AWS re:Invent 2025 - Deep Dive into Deloitte's Amazon Neptune GenAI Security Intelligence Center
Improving Generative AI Capabilities with Graph-Augmented Retrieval
Overview
Presentation by Ian Robinson, a graph architect with the Amazon Neptune team, and Evan Owie, an AVP for cyber operations at Deloitte
Discussed Deloitte's use of the open-source Graph Toolkit library developed by the Neptune team to build their Cyber Security Intelligence Center
The Challenge of Security Alert Overload
When cloud security platforms like Wiz or CrowdStrike are first enabled, they can generate hundreds or thousands of security alerts and compliance notifications
Security operations (SecOps) engineers and analysts are then faced with the challenge of triaging and prioritizing these issues to remediate them safely and efficiently
This requires understanding the significance of each issue in the context of the organization's security policies and the potential impact of remediation on production systems
The Role of Generative AI and Retrieval-Augmented Generation (RAG)
Automation and context awareness, which map naturally onto generative AI and RAG, can help address this challenge
Deloitte used the Graph Toolkit to build an "AI for Triage" system to provide expert-in-the-middle assistance to SecOps engineers
Improving Graph RAG Techniques
The quality of the context retrieved by RAG systems can significantly impact the quality and reliability of the responses
Vector similarity search can find semantically similar content, but may miss structurally relevant but dissimilar content
Hybrid RAG approaches using both vector and graph search can improve recall, but the quality of the graph search depends on the quality of the underlying graph
The Graph Toolkit's Hierarchical Lexical Graph Model
Designed to make it easy to build a graph from unstructured or semi-structured data sources with minimal information architecture overhead
Uses a "hierarchical lexical graph" model with:
Lineage tier: Source nodes and chunk nodes
Summarization tier: Statements grouped by topic and supported by facts
Entity relationship tier: Entities and relations
Improving Recall with Entity Network Contexts
To find relevant but dissimilar content, the toolkit uses "entity network contexts" - one or two-hop networks surrounding key entities and keywords from the user's query
These entity network contexts are used in three ways:
To seed dissimilarity searches, which find content similar to the entity network context rather than to the original query
To rerank the search results, promoting statements that are relevant to the entity network contexts
To enrich the prompt used to generate the final response
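As an added example, not code from the talk or from the Graph Toolkit, the following Python sketch shows the three uses of an entity network context over a constructed toy graph modelled on the sales-prospects scenario from the talk: a BFS over the entity tier, dissimilarity seeds, and reranking by hop distance, with a token-overlap search standing in for vector similarity. All statement texts, entities, relations and function names are assumptions.

```python
import re
from collections import deque

# Constructed toy graph (hypothetical data, not from the talk or the toolkit).
# Summarization tier: statement id -> (text, entities that support it).
STATEMENTS = {
    "s1": ("AcmeCo projects 12% growth in Q3 sales.", {"AcmeCo", "Q3 sales"}),
    "s2": ("A ransomware attack halted shipping at Acme Distribution.",
           {"Acme Distribution", "ransomware attack"}),
    "s3": ("Acme Distribution ships 70% of AcmeCo products.", {"AcmeCo", "Acme Distribution"}),
    "s4": ("Marketing sales campaign launched for Q3.", {"marketing campaign"}),
}
# Entity relationship tier: undirected edges between entities.
RELATIONS = [("AcmeCo", "Q3 sales"), ("AcmeCo", "Acme Distribution"),
             ("Acme Distribution", "ransomware attack")]


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def entity_network_context(seeds, relations, hops=2):
    """BFS over the entity tier from the query's key entities: entity -> hop distance."""
    adj = {}
    for a, b in relations:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {s: 0 for s in seeds}, deque(seeds)
    while queue:
        cur = queue.popleft()
        if dist[cur] < hops:
            for nxt in adj.get(cur, ()):
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
    return dist


def lexical_search(terms, statements=STATEMENTS):
    """Stand-in for vector similarity: rank statements by token overlap, drop zero hits."""
    query = tokens(" ".join(terms))
    scored = [(len(query & tokens(text)), sid) for sid, (text, _) in statements.items()]
    return [sid for score, sid in sorted(scored, key=lambda x: -x[0]) if score > 0]


def rerank(candidates, context, statements=STATEMENTS):
    """Use 2: promote statements whose entities sit close to the query entities."""
    def closeness(sid):
        return sum(1 / (1 + context[e]) for e in statements[sid][1] if e in context)
    return sorted(candidates, key=lambda sid: -closeness(sid))


def retrieve(query_entities, statements=STATEMENTS, relations=RELATIONS):
    """Returns ranked statement ids plus the context that enriches the prompt (use 3)."""
    context = entity_network_context(query_entities, relations)
    hits = lexical_search(query_entities, statements)
    seeds = [e for e in context if e not in query_entities]  # use 1: dissimilarity seeds
    hits += [s for s in lexical_search(seeds, statements) if s not in hits]
    return rerank(hits, context, statements), context
```

For the query entities AcmeCo and Q3 sales, the lexically similar but irrelevant s4 drops to the bottom while the attack on the distributor (s2), which shares no tokens with the query, is pulled in through the two-hop context.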
Results and Impact
Using traditional vector similarity search alone resulted in an overly optimistic response about sales prospects
The graph RAG approach using the toolkit provided a more nuanced conclusion, identifying potential supply chain and distribution challenges due to a cyber attack
The combination of vector and graph search helps mitigate quality issues in the original query and the underlying content
Key Takeaways
The Graph Toolkit's hierarchical lexical graph model and entity network context techniques improve recall and reliability of generative AI responses
Graph search and vector search are mutually beneficial, working in concert to smooth out quality issues
The toolkit is an open-source library intended to be combined with other tools and libraries to build more fully-featured applications
Deloitte's Cyber Security Intelligence Center
Deloitte used the Graph Toolkit to build a system that integrates short-term security alerts and long-term organizational knowledge
Key components:
Document graph to capture short-term security signals and logs
Triage record that converts short-term data into long-term organizational memory
Human-in-the-loop "AI-enabled factory" to generate evidence-based remediation recommendations
Enables collaboration between SecOps analysts and business stakeholders by providing a shared, evolving knowledge base
Technical Implementation
Built on AWS services including EKS, Neptune, OpenSearch, DynamoDB, and Lambda
Uses a pipeline to rapidly ingest and convert various data sources into the document graph
Separates the "reading" and "writing" engines to prevent graph pollution
Provides a "cognitive substrate" or AI-enabled factory to shield end-users from the complexity of the underlying systems
Business Impact
Moves from an "operational reality" to "policy intent" by grounding security policies in the organization's actual security experiences
Enables truth and traceability, allowing analysts and business stakeholders to have a shared understanding of security posture
Supports automation through reusable "recipes" rather than brittle code, with human-in-the-loop validation
Conclusion
The Graph Toolkit and Deloitte's Cyber Security Intelligence Center demonstrate how graph-augmented generative AI can enhance security operations by improving recall, providing context-aware responses, and building an evolving organizational memory. This approach empowers security experts, enables collaboration, and grounds security policies in real-world experience.