How Anthropic's Security Team Uses Claude
Security teams drown in alerts, jumping between tools and query languages for every investigation. Jackie Bow, Technical Lead on Anthropic's Detection Platform Engineering team, shares how her team uses Claude to unify security signals and speed up threat investigation.
This lesson is original educational writing based on this video by Anthropic (published May 12, 2026). All credit for the original content goes to the creators.
1. The alert fatigue crisis in modern security operations
Security Operations Center (SOC) analysts face a problem that only gets worse over time: the sheer volume of alerts generated by modern enterprise environments has far outpaced the human capacity to investigate them. A typical enterprise SOC receives tens of thousands of alerts per day, and analysts on busy teams can be looking at hundreds of individual notifications during a single shift. The vast majority of these are false positives — benign activity that pattern-matched a detection rule — but finding the real threats buried in that noise requires opening and dismissing each one.
The cognitive cost of this work is enormous. Each alert is not just a notification; it is the beginning of an investigation that may span multiple data sources, multiple time windows, and multiple systems. An analyst investigating a suspicious login event might need to cross-reference endpoint telemetry, check network flow records, query identity provider logs, and pull cloud API call history. These data sources each live in different tools, and each tool speaks a different query language. Azure Sentinel uses KQL (Kusto Query Language). Splunk uses SPL (Splunk Processing Language). Many data warehouses use SQL variants. Security-specific tools have their own proprietary syntaxes. An experienced SOC analyst is effectively a polyglot programmer, holding multiple query dialects in their head and switching between them fluidly as they pivot through an investigation.
This context-switching overhead is invisible in staffing models but deeply real in practice. Every time an analyst has to stop, recall the correct KQL syntax for a time-range filter, write the query, wait for results, then switch to Splunk and reconstruct the same time window in SPL, they are burning time that should be going toward judgment and analysis. Jackie Bow, Technical Lead on Anthropic’s Detection Platform Engineering team, recognized this as a structural problem, not a training problem — and began exploring how Claude could address it at the workflow level rather than the individual skill level.
2. How Claude unifies security signals
The core insight behind using Claude for security work is that natural language is itself a query language — one that analysts already know fluently. Instead of requiring an analyst to recall the exact SPL syntax for correlating two event types across a time window, Claude can accept a description of what the analyst is looking for and translate it into the appropriate query for whatever system holds that data.
This is more transformative than it might sound at first. Query language proficiency has historically been a hard prerequisite for effective security investigation. Junior analysts were often blocked from running their own data queries, making them dependent on senior staff or data engineers to pull the information they needed. With Claude, the query-writing step collapses into a conversation: “Show me all authentication events for this user in the last 48 hours, but exclude normal business-hours logins from their registered workstation.” Claude produces the query, and the analyst focuses on reading the results rather than constructing the question.
Beyond individual query translation, Claude can help with cross-source correlation — one of the hardest parts of threat investigation. When an analyst suspects lateral movement, they need to stitch together evidence from endpoint detection (did any new processes spawn on that host?), network telemetry (did that host connect to unusual destinations?), identity logs (were any privileged accounts accessed?), and potentially cloud audit logs (were any resources accessed or permissions changed?). Each of those data sources lives in a different system. Doing this manually means opening four or five separate tools, writing queries in each, and then synthesizing the results in a spreadsheet or in memory. Claude can assist in planning the investigation sequence, writing the queries for each system, and then helping interpret what the combined picture means.
3. Mean Time to Detect: the metric that defines security outcomes
In security operations, the metric that matters most is Mean Time to Detect (MTTD) — the average time between when a threat actor begins their activity and when your security team becomes aware of it. This is the window during which attackers can move laterally, escalate privileges, exfiltrate data, or establish persistence. A shorter MTTD means a smaller blast radius for any breach. Compressing MTTD is the central goal of almost every investment a security organization makes, from better detection rules to more staff to better tooling.
The reason AI assistance so directly affects MTTD is that most of the time in a threat investigation is spent on mechanics rather than judgment. Writing queries, waiting for results, reformatting data for comparison, re-running queries with corrected syntax — these are mechanical steps that take time but do not require deep security expertise. The genuine expert judgment — “does this pattern represent actual attacker behavior or is it a misconfigured scanner?” — is a relatively small portion of the total investigation time. By handling the mechanical steps, Claude allows analysts to spend more of their time on the judgment portions, which directly compresses investigation time.
There is also a compound effect on alert throughput. When each individual investigation takes less time, analysts can work through more alerts per hour. This raises the percentage of alerts that get meaningful human attention, which reduces the risk that a real threat gets dismissed because the analyst’s queue was too long. Security teams using AI assistance report being able to investigate two to four times as many alerts per shift, fundamentally changing the economics of their operations.
4. Prompting patterns for security work
Using Claude effectively for security investigation requires more intentionality than a general-purpose chat conversation. Security environments are highly specific: your network topology, naming conventions, data sources, and threat model are unique. Claude’s outputs are only as good as the context you provide.
The most effective pattern is a rich system prompt that describes your environment before any investigation begins. This should include what SIEM tools you use, what your host naming conventions look like, what identity provider you use, what cloud platforms you operate on, and any relevant compliance or regulatory context. With this grounding, you can ask investigation questions in natural language and get responses that are calibrated to your actual environment rather than generic security advice.
For threat investigation specifically, the most useful prompting patterns involve asking Claude to explain what it is seeing, not just to query for it. Instead of “write me a query to find lateral movement”, try “I’m seeing an account authenticate to 14 different hosts in a 20-minute window. Help me understand what legitimate and malicious explanations exist for this pattern, then write the queries I’d need to distinguish between them.” This forces Claude to surface its reasoning, which you can then interrogate. You can also have Claude draft detection rules — Sigma rules, KQL detections, or SPL alerts — for patterns you have identified manually, so that the next occurrence is caught automatically.
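As an added example, not code from the video or from Anthropic's team, here is what the "14 hosts in a 20-minute window" pattern from this section looks like once it is turned into a detection rule you own rather than a one-off question. It also covers the identity-log leg of the lateral-movement investigation described in section 2. The detector slides a 20-minute window over each user's logon events, counts distinct hosts, and separates accounts with an expected fan-out (a scanner or backup service account) from the ones that need a human look. The events, the user names, the `ws-NNN` host names and the `KNOWN_FANOUT_ACCOUNTS` allowlist are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Accounts expected to authenticate to many hosts (backup agents, vulnerability
# scanners). Assumed allowlist for this example; a real one comes from your CMDB.
KNOWN_FANOUT_ACCOUNTS = frozenset({"svc-scanner"})


def _burst(user, n_hosts, start, step_seconds):
    """Constructed helper: n_hosts logons by one user, one per step_seconds, each to a distinct host."""
    t0 = datetime.fromisoformat(start)
    return [
        ((t0 + timedelta(seconds=i * step_seconds)).isoformat(), user, f"ws-{i:03d}")
        for i in range(n_hosts)
    ]


# Constructed sample identity-log events as (timestamp, user, host) tuples; not real telemetry.
SAMPLE_AUTH_EVENTS = (
    _burst("jdoe", 15, "2026-05-12T02:10:00", 60)           # 15 hosts in 14 min, off-hours: suspicious
    + _burst("svc-scanner", 30, "2026-05-12T03:00:00", 30)  # 30 hosts in 15 min, but an allowlisted scanner
    + _burst("asmith", 3, "2026-05-12T09:00:00", 600)       # 3 hosts in 20 min: ordinary
    + _burst("bjones", 15, "2026-05-12T08:00:00", 600)      # 15 hosts over 140 min: never 14 in one window
)


def find_host_fanout(events, window_minutes=20, threshold=14, allowlist=frozenset()):
    """Sliding-window detector: for each user, the largest number of distinct hosts
    authenticated to within any window_minutes span. Users at or above threshold are
    returned, tagged with whether that fan-out is expected for the account."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((datetime.fromisoformat(ts), host))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        in_window = Counter()  # host -> number of events currently inside the window
        start = 0
        best_count, best_start, best_end = 0, None, None
        for t_end, host in evs:
            in_window[host] += 1
            # Slide the left edge forward until the window is at most window_minutes wide.
            while t_end - evs[start][0] > window:
                old_host = evs[start][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                start += 1
            if len(in_window) > best_count:
                best_count, best_start, best_end = len(in_window), evs[start][0], t_end
        if best_count >= threshold:
            findings[user] = {
                "distinct_hosts": best_count,
                "window_start": best_start.isoformat(),
                "window_end": best_end.isoformat(),
                "expected_fanout": user in allowlist,
            }
    return findings


def run_detection():
    """Run the detector over the constructed sample and split the findings into the two
    explanations the analyst asked Claude to distinguish: expected service-account
    fan-out versus activity that needs investigation."""
    findings = find_host_fanout(SAMPLE_AUTH_EVENTS, allowlist=KNOWN_FANOUT_ACCOUNTS)
    return {
        "investigate": {u: f for u, f in findings.items() if not f["expected_fanout"]},
        "expected": {u: f for u, f in findings.items() if f["expected_fanout"]},
    }


if __name__ == "__main__":
    for bucket, users in run_detection().items():
        for user, f in users.items():
            print(f"[{bucket}] {user}: {f['distinct_hosts']} hosts between "
                  f"{f['window_start']} and {f['window_end']}")
```

The allowlist is deliberately a separate input rather than a lower threshold: a scanner that is expected to touch thirty hosts is still worth recording, it just should not page anyone. Tuning the threshold down (say to 3) shows how quickly the ordinary users fall into the net, which is the trade-off any rule of this shape has to be calibrated against in your own telemetry.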
Check your understanding
1. What does MTTD stand for, and why does it matter in security operations?
2. Which of the following best describes why query language fragmentation is a problem for SOC analysts?
3. What is the most important thing to include in a system prompt for security-focused Claude workflows?
4. Beyond writing queries, how else can Claude assist security teams in making investigations more durable?
Build it yourself
Follow these exact steps to reproduce it yourself · estimated time: ~30 minutes
Prerequisites
- An Anthropic API key (get one at console.anthropic.com)
- Python 3.9+ installed
- The `anthropic` Python package: pip install anthropic
Step 1 — Set up your environment
pip install anthropic
export ANTHROPIC_API_KEY="your-key-here"
Step 2 — Write the alert triage system prompt
Create a file called triage_assistant.py. The system prompt is the most important part — it defines the assistant’s security expertise and your environment:
import anthropic
import json

client = anthropic.Anthropic()

SECURITY_SYSTEM_PROMPT = """You are a senior security analyst assistant for a cloud-native enterprise.

Environment context:
- SIEM: Microsoft Sentinel (KQL) and Splunk (SPL)
- Identity: Azure Active Directory
- Cloud: AWS and Azure
- Endpoint: CrowdStrike Falcon
- Network: Palo Alto firewalls

When triaging an alert, you must:
1. Classify severity: CRITICAL, HIGH, MEDIUM, LOW, or FALSE_POSITIVE
2. State your confidence (0-100%)
3. Identify the most likely explanation (benign or malicious)
4. List 2-3 immediate investigation steps the analyst should take
5. Suggest one KQL or SPL query to gather more context

Respond in JSON format with keys: severity, confidence, explanation, next_steps, query.
"""
Step 3 — Build the triage function
def triage_alert(alert_description: str) -> dict:
    """
    Takes a plain-language alert description and returns structured triage output.
    """
    message = client.messages.create(
        model="claude-opus-4-5",
        max_tokens=1024,
        system=SECURITY_SYSTEM_PROMPT,
        messages=[
            {
                "role": "user",
                "content": f"Please triage this security alert:\n\n{alert_description}"
            }
        ]
    )
    response_text = message.content[0].text.strip()
    # The model sometimes wraps the JSON in a markdown code fence; strip it before parsing.
    if response_text.startswith("```"):
        response_text = response_text.split("\n", 1)[1] if "\n" in response_text else ""
        response_text = response_text.rsplit("```", 1)[0]
    try:
        return json.loads(response_text)
    except json.JSONDecodeError:
        # Fall back to the raw text so the analyst still sees what the model said.
        return {"raw_response": response_text}
Step 4 — Test with sample alerts
sample_alerts = [
    """Alert: Multiple failed login attempts
User: jsmith@company.com
Source IPs: 45.33.32.156, 45.33.32.157, 45.33.32.158
Attempts: 47 failed logins in 3 minutes
Time: 2:14 AM local time
Geolocation: Romania (user is based in Chicago)""",
    """Alert: Unusual process execution
Host: WIN-PROD-042
Process: powershell.exe -enc <base64 string>
Parent process: winword.exe
User: finance_user_3
Time: 10:30 AM""",
]

for alert in sample_alerts:
    print("=" * 60)
    print("ALERT:", alert[:80], "...")
    result = triage_alert(alert)
    print("SEVERITY:", result.get("severity", "unknown"))
    print("CONFIDENCE:", result.get("confidence", "unknown"))
    print("EXPLANATION:", result.get("explanation", "unknown"))
    print("NEXT STEPS:")
    for step in result.get("next_steps", []):
        print(" -", step)
    print("SUGGESTED QUERY:")
    print(result.get("query", "none"))
Step 5 — Run it
python triage_assistant.py
Expected output: Each alert gets a structured triage result with severity, confidence score, explanation, immediate next steps, and a ready-to-run query for your SIEM. From here you can pipe alerts in from your actual SIEM API, add a webhook endpoint to receive alerts automatically, or integrate this into a Slack bot that your team uses for alert review.
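Before any of those integrations (SIEM feed, webhook, Slack bot) is allowed to act on the model's answer, the answer has to be checked against the contract the system prompt asked for. The following is an added example, not part of the tutorial's `triage_assistant.py`: it parses a response that may or may not be wrapped in a markdown fence, validates that `severity` is one of the five labels, that `confidence` is a number in 0 to 100 (whether it arrives as `85`, `"85"` or `"85%"`), that `next_steps` is a non-empty list and `query` is non-empty, and then routes the result. The routing policy, the function names and both sample responses are constructed for this example; the sample KQL query is illustrative.

```python
import json

FENCE = "`" * 3
ALLOWED_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "FALSE_POSITIVE"}


def parse_model_json(text):
    """Tolerate a markdown code fence around the JSON, then parse. Returns None if
    the model answered with prose instead of the requested JSON object."""
    text = text.strip()
    if text.startswith(FENCE):
        newline = text.find("\n")
        text = text[newline + 1:] if newline != -1 else ""
        text = text.rstrip()
        if text.endswith(FENCE):
            text = text[:-len(FENCE)]
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def _confidence_value(conf):
    """Accept 85, 85.0, "85" or "85%"; raise ValueError for anything else."""
    if isinstance(conf, bool):
        raise ValueError("boolean is not a confidence")
    return float(str(conf).strip().rstrip("%"))


def validate_triage(result):
    """Return (ok, problems). Only results with ok == True should be allowed to
    trigger anything automatic; everything else goes to a human unchanged."""
    if not isinstance(result, dict):
        return False, ["response is not a JSON object"]
    problems = []
    if result.get("severity") not in ALLOWED_SEVERITIES:
        problems.append(f"severity {result.get('severity')!r} not in {sorted(ALLOWED_SEVERITIES)}")
    try:
        conf = _confidence_value(result.get("confidence"))
        if not 0 <= conf <= 100:
            problems.append(f"confidence {conf} outside 0-100")
    except ValueError:
        problems.append(f"confidence {result.get('confidence')!r} is not a number")
    steps = result.get("next_steps")
    if not (isinstance(steps, list) and steps and all(isinstance(s, str) and s.strip() for s in steps)):
        problems.append("next_steps must be a non-empty list of strings")
    if not (isinstance(result.get("query"), str) and result["query"].strip()):
        problems.append("query must be a non-empty string")
    return not problems, problems


def route(result):
    """Decide what an automated pipeline does with a triage result. Nothing is closed
    silently: even the auto-close candidate lands in a queue that gets sampled for review."""
    ok, _ = validate_triage(result)
    if not ok:
        return "manual_review"  # model output failed the contract; hand the raw alert to an analyst
    severity = result["severity"]
    confidence = _confidence_value(result["confidence"])
    if severity in ("CRITICAL", "HIGH"):
        return "page_oncall"
    if severity == "FALSE_POSITIVE" and confidence >= 90:
        return "auto_close_candidate"
    return "analyst_queue"


# Constructed sample responses (not real model output). The first is well-formed but
# fenced; the second uses a severity label outside the contract and a malformed confidence.
SAMPLE_GOOD_RESPONSE = FENCE + "json\n" + json.dumps({
    "severity": "HIGH",
    "confidence": "85%",
    "explanation": "Off-hours failures from adjacent source IPs in a country the user is not based in.",
    "next_steps": ["Check whether any of the attempts succeeded", "Confirm travel status with the user"],
    "query": "SigninLogs | where UserPrincipalName == 'jsmith@company.com' | where TimeGenerated > ago(48h)",
}, indent=2) + "\n" + FENCE

SAMPLE_BAD_RESPONSE = json.dumps({
    "severity": "Critical",
    "confidence": "very high",
    "explanation": "Office document spawning encoded PowerShell.",
    "next_steps": [],
    "query": "",
})

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD_RESPONSE), ("bad", SAMPLE_BAD_RESPONSE), ("prose", "I cannot triage this.")):
        parsed = parse_model_json(raw)
        print(label, validate_triage(parsed), route(parsed))
```

The point of the validation layer is that the model's JSON is an untrusted input to your pipeline, in the same way a webhook payload is: a label that is almost right ("Critical" instead of "CRITICAL") must fail closed into manual review rather than silently matching nothing and dropping the alert.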
Where to go next
- Watch the original video by Jackie Bow to see the real-world context from Anthropic’s own detection engineering team.
- Explore Claude for Enterprise to understand how organizations are deploying AI at scale in regulated environments.
- Review the Anthropic API documentation for guidance on structured output and tool use, which can power more sophisticated triage pipelines.