AVDA: Autonomous Vibe Detection Authoring for Cybersecurity

TL;DR

AVDA introduces an AI-assisted framework for automating cybersecurity detection authoring by integrating organizational context, improving efficiency, and maintaining high detection quality.

Contribution

It presents AVDA, a novel framework leveraging the Model Context Protocol to automate detection creation, enhancing workflow efficiency and detection quality in cybersecurity.

Findings

Agentic workflows improve similarity scores by 19%.

Sequential workflows achieve 87% of Agentic quality at 40x lower token cost.

Detection methods match TTPs with 99.4% accuracy and are syntactically valid 95.9% of the time.

Abstract

With the rapid advancement of AI in code generation, cybersecurity detection engineering faces new opportunities to automate traditionally manual processes. Detection authoring - the practice of creating executable logic that identifies malicious activities from security telemetry - is hindered by fragmented code across repositories, duplication, and limited organizational visibility. Current workflows remain heavily manual, constraining both coverage and velocity. In this paper, we introduce AVDA, a framework that leverages the Model Context Protocol (MCP) to automate detection authoring by integrating organizational context - existing detections, telemetry schemas, and style guides - into AI-assisted code generation. We evaluate three authoring strategies - Baseline, Sequential, and Agentic - across a diverse corpus of production detections and state-of-the-art LLMs. Our results show that Agentic workflows achieve a 19% improvement in overall similarity score over Baseline approaches, while Sequential workflows attain 87% of Agentic quality at 40x lower token cost. Generated detections excel at TTP matching (99.4%) and syntax validity (95.9%) but struggle with exclusion parity (8.9%). Expert validation on a 22-detection subset confirms strong Spearman correlation between automated metrics and practitioner judgment ($\rho = 0.64$, $p < 0.002$). By integrating seamlessly into standard developer environments, AVDA provides a practical path toward AI-assisted detection engineering with quantified trade-offs between quality, cost, and latency.