Google hopes its experimental AI model can unearth new security use cases

Google has built a cybersecurity assistant for information security professionals, and now they’re looking for researchers to play with it.

Sec Gemini V1 is a new cybersecurity AI reasoning model that Google rolled out last week on an experimental basis. It is designed to function as an AI assistant for security practitioners, capable of handling data analysis and other lower-level tasks that are foundational to modern cybersecurity and vulnerability research.

The concept of “AI agent as a cybersecurity assistant” was one of the first use cases envisioned by security professionals when LLMs like ChatGPT first came on the market in 2022. Because researchers must sift through massive amounts of data to do their jobs, a tool or agent capable of quickly categorizing and organizing such information for higher-level analysis was viewed as one of the most feasible value-adds for the technology.

Marianna Tishchenko, group product manager for Sec Gemini, told CyberScoop the motivation behind the tool was to help security staff with that drudgery, which can be “pretty time-consuming and manual and toilsome” work.

“And where we see opportunity is to improve the efficiency and efficacy of the workflows that defenders pursue in order to keep their organizations safe,” Tishchenko said.

SecGemini’s answers are drawn in part from tapping multiple unique Google data streams or products, including Mandiant threat intelligence and the open-source vulnerabilities database.  

According to Google, Sec Gemini outperforms other models from OpenAI, Anthropic, DeepSeek and Mistral AI on benchmarks like CTI-MCQ, a multiple-choice questionnaire that evaluates a generative AI tool’s understanding of threat intelligence standards, threats, detection strategies, mitigation plans, and best practices.

It also outperforms many of those same models on metrics for root-cause mapping, which evaluates an LLM’s ability to understand nuances in vulnerability descriptions, flag root causes of vulnerabilities and classify them.

But Google is making a bet that security researchers will have a better understanding of how to leverage Sec Gemini for their own work and find even more use cases.

According to a 2024 meta-study that analyzed 127 different papers from security and software engineers about using LLMs for security, cybersecurity practitioners are already leveraging these tools to carry out a wide variety of tasks, such as vulnerability detection, malware analysis, network intrusion detection, and phishing detection. There is also potential for higher-level uses, such as proactive defense and threat hunting.

Elle Bursztein, a security and anti-abuse research lead at Google, said because Sec Gemini is constantly ingesting updated Google threat intelligence, it can provide up-to-date answers on security topics in “close to real time,” factoring in whether if, say, a CVE for a software vulnerability has been updated in the past few days with a new patch.

Asked if Google envisions Sec Gemini being used by cybersecurity staff during an active incident response, Bursztein said “we are as curious as you to know that.”

“Our intent is to have lessons learned that we can share,” Bursztein said. “We just don’t know until we try it.”

From there, Google will iterate and refine the model to further support identified use cases.

“What we’re trying to figure out with research: if we open it up to a set of people who have need and they use it, how are they going to use it?” Bursztein said. “Is it working for them? How good is it? Does it have failure cases?”

SecGemini is free, but its access will initially be limited to a select group of organizations who will experiment with and test the model in their own cybersecurity work. Tishchenko said Google will be working with non-governmental and academic organizations to test the tool for non-commercial research purposes. Bursztein said the initial group of organizations given access will likely number in the dozens.  

Finding viable use cases where Sec Gemini can handle meaningful data collection and analysis workloads will be an important marker of the tool’s relevance, especially as the broader generative AI boom struggles to translate its promise into performance.

Casey Ellis, chief technology officer at BugCrowd, told CyberScoop that Sec Gemini’s benchmark testing indicates it is capable of digesting complex workflows, while Google’s pairing of Mandiant threat intelligence and its open-source vulnerabilities database could “significantly reduce the time analysts spend piecing together disparate data sources.”

Ellis, who said back in 2022 that LLMs would be most useful for bug bounties and vulnerability research, also endorsed Google’s decision to open Sec Gemini up to cybersecurity testers in its early stages.

“It’s a smart move to crowdsource feedback and improvements while building trust within the cybersecurity community,” he said.

However, Ellis cautioned that some organizations could end up using tools like Sec Gemini to replace the work of their security staff rather than complement it.

“Businesses adopting it should view it as a force multiplier for their existing teams and processes, not a replacement,” Ellis said. “The real value lies in combining the model’s capabilities with human expertise to stay ahead of evolving threats.”

Like any large language model, Sec Gemini runs the risk of hallucinating facts or citations. Bursztein told CyberScoop that one of the ways Google has worked to mitigate those issues with Sec Gemini is by constantly training it on “very precise data” from Google’s threat intelligence and other data streams. They also curate the quality of the data “very, very heavily.”

“There is no one magic trick,” he said. “It’s a lot of measures and techniques together and effort into making it work well.”