Using ChatGPT to Augment Threat Detection

Cloud Security

Skyhawk recently announced a couple of new features that are based on ChatGPT. What’s new?

Watch this video and then read the blog for details:

  1. A new addition to our scoring mechanisms for malicious events called ‘Threat Detector’.

We use the ChatGPT API as an “advisor” that helps us be more confident in our scoring mechanism. Our current scoring mechanism already has several such advisors, rules and machine-learning-based classifiers, each of which pushes the score in its own direction – the ML models then combine all of them to decide the threat level of an event. Skyhawk’s new ChatGPT functionality adds “countless” new advisors whose opinions we consider in the final score, advisors that are proficient and smart because they are based on the security data of the whole internet.

  2. A new tab in our product called ‘Security Advisor’.

Skyhawk adds textual explanations (produced by ChatGPT) for the incidents found by the platform. These appear in a new platform tab called the ‘Security Advisor’. Having these textual explanations, in addition to visual representations, helps organizations understand incidents in greater depth and makes them more accessible to security personnel.

How does ChatGPT help with scoring an Attack Sequence?

Our product uses ML to score security events and track them on a timeline called an “Attack Sequence”. We use machine-learning labeling functions to “ask questions” about each potential event, and then score those events using proprietary information we have gathered about security events (as well as the MITRE framework and other contextual components). Each advisor we use scores whether an event is suspicious or not, and we then aggregate all the advisors’ results to create the Attack Sequence. Now we are adding another very strong advisor, one that helps us improve both the detection rate and the speed of detection.

How does GPT help?

GPT is trained on reams of security data from across the web. For Skyhawk, it adds yet another point of view that we may not have thought of ourselves – a sort of unknown unknown. It allows us to assess what is considered risky and malicious based on the many reports GPT has seen on the web, and that gives us more confidence that we are not missing anything. Up until now, all the labeling functions of our advisors were code that we wrote ourselves; now we add the GPT results as well – a black box that acts as a sort of super-advisor.

Can you give an example?

Below is a real sequence in which Skyhawk alerted just before the user actually performed a data extraction. GPT, however, raised the flag after the very first activity of the sequence, which means we were able to avoid the data extraction by alerting much earlier than before, and of course much earlier than any other product on the market.

[Image: ChatGPT Threat Detector Skyhawk]

In this image, the ‘AWS API failure’ is an activity that we identified as malicious but that is not yet harmful. Most security products will therefore either not alert on it, or alert but have the alert ignored as something that is not necessarily threatening. GPT, together with our MBI for this activity, gave us the confidence to alert the customer that this is a true alert (what we call a Realert).
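The advisor-ensemble idea described above, as an added example that is not Skyhawk's code: a set of rule advisors and one LLM-backed advisor each score every event of a constructed four-event cloud API sequence, the scores are combined with a weighted noisy-OR, and the sequence is scored twice, once with rules only and once with the LLM advisor, to show at which event the first alert fires. The event names, the `fake_llm` stand-in for the model API, the weights and the threshold are all assumptions made for the example. The one design point worth noting is that the model's free-text answer is treated as untrusted input: only a literal number in [0, 1] is accepted, anything else makes the advisor abstain, and its weight caps how far it can move the score on its own.

```python
"""Added example (not Skyhawk's code): a toy advisor ensemble for scoring an attack sequence."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int
    principal: str
    action: str   # constructed sample API action names
    outcome: str  # "success" or "failure"


# An advisor sees the current event plus the earlier events of the same sequence
# and returns a suspicion score in [0, 1], or None to abstain.
Advisor = Callable[[Event, List[Event]], Optional[float]]


def advisor_api_failure(ev: Event, history: List[Event]) -> Optional[float]:
    """Rule advisor: a failed API call is mildly suspicious on its own."""
    return 0.3 if ev.outcome == "failure" else 0.0


def advisor_failure_burst(ev: Event, history: List[Event]) -> Optional[float]:
    """Rule advisor: prior failures by the same principal raise suspicion."""
    fails = sum(1 for h in history if h.principal == ev.principal and h.outcome == "failure")
    return min(1.0, 0.25 * fails)


def advisor_data_access(ev: Event, history: List[Event]) -> Optional[float]:
    """Rule advisor: storage enumeration or reads after earlier failures look like collection."""
    if ev.action in {"s3:ListBuckets", "s3:GetObject"} and any(h.outcome == "failure" for h in history):
        return 0.8
    return 0.0


# Accept only a standalone number between 0 and 1 (0, 0.x, 1, 1.0); "1.5" or "10" are rejected.
_SCORE_RE = re.compile(r"(?<![\d.])(0(?:\.\d+)?|1(?:\.0+)?)(?!\.?\d)")


def parse_llm_verdict(text: str) -> Optional[float]:
    """Treat model output as untrusted: extract a literal score in [0, 1] or return None."""
    m = _SCORE_RE.search(text)
    return float(m.group(1)) if m else None


def make_llm_advisor(ask: Callable[[str], str], weight: float) -> Tuple[Advisor, float]:
    """Wrap a text-completion function as an advisor. `ask` stands in for the real model API (assumption)."""
    def advisor(ev: Event, history: List[Event]) -> Optional[float]:
        prompt = ("Rate from 0 to 1 how suspicious this cloud API event is. "
                  f"principal={ev.principal} action={ev.action} outcome={ev.outcome} "
                  f"prior_events={len(history)}")
        return parse_llm_verdict(ask(prompt))
    return advisor, weight


def fake_llm(prompt: str) -> str:
    """Offline, deterministic stand-in for the model (constructed for the example)."""
    if "outcome=failure" in prompt:
        return "Score: 0.7. Failed calls like this often precede reconnaissance."
    if "action=s3:GetObject" in prompt:
        return "0.9"
    return "Unable to assess this event."   # unusable answer -> advisor abstains


def combine(votes: List[Tuple[float, float]]) -> float:
    """Noisy-OR over (weight, score) pairs: each advisor independently pushes the total towards 1."""
    p_clean = 1.0
    for w, s in votes:
        p_clean *= 1.0 - w * s
    return 1.0 - p_clean


def score_sequence(events: List[Event], advisors: Dict[str, Tuple[Advisor, float]],
                   threshold: float = 0.6) -> List[Tuple[int, str, float, bool]]:
    """Score events in order; returns (ts, action, score, alerted) for each event."""
    history: List[Event] = []
    results = []
    for ev in events:
        votes = []
        for _name, (fn, w) in advisors.items():
            s = fn(ev, history)
            if s is None:            # advisor abstained (e.g. unusable LLM output)
                continue
            votes.append((w, max(0.0, min(1.0, s))))   # clamp defensively
        score = combine(votes)
        results.append((ev.ts, ev.action, round(score, 3), score >= threshold))
        history.append(ev)
    return results


def first_alert_index(results: List[Tuple[int, str, float, bool]]) -> Optional[int]:
    """Index of the first event that crossed the alert threshold, or None."""
    return next((i for i, r in enumerate(results) if r[3]), None)


# Constructed sequence: two failed IAM calls, then storage enumeration and a read.
SEQUENCE = [
    Event(1, "alice", "iam:ListUsers", "failure"),
    Event(2, "alice", "iam:GetAccountSummary", "failure"),
    Event(3, "alice", "s3:ListBuckets", "success"),
    Event(4, "alice", "s3:GetObject", "success"),
]
RULE_ADVISORS: Dict[str, Tuple[Advisor, float]] = {
    "api_failure": (advisor_api_failure, 1.0),
    "failure_burst": (advisor_failure_burst, 1.0),
    "data_access": (advisor_data_access, 1.0),
}
# The LLM advisor's weight (0.8) caps how far its opinion alone can move the score.
WITH_LLM = dict(RULE_ADVISORS, llm=make_llm_advisor(fake_llm, weight=0.8))

if __name__ == "__main__":
    for label, advisors in (("rules only", RULE_ADVISORS), ("rules + LLM advisor", WITH_LLM)):
        res = score_sequence(SEQUENCE, advisors)
        print(f"{label}: first alert at event index {first_alert_index(res)}")
        for row in res:
            print("  ", row)
```

With these constructed inputs the rules-only ensemble first alerts at the third event (storage enumeration after failures), while the ensemble that includes the LLM advisor already alerts at the first failed call, which is the pattern the post describes. Whether earlier is also correct depends on the advisor being right, so in practice the weight and threshold would be tuned against labelled sequences, and abstentions and malformed answers should be logged so the model's contribution can be audited.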

What is the benefit of our ChatGPT functionality for Skyhawk customers?

The benefit is better security for cloud infrastructure. Security tools need to be as accurate as possible so that more alerts are real and fewer are false positives. The ChatGPT API adds a layer of confidence because in our tests it found the true malicious activity that led to a breach earlier than it would have been found without the ChatGPT data (in 78% of the cases we tested).

It’s as if we take the advice of thousands of security researchers and average them, using the wisdom of the crowds to gain confidence on when to alert customers. This way they can pay attention only to events that are real threats and ignore the rest.

The addition of ChatGPT scoring allowed us, in 78% of the cases, to alert earlier than we would have with our own baseline score.

Want to learn more? Please join the upcoming webinar on April 25th at noon EST by registering here.
