Cisco decides its homegrown AI model is ready to power its products
- Reference: 1765952660
- News link: https://www.theregister.co.uk/2025/12/17/cisco_foundation_model_indentity_intelligence/
The model Cisco will use is called “Foundation-Sec-1.1-8B-Instruct”. As described on the [1]Hugging Face model-mart, it’s an open-weight, 8-billion-parameter instruction-tuned “Auto-regressive language model that uses an optimized transformer architecture,” namely the Meta Llama-3.1-8B backbone.
Cisco tuned the model for cybersecurity applications and optimized it for three uses:
- SOC Acceleration: Automating triage, summarization, case note generation, and evidence collection.
- Proactive Threat Defense: Simulating attacks, prioritizing vulnerabilities, mapping TTPs, and modeling attacker behavior.
- Engineering Enablement: Providing security assistance, validating configurations, assessing compliance evidence, and improving security posture.
In a Tuesday [2]post, Cisco revealed it’s using the model with Duo Identity Intelligence, a service that analyzes who logs on to networks, where they log on from, and which devices they use.
“By examining post authentication signals, the system identifies patterns that traditional access controls often miss, including unusual geographic activity, abnormal privilege usage, and indications of MFA fatigue attempts or session hijacking,” Cisco explained.
The product alerts users to potential identity issues in a weekly email digest that Cisco will now compose with help from its new model.
“Producing such a digest requires an artificial intelligence model that understands identity behavior, can interpret long chains of events, and communicates insights in a way that aligns with how security administrators make decisions,” Cisco’s post states, adding that general-purpose models “are not always tuned for the nuance and precision required for identity security and often introduce external dependencies.”
Using its own model, Cisco says, will deliver “summaries that are more accurate, more readable, and more aligned with real security workflows.”
The company also says the content of the digests will become “noticeably stronger … clearer and more consistent. Prioritization improves, making it easier to identify what demands immediate attention. Insights feel more relevant to each environment, and recommendations are expressed in a more actionable way.” Cisco reckons you’ll therefore end up using Identity Intelligence more often, because the model will produce info that demands action.
The improved digest is the result of collaboration between the teams that develop Duo and Cisco’s foundation models.
“Both groups created a tuned prompt stack that significantly improved output quality and aligned the model with the analytical style expected in the digest,” Cisco’s post states.
Over 2,000 Cisco customers receive the digest. If you’re one of them, let us know if the weekly email has improved!
The model can run on-prem or in the cloud, and do much more than write nice email digests. Cisco says its downstream uses include:
- Prioritizing vulnerabilities based on contextual risk
- Extracting compliance evidence from documents
- Generating red-team attack plans and threat models
- Predicting attacker next steps in active investigations
In early November, Cisco [11]told The Register it’s working on a 17-billion-parameter foundation model, and “a whole phalanx” of other AI. Foundation-Sec-1.1-8B-Instruct seems to come from the phalanx: while it is a foundation model, it is nine billion parameters short of the forthcoming model Cisco mentioned.®
[1] https://huggingface.co/fdtn-ai/Foundation-Sec-1.1-8B-Instruct
[2] https://blogs.cisco.com/security/duo-unveils-production-deployment-foundation-ai
[11] https://www.theregister.com/2025/11/10/cisco_new_17bn_parameter_model/
I wonder if
It will remind people about the lack of support for "legacy" equipment that is known to be vulnerable?
"Identity intelligence that eliminates security blind spots"
Eliminates? That's a pretty bold claim, and only the start of a swathe of significant bollocks touted. I wish tech would stay tech, and tell the marketurds to FO. [ [1]Cisco Identity Intelligence ]
So, the premise is to increase security by... relinquishing control to software that you don't control? And accepting what is essentially a backdoor? Oh, do fuck off.
The linked spielfest has too much wrong with it to cover all of it, but cherry picking: "It’s difficult to manage multiple apps and identity security systems". Yes it is. But it's doable, and has been successfully undertaken for decades. Pay the meatware what they're worth and maintain control. Replace the meatware for "a saving" and reap what you sow.
[1] https://duo.com/product/cisco-identity-intelligence