JP Morgan has deployed AI to speed up threat modelling, using an approach it calls “tradecraft modelling.”

The financial services firm said the approach is helping its cybersecurity team automate “complex and time-consuming” threat modelling, using prompt engineering. 

Input a system architecture either as a diagram or text description and parameters into the “Auspex” copilot and it will produce an end-to-end threat model for that system. 

JPMorgan’s CISO Pat Opet said: “Given an arbitrary system design we can now produce a fully elaborated threat model in context of our threat and control framework in minutes. 

“Innovations like this help engineers understand *why* controls are important not just *what* they need to do to build secure systems, while breaking the scaling problem…’

How JPMorgan’s Auspex works

JP Morgan’s AI threat modeling copilot works in two stages to analyse system inputs and produce threat matrices complete with scenarios categorisations, and then suggest mitigations using security frameworks like STRIDE and the CIA Triad.

Stage one is breaking the ingested system down using prompt chains encoded with expert threat modeller knowledge or “tradecraft” to generate a security-first description of a system.  

Stage two is sending that solution description through another round of prompts to chain it to an AI model that produces a complete threat matrix. JPMorgan said in a whitepaper on the approach that it was withholding full details of the “tradecraft prompts, prompt chains, and elicitation methods” for now.

The report does provide general example prompts similar to what JP Morgan researchers have encoded in their copilot to replicate the human expertise of their in-house threat modellers. 

However, the specificity of the full prompts is what seems to make this tool successful. 

See also: Microsoft rewrites UEFI firmware in Rust

Overall, six out of the eight human threat modellers who evaluated the system's outputs said "the generated threat scenarios reflected realistic security threats to the systems being threat modelled". All eight evaluators agreed, or strongly agreed, that the model produced easily-understandable scenarios and that it improved the overall threat modelling experience.

The bank’s team said they want to mature the process along two paths: “agent frameworks, fine-tuning methods, grounding methods, among others, as investigations into system performance warrant. The second is maturing Auspex along a "shift left" pathway, initiating threat modeling earlier in the technical planning phases, while also expanding its scope to business development and organizational-level strategy.”

The link has been copied!