A new AI research group within Cisco led an effort to train Meta's Llama 3 large language model on cybersecurity data. The model will be released as open source, including open weights.

The Foundation AI group, unveiled Monday, is led by Yaron Singer, a former Harvard professor of computer science and advanced mathematics and the CEO and co-founder of Robust Intelligence, which Cisco acquired in 2024. Singer is now vice president of AI and security at Cisco and recruited engineers from Meta and Google to train the cybersecurity large language model (LLM).*

The model was released to open source, including open weights, meaning its parameters, but not its source code or data, are publicly available for anyone to download, inspect, fine-tune and use. Cisco plans to integrate the model with AI agents in its extended detection and response (XDR) product. This week, it rolled out AI agents for attack verification, automated forensics and a visualization tool called Attack Storyboard using other LLMs.

Yaron Singer Yaron Singer

"Cybersecurity data, by its nature, is not necessarily natural language -- it's often bespoke languages," Singer said. "It's dynamic, so threats and vulnerabilities get updated frequently, and all that makes existing AI tools that we have right now for cybersecurity not sufficient for the [security operations center] SOC to adopt them."

The Foundation AI project distilled open source data from 200 billion tokens, the units of text that the LLM processes, down to 5 billion taken from data most relevant to cybersecurity. This makes the model fast-performing, though Cisco did not disclose specific benchmark numbers. Singer said the model is smaller than most foundation models and can run on a single Nvidia A100 GPU on-premises.

Andy Thurai, an independent analyst at The Field CTO, said IT organizations can add their own retrieval augmented generation data to customize the model further for their specific environments.

"Current general-purpose LLMs are mostly used for security-to-human-understanding translation with varying success, unlike this," Thurai said. "Its ability to run on a single A100 GPU is amazing. This means that even the most cost-conscious customers can run this model at the cheapest possible cost without being price-gouged by big-boy LLMs."

New AI agents that can automate attack verification in Cisco's XDR tool will soon integrate its new cybersecurity LLM.