Tier 1 — triage and summarisation
LLMs excel at reading five log lines, a sandbox report, and a threat feed, then explaining in plain English what happened and what to do. This genuinely scales junior analysts into mid-tier ones.
Tier 2 — phishing and pattern detection
Fine-tuned transformers reliably catch novel phishing templates that signature filters miss. Detection rates of 95%+ are achievable within a low false-positive budget, and the two numbers must be quoted together: phishing is a small fraction of mail, so at that base rate it is the false-positive rate, not the catch rate, that decides whether analysts drown in alerts.
Tier 3 — policy and report drafting
AI drafts compliance evidence, incident reports, and remediation tickets better and faster than most humans. Humans still sign off, but the cycle time collapses.
Where it's still marketing
Autonomous response, fully automated threat hunting, and 'agentic' security operations. All impressive demos, none ready for unsupervised production use on critical systems in 2026.
Privacy trade-offs
Every prompt sent to a hosted LLM is a data exposure decision. Good products redact PII and secrets before sending, keep the redaction map on the client side so the model only ever sees placeholders, pin to endpoints with a contractual zero-retention guarantee, and never forward customer documents unless explicitly requested.
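As an added example (not code from the original page or from Citadel Frame), one way to implement the redact-before-sending step: PII and credential patterns are swapped for stable placeholders so the model can still say "the same source address failed twice", the placeholder map stays on the client for restoring the model's answer, and a gate refuses to send anything that still matches. The regexes, the function names and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Order matters: more specific patterns run first so a token is replaced whole
# rather than having a dotted number inside it turned into an IP placeholder.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("BEARER", re.compile(r"(?i)bearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


@dataclass
class Redactor:
    """Replaces PII/secrets with numbered placeholders; the map never leaves the client."""
    _forward: dict = field(default_factory=dict)   # (kind, value) -> placeholder
    _reverse: dict = field(default_factory=dict)   # placeholder -> value

    def _placeholder(self, kind: str, value: str) -> str:
        # Same value always gets the same placeholder, so correlations survive redaction.
        key = (kind, value)
        if key not in self._forward:
            n = sum(1 for k in self._forward if k[0] == kind) + 1
            ph = f"<{kind}_{n}>"
            self._forward[key] = ph
            self._reverse[ph] = value
        return self._forward[key]

    def redact(self, text: str) -> str:
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        # Applied locally to the model's reply so the analyst sees real identifiers.
        for ph, value in self._reverse.items():
            text = text.replace(ph, value)
        return text


def residual_findings(text: str) -> list:
    """Pre-send gate: any remaining match means the redaction missed something."""
    return [kind for kind, pat in PATTERNS if pat.search(text)]


def build_prompt(log_lines, redactor: Redactor) -> str:
    """Redact every line, verify nothing sensitive is left, then assemble the prompt."""
    body = "\n".join(redactor.redact(line) for line in log_lines)
    leftovers = residual_findings(body)
    if leftovers:
        raise ValueError(f"refusing to send: unredacted {leftovers}")
    return "Summarise these events in plain English:\n" + body


# Constructed sample log lines; the key is AWS's documented example access key ID.
SAMPLE_LOGS = [
    "2024-05-03T10:14:02Z auth: login failed user=alice@example.com src=203.0.113.45",
    "2024-05-03T10:14:09Z auth: login failed user=alice@example.com src=203.0.113.45",
    "2024-05-03T10:15:30Z api: GET /v1/export Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig from 198.51.100.7",
    "2024-05-03T10:16:01Z s3: PutObject by AKIAIOSFODNN7EXAMPLE to bucket customer-exports",
]


if __name__ == "__main__":
    r = Redactor()
    print(build_prompt(SAMPLE_LOGS, r))
    # A hypothetical model reply, mapped back to real values only on the client.
    print(r.restore("<IPV4_1> failed twice as <EMAIL_1>; <AWS_KEY_1> wrote to customer-exports."))
```

The pattern list is deliberately short; a production redactor would add names, phone numbers and any tenant-specific identifiers, and the gate should be tuned to fail closed, because a leaked credential in a prompt is logged on the provider's side whether or not the endpoint retains it for training.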
How Citadel Frame uses AI
GPT-4o summarises scan findings with zero OpenAI data retention. Every prompt is scoped to your licence and tier, personally identifying data is stripped before it leaves your environment, and the user can opt out per scan.