Building an agentic AI solution using Amazon Neptune with Trend Micro

To enhance the customer experience, Trend Micro wanted to develop long-term and short-term memory capabilities for its Companion assistant that would provide more accurate and explainable insights to users. The company sought to use AI and graph technology to understand complex connections in security data, learn from each interaction, and share knowledge across teams. When experienced analysts discovered effective ways to investigate threats or fix security problems, Trend Micro wanted this valuable knowledge to be accessible to other team members instead of staying isolated.

The cybersecurity company needed a data and AI foundation that could transform isolated security knowledge into accessible, actionable insights, so it turned to AWS. “Companion began as an AI assistant to let customers explore vast amounts of security information across our portfolio through natural conversation—intelligently prioritizing threats, connecting disparate signals, and guiding analysts toward the most impactful actions,” says Shawn Tsai, senior architect at Trend Micro. “To meet this vision at scale, we leaned into AWS as the backbone for data and AI.”

To build these advanced memory capabilities, Trend Micro adopted Amazon Neptune, a serverless graph database service for connected data and improved AI accuracy. Amazon Neptune serves as both a knowledge graph and an experience layer that helps Trend Micro’s customers better understand and take action on security-related information such as attack techniques, threat intelligence, alerts, and insights. Equipped with these insights and background on proven investigation approaches, teams can respond with appropriate remediation strategies.

Trend Micro uses Amazon Neptune to store the connections within this security data so that its customers can better understand how various actors and threats relate to each other and how teams have successfully addressed similar threats in the past. When users interact with Companion, effective investigation patterns and responses are automatically captured in Amazon Neptune, creating an expanding knowledge base of security expertise. “We’re most excited about building what we call a ‘living security brain’: a knowledge system that continuously learns and, most importantly, democratizes expertise so one team’s experiences can benefit others,” says Tsai.

The solution integrates multiple AWS services to create a comprehensive AI workflow. Trend Micro uses Amazon Comprehend, a service used to derive and understand valuable insights from text within documents, to scan all user conversations to detect and remove personally identifiable information. Additionally, Trend Micro uses Amazon Bedrock—a comprehensive, secure, and flexible service for building generative AI applications and agents—to orchestrate agentic AI workflows. Amazon Bedrock enhances prompts and identifies user intentions to route requests to the appropriate backend service agents.

Trend Micro also uses Amazon Managed Streaming for Apache Kafka (Amazon MSK), a streaming data service that manages Apache Kafka infrastructure and operations, to extract required metadata from various log collectors. This metadata is then stored in Amazon Neptune for long-term memory and correlation analysis, helping Companion better identify user intentions and correlate log data, such as identifying compromised devices under the same attack pattern. 

The AWS team guided Trend Micro’s Bedrock implementation and shared prompt-engineering best practices that led to the selection of Anthropic Claude for its accuracy and natural language capabilities. Trend Micro implements a GraphRAG solution to extract entities and relationships from customer conversations using Claude models available through Amazon Bedrock. New user conversations continuously enrich the knowledge graph in Neptune.

“Amazon Bedrock—and particularly Claude—consistently outperformed alternatives for our security use cases,” says Tsai. “AWS demonstrated a clear understanding of our vision and a strong commitment to AI-driven cybersecurity.”

Using AWS, Trend Micro has increased Companion’s answer quality by 20 percent, providing security professionals with more accurate and explainable threat response recommendations. As the system learns from each interaction, suggestions become increasingly personalized to each organization’s environment and practices. Companion promotes consistent, repeatable operations by capturing successful approaches and making them available across teams, helping best practices propagate naturally. Analysts can instantly access relevant prior cases and proven remediation approaches instead of manually gathering information across disparate tools, enhancing their productivity and shifting operations from reactive to proactive. Looking ahead, Trend Micro plans to expand the knowledge graph to cover additional product lines, integrate near real-time updates from internal data sources, and explore multilingual support.

“A robust graph database can be an experience-sharing layer and a long-term memory for organizational knowledge,” says Tsai. “By using Amazon Neptune along with Amazon Bedrock, we can turn vast security data and knowledge gained over the years into actionable insights and democratize security best practices.”