The Cybersecurity and Infrastructure Security Agency (CISA) uses AI to automatically detect and analyze potential threats, flag unusual network activity, and identify patterns in vast amounts of data that could indicate cybersecurity threats or emerging risks in our nation’s critical infrastructure.
Below is an overview of each AI use case within CISA, as part of the Simplified DHS AI Use Case Inventory. More details about these use cases are available in the Full DHS AI Use Case Inventory on the DHS AI Use Case Inventory publication library.
AI use cases are listed by deployment status:
Pre-Deployment
Use Case Name: Critical Infrastructure Network Anomaly Detection (formerly Critical Infrastructure Anomaly Alerting)
Use Case ID: DHS-106
Use Case Summary: CISA is responsible for providing timely technical assistance, risk management support, and incident response capabilities to federal and non-federal critical infrastructure partners. In support of this responsibility, critical infrastructure partners can opt-in to the CyberSentry program, which monitors critical infrastructure networks. The CyberSentry program uses a suite of analytical tools and methods, including unsupervised machine learning algorithms that analyze unlabeled datasets to identify trends, patterns, and anomalies in network data. This AI capability automates manual data fusion and correlation processes, highlighting potential anomalies for CISA analyst review. Analysts are provided with an interface to query cybersecurity data and dashboards that display potential cybersecurity alerts, including anomalies detected through predictive models and rule-based heuristics. This use case delivers improved government tools for CISA analysts to hunt and detect malicious threat actors on critical infrastructure networks.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Pre-deployment (Initiation)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
Use Case Name: Draft Tailored Summaries of Media Materials for Different Publication Channels
Use Case ID: DHS-2335
Use Case Summary: CISA personnel draft product summaries for information sharing with federal and non-federal critical infrastructure partners. This is a custom generative AI solution that leverages a Large Language Model (LLM), augmented by Retrieval-Augmented Generation (RAG), to extract key themes from approved CISA products and automatically generate tailored summaries using approved templates. As established in required employee AI training, personnel using the tool will validate the accuracy of information and use it in accordance with applicable law and policy. The drafts are reviewed, edited, and coordinated by authorized CISA personnel prior to publication. This AI capability accelerates the process of drafting summarized content for CISA’s published products.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Pre-deployment (Initiation)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
Use Case Name: Malware Reverse Engineering
Use Case ID: DHS-107
Use Case Summary: CISA receives information about computer security vulnerabilities and threats in the form of malicious code samples (malware) from its federal civilian and critical infrastructure partners. These malware samples require manual reverse engineering to find actionable insights, such as indications of potential compromise or adversary-operated command and control. This AI capability uses deep learning to assist CISA analysts with understanding the content of malware samples, automating tasks such as triage and indicator extraction. This improves internal government tools for reverse engineering of malware, speeding the development of cyber threat intelligence that can be shared across the government and with CISA partners.
By enhancing the analysis and generation of shareable cyber threat intelligence, CISA forces threat actors to spend more resources generating new malware. A report is generated from malware samples submitted to the analysis pipeline, which is then used by human analysts to facilitate the malware triage process. Additional recommendations are displayed via plugins to reverse engineering tools.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Pre-deployment (Initiation)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
Deployed
Use Case Name: Detection of Personally Identifiable Information (PII) in Cybersecurity Data (formerly Automated Indicator Sharing (AIS) Automated PII Detection)
Use Case ID: DHS-4
Use Case Summary: The Automated Indicator Sharing (AIS) service allows public and private-sector organizations to voluntarily share real-time cyber threat information with CISA. Although the purpose of this service is to collect information directly related to potential cyber threats, there is a possibility that Personally Identifiable Information (PII), such as names or addresses, could be incidentally included in submission notes. To enhance privacy, this AI tool uses Natural Language Processing (NLP) to automatically flag potential PII for review and removal by CISA analysts. The Automated PII Detection and Review Process uses analytics to identify and manage potential PII in submissions. If PII is flagged, the submission is sent to CISA analysts, who are guided by AI to review and confirm or reject the detection, redacting information if necessary. Privacy experts monitor the system and provide feedback. The system learns from this feedback, ensuring compliance with privacy regulations and improving efficiency by reducing false positives. Regular audits ensure the process remains trustworthy and effective.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Deployed (Operation and Maintenance)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
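The review loop described for the PII detection use case (flag candidate PII, route it to an analyst who confirms or rejects, redact what is confirmed, and feed rejections back so the same false positive is not raised again) can be sketched in a few dozen lines. The block below is an added illustration and is not CISA's tool or code: it stands in for the NLP model with regular expressions, and the submission notes, the pattern set and the analyst decisions are all constructed here for the example. Note that IP addresses are deliberately not treated as PII, since in an AIS submission they are the indicator being shared.

```python
import re
from dataclasses import dataclass, field

# Constructed AIS-style submission notes for this example (not real submissions).
SAMPLE_NOTES = [
    "Observed beaconing to 203.0.113.45 every 60s; contact jane.doe@example.org for pcap.",
    "Phish lure impersonated payroll; victim phone 555-867-5309 listed in header.",
    "Mass scan from 198.51.100.7 against tcp/445, no PII in this note.",
    "Ticket owner: John Smith, 42 Elm Street, Springfield.",
    "Malware family Cobalt Strike seen on host; sample hash shared separately.",
]

# Stand-in for the NLP detector: heuristic patterns for the kinds of incidental PII
# named in the use case (names, addresses) plus contact details. Evaluated in this
# order; a later, overlapping match (e.g. "Elm Street" as a name) is dropped.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "street_address": re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:Street|St|Avenue|Ave|Road|Rd)\b"),
    "person_name": re.compile(r"\b[A-Z][a-z]+\s+[A-Z][a-z]+\b"),
}

# Constructed analyst decisions keyed by (note index, flagged text): True = confirm PII.
ANALYST_DECISIONS = {
    (0, "jane.doe@example.org"): True,
    (1, "555-867-5309"): True,
    (3, "42 Elm Street"): True,
    (3, "John Smith"): True,
    (4, "Cobalt Strike"): False,   # tool name, not a person: a false positive
}


@dataclass
class Detection:
    note_index: int
    kind: str
    text: str
    start: int
    end: int


@dataclass
class PiiReviewer:
    suppressed: set = field(default_factory=set)  # (kind, text) pairs analysts rejected
    stats: dict = field(default_factory=dict)     # kind -> [confirmed, rejected], for audit

    def detect(self, notes):
        """Flag candidate PII spans; skip spans analysts have previously rejected."""
        found = []
        for i, note in enumerate(notes):
            covered = []
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(note):
                    if any(m.start() < e and m.end() > s for s, e in covered):
                        continue
                    if (kind, m.group()) in self.suppressed:
                        continue
                    covered.append((m.start(), m.end()))
                    found.append(Detection(i, kind, m.group(), m.start(), m.end()))
        return found

    def apply_review(self, notes, detections, decisions):
        """Redact confirmed spans, learn from rejections, and return the cleaned notes.
        An unreviewed detection is treated as confirmed (fail closed toward privacy)."""
        redacted = list(notes)
        # Redact right-to-left within each note so earlier offsets stay valid.
        for d in sorted(detections, key=lambda d: (d.note_index, -d.start)):
            confirmed = decisions.get((d.note_index, d.text), True)
            counter = self.stats.setdefault(d.kind, [0, 0])
            if confirmed:
                counter[0] += 1
                s = redacted[d.note_index]
                redacted[d.note_index] = s[:d.start] + f"[REDACTED:{d.kind}]" + s[d.end:]
            else:
                counter[1] += 1
                self.suppressed.add((d.kind, d.text))
        return redacted


if __name__ == "__main__":
    reviewer = PiiReviewer()
    flagged = reviewer.detect(SAMPLE_NOTES)
    for line in reviewer.apply_review(SAMPLE_NOTES, flagged, ANALYST_DECISIONS):
        print(line)
    print("second pass flags:", len(reviewer.detect(SAMPLE_NOTES)), "stats:", reviewer.stats)
```

The per-kind confirmed/rejected counters are what an auditor would look at to see which detector is generating the false positives the use case says the feedback loop should reduce.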
Use Case Name: Confidence Scoring for Cybersecurity Threat Indicators (formerly AIS Scoring and Feedback)
Use Case ID: DHS-5
Use Case Summary: The Automated Indicator Sharing (AIS) service allows public and private-sector organizations to voluntarily share real-time cyber threat information with CISA. The Confidence Scoring for Cybersecurity Threat Indicators capability, a feature of the AIS service, uses an AI-driven decision tree process to assign a confidence score to a submission. The scoring algorithm evaluates factors such as whether technical details within the submission have been previously observed or verified by CISA analysts. The score represents the reliability and completeness of the information submitted, and helps analysts prioritize which information to review first. A set of confidence scores is included along with the other fields in the indicator data set. The confidence scores allow CISA's AIS partners to contextualize indicator information for improved data system ingest.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Deployed (Operation and Maintenance)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
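A decision-tree confidence score of the kind the AIS scoring use case describes can be made concrete with a hand-written tree over the factors the text names (previously observed, analyst-verified, completeness). The block below is an added example, not CISA's scoring algorithm or code: the tree's branches and score values, the "known indicators" store and the incoming submission are all constructed for illustration. It attaches the result as a STIX 2.1 style `confidence` integer (0 to 100) plus a custom `x_confidence_basis` property recording the branch taken, so a consumer can see why an indicator got its score.

```python
# Constructed holdings of previously observed indicators (not real CISA data):
# STIX pattern -> True if an analyst has verified it, False if only observed.
KNOWN_INDICATORS = {
    "[ipv4-addr:value = '203.0.113.45']": True,
    "[domain-name:value = 'bad.example']": False,
}

# Constructed incoming AIS-style submission (trimmed STIX 2.1 indicator dicts).
SUBMISSION = [
    {"id": "indicator--a", "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "valid_from": "2024-01-01T00:00:00Z", "labels": ["c2"]},
    {"id": "indicator--b", "pattern": "[domain-name:value = 'bad.example']",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"id": "indicator--c", "pattern": "[url:value = 'http://x.example/p']",
     "labels": ["phishing"]},
    {"id": "indicator--d", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
]


def features(obj):
    """Extract the decision factors for one submitted indicator."""
    seen = obj["pattern"] in KNOWN_INDICATORS
    return {
        "seen_before": seen,
        "analyst_verified": seen and KNOWN_INDICATORS[obj["pattern"]],
        "has_context": bool(obj.get("labels")),   # some TTP / sighting context supplied
        "complete": "valid_from" in obj,           # temporal field present
    }


def score(f):
    """Illustrative decision tree: returns (confidence 0..100, branch label)."""
    if f["analyst_verified"]:
        return (90, "verified+context") if f["has_context"] else (80, "verified")
    if f["seen_before"]:
        if f["has_context"] and f["complete"]:
            return 70, "seen+context+complete"
        if f["has_context"] or f["complete"]:
            return 55, "seen+partial"
        return 40, "seen+bare"
    if f["has_context"] and f["complete"]:
        return 35, "new+context+complete"
    if f["has_context"] or f["complete"]:
        return 25, "new+partial"
    return 10, "new+bare"


def enrich(submission):
    """Attach a confidence score and its basis to each indicator; highest confidence first."""
    out = []
    for obj in submission:
        conf, basis = score(features(obj))
        out.append({**obj, "confidence": conf, "x_confidence_basis": basis})
    return sorted(out, key=lambda o: o["confidence"], reverse=True)


if __name__ == "__main__":
    for o in enrich(SUBMISSION):
        print(o["id"], o["confidence"], o["x_confidence_basis"])
```

Keeping the branch label next to the score matters for the partner-ingest case the text mentions: a downstream SIEM can apply different handling to "verified" versus "new+bare" indicators even when two scores happen to be close.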
Use Case Name: CISAChat
Use Case ID: DHS-2306
Use Case Summary: CISAChat is a custom generative AI solution that enables authorized CISA personnel to interact with, summarize, and search agency-created materials and internal content. Once prompted, the tool searches through relevant CISA files and delivers a focused response based on the inputs. As established in required employee AI training, personnel using the tool will validate the accuracy of the information and use it in accordance with applicable law and policy. This AI capability streamlines the process of finding information and improves CISA personnel’s internal customer experience. Currently, multiple CISA program offices use contractor staff to review pre-production content and other internal materials to develop summaries, key themes, and improve clarity. Leveraging CISAChat improves internal agency Customer Experience (CX) and saves staff time.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Deployed (Implementation and Assessment)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
Use Case Name: Security Operation Center (SOC) Network Anomaly Detection
Use Case ID: DHS-2403
Use Case Summary: CISA Threat Hunting and Security Operations Center (SOC) analysts process terabytes of daily network log data from the Cyber Analytic and Data System (CADS) Einstein network traffic sensors. CADS is a sensor grid that monitors network traffic for malicious activity to and from participating government departments and agencies. This AI capability uses methods such as unsupervised machine learning (algorithms that analyze unlabeled datasets) to detect trends, patterns, and anomalies in network data. It automates manual data fusion and correlation processes and highlights potential anomalies, allowing CISA analysts to narrow the scope of analysis and prioritize data for review. An interface is provided for analysts to query cybersecurity data, and dashboards display potential cybersecurity alerts, including anomalies detected through predictive models and rule-based heuristics. This use case delivers improved government tools for CISA analysts to hunt and detect malicious threat actors on federal civilian agency networks.
Use Case Topic Area: Mission-Enabling (internal agency support)
Deployment Status: Deployed (Operation and Maintenance)
Safety- and/or rights-impacting? No
Face Recognition/Face Capture (FR/FC)? No
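Both network anomaly detection use cases above (DHS-106 for critical infrastructure networks and DHS-2403 for the CADS sensor grid) describe the same pattern: an unsupervised model that learns each host's normal behaviour from unlabeled traffic summaries and surfaces outliers, run alongside rule-based heuristics, with the results landing on an analyst dashboard. The block below is an added example of that pattern and is not CISA's detection code or model; the per-host daily flow summaries, the robust z-score detector, the threshold and the two rules are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed per-host daily flow summaries as a sensor feed might aggregate them
# (not real CADS/Einstein data): (src_ip, day, bytes_out, distinct_dst_ports, distinct_dsts).
FLOWS = [
    # 10.0.0.5: seven ordinary days, then an exfiltration-sized burst of egress
    *[("10.0.0.5", d, 1_000_000 + 50_000 * (d % 3), 4, 12) for d in range(1, 8)],
    ("10.0.0.5", 8, 40_000_000, 5, 13),
    # 10.0.0.9: steady volume, then scan-like fan-out across ports and destinations
    *[("10.0.0.9", d, 300_000, 3, 8) for d in range(1, 8)],
    ("10.0.0.9", 8, 320_000, 150, 90),
    # 10.0.0.7: flat baseline with nothing unusual
    *[("10.0.0.7", d, 500_000, 2, 5) for d in range(1, 9)],
]

FEATURES = ("bytes_out", "dst_ports", "dst_count")
Z_THRESHOLD = 5.0   # robust z-score above which a feature is reported as anomalous
MIN_BASELINE = 5    # days of history a host needs before the model scores it

# Rule-based heuristics evaluated next to the model; they also cover hosts with no history.
RULES = {
    "port_fanout_rule": lambda r: r["dst_ports"] > 100,
    "bulk_egress_rule": lambda r: r["bytes_out"] > 25_000_000,
}


def robust_z(x, history):
    """Median/MAD z-score (unsupervised: no labels, the host's own past is the model).
    The scale floor stops a perfectly flat baseline from flagging every small wobble."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 0.05 * abs(med), 1.0)
    return (x - med) / scale


def score_hosts(flows):
    """Score each host's latest day against its earlier days; return dashboard-style alerts."""
    by_host = defaultdict(list)
    for src, day, b, p, d in flows:
        by_host[src].append({"day": day, "bytes_out": b, "dst_ports": p, "dst_count": d})
    alerts = []
    for src, recs in by_host.items():
        recs.sort(key=lambda r: r["day"])
        latest, history = recs[-1], recs[:-1]
        model_hits = {}
        if len(history) >= MIN_BASELINE:
            for f in FEATURES:
                z = robust_z(latest[f], [h[f] for h in history])
                if z > Z_THRESHOLD:
                    model_hits[f] = round(z, 1)
        rule_hits = [name for name, test in RULES.items() if test(latest)]
        if model_hits or rule_hits:
            alerts.append({"src": src, "day": latest["day"],
                           "model": model_hits, "rules": rule_hits})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for a in score_hosts(FLOWS):
        print(a)
```

Reporting which feature fired and by how much (rather than a bare "anomalous" flag) is what lets an analyst narrow the scope of review, as the use case describes; the egress spike and the port fan-out here show up as two quite different alert shapes even though the same model produced both.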
Inactive
Use Case Name: Cyber Threat Intelligence Feed Correlation
Use Case ID: DHS-40
Use Case Summary: Cyber Data Feed Correlation uses AI-enabled capabilities to accelerate correlation across multiple incoming information feeds. This enables more timely enrichment and improves the information feeds shared externally. The algorithm uses the information items and correlation results to learn the most efficient ways to perform the task. Additionally, tailored algorithms could be created to provide sustained surveillance of threat actor Tactics, Techniques, and Procedures (TTPs).
Deployment Status: Inactive (not initiated). This use case was reported in a previous version of the DHS AI Use Case Inventory but is still conceptual and has not met the requirements of an active use case yet.
Use Case Name: Cyber Incident Reporting
Use Case ID: DHS-41
Use Case Summary: Cyber incident handling specialists utilize advanced automation tools to process data received through various threat intelligence and cyber incident channels. These tools leverage machine learning (ML) and Natural Language Processing (NLP) to increase the accuracy and relevance of data filtered and presented to human analysts and decision-makers. ML techniques also assist in aggregating the information in reports for presentation and further analysis, including data received from entities covered by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Such tools can leverage current dashboards and reports to cluster vulnerabilities by entity and sector, identifying trends in exposure and remediation. These solutions can also correlate vulnerabilities to existing frameworks (such as MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)) and to other incidents to understand attackers’ techniques and improve modeling.
Deployment Status: Inactive (research and development only). This use case was reported in a previous version of the DHS AI Use Case Inventory but is a research and development use case that is not planned to be deployed.
Use Case Name: Cyber Vulnerability Reporting
Use Case ID: DHS-42
Use Case Summary: Vulnerability analysts require advanced automation tools to process data received through various vulnerability reporting channels and to aggregate that information for automated sharing. These tools leverage machine learning (ML) and Natural Language Processing (NLP) to increase the accuracy and relevance of data that is filtered and presented to human analysts and decision-makers. ML techniques also assist in aggregating the information in reports for presentation and further analysis. This includes data in the Known Exploited Vulnerabilities (KEV) catalog and the Common Vulnerabilities and Exposures (CVE) database.
Deployment Status: Inactive (not initiated). This use case was reported in a previous version of the DHS AI Use Case Inventory but is still conceptual and has not met the requirements of an active use case yet.
Use Case Name: AI Security and Robustness
Use Case ID: DHS-43
Use Case Summary: Frameworks, processes, and testing tools are developed to govern the acquisition, development, deployment, and maintenance of AI technologies. Technology integrators within CISA, as well as the rest of the federal enterprise, use AI-enhanced tools to ensure the trustworthy, robust, and secure operation of their AI systems. These tools use machine learning (ML) and Natural Language Processing (NLP) to enhance the assessment of AI technology within the agency by speeding up data processing.
Deployment Status: Inactive (research and development only). This use case was reported in a previous version of the DHS AI Use Case Inventory but is a research and development use case that is not planned to be deployed.
Use Case Name: Operational Activities Explorer
Use Case ID: DHS-44
Use Case Summary: The integration of an AI tool into a dashboard to analyze cyber and physical incidents affecting critical infrastructure from all-source reporting could assist with maintaining operational clarity and centralized situational awareness. However, CISA decided not to move forward from the conceptual phase due to the nuances of event data and resource constraints.
Deployment Status: Inactive (no longer used). This use case was reported in a previous version of the DHS AI Use Case Inventory but was never initiated and is retired.
Use Case Name: Security Information and Event Management (SIEM) Alerting Models
Use Case ID: DHS-103
Use Case Summary: CISA threat hunting and Security Operations Center (SOC) analysts are provided with terabytes of log data per day. Manually developed detection alerts and automatic correlation in Security Information and Event Management (SIEM) tools are common, but not comprehensive. Many cyber attacks can be detected probabilistically given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information and curated subject matter expertise. This can be further supported by the development of AI-assisted agents. Analysts can interact with such agents in a conversational manner to describe the behaviors or patterns in traffic they are looking for, and the agent then rapidly creates the complex search queries needed. This tooling allows CISA analysts to comb through security data in an automated fashion with mathematically and probabilistically based models so that high-fidelity anomalies are detected in a timely manner.
Deployment Status: Inactive (consolidated with another use case). This use case was consolidated under Security Operation Center (SOC) Network Anomaly Detection (DHS-2403).
Use Case Name: Advanced Analytic Enabled Forensic Investigation
Use Case ID: DHS-104
Use Case Summary: CISA deploys forensic specialists to analyze cyber events at Federal Civilian Executive Branch (FCEB) departments and agencies, as well as at other State, Local, Tribal, Territorial, and Critical Infrastructure partners. Forensic analysts can utilize advanced analytic tooling, in the form of Artificial Intelligence (AI) implementations, to better understand anomalies and potential threats. This can be further supported by the development of AI-assisted agents. Analysts can interact with such agents in a conversational manner to describe the behaviors or patterns in traffic they are looking for, and the agent then rapidly creates the complex search queries needed. Such tooling gives forensic specialists the capability to comb through event data in an automated fashion with mathematically and probabilistically based models so that high-fidelity anomalies are detected in a timely manner.
Deployment Status: Inactive (not initiated). This use case was reported in a previous version of the DHS AI Use Case Inventory but is still conceptual and has not met the requirements of an active use case yet.
Use Case Name: Advanced Network Anomaly Alerting
Use Case ID: DHS-105
Use Case Summary: Threat hunting and Security Operations Center (SOC) analysts are provided terabytes of data per day from the National Cybersecurity Protection System's (NCPS’s) Einstein sensors. Manually developed detection alerts and automatic correlation via off-the-shelf tooling are common, but not comprehensive. Many network attacks can be detected probabilistically given sufficient training data and time. Analysts use automated tooling to further refine the alerts they receive and to produce additional automated alerts based on aggregated information, backed by subject matter expertise. This tooling gives CISA analysts the capability to comb through data in an automated fashion with mathematically and probabilistically based models so that high-fidelity anomalies are detected in a timely manner.
Deployment Status: Inactive (consolidated with another use case). This use case was consolidated under Security Operation Center (SOC) Network Anomaly Detection (DHS-2403).
No changes to AI use cases within CISA since December 16, 2024. For other updates, view the Full DHS AI Use Case Inventory on the DHS AI Use Case Inventory publication library.