What Researchers Learned About Building an LLM Security Workflow

Security operations centers are drowning in alerts, and vendors have rushed to market AI copilots promising instant triage. The reality, however, is that raw large language models lack the discipline to sift through raw log data effectively. Without a clear investigative framework, even state‑of‑the‑art models like Claude 3 Haiku or Qwen3 misclassify threats, leaving analysts to manually verify every incident. This gap underscores why the industry must look beyond model size and focus on the surrounding architecture that guides AI behavior.

The Oslo‑Norway study provides a concrete proof‑of‑concept. By coupling LLMs with a lightweight toolkit—pre‑written SQL queries against Suricata logs, a single custom query option, and a controlled grep step—the researchers transformed passive models into active investigators. The result was a leap from 0% to 93% malicious detection, with GPT‑5‑mini flagging every true threat in 100 trials. Crucially, the improvement stemmed from workflow constraints, not larger prompts or model upgrades, highlighting the power of guardrails and iterative evidence collection in AI‑driven security.

For security vendors and enterprise SOCs, the takeaway is clear: building robust AI assistants requires a disciplined, tool‑centric design. Structured prompts, limited query vocabularies, and a feedback loop that mimics a junior analyst’s workflow can unlock the latent reasoning abilities of LLMs while keeping false positives manageable. Future research must expand testing across diverse datasets and real‑world IDS outputs, but the current findings suggest that a well‑engineered AI workflow could become a cornerstone of next‑generation threat triage, delivering measurable analyst time savings and stronger defense postures.