May 4th, 2026

Detection, endpoint isolation, and ticketing with one AI prompt

Daniel Ballmer

Sr. Technical Content Strategist


Most current demonstrations of AI in security operations are lackluster. You ask a chat interface a question, get a summary, and maybe a suggested next step. The operator still does all the work, at human speed.

Meanwhile, adversaries are already deploying AI offensively against their targets. AI in SecOps must ultimately be an operator. Otherwise, the gap between adversary and defender will become too wide to bridge.

LimaCharlie co-founder Christopher Luft demonstrates a simple way to get started:

The demo begins with a default tenant installed on LimaCharlie and a single plain-language prompt. By the time the prompt finishes, a detection rule is live and a response action is configured to isolate affected endpoints.

Christopher then runs a curl command on his Mac laptop against a malicious URL that matches the rule's pattern. The endpoint is immediately isolated. The AI agent logs the incident automatically and attaches the detection telemetry.

What the prompt does

This scenario is grounded in a real attack pattern: a paste-and-run technique that Christopher covered previously on his podcast. Christopher simply prompted the AI to write a detection rule targeting a specific URL pattern and specified how the detection should be handled.

On detection, the rule triggers a security pop-up on the endpoint and isolates it from the network while preserving the LimaCharlie connection for incident response. It then creates a ticket with the relevant detection telemetry in LimaCharlie's case management system.

Each of the three outputs (the D&R rule, the isolation response, and the case ticket) is something a detection engineer would normally produce manually. Here they are completed by a single prompt.
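To make the first two outputs concrete, here is the shape of a LimaCharlie D&R rule that does what the post describes: match a curl process whose command line contains a given URL pattern, record a detection with the process telemetry, and isolate the endpoint. This is an added illustration written for this post, not the rule from the video or from the lc-ai repo. The URL value is a placeholder because the post does not give the real pattern, and the security pop-up and case-ticket steps are left out because the post does not name the actions that implement them.

```yaml
# Added illustration of the rule shape, not the rule generated in the demo.
# The URL value below is a placeholder; substitute the pattern you actually
# want to detect.
detect:
  event: NEW_PROCESS
  op: and
  rules:
    # The demo ran curl on a Mac laptop, so key on the curl binary itself.
    - op: ends with
      path: event/FILE_PATH
      value: /curl
      case sensitive: false
    # Placeholder for the specific URL pattern the prompt targeted.
    - op: contains
      path: event/COMMAND_LINE
      value: PLACEHOLDER-MALICIOUS-HOST.example
      case sensitive: false
respond:
  # Emit a detection carrying the matching process event as telemetry.
  - action: report
    name: paste-and-run-curl
  # Cut the endpoint off the network; the sensor's own channel to
  # LimaCharlie stays up so responders can still reach the host.
  - action: isolate network
```

Before enabling a rule like this, read it the way you would read a hand-written one: confirm the `detect` block matches only the process and URL you intend (a quick check is a curl to a non-matching URL, which should not fire), and confirm the `respond` block is limited to the actions you are prepared to have run automatically, since `isolate network` takes effect on the first match.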

This example shows the power of plain language SecOps, executed by an AI agent with access to LimaCharlie’s platform skills. It's AI operating in security as people imagine it should, available today.

Why the architecture makes this possible

LimaCharlie’s API-first platform makes security resources equally available to AI agents and analysts. When the AI writes a detection rule and deploys a response action, both go into LimaCharlie's standard D&R rule framework. There is no separate AI-only layer.

Analysts can inspect AI-generated rules before anything runs. They look exactly like a rule a detection engineer would write by hand.

The case ticket the AI created serves as more than a log entry. It acts as a state machine for agentic processes, meaning subsequent AI actions can read and update the case as the investigation continues. In this way it serves as a coordination surface, not just a record.

Try it yourself

The tenant in the video has two configurations beyond defaults: a Claude Code subscription connected through LimaCharlie's AI terminal, and an EDR sensor on a Mac endpoint. The free tier covers the core functionality needed to integrate both. Get started for free, no credit card required.

Integrating Claude Code with LimaCharlie takes about ten minutes. The process is documented in a blog post.

See supporting code in our lc-ai GitHub repo.

Sign up now at https://app.limacharlie.io/signup.
