Using AI to Add Business Context to Cloud Security
When a new alert comes in, the first thing you want to know isn’t what the vulnerability is. You want to know whether you should care.
Have we seen this before? Is it reoccurring? Is the affected system internet-exposed? Does it hold sensitive data? Is this production or a developer sandbox?
These context questions used to require manual investigation. Pulling up different views, correlating data, and building a picture of what the alert actually means. Now we use AI to automatically perform that enrichment.
The MCP Server Approach
Modern CSPM platforms like Orca are adding Model Context Protocol (MCP) servers that let you plug AI and LLMs into your triage workflow. Practical automation that accelerates analysis, not chatbot gimmickry.
When we started using Orca’s MCP server, it had three or four tools available. Now there are 27 and growing. That expansion matters because more tools mean more questions we can answer programmatically.
The setup: alerts auto-process through the MCP server, get enriched with data from multiple sources, and come out the other side with context that would have taken manual investigation to assemble.
What AI Enrichment Provides
For every alert, we want answers to standard questions:
-
Is this new or known? Never seen before, persistent issue, ephemeral (coming and going), or reoccurring on a new asset. Classification changes the urgency and response.
-
Where else does this appear? Are you seeing the same issue on other systems? Is it part of a pattern or an isolated incident?
-
What’s the exposure? Is it? Behind network controls? The attack path matters as much as the vulnerability itself.
-
What data is at risk? Tagged as PII? Marked as a crown jewel? Customer data or internal only? Business context determines business impact.
-
What’s the environment? Production, staging, development? The answer doesn’t change the urgency, it changes the approach.
-
What’s the history? How long has this alert existed? Has the risk score changed over time? Context on evolution helps prioritize.
All of this gets assembled automatically. Instead of investigating from scratch, you get a concise triage summary that tells you what to do next.
The Alert Infrastructure We’ve Built
Our alerting system tells us:
- Classification: new, reoccurring, persistent, ephemeral, or closed
- One-liner summary: what role, what account, when first seen, how long present
- Alert ID for correlation back to the CSPM
- Asset details: last used, current state, internet exposure
- Environment type: production, developer, test
- Pattern analysis: similar issues across accounts?
- Historical precedence: have we dealt with this before?
- Recommended action: escalate now, batch for review, ignore
- Timeline of alert evolution
- Current state with direct link
We also track the cost of the AI analysis and the tokens used for each enrichment, for transparency into operational costs.
Practical Outcomes
Some alerts get immediately escalated to clients. The enrichment surfaces enough risk signals that we know it needs attention now.
Some alerts wait for regular review cadences. The context shows it’s known, being tracked, and scheduled for remediation in a few weeks.
Some alerts we recognize as recurring patterns. Maybe the scope is expanding (another server with the same misconfiguration), but the team already understands the issue and has a plan.
The goal is to spend human attention where it matters. Not investigating every alert from scratch, and not missing critical issues because they’re buried in noise. Automated enrichment handles the routine analysis, and humans make the judgment calls.
The Speed Advantage
Alert triage traditionally has two modes.
Thorough but slow: Pull up the affected asset, check exposure, review data sensitivity tags, look at alert history, and understand context. Takes significant time per alert and scale.
Fast but shallow: Glance at severity, make a quick call based on limited information. Scales but misses nuance. Critical issues get deprioritized. Minor issues are escalated.
AI enrichment gives you thorough and fast. The minutes a human spends on each alert disappear when the analysis arrives already enriched and ready for a decision. Multiply that across dozens of alerts in multiple environments and the impact is obvious, you get to go deeper on more alerts without the time cost, and that acceleration matters.
Technical Considerations
MCP servers have constraints. Limits on how many records get returned, response length caps, and query complexity boundaries.
See how we apply AI to cloud security
Managed CSPM with business context built in, powered by custom tooling and expert analysis.
See how we apply AI to cloud security →We design our prompts and systems with those limits in mind, restructuring queries or paginating results when needed. For standard alert‑enrichment workflows, this gives us consistent, predictable performance.
We run our own LLM instances in Bedrock rather than relying solely on built-in AI features. This gives us more control over prompts, better integration with our correlation systems, and the ability to connect multiple data sources into a unified view.
Beyond Alert Triage
The same MCP infrastructure supports other workflows:
-
Asset investigation: Query details about specific resources, understand relationships, and trace access paths.
-
Compliance analysis: Map findings to frameworks, identify gaps, and generate compliance-focused views.
-
Trend analysis: Aggregate data across time periods, identify patterns, spot anomalies.
-
Reporting: Generate summaries at different levels of detail for different audiences.
The MCP server is essentially an API to the CSPM’s underlying data. AI makes that API conversational and contextual. Ask questions and get answers, rather than building queries.
The Operator Advantage
This capability is harder to leverage for casual CSPM users. You need several things, like:
- Deep familiarity with what the MCP tools can do
- Systems to route alerts through enrichment workflows
- Prompts tuned for consistent, useful output
- Integration with your operational processes
Running this across many environments, we’ve built the infrastructure and developed the expertise to make AI enrichment practical and not just theoretical. This is actually how we triage alerts every day.
For a team running CSPM as one of many responsibilities, building and maintaining this infrastructure is a significant investment. For us, it’s core to how we operate.
The Takeaway
AI in cloud security handles the routine analysis that precedes judgment, not replacing human judgment itself.
Every alert needs context before it becomes actionable. AI can assemble that context automatically, faster and more consistently than manual investigation.
The result: better triage decisions, faster response to real issues, and less time wasted on noise.
If you’re manually investigating every alert, or worse, not investigating them at all because there’s no time, you’re leaving value on the table. The AI enrichment infrastructure we’ve built isn’t something most teams have bandwidth to create and maintain.
But you can get the benefit without building it yourself.
Curious how AI-driven security analysis works in practice?
We'll show you how business context changes what your CSPM surfaces.
Let's Connect →