Building Embedded AI Into the Cybersecurity Platform

Client: 🔒 NDA
Location: 🇺🇸 USA
Cooperation dates: 2025
Project status: 🟢 Ongoing
Scope of work: AI Architecture, MCP integration, Embedded AI, Product Design
This case study covers the second phase of our work with a US-based cyber risk mitigation platform (NDA) we've partnered with since July 2020. The first phase took the product from prototype to a Fortune 500 SaaS (you can read about it here). This phase covers what came next: building an embedded AI inside the live product.
The Challenge
By 2025, the platform was a mature analytics product with a strong value proposition and a Fortune 500 client base. Three problems surfaced as the product matured:
- Complexity at the surface. The platform handled rich cyber risk data, but interpretation required expert-level knowledge. This pattern is common in regulated, data-heavy categories: accounting, banking, finance, compliance.
- Low engagement frequency. Most users opened the tool once a quarter to produce periodic reports. The product wasn't part of their day-to-day workflow.
- Heavy onboarding. New clients needed roughly 45 minutes of guided setup and active customer support involvement before they could use the product on their own.
When agentic, ChatGPT-style interactions became a market expectation, the client came to us with a clear direction: bring that interaction model into their cyber risk platform. The hard part was that the panel had to work for three very different users at the same time.
A board member needs a screenshot that explains itself, ready to drop into a quarterly report. A CFO needs a narrative behind the numbers. A CISO needs conversational depth to investigate the data and act on it. The same interface had to serve all three. Building this meant more than dropping a ChatGPT clone on top of the platform. It meant one interface, three personas, and an LLM woven into the way they all worked.
“We spent five years building a platform Fortune 500 customers respected but didn't use daily. The AI layer SH built changed that. The product is the same underneath, but how our customers experience it is completely different.”

Kyle Ferguson
COO @ Cybersecurity Platform (NDA)
Our Approach: Product Design
The core product question was how to introduce an LLM into a classic dashboard interface without forcing users to pick between two modes of working. We did not want to build another ChatGPT clone or a co-pilot sitting next to the platform, because either approach would leave users with two parallel interfaces. We chose a hybrid. The user keeps the familiarity of click-and-go for the things they already know how to do, and gains ask-and-go for everything else. The hybrid protects the learning curve. Users are introduced to LLM collaboration gradually, with safety rails at each step, until they can run on their own.
At the heart of the solution is a four-layer model: a ladder that lets users sink into the data at their own pace, with Aria sitting at every level. Each layer answers a different question. The deeper the layer, the slower and more flexible the interaction. The higher the layer, the faster and more deterministic. We rebuilt the panel around a single principle: simplicity at first, complexity on demand.
Layer 0 — Executive: What's happening?
The first view after login, designed for board members, leadership, and anyone who needs orientation in seconds. The top of the panel surfaces the most important cybersecurity status indicators. This is the classic dashboard view, available immediately, no AI involved. Blue buttons under each metric lead to prerendered content: answers displayed instantly from existing data, no model call, no waiting. This is the screenshot-first level, the one that explains itself.
Layer 1 — Financial: Why is this happening?
The investigation layer, where users like CFOs and finance leads dig into the narrative behind the number. Each metric can be explored further through blue buttons (described above) or purple buttons that open the embedded AI chat with Aria. Contextual prompt pills sit alongside the open question field. The pills look like short purple buttons, but each one carries a complex prompt underneath, suggesting what to ask based on what the user is currently looking at. Purple pills are the entry point for going deeper.
Layer 2 — Execution: Do it for me
The action layer, used most often by CISOs and security operators who already understand the problem and need Aria to act on it. Buttons stop being passive ("View") and become commands ("Create", "Identify", "Prepare"). The product moves from showing risk to resolving it.
Layer 3 — Open Inquiry: Whatever's on your mind
A free-prompt field, always available, running parallel to the four-layer ladder. Users who know exactly what they want do not have to walk through every layer to get there. They open the prompt field and ask.
The ladder is deliberately not linear. In practice, Layer 1 loops back on itself many times (explore → explore deeper → explore again → and only then act), because every user has their own decision pace and their own depth of investigation before they trust the number.
What different users get from the same interface
For a CISO, this is a tool to drill into a number with the depth they need, at the pace they choose. For board members, it is a screenshot that explains itself. For a CFO, it is a narrative that holds together without exposing the seams of the methodology. And throughout, users did not have to learn a new product to get AI capability. The AI met them where they already worked.

Our Approach: Architecture
We rebuilt the runtime around three architectural decisions that matter for enterprise deployments: how the agent reasons, how it stays inside the customer's boundaries, and how it connects to the customer's live security stack.
Orchestration and reasoning
Aria runs on LangGraph, a stateful agent-orchestration framework that supports multi-agent composition, persistent multi-turn memory, and live tool-execution streaming. The reasoning layer uses Anthropic's Claude models. Model choice is configurable, not architectural, so the platform can switch providers without rewrites.
Tenant isolation
Aria's agents work across dozens of specialized tools: risk exposure, frameworks, governance, scoring, planning, document I/O, and everything the customer exposes through their own connectors. Each tool is wired to the authenticated user, organization, and profile at the moment it is created. The model cannot pass, change, or see that identity.
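A minimal sketch of the binding described above, as an added example rather than the platform's own code: the tool closes over the authenticated identity, and the dispatcher rejects any argument outside the advertised schema. The names `Identity`, `RISK_DB`, `make_tools` and `dispatch` are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:  # hypothetical: populated by the auth layer, never by the model
    user_id: str
    org_id: str
    profile_id: str

# Constructed sample data: risk scores keyed by organization.
RISK_DB = {
    "org-a": {"finance": 4.2, "ops": 1.1},
    "org-b": {"finance": 9.9},
}

def weak_get_exposure(org_id: str, unit: str) -> float:
    """Anti-pattern: org_id is a model-supplied argument, so injected text can pick it."""
    return RISK_DB[org_id][unit]

def make_tools(identity: Identity) -> dict:
    """Build the per-request tool set; identity lives in the closure, not the schema."""
    def get_exposure(unit: str) -> float:
        return RISK_DB[identity.org_id][unit]
    # Only these parameter names are advertised to the model.
    return {"get_exposure": (get_exposure, {"unit"})}

def dispatch(tools: dict, name: str, args: dict):
    """Run a model-issued tool call, refusing anything outside the schema."""
    if name not in tools:
        raise PermissionError(f"unknown tool: {name}")
    fn, allowed = tools[name]
    extra = set(args) - allowed
    if extra:
        raise PermissionError(f"arguments not in schema: {sorted(extra)}")
    return fn(**args)

def demo():
    tools = make_tools(Identity("u1", "org-a", "p1"))
    ok = dispatch(tools, "get_exposure", {"unit": "finance"})
    try:  # a tool call that tries to name another tenant
        dispatch(tools, "get_exposure", {"unit": "finance", "org_id": "org-b"})
        blocked = False
    except PermissionError:
        blocked = True
    # The weak variant returns the other tenant's score for the same request.
    return ok, blocked, weak_get_exposure("org-b", "finance")
```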
This matters for agentic systems specifically. Cross-tenant access in Aria is not a downstream filter that could be bypassed by prompt injection, jailbreak attempts, or malicious instructions embedded in uploaded documents. The agent simply cannot call tools outside its tenant boundary. On organization-wide chats, business unit names are also pseudonymized before any message reaches the model and de-anonymized in the response stream, so the model never sees real customer identifiers.
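The pseudonymization step can be sketched as follows; this is an added example, not the platform's code. The `[BU_n]` placeholder format and the `Pseudonymizer` class are assumptions, and the streamed chunks are constructed to show a placeholder split across two chunks.

```python
import re

class Pseudonymizer:
    """Per-chat map between business-unit names and placeholders (hypothetical design)."""
    TOKEN = re.compile(r"\[BU_\d+\]")

    def __init__(self, unit_names):
        # Longest names first so "Retail EU" is matched before "Retail".
        names = sorted(unit_names, key=len, reverse=True)
        self.forward = {n: f"[BU_{i}]" for i, n in enumerate(names, 1)}
        self.reverse = {t: n for n, t in self.forward.items()}
        self._names = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, names)))
        self._max = max(map(len, self.reverse))
        self._buf = ""

    def mask(self, text: str) -> str:
        """Applied to every message before it is sent to the model."""
        return self._names.sub(lambda m: self.forward[m.group(0)], text)

    def _restore(self, text: str) -> str:
        # Placeholders not in the map are left as-is rather than guessed.
        return self.TOKEN.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)

    def feed(self, chunk: str) -> str:
        """Restore names in a streamed chunk, holding back a possibly split placeholder."""
        self._buf += chunk
        cut = self._buf.rfind("[")
        held = self._buf[cut:] if cut != -1 else ""
        # Hold only an unclosed '[' run that is still short enough to be a placeholder.
        if held and "]" not in held and len(held) < self._max:
            ready, self._buf = self._buf[:cut], held
        else:
            ready, self._buf = self._buf, ""
        return self._restore(ready)

    def flush(self) -> str:
        """Emit whatever is still buffered when the stream ends."""
        ready, self._buf = self._buf, ""
        return self._restore(ready)

def demo():
    p = Pseudonymizer(["Retail", "Retail EU", "Treasury"])
    masked = p.mask("Compare Retail EU with Treasury")
    # Constructed model stream; the second placeholder arrives in two pieces.
    chunks = ["[BU_1] is above ", "[BU", "_2]", " this quarter"]
    return masked, "".join(p.feed(c) for c in chunks) + p.flush()
```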
Live integrations through MCP
Aria queries the customer's live security stack, not just platform data. CrowdStrike Falcon today, any MCP-compliant tool tomorrow. Registration is per-profile, with OAuth 2.1 handling authentication. This shifts Aria from a standalone analytics product to an orchestration layer for the customer's entire security operation.
We are also extending Aria to expose its own tools as an MCP server, so Claude Desktop, Cursor, or the customer's internal tools can pull Aria data from wherever the user already works. Aria reads from any tool the customer connects, and exposes its own data to MCP clients on the customer's side.
Admin-defined agents
The customer's administrator creates new specialists directly from the application UI: name, prompt, tools. New agents go live for the entire organization in minutes. This runs alongside the prompts we manage as a fast path for here-and-now needs, so the customer teaches the platform new roles instead of waiting for a release.

The Solution
Aria is an embedded AI native to the platform. It lives inside the customer's interface, brand, and authentication boundary, with the analytical depth of the original platform behind it and a conversational front-end on top. Users do not switch to a separate tool to use it.
For users, the experience changed. The product now answers their questions and acts on them inside the same panel. The analytics tool that used to require expert interpretation became a self-serve product where users ask, explore, and act in one place. Risk is no longer just displayed. It is addressed in the same workflow.
For the client, product evolution stopped being gated by release cycles. The admin team can ship new agents, new prompts, and new connectors to live security tools in minutes, configured directly from the application UI. The customer can extend the platform on their own as new needs arise, without waiting for a sprint or a deployment.
What changed structurally is that the platform now operates as an orchestration layer for the customer's security stack, not just an analytics product. The same interface serves board reports, CFO narratives, and CISO investigations. The same architecture lets the customer's admin team extend Aria's capabilities and connect new security tools without engineering involvement.
The Results
95% reduction in client onboarding time

Customers go from 45 minutes of guided setup with active customer support involvement to under 2 minutes of self-paced onboarding.
From quarterly tool to daily decision-support system

Customers who used to open the platform once a quarter to produce periodic reports now run their day-to-day decisions through it.
No changes to core platform

The platform's core infrastructure, data model, and codebase stayed intact. Aria sits on top, not inside.
One panel serves three distinct user personas

Board members get screenshots that explain themselves. CFOs get narratives behind the numbers. CISOs get conversational depth to investigate and act. Same interface, three workflow paths.
New agents and workflows ship in minutes

The customer's admin team configures new specialists directly from the application UI, without engineering involvement or release cycles.
Security architecture unchanged

Tenant isolation, encryption, and access controls all maintained from the original platform. Embedded AI added without expanding the audit boundary.