Visa integrates AI to slash security alert triage from minutes to seconds
Serge Bulaev
Visa has built a new security workflow using AI with Elastic, which may reduce the time to review security alerts from 10 - 20 minutes to just seconds. The AI checks evidence in security logs and creates a summary, but a human still decides if an alert should be escalated. This process is designed to be safe and controlled, using only trusted data and keeping the final decision with people. While some data on overall impact is not yet public, the much faster triage suggests the approach could help other companies looking for both speed and control in security. Experts suggest this hybrid system may speed up routine work and let analysts focus on harder problems.

In a major step for enterprise security, Visa integrates AI to slash security alert triage time through a new agentic workflow built with Elastic. According to an Elastic case study, the new system reduces review times from minutes to seconds by automating evidence validation while keeping human analysts in control of final escalation decisions.
The new process replaces a manual system where analysts spent significant time combing through logs to validate identity alerts on mainframes. Defined in a single YAML file, the automated pipeline executes four key steps: detection, enrichment, validation, and delivery. A large language model (LLM) receives a constrained prompt, analyzes log evidence against the alert, and generates a structured summary for a human reviewer who remains "on the loop" for the final decision.
Why Visa chose a controlled agentic design
Visa achieved this speed by deploying an agentic AI workflow with Elastic. The system automates the manual work of searching logs for evidence related to an alert. It uses a large language model to validate the threat and summarize findings, presenting a concise report to a human analyst.
Visa's security engineering team prioritized an AI model that was auditable, narrowly focused, and grounded in trusted internal data. This "human-on-the-loop" design, which limits the AI's scope to specific evidence fields and reserves escalation authority for analysts, directly addresses common enterprise concerns about AI autonomy and accountability. Elastic notes the workflow's pattern is reusable, enabling a scalable security solution without altering existing governance structures.
Measured outcome: faster triage, higher throughput
For the initial pilot alert, the triage time was reduced to just seconds. While Visa has not released aggregate performance metrics, Elastic reports that the significant speed increase frees up analysts from repetitive data enrichment tasks to concentrate on more complex investigations. This suggests a potential for higher SOC throughput without increasing headcount, an outcome supported by similar industry findings, such as Google's report of agents reducing 30-minute analyses to 60 seconds.
Connection to Visa's broader agentic roadmap
This security operations workflow is part of a broader strategic initiative at Visa called Project Glasswing. As part of this project, Visa also open-sourced its Visa Vulnerability Agentic Harness (VVAH) to support defensive research. The company's stated goal is to "refactor our defenses to be increasingly autonomous" while ensuring they remain under strict human governance. A related Visa announcement positioned the VVAH as a tool to help organizations "find, understand, and fix security gaps at AI speed."
Key design elements in one place
- Four stages: detect - enrich - validate - deliver
- Constrained LLM prompt anchored in SOC data
- Single YAML file for reproducibility
- Human reviewer finalises escalation
How it fits emerging SOC practice
This implementation aligns with emerging best practices for the modern SOC. According to industry reports, many organizations are exploring hybrid systems that combine deterministic queries with specialized AI agents. Visa's model is a practical example of this approach: deterministic steps gather context, while the AI agent validates the hypothesis and drafts a summary. Security experts believe this hybrid approach is key for safe adoption, as it quickly resolves most false positives and frees up human analysts to handle complex edge cases.
Although specific metrics on false positive reduction or mean time to respond (MTTR) are not yet public, the long-term impact is under evaluation. However, the dramatic reduction in triage time to mere seconds strongly suggests that Visa's controlled, agentic design could become a valuable template for other highly regulated organizations seeking to balance operational speed with robust security controls.