DEV Community

Cover image for Using AI to Add Business Context to Cloud Security
Jon Rose
Jon Rose

Posted on • Originally published at blog.iomergent.com

Using AI to Add Business Context to Cloud Security

When a new alert comes in, the first thing you want to know isn't what the vulnerability is. You want to know whether you should care.

Have we seen this before? Is it reoccurring? Is the affected system internet-exposed? Does it hold sensitive data? Is this production or a developer sandbox?

These context questions used to require manual investigation. Pulling up different views, correlating data, building a picture of what the alert actually means. Now we use AI to do that enrichment automatically.

The MCP Server Approach

Modern CSPM platforms like Orca are adding MCP (Model Context Protocol) servers that let you plug AI and LLMs into your triage workflow. Practical automation that accelerates analysis, not chatbot gimmickry.

When we started using Orca's MCP server, it had three or four tools available. Now there are 27. That expansion matters because more tools means more questions we can answer programmatically.

The setup: alerts auto-process through the MCP server, get enriched with data from multiple sources, and come out the other side with context that would have taken manual investigation to assemble.

What AI Enrichment Provides

For every alert, we want answers to the SOC analyst's standard questions:

Is this new or known? Never seen before, persistent issue, ephemeral (coming and going), or reoccurring on a new asset. Classification changes the urgency and response.

Where else does this appear? Same issue on other systems? Part of a pattern? Isolated incident?

What's the exposure? Internet-facing? Behind network controls? The attack path matters as much as the vulnerability itself.

What data is at risk? Tagged as PII? Marked as crown jewel? Customer data or internal only? Business context determines business impact.

What's the environment? Production, staging, development? The answer changes how fast we need to move.

What's the history? How long has this alert existed? Has the risk score changed over time? Context on evolution helps prioritize.

All of this gets assembled automatically. Instead of investigating from scratch, you get a concise triage summary that tells you what to do next.

The Alert Infrastructure We've Built

Our alerting system tells us:

  • Classification: new, reoccurring, persistent, ephemeral, or closed
  • One-liner summary: what role, what account, when first seen, how long present
  • Alert ID for correlation back to the CSPM
  • Asset details: last used, current state, internet exposure
  • Environment type: production, developer, test
  • Pattern analysis: similar issues across accounts?
  • Historical precedence: have we dealt with this before?
  • Recommended action: escalate now, batch for review, ignore
  • Timeline of alert evolution
  • Current state with direct link

We also track the cost of the AI analysis, tokens used for each enrichment, for transparency on operational costs.

Practical Outcomes

Some alerts get immediately escalated to clients. The enrichment surfaces enough risk signals that we know it needs attention now.

Some alerts wait for regular review cadences. The context shows it's known, being tracked, scheduled for remediation in a few weeks.

Some alerts we recognize as reoccurring patterns. Maybe the scope is expanding (another server with the same misconfiguration), but the team already understands the issue and has a plan.

The goal is spending human attention where it matters. Not investigating every alert from scratch, and not missing critical issues because they're buried in noise. Automated enrichment handles the routine analysis. Humans handle the judgment calls.

The Speed Advantage

Alert triage traditionally has two modes.

Thorough but slow: Pull up the affected asset, check exposure, review data sensitivity tags, look at alert history, understand context. Takes significant time per alert. Doesn't scale.

Fast but shallow: Glance at severity, make a quick call based on limited information. Scales but misses nuance. Critical issues get deprioritized. Minor issues get escalated.

AI enrichment gives you thorough and fast. The investigation that would take a human analyst several minutes happens automatically, delivered ready for decision-making.

This lets us go deeper on more alerts without the time cost. When you're looking at dozens of alerts per day across multiple environments, that acceleration matters.

Technical Considerations

MCP servers have constraints. Limits on how many records get returned, response length caps, query complexity boundaries.

We engineer our prompts and systems around these limitations. Edge cases exist (queries that need to be restructured, results that need pagination), but for standard alert enrichment workflows, the tools work reliably.

We run our own LLM instances in Bedrock rather than relying solely on built-in AI features. This gives us more control over prompts, better integration with our correlation systems, and the ability to connect multiple data sources into a unified view.

Beyond Alert Triage

The same MCP infrastructure supports other workflows:

Asset investigation: Query details about specific resources, understand relationships, trace access paths.

Compliance analysis: Map findings to frameworks, identify gaps, generate compliance-focused views.

Trend analysis: Aggregate data across time periods, identify patterns, spot anomalies.

Reporting: Generate summaries at different levels of detail for different audiences.

The MCP server is essentially an API to the CSPM's underlying data. AI makes that API conversational and contextual. Ask questions and get answers instead of building queries.

The Operator Advantage

This capability is harder to leverage as a casual CSPM user. You need several things.

  • Deep familiarity with what the MCP tools can do
  • Systems to route alerts through enrichment workflows
  • Prompts tuned for consistent, useful output
  • Integration with your operational processes

Running this across many environments, we've built the infrastructure and developed the expertise to make AI enrichment practical. Not theoretical. How we triage alerts every day.

For a team running CSPM as one of many responsibilities, building and maintaining this infrastructure is a significant investment. For us, it's core to how we operate.

The Takeaway

AI in cloud security handles the routine analysis that precedes judgment, not replacing human judgment itself.

Every alert needs context before it becomes actionable. AI can assemble that context automatically, faster and more consistently than manual investigation.

The result: better triage decisions, faster response to real issues, and less time wasted on noise.

If you're manually investigating every alert, or worse, not investigating them at all because there's no time, you're leaving value on the table. The AI enrichment infrastructure we've built isn't something most teams have bandwidth to create and maintain. But you can get the benefit without building it yourself.


Jon Rose runs IOmergent, advising engineering-led companies on security strategy and managed cloud security operations.

Top comments (0)