

The system empowers analysts with an intuitive interface that bridges the gap between high-level investigation goals and low-level data, accelerating workflows such as incident response, policy validation, and behavioral analysis.

Key innovations

SysQL: A proprietary query language

Sysdig introduces SysQL, a novel query language tailored specifically for the cybersecurity domain. Unlike generic query languages, SysQL is user-friendly and intuitive, enabling professionals to ask complex questions without needing advanced technical expertise.

SysQL is a query language designed specifically for exploring Kubernetes and cloud resources, as well as risks and findings relevant to cloud security posture management (CSPM). It provides capabilities to query entities related to cloud infrastructure, security conditions, vulnerabilities, and compliance controls.

Advantages of SysQL:

1. Specificity to cloud and Kubernetes:

SysQL is tailored for querying resources and vulnerabilities within cloud environments and Kubernetes setups, making it more efficient for CSPM-related operations than using generic query languages.

2. Entity-relationship structure:

SysQL allows querying based on entities and their relationships. This is particularly useful for understanding how different components in the infrastructure interact and affect each other.

3. Built-in security features:

SysQL supports queries targeting security findings, vulnerabilities, and configurations, making it a valuable tool for security analysis and posture management.

4. Usability:

The language of SysQL is designed to be user-friendly, allowing operators to easily specify the data they want to target or filter, simplifying the task of complex cloud security operations.

5. Comprehensive query operations:

Similar to other query languages, SysQL offers a range of operators like MATCH, WHERE, RETURN, ORDER BY, and more, providing robust support for filtering, sorting, and limiting query results.

Overall, SysQL consolidates cloud-native and Kubernetes resource queries with security and compliance analysis, enabling more relevant and context-driven exploration compared to generic database query languages.

For further details about SysQL please refer to our documentation here

Fine-tuned LLM

Sysdig’s AI engine is powered by a large language model (LLM) trained on hundreds of thousands of carefully crafted domain-specific questions. This model translates user queries into SysQL, ensuring precise and actionable results.

To enable natural language access to our security data, we fine-tuned a custom LLM specifically designed to understand and generate structured queries over our security graph. This model doesn’t just parse sentences — it interprets user intent in the context of cloud and container security, generating precise, semantically rich queries that power our search engine. The LLM has been trained on a dataset containing about 34k SysQL queries and 135k questions in natural language.

By training the model on real-world examples and refining it through continuous evaluation, we ensure it stays aligned with how practitioners investigate risk and exposure in modern cloud environments.

Sysdig Sage for Search

The model creation and training process includes:

  1. AI-driven dataset generation: The dataset is generated using an AI-driven builder that combines human-curated queries, SysQL query templates, and the SysQL knowledge graph to produce realistic text-to-SysQL query pairs. This process creates a large, diverse dataset split into training, validation, and test sets, enabling the model to learn how real users interact with security data.
  2. Fine-tuning: A domain-specific large language model is fine-tuned using the generated training and validation datasets. With around 135k natural language questions and 34k SysQL queries, the model learns to translate user intent into precise, executable queries that align with the structure and semantics of the SysQL knowledge graph.
  3. Model evaluation: The fine-tuned model is evaluated on both AI-generated and human-curated test datasets to ensure quality, accuracy, and alignment with real-world use cases. A data scientist reviews the model’s output to continuously refine performance and ensure that it meets the practical needs of cloud and container security professionals.

Key advantages:

  • Domain specialization: By grounding the model in a security-specific query language, you ensure far better precision and relevance than general-purpose models.
  • High-quality training data: Combining human expertise with template-based generation ensures accuracy while scaling the dataset.
  • Test-time control: Evaluation on a curated “golden dataset” allows for consistent tracking of performance across iterations.
  • Explainability: SysQL’s structured format makes it easier to inspect, debug, and validate the generated queries — a critical feature in security applications.
  • Scalability: The templated and pattern-based query generation enables rapid adaptation to new schemas or data models.

Why this matters:

  • Faster investigation: Analysts get to insights quickly, without needing to learn a query language.
  • Security-aware results: The model is purpose-built to understand cloud-native threats and relationships.
  • Trust through structure: Outputs are explainable and inspectable — critical in high-stakes security workflows.
  • Built to evolve: As cloud threats change, the model adapts, making our AI engine more resilient and future-proof.

Innovative inference pipeline

Sysdig’s inference pipeline combines the power of the custom LLM with a cybersecurity knowledge graph. This unique approach allows the engine to handle complex user requests, providing insights that go beyond surface-level analysis.

Once trained, our custom LLM becomes the heart of a real-time inference pipeline that transforms natural language into executable security graph queries. When a user asks a question — like “Show me the resources affected by critical vulnerabilities for clusters named “cluster-name” and prioritize by number of packages in use” — the system first moderates the input, then passes it to a query generator that interprets intent and assembles a valid SysQL query.

We introduced a robust, multi-stage inference pipeline for translating natural language questions into formal SysQL queries. The system is designed to handle ambiguity, syntax errors, and unsupported query patterns using a combination of LLM generation, programmatic feedback loops, and semantic post-processing.

Pipeline overview

  1. Moderation and filtering. The generated query undergoes moderation to filter out:
    1. Out-of-context questions that do not pertain to the current application scope.
    2. In-context but unsupported queries due to system or schema limitations.
  2. Initial query generation. A natural language question is passed to an LLM to generate a candidate SysQL query.
  3. Syntactic validation and correction loop. The query is submitted to a SysQL interpreter. If it fails syntactic validation:
    1. The interpreter’s error message and relevant schema-level information (entities, relationships) are injected back into the LLM’s prompt.
    2. The LLM attempts to regenerate a corrected version of the query using this enriched context.
  4. Semantic post-processing. Once a syntactically valid query is produced, semantic enumeration issues (e.g., column name ambiguity) are corrected using AI-driven techniques.
  5. Iterative attempts. Steps 2–6 are repeated up to K times to generate multiple candidate queries.
    1. The system generates correlated suggestions (e.g., rephrasings or schema hints).
    2. These are used to re-prompt a fine-tuned LLM for another round of query generation.
  6. Query refinements. A final refinement step selects the top-1 query from the K candidates and optimizes it for best alignment with the input question and schema context.

Key advantages of the inference pipeline

  • Resilient to imperfect input: Recovers from incomplete or imprecise questions through layered correction mechanisms.
  • Accurate query generation: Validates and refines generated queries to ensure they are executable and relevant.
  • Domain-aware interpretation: Leverages cloud security context to resolve entities, relationships, and fields correctly.
  • Iterative refinement: Applies structured fallbacks to maximize success without user intervention.
  • Seamless integration: Connects directly with the backend search engine, delivering results with minimal latency.
  • Explainability: Produces queries that are transparent and inspectable, enabling trust in automated results.

Why this matters

  • Robustness: The system can gracefully handle ambiguity or partially formed inputs.
  • Precision at scale: Multiple validation and correction steps ensure queries are accurate and meaningful.
  • Adaptability: The pipeline improves over time as new security concepts and query patterns emerge.
  • Low friction: Users get high-quality results without needing to reformulate their questions.

Seamless integration

The AI-powered search engine is deeply integrated into Sysdig’s platform, particularly within the assistant chat experiences. This integration turns complex cloud and Kubernetes data into accessible, conversational insights, reducing friction and helping users to take action faster.

Embedded where it matters

Whether you’re navigating through Sysdig’s Search UI or interacting with the assistant chat, the AI engine is always on hand to:

  • Understand natural language questions
  • Translate them into precise SysQL queries
  • Return curated, structured answers directly from your environment

This tight integration means security teams can explore their infrastructure and risk landscape without needing to learn a query language or dig through multiple dashboards.

Why this matters

This integration bridges the gap between raw cloud data and the people who need to act on it. By enabling searchable, explainable, and actionable insights, it transforms how teams approach:

  • Cloud and Kubernetes resource inspection
  • Vulnerability triage and remediation
  • Security posture monitoring
  • Inventory and asset visibility

What the AI assistant can do

The assistant is not a static chatbot, it’s a domain-aware security search interface capable of:

  • Analyzing cloud and Kubernetes resources across AWS, GCP, and Azure
  • Surfacing security insights, like failed controls, risky configurations, and exposed assets
  • Executing and explaining SysQL queries
  • Summarizing infrastructure inventory by resource type, account, or region
  • Guiding investigations through follow-up suggestions and contextual understanding

In short, it turns security and operations questions into actions with context, precision, and zero manual digging.

Real-world use case

Scenario

Meet Alex, a cloud security analyst at a mid-sized enterprise. It’s Monday morning, and she’s reviewing their weekly vulnerability status.

Alex starts with the familiar search bar interface and types:

“Show in-use vulns with fix available for more than 30 days.”

Immediately, she sees a list of known vulnerabilities that haven’t been remediated in time: a red flag. One entry catches her eye: CVE-2025-22871.

Instead of switching tools or hunting for documentation, Alex clicks into the Sysdig Sage chat:

“Which workloads are affected by CVE-2025-22871?”

The assistant quickly responds with a breakdown of affected workloads. Alex clicks on the provided link to view them in detail; no need to write complex queries or dig through dashboards.

Then, she asks:

“Tell me more about the coredns workload.”

The assistant pulls up contextual information: the version in use, recent changes, risk exposure, and even deployment timelines.

Next, she digs deeper:

“Can you explain this query?”

Rather than just throwing a SysQL query at her, the assistant offers a step-by-step explanation of how the results were derived, improving Alex’s confidence in the data.

Finally, Alex asks:

“Should I fix this CVE?”

The assistant assesses risk based on exploitability, exposure time, and availability of a fix. It offers a clear recommendation: “Yes. This CVE is actively exploitable, and a patch is available. Delaying may increase your risk posture.”

Outcome and value

By the end of this short interaction, Alex has:

  • Identified a critical vulnerability
  • Understood its impact across workloads
  • Interpreted the technical details of the query
  • Received a prioritized recommendation for action

All of this has been accomplished without needing to know the underlying query language.

Outperforming the competition

We evaluated Sysdig’s AI-powered graph search against a leading competing solution in the domain of cloud and Kubernetes security (CSPM/KSPM/VM/Inventory). Both systems aim to translate user intent expressed in natural language into structured, executable queries over a security graph.

The competing system clearly demonstrates strong engineering and domain modeling. It produces syntactically valid queries, often capturing a significant portion of the user intent. However, our analysis shows that Sysdig Sage delivers a fundamentally more accurate and operationally effective solution, due to key differences in semantic understanding, entity modeling, and query construction.

Entity modeling aligned with operational reality

Search with Sysdig Sage consistently identifies and models the correct primary entity based on the user’s question. For instance, when the question is about “workloads affected by critical vulnerabilities,” Sysdig Sage returns the workloads as the main result, with related vulnerability data attached. The competing system, while often able to recognize relevant concepts (e.g. vulnerabilities, findings), tends to orient the query around the wrong object, such as findings or container images, leading to mismatches between the intent and output. We suspect that this may depend on our opinionated concept modelling.

Accurate graph traversal and contextual filtering

Search with Sysdig Sage constructs precise graph traversal paths that align with actual runtime relationships: workloads to containers to images to vulnerabilities. It also supports contextual filtering on fields like exposure, region, fix availability, and usage status.

In contrast, the competing system often introduces semantically ambiguous or unnecessary intermediate steps. While these queries are syntactically sound, they do not always reflect real-world deployment semantics (e.g., distinguishing between an image in a registry and a container running in production).

Aggregation, sorting, and limiting built-in

Security investigations often require more than just listing resources: Users frequently want aggregated summaries, ordered risk prioritization, or scoped subsets (e.g., “top 5,” “grouped by region,” etc.). Sysdig Sage fully supports these constructs directly in the initial query.

By comparison, the competing system often omits GROUP BY, ORDER BY, or LIMIT logic, requiring manual editing or post-processing to make the results usable.

Better alignment between input and output

One of the core strengths of search with Sysdig Sage is preserving semantic symmetry: The structure and content of the output precisely match the intent of the question. Whether a user asks about specific CVEs, workloads, clusters, or vulnerable images, Sysdig Sage ensures that the query and its results remain centered on that concept.

In multiple test cases, the competing system returned results that diverged from the expected shape — for example, returning only vulnerability IDs when the user asked for affected resources, or missing key attributes such as cluster or namespace names.

Consistency and executability

Every Sysdig Sage-generated query tested was immediately executable and returned valid, meaningful results. This highlights a key differentiator: Sysdig Sage not only generates correct syntax, but also operationally accurate semantics, ensuring reliable answers to real-world security questions.

Summary of findings

Aspect Sysdig Sage Competing System
Primary entity focus Correctly modeled (e.g., workload, resource) Sometime misaligned
Graph traversal semantics Accurate and minimal Feels redundant or imprecise
Aggregation and grouping Fully supported Often absent or requires edits
Sorting and top-N queries Supported and accurate Frequently missing
Result shape Matches user intent Partial or misaligned
Manual refinement needed Rarely Frequently

Final thoughts

We acknowledge the strong capabilities of the competing system, which has pushed the field forward and set a solid baseline for natural language querying in the security domain. Their work has contributed meaningfully to reducing the gap between natural language and structured security insights.

That said, we believe Sysdig Sage offers a fundamentally better solution: one that more accurately understands user intent, translates that intent into executable graph queries, and delivers immediately useful, scoped, and actionable results, all without the need for manual correction or refinement.

Outpace cloud threats with Sysdig Sage

Sysdig’s AI-based search engine is more than just a tool. It’s a game-changer for the cybersecurity industry. By combining cutting-edge AI with deep domain expertise, Sysdig helps professionals to stay ahead of threats and make smarter decisions. Experience the future of cybersecurity search with Sysdig Sage. Request a personalized demo!