
From months to hours: eSentire accelerates AI-augmented threat investigation with Anthropic’s Claude in Amazon Bedrock
Learn how eSentire amplifies elite security expertise with Anthropic’s Claude to deliver transparent, rapid threat analysis that stops attacks before they spread.
Benefits
- 90% threat analysis validation
- 99.3% of attacks stopped on the first machine
Overview
eSentire recognized an opportunity to dramatically expand what their Security Operations Center (SOC) could deliver to customers. While their Atlas Platform already provided comprehensive threat resolution, the company wanted to amplify their elite analysts’ capabilities so that every customer receives the deep, nuanced analysis that previously took days, weeks or even months, now delivered in minutes. Their collaboration with AWS Partner Anthropic brought this vision to life: SOC investigations are now thorough and expert-level at unprecedented scale and speed, and customers get complete transparency into the evidence and reasoning behind every security decision. The result is a leap in managed detection and response in which artificial intelligence (AI) amplifies human expertise to deliver more investigations, deeper analysis, and faster outcomes, stopping 99.3% of attacks at the first machine while giving customers unprecedented visibility into their security posture.
About eSentire
Waterloo, Ontario-based eSentire is the authority in Managed Detection and Response (MDR), protecting the vital data and applications of 2,000+ organizations in 80+ countries across 35 industries from known and unknown cyber threats. Through their Atlas Platform, they deliver agentic MDR services that provide Exposure Management, Managed Detection and Response, and Incident Response designed to build an organization’s cyber resilience and prevent business disruption. eSentire protects the world’s most targeted organizations, with 65% of its global base recognized as critical infrastructure vital to economic health and stability.
Opportunity | Bootstrapping AI security enhancements revealed limitations in reasoning capabilities
eSentire stands out by delivering comprehensive threat resolution—detection through containment—on its Atlas Platform. Still, the company wanted to enhance “customer delight” by improving the quality and transparency of its threat management processes and outcomes. This included:
- Eliminating variability: Delivering detailed, accurate threat analysis from its most experienced Security Operations Center (SOC) experts to every customer
- Augmenting investigative transparency: Providing customers with clear, explainable reasoning behind every threat assessment and response decision to build trust via visibility into the company’s expertise
- Scaling comprehensive analysis: Ensuring nuanced threat analysis for every customer regardless of attack complexity
- Accelerating expert investigation: Delivering hours of expert investigation depth in just minutes through agentic reasoning that could dynamically select and execute the right tools for each unique threat scenario
These improvements would ultimately enable expert-grade analysis, transparent intelligence, and intuitive, scalable interactions that empower customers to confidently navigate even the most complex security events. Generative AI with advanced reasoning capabilities offered the ideal path forward.
Key obstacles to achieving these outcomes with a generative AI solution included ensuring that AI-driven investigations maintain the depth and accuracy that eSentire customers rely on for critical security decisions. They also needed to build customer trust in automated analysis while keeping the decision-making process transparent. Any solution had to meet the rigorous quality standards required for protecting critical infrastructure, where investigation accuracy is paramount, and it had to preserve the nuanced analytical thinking that makes elite SOC experts effective in complex threat scenarios. Initially, one of the company’s engineers bootstrapped a DIY solution from open-source tools, but open-source models did not deliver the complex reasoning required to match expert security analysts. eSentire knew they needed a partner with a powerful, comprehensive generative AI solution.
About AWS Partner Anthropic
Anthropic is an AI lab whose research and products put safety at the frontier. Anthropic is dedicated to ensuring the world safely makes the transition through transformative AI. Their multidisciplinary team creates reliable, interpretable, and steerable AI systems. Anthropic’s flagship product is Claude, a large language model that offers the best combination of speed and performance.
Solution | eSentire and Anthropic’s Claude in Amazon Bedrock: Highest performance for complex security reasoning
After evaluating multiple LLMs, eSentire determined that Anthropic’s Claude 3.5 Sonnet provided the highest performance for complex security reasoning. Claude formulates investigation hypotheses from the initial threat indicators, then dynamically selects and executes appropriate tools to gather evidence. The platform evaluates those findings, adjusts the investigation strategy in real time, and continues the loop until it reaches a confident, evidence-based decision. eSentire validated this approach against 1,000 real-world investigations, comparing Claude’s decisions with those of the company’s most senior SOC experts. Results showed 95% alignment across diverse endpoint security scenarios, confirming that Claude replicated expert-level investigative reasoning and decision-making.
Next, eSentire worked with Anthropic to reach a sustained, scalable state of customer delight along with cost efficiency. Together they developed an intuitive interface to support efficient engagement, leveraging the expanded outputs of Claude 3.7 Sonnet while preserving analysts’ ability to extend investigations based on their own expertise. Claude Sonnet 4, a newly introduced hybrid reasoning model with superior intelligence for high-volume use cases, is now in production.
Key innovations included interactive investigation reports that let customers drill down into the evidence and reasoning chain behind each decision, and a natural language model optimization framework that lets expert security analysts embed their specialized knowledge and investigative techniques directly into the agent. The same framework routes each workflow component to the most cost-effective model without loss in quality. Prompt caching and prompt optimization further reduced operational costs while maintaining investigation quality and speed.
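The investigation loop described above (hypothesis, tool selection, evidence gathering, re-planning, stop once confident) and the per-step reasoning chain that the drill-down reports expose, as an added example that is not eSentire’s or Anthropic’s code. The model’s planning step is replaced by a deterministic rule-based stand-in so the block runs offline; the telemetry, tool names, evidence weights and thresholds are all constructed assumptions.

```python
"""Bounded agentic investigation loop that records an auditable reasoning chain.
Added example, not eSentire or Anthropic code: the model's planning step is a
deterministic rule-based stand-in so it runs offline; tool names, evidence
weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample endpoint telemetry (not real customer data).
TELEMETRY: Dict[str, dict] = {
    "host-17": {  # Office app spawns encoded PowerShell that talks to known C2
        "processes": [{"pid": 4410, "image": "powershell.exe", "parent": "WINWORD.EXE",
                       "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}],
        "connections": [{"pid": 4410, "dst": "203.0.113.45", "port": 443}]},
    "host-02": {  # routine admin script, internal SMB only
        "processes": [{"pid": 3201, "image": "powershell.exe", "parent": "explorer.exe",
                       "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}],
        "connections": [{"pid": 3201, "dst": "10.0.0.8", "port": 445}]},
    "host-09": {  # encoded PowerShell to an unknown external host: ambiguous
        "processes": [{"pid": 7780, "image": "powershell.exe", "parent": "explorer.exe",
                       "cmdline": "powershell.exe -enc ZQBjAGgAbwA"}],
        "connections": [{"pid": 7780, "dst": "198.51.100.7", "port": 8443}]},
}
BAD_IPS = {"203.0.113.45": "known C2 (constructed threat-intel entry)"}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop")


@dataclass
class Evidence:
    tool: str
    finding: str
    weight: int  # contribution (0-100 scale) to confidence of compromise


@dataclass
class Step:  # one entry of the reasoning chain a report can drill into
    hypothesis: str
    tool: str
    evidence: List[Evidence]
    confidence: int  # running confidence after this step


@dataclass
class Investigation:
    host: str
    verdict: str = "inconclusive"
    confidence: int = 0
    chain: List[Step] = field(default_factory=list)


# --- Tools the planner can choose from; each returns Evidence items ---
def tool_process_tree(host: str) -> List[Evidence]:
    found = []
    for p in TELEMETRY[host]["processes"]:
        if p["parent"].upper() in OFFICE_APPS:
            found.append(Evidence("process_tree",
                         f"pid {p['pid']} {p['image']} spawned by {p['parent']}", 35))
        if any(flag in p["cmdline"] for flag in SUSPICIOUS_FLAGS):
            found.append(Evidence("process_tree",
                         f"pid {p['pid']} hidden/encoded command line", 25))
    return found


def tool_network(host: str) -> List[Evidence]:
    # Assumed internal range 10.0.0.0/8; anything else counts as external.
    return [Evidence("network", f"pid {c['pid']} external connection to {c['dst']}:{c['port']}", 15)
            for c in TELEMETRY[host]["connections"] if not c["dst"].startswith("10.")]


def tool_reputation(host: str) -> List[Evidence]:
    return [Evidence("reputation", f"{c['dst']} is {BAD_IPS[c['dst']]}", 40)
            for c in TELEMETRY[host]["connections"] if c["dst"] in BAD_IPS]


TOOLS: Dict[str, Callable[[str], List[Evidence]]] = {
    "process_tree": tool_process_tree, "network": tool_network, "reputation": tool_reputation}


def plan(used: Set[str], evidence: List[Evidence]) -> Optional[Tuple[str, str]]:
    """Deterministic stand-in for the model's planning step: given what has been
    gathered so far, pick the next hypothesis and the tool that tests it."""
    seen = {e.tool for e in evidence}
    if "process_tree" not in used:
        return "alert indicates suspicious process activity", "process_tree"
    if "network" not in used and "process_tree" in seen:
        return "suspicious process may be beaconing outbound", "network"
    if "reputation" not in used and "network" in seen:
        return "external destination may be known-bad infrastructure", "reputation"
    return None  # no hypothesis left worth testing


def investigate(host: str, contain_at: int = 90, benign_below: int = 30,
                max_steps: int = 6) -> Investigation:
    inv = Investigation(host)
    evidence: List[Evidence] = []
    used: Set[str] = set()
    for _ in range(max_steps):  # hard cap: an agent loop must be bounded
        nxt = plan(used, evidence)
        if nxt is None:
            break
        hypothesis, tool = nxt
        used.add(tool)
        found = TOOLS[tool](host)
        evidence.extend(found)
        inv.confidence = min(100, sum(e.weight for e in evidence))
        inv.chain.append(Step(hypothesis, tool, found, inv.confidence))
        if inv.confidence >= contain_at:
            break  # confident, evidence-based decision reached; stop spending tool calls
    if inv.confidence >= contain_at:
        inv.verdict = "contain"
    elif inv.confidence < benign_below:
        inv.verdict = "benign"
    else:
        inv.verdict = "escalate_to_analyst"  # hand off rather than force a binary call
    return inv


if __name__ == "__main__":
    for h in TELEMETRY:
        r = investigate(h)
        print(h, r.verdict, r.confidence, [(s.tool, s.confidence) for s in r.chain])
```

Three design points carry over to a real deployment regardless of which model does the planning: the loop has a hard step budget so a confused planner cannot spin indefinitely; every step is stored with its hypothesis, the tool invoked, the evidence returned and the confidence after it, which is exactly the record a drill-down report needs to expose; and the verdict has a third outcome that routes ambiguous cases (host-09 here) to a human analyst instead of forcing a contain-or-ignore decision on thin evidence.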
AWS powers eSentire’s security platform: Amazon Bedrock orchestrates LLM interactions and automated responses, while AWS Lambda executes agentic workflows and automated actions. Amazon API Gateway provides secure API access for natural-language-to-SQL capabilities and customer integrations, complemented by AWS Identity and Access Management (IAM) fine-grained access controls for multi-tenant security operations and Amazon CloudWatch for performance monitoring. This foundation delivers elite-level protection, superior attack prevention, enhanced visibility, and accessible security intelligence through natural language querying for eSentire customers.
Outcome | Real-world SOC expertise via generative AI
This collaboration with AWS and Anthropic has given eSentire next-level AI capabilities: human expertise amplification, expert-level investigation at scale, unprecedented investigation detail, enhanced expert focus, consistent expert-quality outcomes, transparent expert decision making, and a platform that can be licensed directly to third-party service providers. With these, eSentire has hit their goal of customer delight. The company now provides customers with consistent elite-level investigations, hours of expert effort delivered in minutes, business continuity protection with 99.3% of attacks stopped at the first machine, and enhanced security assurance through transparent, outcome-driven security operations.
Generative AI has transformed how quickly eSentire can innovate and adapt to evolving threats. Development and deployment cycles have accelerated from months to days, enabling the company to respond to new attack vectors and threat intelligence with unprecedented speed. They can now bring knowledge from their security experts into the platform in a repeatable manner that doesn’t require traditional engineering effort. This makes embedding expertise into service delivery faster, a critical capability when stopping rapidly evolving threats that require immediate countermeasures. Their threat hunting team exemplifies this transformation: they can now create new tools and workflows for the entire SOC using natural language interfaces, moving from concept to production deployment in hours.

We were using raw tools and an open-source model, which got us to a certain level of efficacy if we curated it correctly, but it wasn’t giving us the customer delight we wanted out of the system to really scale it up. As an agentic MDR-focused company, we have huge security and confidentiality needs. It wasn’t until we started our collaboration with Anthropic, using Claude in Amazon Bedrock, that we could get comfortable on the security side and see that customer delight.
Dustin Hillard
CTO, eSentire
AWS Services Used
- Amazon Bedrock
- AWS Lambda
- Amazon API Gateway
- AWS Identity and Access Management (IAM)
- Amazon CloudWatch