AI and LLM Capabilities
Cyberhaven’s AI and LLM capabilities help organizations improve their incident management workflows. Our AI seamlessly integrates with user-defined policies to autonomously analyze data flows, detect anomalies, and generate incidents. The LLM complements this process by generating natural language summaries, enabling security teams to quickly understand and respond to incidents.
Linea AI Overview
Linea AI is an autonomous agent built on our data lineage platform, designed to transform incident management workflows. By prioritizing, analyzing, and summarizing incidents, Linea AI ensures critical risks are promptly detected. While traditional incident management relies on user-defined policies to generate incidents, gaps in these policies often leave significant risks undetected. Linea AI bridges this gap by autonomously detecting anomalous data flows, even without predefined policies or datasets, delivering a proactive and adaptive layer of security.
NOTE
Linea AI is an optional add-on feature and requires a separate license. Contact your Cyberhaven Sales Representative for licensing and purchase details.
Features
Incident Detection and Alerts: Linea detects anomalies in the data flow based on historical events and creates incidents, even when no predefined policies or data classifications are in place. For example, it can flag risky user actions or data transfers that were not previously covered by existing policies, providing proactive protection.
Incident Prioritization: Linea assesses incidents by evaluating the data flow and determining the severity level. For example, a user uploading their personal tax form to a personal email account is classified as low risk, while attaching sensitive documents like source code is identified as high risk. This prioritization surfaces the most critical incidents that require immediate investigation while deprioritizing low or informational risks.
Analyzing and Summarizing Incidents: Linea provides a detailed summary of each incident, including its root cause. The summary contains key information such as the user action that triggered the incident, the location, the type of content (based on Linea's assessment of its security risk), and the destination of the data. This rich context accelerates the investigation process by giving analysts a clear understanding of the incident at a glance.
Benefits
Proactively Mitigate Risks: Detect and address risks that would otherwise go unnoticed.
Identify Critical Incidents: AI-driven risk assessment enables analysts to prioritize the most impactful incidents for faster response.
Reduce Incident Resolution Time: Summarized incidents provide clear root cause analysis, empowering teams to resolve issues more efficiently.
How Linea AI Works
Linea AI utilizes machine learning to analyze historical events generated by the platform and applies this knowledge to detect deviations from normal data flows.
At the core of Linea AI is our proprietary Large Lineage Model (LLiM), designed to detect anomalous incidents. These anomalies are analyzed by an LLM which evaluates the semantics of data flows and compares them against historical patterns to identify deviations. Linea AI is deployed privately within each customer’s secure GCP environment. This architecture ensures strict data separation, as the LLM only has access to historical events from the specific customer.
Example: Identifying Deviations in Data Flows
To understand how Linea AI works, consider the following scenarios showing a normal flow and a deviated flow.
Normal Flow
1. Jane, the CFO, creates a sensitive file named 2024_executive_equity_awards in a corporate Google Sheets document.
2. John, the Corporate Accountant, downloads the sheet as an XLS file.
3. John then attaches the file to an email and sends it from his corporate email account to the HR team.
In this scenario, LLiM assesses the flow and determines a high probability for such actions to occur within a corporate environment. Sharing sensitive files internally using sanctioned tools like corporate email aligns with historical patterns.
Result: No incident is created.
Deviated Flow
1. Jane, the CFO, creates a sensitive file named 2024_executive_equity_awards in a corporate Google Sheets document.
2. John, the Corporate Accountant, downloads the sheet as an XLS file.
3. John then attaches the file to an email and sends it from his corporate email account to the HR team.
4. John later opens the sheet, copies text from it, and pastes it into a Telegram chat window.
Here, LLiM detects a very low probability for sensitive data to be shared through an unsanctioned channel like Telegram. LLiM forwards the event to the underlying LLM for further analysis to assess whether the action has a Critical or High severity. If no existing policy is in place to flag such behavior, Linea AI autonomously creates an incident to alert the security team.
Result: Linea AI creates an incident.
By continuously analyzing metadata such as file names, locations, user roles, and historical events, LLiM identifies both expected and anomalous behaviors, ensuring that deviations are promptly flagged even in the absence of predefined policies.
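To make the decision flow concrete, the sketch below models the deviated flow as a list of events scored by a stand-in for LLiM and, when a step's probability is anomalously low, passed to a stand-in for the LLM severity check. The event fields, function names, and threshold are hypothetical illustrations, not Cyberhaven's actual implementation.

```python
# Hypothetical sketch of the two-stage check described above. The event fields,
# scoring functions, and threshold are illustrative assumptions, not Cyberhaven's API.

ANOMALY_THRESHOLD = 0.05  # assumed cut-off for a "very low probability" step

flow_events = [
    {"user": "Jane (CFO)", "action": "create", "destination": "corporate Google Sheets"},
    {"user": "John (Accountant)", "action": "download", "destination": "corporate laptop"},
    {"user": "John (Accountant)", "action": "email", "destination": "corporate email (HR)"},
    {"user": "John (Accountant)", "action": "paste", "destination": "Telegram"},
]

def lineage_probability(event: dict) -> float:
    """Stand-in for LLiM: how likely this step is given historical data flows."""
    sanctioned = {"corporate Google Sheets", "corporate laptop", "corporate email (HR)"}
    return 0.9 if event["destination"] in sanctioned else 0.01

def llm_severity(event: dict) -> str:
    """Stand-in for the LLM's severity assessment of an anomalous step."""
    return "High"  # e.g. executive equity data pasted into an unsanctioned chat app

for event in flow_events:
    if lineage_probability(event) < ANOMALY_THRESHOLD:
        severity = llm_severity(event)
        if severity in ("Critical", "High"):
            print(f"Incident: {event['action']} to {event['destination']} ({severity})")
```

In this sketch only the Telegram paste falls below the threshold, mirroring the deviated flow above.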
Architecture
The architecture diagram below illustrates how Linea AI operates by utilizing LLiM and an underlying LLM. LLiM functions independently and concurrently with the existing policy engine to detect anomalous events. When an anomalous event is detected, LLiM forwards the event to the underlying LLM for analysis. The LLM compares the event against historical data and determines whether the event has a Critical or High severity. If it meets the severity threshold, the LLM generates an incident along with a natural language summary.
For incidents generated by user-defined policies, the policy engine similarly forwards the event to the LLM for analysis. The LLM evaluates the event against historical data to determine the AI-assessed risk and generates a natural language summary for these incidents as well.
Linea AI is fully self-contained, operating securely within each customer’s GCP environment to ensure strict data isolation. Customer data is never used to train external models or models for other customers, and the LLM adheres to a strict zero-data-retention policy.
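As a rough sketch of the routing described above, both detection paths converge on the LLM, which attaches an AI-assessed risk and a natural language summary; only anomalies rated Critical or High become Linea AI incidents. The function names and event structure below are assumptions for illustration, not the product's internal interfaces.

```python
# Illustrative routing only; function names and event structure are assumptions.

def assess_risk(event: dict) -> str:
    """Placeholder for the LLM's comparison of the event against historical data."""
    return "High" if event.get("destination") == "Telegram" else "Low"

def summarize(event: dict) -> str:
    """Placeholder for the LLM's natural language summary."""
    return f"{event.get('user')} moved data to {event.get('destination')}."

def route_event(event: dict, policy_match: bool, llim_anomaly: bool) -> list[dict]:
    incidents = []
    if policy_match:
        # Policy path: the incident exists regardless; the LLM adds risk and a summary.
        incidents.append({"created_by": "Policy",
                          "ai_risk": assess_risk(event),
                          "summary": summarize(event)})
    if llim_anomaly:
        # LLiM path: an incident is created only when the LLM rates it Critical or High.
        risk = assess_risk(event)
        if risk in ("Critical", "High"):
            incidents.append({"created_by": "Linea AI",
                              "ai_risk": risk,
                              "summary": summarize(event)})
    return incidents
```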
Linea AI Configuration
The Linea AI Configuration page under Preferences allows you to define rules to exclude specific sources and destinations from Linea AI's analysis. When these rules are applied, any matching events will be excluded from Linea AI's processing.
To define a rule, navigate to Preferences > Linea AI Configuration and select a source or destination to exclude. Then, click Save.
NOTE
Lists are currently not supported by Linea and are not excluded from Linea AI’s analysis.
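Conceptually, an exclusion rule acts as a pre-filter: events whose source or destination matches a rule are dropped before Linea AI processes them. The sketch below is a hypothetical illustration of that behavior; the rule structure, field names, and example values are assumptions, not the product's configuration format.

```python
# Hypothetical pre-filter illustrating exclusion rules; not the actual config schema.

exclusion_rules = [
    {"type": "destination", "value": "corporate backup service"},  # assumed example
    {"type": "source", "value": "public marketing site"},          # assumed example
]

def is_excluded(event: dict) -> bool:
    """Return True if the event matches any exclusion rule."""
    return any(event.get(rule["type"]) == rule["value"] for rule in exclusion_rules)

def events_for_linea(events: list[dict]) -> list[dict]:
    """Only events that match no exclusion rule are analyzed by Linea AI."""
    return [event for event in events if not is_excluded(event)]
```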
Change Log
Updated on 03/05/2025: Added a note.
Incident Management with Linea AI
Linea AI streamlines incident management by:
Generating clear and concise natural language summaries for each incident.
Automatically creating incidents for actions analyzed as Critical or High severity.
Assigning a risk level to every incident, ensuring that the most critical issues are prioritized for immediate attention.
Incident Summary
The natural language summaries generated for each incident provide concise and actionable insights. These summaries empower security analysts to quickly understand the context and severity of potential risks, enabling faster and more effective response actions.
Summary
On the Incidents page, expand an incident to view the AI-generated summary. The summary highlights critical information such as what occurred, who was involved, and why the action triggered a policy or anomaly detection.
To view a detailed description of the incident, click on Show Details. The detailed view provides information such as the source and destination locations, file metadata (including its name and format), the type of information contained within the file, and an assessment of the potential security risks if the file is mishandled.
NOTE
Linea AI does not reveal the actual content within the files.
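To illustrate the kind of fields the detailed view surfaces (metadata and assessments only, never the file's content), here is a hypothetical incident record; the field names and values are assumptions for illustration.

```python
# Hypothetical shape of a detailed incident summary; field names are illustrative.
# Only metadata is shown; the file's actual content is never exposed.

incident_detail = {
    "summary": "John pasted data from an equity spreadsheet into Telegram.",
    "source_location": "corporate Google Sheets",
    "destination_location": "Telegram",
    "file_metadata": {"name": "2024_executive_equity_awards", "format": "XLS"},
    "content_type": "executive compensation data (AI-assessed)",
    "potential_risk": "Disclosure of sensitive financial data outside sanctioned channels",
    "ai_assessed_risk": "High",
}
```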
Escalation suggestions
The AI-generated summary also recommends appropriate escalation paths as follow-up actions:
Ask the user to explain the incident: Notify the user and request a justification for their action.
Ask the user’s manager to review the incident: Send a message to the user’s manager for review and decision-making.
Notify HR about the incident: Send a message to the HR department for review and appropriate next steps.
AI Assessed Risk
The underlying LLM evaluates events based on the dataset sensitivity, policy severity, and the historical data flows associated with the event to calculate risk levels. Based on this assessment, Linea AI assigns a risk level to each incident. Analysts can filter the incident list by risk level, allowing critical AI-assessed risks to be surfaced and prioritized.
For example, an incident involving copy-pasting source code to an external GitHub domain would receive a higher risk level compared to internal data movement.
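As a hedged sketch of how those inputs might combine, the function below rolls dataset sensitivity, policy severity, and flow deviation into a single risk level. The weighting, thresholds, and function name are purely illustrative assumptions, not Cyberhaven's scoring model.

```python
# Purely illustrative risk roll-up; the inputs mirror the ones named above,
# but the scoring logic and thresholds are assumptions.

def ai_assessed_risk(dataset_sensitivity: str, policy_severity: str,
                     flow_is_anomalous: bool) -> str:
    """Combine dataset sensitivity, policy severity, and historical-flow deviation."""
    levels = {"low": 1, "medium": 2, "high": 3}
    score = levels[dataset_sensitivity] + levels[policy_severity]
    if flow_is_anomalous:
        score += 2  # deviation from historical data flows raises the risk
    if score >= 7:
        return "Critical"
    if score >= 5:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

# Copy-pasting source code to an external GitHub domain vs. routine internal movement:
print(ai_assessed_risk("high", "high", flow_is_anomalous=True))     # Critical
print(ai_assessed_risk("medium", "low", flow_is_anomalous=False))   # Medium
```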
Created by
This column indicates the source of the incident, showing whether the incident was created by a user-defined policy, Linea AI, or a combination of the two.
Policy: The incident was generated by a user-defined policy that matched the data flow.
Linea AI: The incident was created autonomously by Linea AI, which identified a data flow that did not match any existing policy and assessed the risk level as Critical or High. For incidents generated by Linea AI, a source and destination category are selected from a predefined template and displayed as the dataset and policy associated with the incident.
AI+Policy: The incident was created by a monitoring policy that was set to “Let Linea Decide,” which allows Linea AI to create an incident if the event matching that policy was assessed as having a Critical or High AI Risk Assessment.
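The mapping between how an incident originates and its Created by value can be sketched as follows; the function and parameter names are hypothetical, and the “Let Linea Decide” behavior is described in the next section.

```python
# Illustrative sketch of the "Created by" values; names and structure are assumptions.
from typing import Optional

def created_by(policy_match: bool, let_linea_decide: bool, ai_risk: str) -> Optional[str]:
    """Return the incident origin label, or None when no incident is created."""
    high_risk = ai_risk in ("Critical", "High")
    if policy_match and let_linea_decide:
        # Monitoring policy set to "Let Linea Decide": incident only on high AI risk.
        return "AI+Policy" if high_risk else None
    if policy_match:
        return "Policy"
    # No matching policy: Linea AI creates the incident autonomously on high risk.
    return "Linea AI" if high_risk else None
```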
Linea AI in Policies
By default, monitoring policies are configured to allow Linea AI to determine incident creation. When an event matches such a policy, Linea AI evaluates the risk level. If the risk is assessed as Critical or High, an incident is automatically generated.