Visa adopts AI security workflow, slashes alert triage to seconds

Serge Bulaev

Serge Bulaev

Visa has built an AI-powered security workflow that may help reduce alert triage time from around 20 minutes to just seconds. The system uses a four-step process - detection, enrichment, AI validation, and delivery - to prepare cases for human review, and analysts still make the final decisions. Early results suggest this approach saves time, gives consistent results, and lets analysts focus on more complex tasks. Some reports indicate that roles may shift, with more need for AI oversight and less manual work. This system appears to offer a way for other organizations to speed up security tasks while keeping human judgment and transparency.

Visa adopts AI security workflow, slashes alert triage to seconds

Visa's new AI security workflow, built with Elastic, is revolutionizing its global Security Operations Center (SOC) by slashing alert triage time from minutes to mere seconds. This experiment positions Visa as an early adopter of carefully constrained AI agents to compress repetitive cybersecurity tasks without sacrificing auditability or human judgment.

How the Four-Stage AI Pipeline Works

Visa's AI security workflow uses a four-stage pipeline to automate the detection, enrichment, and validation of security alerts. The system prepares a fully contextualized case for a human analyst who makes the final escalation decision, ensuring a rapid, consistent, and human-governed triage process across the organization.

The cybersecurity engineering team designed this process within a single, portable YAML file that chains detection, enrichment, AI validation, and delivery. According to the Elastic customer case study, the AI validation stage passes alert context to a constrained large language model (LLM), which confirms findings and drafts a structured summary. This has proven particularly effective for high-stakes mainframe identity alerts.

Stage Purpose
Detection Flags anomalous mainframe identity activity
Enrichment Runs follow-up ES|QL queries to attribute the alert
AI validation Constrained LLM checks evidence and drafts reasoning
Delivery Outputs an incident-ready case for human review

Measurable Results Inside Visa's SOC

The implementation yields significant time savings, reducing triage for complex mainframe alerts from lengthy manual processes down to just seconds. This AI-driven approach delivers consistent results regardless of analyst experience and creates a reusable pattern for other detections. Crucially, the AI never decides on escalation; human analysts approve every case.

Building on this success, Visa has open-sourced a complementary Visa Vulnerability Agentic Harness, as detailed in a recent LinkedIn update, extending the same governance model to vulnerability management.

The Wider Agentic AI Backdrop

This initiative places Visa at the forefront of a major industry shift. Industry reports suggest the market for agentic SOC automation is experiencing significant growth. Human-led agentic models are expected to become mainstream as platforms integrate guarded autonomous actions, such as host isolation, behind confidence thresholds.

Shifting Roles for the Cybersecurity Workforce

Contrary to fears of replacement, analyst roles are evolving toward higher-value work. Industry analysts estimate that AI will handle a significant portion of Tier 1 responsibilities in the coming years. This shift reduces demand for entry-level manual tasks but increases the need for professionals skilled in AI governance, threat hunting, and validating AI outputs. Visa's model exemplifies this trend, elevating analysts to focus on complex judgment instead of repetitive data enrichment.

Key Takeaways for Security Leaders

Visa's measured approach provides a powerful template for regulated enterprises seeking to accelerate security operations without sacrificing control. Success hinges on using portable workflows, constraining AI models to specific tasks, and enforcing human approval for all escalations. Maintaining clear reasoning traces and continuous metrics is essential for ensuring long-term trust and auditability in AI-assisted security.


What is Visa's agentic AI security workflow and how does it work?

Visa built its first Elastic Workflow - a four-stage, human-on-the-loop AI pipeline that automates alert triage while preserving analyst oversight. The entire workflow runs from a single portable YAML file, making it readable, editable, and reusable across different security detections.

The four stages function as follows:

Stage Purpose
Detection Identifies suspicious behavior (e.g., mainframe identity anomalies)
Enrichment Automatically runs follow-up queries to identify the responsible user
AI Validation Uses a constrained LLM to verify findings and output structured summaries
Delivery Produces an incident-ready case for a human's escalation decision

The constrained LLM step is critical; it ensures the AI only validates and summarizes evidence rather than making autonomous decisions, keeping humans in control of all critical judgment calls.

How much time did Visa actually save with this automation?

The results were substantial and immediate. For mainframe identity alerts, Visa successfully reduced manual triage time from lengthy processes down to seconds. This eliminated the variability that previously depended on an individual analyst's experience with complex legacy logs, ensuring a consistent and rapid response.

What does "human-on-the-loop" mean in practice?

Human-on-the-loop is a design principle where AI handles repetitive enrichment and validation, but a human retains final decision-making authority. In Visa's workflow, this means:

  • The AI does not decide to escalate; it only prepares an enriched, validated case.
  • Analysts must review the AI-generated summary before taking any action.
  • The workflow maintains full auditability with clear reasoning traces that show the tools, logic, and evidence used.

This architecture directly addresses a key industry concern: analysts who trust AI output without questioning it. Visa's model mandates human validation at the point of consequence.

How is Visa expanding agentic AI beyond this initial workflow?

Visa's agentic AI strategy has grown significantly beyond the initial Elastic proof of concept. Key initiatives now include:

Initiative Description
Visa Vulnerability Agentic Harness (VVAH) An open-sourced framework using Anthropic's frontier reasoning models to find, validate, and fix vulnerabilities at enterprise scale.
Agentic Control Plane A central governance layer that manages identity, policy gates, and human oversight for all AI-powered security tasks.
Trusted Agent Protocol An open framework to help distinguish legitimate AI agents from malicious bots, now supported by major partners like Akamai.

To measure success, Visa also introduced Mean Time to Adapt (MTTA) as a primary metric, tracking the time from an AI-discovered weakness to a validated fix in production.

What does this mean for cybersecurity analysts' careers?

The impact is role elevation, not elimination. While projections suggest a significant portion of Tier 1 analyst tasks will be automated in the coming years, demand remains strong for professionals who can perform high-level functions:

  • Validate AI outputs and apply critical oversight.
  • Conduct strategic threat hunting and complex investigations.
  • Manage AI governance and security automation platforms.

With millions of unfilled cybersecurity roles globally, professionals who develop AI fluency alongside deep domain expertise will remain highly valuable. The emerging AI SecOps Analyst role merges traditional functions, focusing on supervising AI agents and managing escalations.