September 8th, 2025

LimaCharlie’s AI: What It Does

Daniel Ballmer

Sr. Technical Content Strategist


Everyone advertises AI, how does LimaCharlie use it?

If you are not exhausted by the relentless AI hype cycle by now, your resilience is commendable. Our industry is awash in AI marketing that is an inch deep and a mile wide*. Everyone claims to have AI, almost no one will explain how it works.

At LimaCharlie transparency is a core value. You see it in our high-visibility security platform and publicly available pricing structure. We understand that announcing “we have AI” is pointless without explaining why it would matter to you.

This article covers how LimaCharlie currently uses AI in the SecOps Cloud Platform (SCP) and offers concrete examples. It is important to remember the SCP is under continuous development and new capabilities are always being added. For the most current list of our AI features consult our documentation.

  • For readers outside of the US, AI hype is 2.54 centimeters deep and 1.6 kilometers wide.

MCP server: AI’s pathway to security data

LimaCharlie’s Model Context Protocol (MCP) server makes it easy to integrate your favorite AI agents into established security workflows. Once integrated, your AI agents can:

  • Query historical telemetry from any Sensor

  • Investigate incidents in real time using the LimaCharlie Agent (EDR)

  • Take active remediation measures like isolating endpoints or terminating processes, etc.

Connecting AI agents directly to your telemetry, detections, and response workflows opens the door to intelligent automation. Automating security processes such as threat detection and remediation shortens incident response times and frees employees to pursue other tasks. Our MCP server also allows you to maintain full visibility and control over how the AI agents behave in your environment.

AI Agent Engine: AI’s API connection

Our AI Agent Engine extension (part of LimaCharlie Labs) provides another way to integrate AI into security operations. This extension grants AI agents access to LimaCharlie’s APIs. Since the SCP is an API-first platform, API access empowers AI agents to interact with almost everything in the security stack.

The power of this integration becomes more impressive when you consider how it works with LimaCharlie’s native multi-tenancy. While controlling AI agents in one organization is great, the SCP makes it easy to manage AI agents across multiple organizations. This capability can be a game changer for businesses in the security services sector.

How does API-integrated AI work in the environment? Agents can be invoked through automated playbooks, and they receive a JSON dictionary object as their command parameters. This approach is useful for passing AI agents additional context, such as the detection or event that fired a D&R rule. AI agents can be triggered automatically by rules that target events, detections, audit messages or any other rule target. They can also be triggered manually.
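The two integration paths above share the same control points: the agent is handed a JSON dictionary of command parameters (for example, detection context from a rule), it may query telemetry freely, and any active remediation such as isolating an endpoint should stay under your control and leave an audit trail. The following is an added example, not LimaCharlie's MCP server or AI Agent Engine code; it models a hypothetical action broker in Python. Tool names (`query_telemetry`, `isolate_endpoint`, `kill_process`), the required payload fields, the sample telemetry and the rundll32 check are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Callable

# Tool classes (constructed). Read-only tools answer questions about telemetry;
# remediation tools change endpoint state and are gated behind approval.
READ_ONLY = {"query_telemetry"}
REMEDIATION = {"isolate_endpoint", "kill_process"}

# Fields a rule must supply when it invokes the agent (constructed schema).
REQUIRED_FIELDS = {"sensor_id", "detect_name"}


def parse_invocation(raw_json: str) -> dict:
    """Parse and validate the JSON dictionary of command parameters.

    The agent should never act on ambiguous context, so a payload that is not
    an object or lacks required fields is rejected before any tool runs.
    """
    payload = json.loads(raw_json)
    if not isinstance(payload, dict):
        raise ValueError("command parameters must be a JSON object")
    missing = REQUIRED_FIELDS - payload.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return payload


@dataclass
class ActionBroker:
    """Mediates every tool call an agent makes and records it."""
    approver: Callable[[str, dict], bool]        # human-in-the-loop hook
    audit_log: list = field(default_factory=list)
    isolated: set = field(default_factory=set)
    # Constructed in-memory telemetry so the example runs offline.
    telemetry: dict = field(default_factory=lambda: {
        "sensor-01": [
            {"event": "NEW_PROCESS", "pid": 4312,
             "path": "C:\\Windows\\System32\\rundll32.exe",
             "parent": "C:\\Windows\\System32\\svchost.exe"},
        ],
    })

    def call(self, tool: str, params: dict) -> dict:
        if tool in READ_ONLY:
            return self._finish(tool, params, "allowed", self._execute(tool, params))
        if tool in REMEDIATION:
            if not self.approver(tool, params):
                return self._finish(tool, params, "denied", None)
            return self._finish(tool, params, "approved", self._execute(tool, params))
        return self._finish(tool, params, "unknown_tool", None)

    def _finish(self, tool, params, outcome, result) -> dict:
        # Every call, allowed or not, leaves an audit record.
        self.audit_log.append({"tool": tool, "params": params, "outcome": outcome})
        return {"ok": result is not None, "outcome": outcome, "result": result}

    def _execute(self, tool, params):
        if tool == "query_telemetry":
            return self.telemetry.get(params["sensor_id"], [])
        if tool == "isolate_endpoint":
            self.isolated.add(params["sensor_id"])
            return {"isolated": params["sensor_id"]}
        if tool == "kill_process":
            return {"killed": params["pid"]}
        raise AssertionError("unreachable: tool class already checked")


def handle_detection(raw_json: str, broker: ActionBroker) -> dict:
    """Simulated agent logic for a detection-triggered invocation.

    Pulls the sensor's recent events and only asks to isolate the endpoint
    when the detection context is corroborated by telemetry. The rundll32
    path match is a placeholder for whatever corroboration the agent applies.
    """
    ctx = parse_invocation(raw_json)
    events = broker.call("query_telemetry", {"sensor_id": ctx["sensor_id"]})["result"]
    suspicious = [e for e in events if e["path"].lower().endswith("rundll32.exe")]
    if not suspicious:
        return {"isolated": False, "outcome": "no_action", "evidence": 0}
    resp = broker.call("isolate_endpoint",
                       {"sensor_id": ctx["sensor_id"], "reason": ctx["detect_name"]})
    return {"isolated": resp["ok"], "outcome": resp["outcome"], "evidence": len(suspicious)}


# Constructed payload, standing in for what a rule would pass the agent.
SAMPLE_INVOCATION = json.dumps({
    "sensor_id": "sensor-01",
    "detect_name": "suspicious-rundll32-child",
    "detect": {"event": "NEW_PROCESS", "pid": 4312},
})

if __name__ == "__main__":
    # An approver that denies everything: the agent can investigate but not act.
    broker = ActionBroker(approver=lambda tool, params: False)
    print(handle_detection(SAMPLE_INVOCATION, broker))
    for entry in broker.audit_log:
        print(entry)
```

The `approver` callback is where a ticketing prompt, a chat approval or a per-tenant policy would plug in; swapping it is the only change needed to move an agent from investigate-only to investigate-and-respond, and the audit log records both the denied and the approved attempts.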

Community rules: AI conversions

LimaCharlie also features some built-in AI functionality that assists with core security operations. One good example is our use of AI to convert existing third-party rules into syntax that runs natively on LimaCharlie. Our Community Rules feature offers thousands of third-party and open source security rules that users can adopt and implement with the click of a button. Simply find the rule you want and click it; AI translates it into LCQL (LimaCharlie Query Language), and you can then modify and deploy it at will.

Natural Language Threat Hunting

Our AI-specific integrations make it easy to leverage your favorite AI platforms as chat interfaces that directly assist with threat hunting. For example, you can write a markdown file for Claude Code (Anthropic) that sets the specific parameters for conducting investigations in your environment. By authoring structured instructions for Claude you customize the AI for optimal security performance in your organization.

What’s the advantage?

There is an elegant simplicity in typing “retrieve all recent detections in LimaCharlie that are worth investigating” instead of scripting or writing a complex query. This simple sentence can, through configuration, trigger the AI to:

  • Prompt for the current time (to ensure it applies a ‘recent’ timeframe)

  • Check to ensure sensors are online

  • Analyze suspicious detections

  • Search for indicators of compromise (IoCs)

  • Investigate for network beaconing patterns

  • Check for process injections or signs of persistence

  • Generate an investigation summary and provide recommendations

In a few seconds you can type a simple, plain-English sentence to perform SecOps work that traditionally took hours. That’s the power of integrating AI into the SecOps Cloud Platform. See an example of what is possible in this video on integrating Claude Code into the SCP.
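Two of the steps listed above, applying a "recent" timeframe and checking for network beaconing patterns, are the kind of deterministic tool an AI agent calls rather than reasons about. The following is an added example in Python, not code from LimaCharlie or from the Claude Code configuration mentioned above: a hypothetical `beaconing_candidates` tool that restricts connection records to a recent window relative to a supplied current time, then flags destinations contacted at near-periodic intervals. The event field names (`ts`, `dst`, `sensor_id`), the sample timestamps and the IP addresses are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def beaconing_candidates(events, now, window_hours=24, min_connections=6, max_jitter=0.15):
    """Return destinations whose connection intervals are near-periodic.

    Only events within `window_hours` before `now` are considered, which is why
    the caller must supply the current time. `max_jitter` is the largest
    coefficient of variation (stdev / mean of the gaps) still treated as
    periodic; human-driven traffic is bursty and has a far higher CV.
    """
    window = timedelta(hours=window_hours)
    recent = [e for e in events if timedelta(0) <= now - e["ts"] <= window]

    by_dst = defaultdict(list)
    for ev in recent:
        by_dst[ev["dst"]].append(ev["ts"])

    findings = []
    for dst, stamps in by_dst.items():
        if len(stamps) < min_connections:
            continue                      # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                      # all connections share one timestamp
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({"dst": dst, "count": len(stamps),
                             "period_s": round(mean, 1), "jitter": round(cv, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


# Constructed sample data: one sensor's outbound connections.
BASE = datetime(2025, 9, 8, 12, 0, tzinfo=timezone.utc)
NOW = BASE + timedelta(hours=1)          # "current time" the agent would be prompted for


def _ev(offset_s, dst):
    return {"ts": BASE + timedelta(seconds=offset_s), "dst": dst, "sensor_id": "sensor-01"}


SAMPLE_EVENTS = (
    # Periodic check-ins roughly 60 s apart with slight jitter (constructed).
    [_ev(o, "203.0.113.10") for o in (0, 61, 119, 181, 240, 299, 361, 420)]
    # Bursty, human-looking browsing (constructed).
    + [_ev(o, "198.51.100.7") for o in (0, 5, 7, 90, 95, 400, 401, 900)]
    # Too few connections to judge (constructed).
    + [_ev(o, "192.0.2.44") for o in (0, 300, 600)]
    # Perfectly periodic but a week old, so outside the default window (constructed).
    + [_ev(o - 7 * 24 * 3600, "203.0.113.99") for o in (0, 60, 120, 180, 240, 300, 360)]
)

if __name__ == "__main__":
    for finding in beaconing_candidates(SAMPLE_EVENTS, NOW):
        print(finding)
```

Widening `window_hours` to cover the older series surfaces a second, zero-jitter candidate, which illustrates why the "recent" step matters: the same heuristic over an unbounded history returns stale hits the analyst already handled.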

Only limited by imagination

Like all things LimaCharlie, the capabilities of AI agents are limited only by your imagination. They can perform extensive tasks across environments according to your specific instructions. Or, if you prefer simpler automation, they can handle a few repetitive tasks that free up team bandwidth. Bottom line: you stay in control of the AI in your security stack.

If you’re looking for an AI approach that’s hands-on, transparent, and actually useful, we’d love to show you more.

You can: