Skip to main content
Version: Current

Security AI - Production Implementation Guide

Learn how to deploy AI-powered security analysis in production environments.

Production Ready v2.4.9

The default heuristic implementation is production-ready and requires no external services or API keys. Custom ML and external AI options are available for higher accuracy requirements.


Understanding Security AI

What is Security AI?

Security AI extends the basic Security module with AI-powered threat detection:

FeatureBasic SecuritySecurity AI
Secret Detection✅ Regex patterns✅ Context-aware AI
Threat Detection✅ Static rules✅ ML-based analysis
Behavioral Analysis❌ Not available✅ Anomaly detection
False Positive Rate~15%~5% (with ML)

Default Implementation

By default, Security AI uses heuristic detectors - no external AI services required:

builder.Services.AddPrimusSecurityAI();
app.MapPrimusSecurityAIEndpoints();

Heuristic detectors:

  • ✅ Pattern-based threat detection
  • ✅ Rule-based behavioral analysis
  • ✅ No API keys required
  • ✅ Runs entirely offline
  • ✅ Complete data isolation

Production Deployment Options

Best for:

  • Getting started quickly
  • Cost-sensitive deployments
  • Complete data isolation requirements
  • Offline environments

Setup:

using PrimusSaaS.Security.AI;

var builder = WebApplication.CreateBuilder(args);

// Add heuristic AI security
builder.Services.AddPrimusSecurityAI();

var app = builder.Build();

// Map AI endpoints
app.MapPrimusSecurityAIEndpoints();

app.Run();

Endpoints Created:

  • POST /api/aisecurity/detect-threats - AI threat detection
  • POST /api/aisecurity/analyze-behavior - Behavioral analysis
  • POST /api/aisecurity/smart-secret-detection - Smart secret detection
  • GET /api/aisecurity/ai-status - AI status check

Test It:

curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d '{
"code": "var query = \"SELECT * FROM Users WHERE id = \" + userId;",
"fileName": "UserController.cs"
}'

Response:

{
"threatsFound": 1,
"confidence": 0.85,
"threats": [
{
"type": "SQL Injection",
"severity": "High",
"confidence": 0.85,
"message": "Potential SQL injection via string concatenation",
"line": 1,
"snippet": "var query = \"SELECT * FROM Users WHERE id = \" + userId;"
}
]
}

Option 2: Custom ML Detector

Best for:

  • Higher accuracy requirements
  • Custom threat models
  • Domain-specific security rules

Implementation:

Step 1: Create Custom Detector

using PrimusSaaS.Security.AI;
using Microsoft.ML;

public class CustomMLThreatDetector : IAIThreatDetector
{
private readonly MLContext _mlContext;
private readonly ITransformer _model;
private readonly ILogger<CustomMLThreatDetector> _logger;

public CustomMLThreatDetector(
ILogger<CustomMLThreatDetector> logger,
IConfiguration config)
{
_logger = logger;
_mlContext = new MLContext();

// Load your trained ML model
var modelPath = config["SecurityAI:ModelPath"] ?? "threat-detection.zip";
_model = _mlContext.Model.Load(modelPath, out var modelSchema);
}

public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
_logger.LogInformation("Analyzing {FileName} with ML model", fileName);

// Create prediction engine
var predictionEngine = _mlContext.Model
.CreatePredictionEngine<CodeInput, ThreatPrediction>(_model);

// Prepare input
var input = new CodeInput
{
Code = code,
FileName = fileName,
FileExtension = Path.GetExtension(fileName)
};

// Make prediction
var prediction = predictionEngine.Predict(input);

// Convert to AIAnalysisResult
var threats = new List<ThreatFinding>();

if (prediction.IsThreat && prediction.Confidence > 0.7)
{
threats.Add(new ThreatFinding
{
Type = prediction.ThreatType,
Severity = MapSeverity(prediction.Severity),
Confidence = prediction.Confidence,
Message = prediction.Message,
Line = prediction.LineNumber,
Snippet = ExtractSnippet(code, prediction.LineNumber)
});
}

return new AIAnalysisResult
{
Threats = threats,
OverallConfidence = prediction.Confidence
};
}

public async Task<SmartDetectionResult> DetectSecretsWithAIAsync(string content)
{
// Implement secret detection using your ML model
// Similar pattern to AnalyzeAsync

return new SmartDetectionResult
{
Findings = new List<SecretFinding>(),
FilteredCount = 0
};
}

private ThreatSeverity MapSeverity(string severity)
{
return severity.ToLower() switch
{
"critical" => ThreatSeverity.Critical,
"high" => ThreatSeverity.High,
"medium" => ThreatSeverity.Medium,
_ => ThreatSeverity.Low
};
}

private string ExtractSnippet(string code, int lineNumber)
{
var lines = code.Split('\n');
if (lineNumber > 0 && lineNumber <= lines.Length)
{
return lines[lineNumber - 1].Trim();
}
return string.Empty;
}
}

// ML.NET model classes
public class CodeInput
{
public string Code { get; set; }
public string FileName { get; set; }
public string FileExtension { get; set; }
}

public class ThreatPrediction
{
public bool IsThreat { get; set; }
public float Confidence { get; set; }
public string ThreatType { get; set; }
public string Severity { get; set; }
public string Message { get; set; }
public int LineNumber { get; set; }
}

Step 2: Register Custom Detector

var builder = WebApplication.CreateBuilder(args);

// Register custom ML detector instead of heuristic
builder.Services.AddSingleton<IAIThreatDetector, CustomMLThreatDetector>();

// Still need to register behavioral analyzer (or create custom one)
builder.Services.AddSingleton<IBehavioralAnalyzer, HeuristicBehavioralAnalyzer>();

var app = builder.Build();

// Map endpoints (works with custom detectors)
app.MapPrimusSecurityAIEndpoints();

app.Run();

Step 3: Configure Model Path

appsettings.json:

{
"SecurityAI": {
"ModelPath": "./Models/threat-detection.zip",
"ConfidenceThreshold": 0.75
}
}

Option 3: External AI Service (OpenAI, Azure OpenAI)

Best for:

  • Highest accuracy requirements
  • Leveraging pre-trained LLMs
  • Rapid deployment without ML expertise

Implementation:

using Azure.AI.OpenAI;

public class OpenAIThreatDetector : IAIThreatDetector
{
private readonly OpenAIClient _client;
private readonly ILogger<OpenAIThreatDetector> _logger;
private readonly string _deploymentName;

public OpenAIThreatDetector(
IConfiguration config,
ILogger<OpenAIThreatDetector> logger)
{
_logger = logger;

var endpoint = config["AzureOpenAI:Endpoint"];
var apiKey = config["AzureOpenAI:ApiKey"];
_deploymentName = config["AzureOpenAI:DeploymentName"];

_client = new OpenAIClient(new Uri(endpoint), new AzureKeyCredential(apiKey));
}

public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
_logger.LogInformation("Analyzing {FileName} with Azure OpenAI", fileName);

var prompt = $@"Analyze the following code for security vulnerabilities.
Return a JSON array of threats found.

Code:
```
{code}
```

Return format:
{{
""threats"": [
{{
""type"": ""SQL Injection"",
""severity"": ""High"",
""confidence"": 0.95,
""message"": ""Description of the threat"",
""line"": 5
}}
]
}}";

var chatCompletionsOptions = new ChatCompletionsOptions
{
DeploymentName = _deploymentName,
Messages =
{
new ChatRequestSystemMessage("You are a security expert analyzing code for vulnerabilities."),
new ChatRequestUserMessage(prompt)
},
Temperature = 0.2f,
MaxTokens = 1000
};

var response = await _client.GetChatCompletionsAsync(chatCompletionsOptions);
var content = response.Value.Choices[0].Message.Content;

// Parse JSON response
var result = JsonSerializer.Deserialize<OpenAIResponse>(content);

return new AIAnalysisResult
{
Threats = result.Threats.Select(t => new ThreatFinding
{
Type = t.Type,
Severity = Enum.Parse<ThreatSeverity>(t.Severity),
Confidence = t.Confidence,
Message = t.Message,
Line = t.Line
}).ToList(),
OverallConfidence = result.Threats.Any()
? result.Threats.Average(t => t.Confidence)
: 0
};
}

public async Task<SmartDetectionResult> DetectSecretsWithAIAsync(string content)
{
// Similar implementation for secret detection
return new SmartDetectionResult();
}
}

public class OpenAIResponse
{
public List<OpenAIThreat> Threats { get; set; }
}

public class OpenAIThreat
{
public string Type { get; set; }
public string Severity { get; set; }
public double Confidence { get; set; }
public string Message { get; set; }
public int Line { get; set; }
}

Configuration:

{
"AzureOpenAI": {
"Endpoint": "https://your-resource.openai.azure.com/",
"ApiKey": "your-api-key-here",
"DeploymentName": "gpt-4"
}
}

Performance Comparison

ApproachLatencyCostAccuracyData Privacy
Heuristic<100ms$070-80%✅ Complete
Custom ML100-500ms$085-95%✅ Complete
External AI1-5s$$$90-98%⚠️ Partial

Detailed Metrics

Heuristic Detectors

  • Throughput: 1000+ requests/sec
  • Memory: ~50MB
  • CPU: Low
  • False Positives: ~15%
  • False Negatives: ~10%

Custom ML (ML.NET)

  • Throughput: 200-500 requests/sec
  • Memory: ~200MB (model loaded)
  • CPU: Medium
  • False Positives: ~5%
  • False Negatives: ~3%

External AI (Azure OpenAI)

  • Throughput: 10-50 requests/sec (API limits)
  • Memory: ~100MB
  • CPU: Low (offloaded)
  • False Positives: ~2%
  • False Negatives: ~1%
  • Cost: ~$0.002 per request

CI/CD Integration

GitHub Actions

name: Security AI Scan

on:
pull_request:
branches: [ main ]
push:
branches: [ main ]

jobs:
security-scan:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '9.0.x'

- name: Run Security AI Scan
run: |
# Start API with Security AI
cd YourApi
dotnet run &
API_PID=$!

# Wait for API to start
sleep 10

# Scan all C# files
for file in $(find . -name "*.cs"); do
echo "Scanning $file..."
curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d "{\"code\": \"$(cat $file | jq -Rs .)\", \"fileName\": \"$file\"}" \
>> scan-results.json
done

# Stop API
kill $API_PID

- name: Check Results
run: |
# Fail if critical threats found
CRITICAL_COUNT=$(jq '[.threats[] | select(.severity == "Critical")] | length' scan-results.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Found $CRITICAL_COUNT critical threats!"
exit 1
fi

- name: Upload Results
uses: actions/upload-artifact@v4
with:
name: security-scan-results
path: scan-results.json

Azure DevOps

trigger:
- main

pool:
vmImage: 'ubuntu-latest'

steps:
- task: UseDotNet@2
inputs:
version: '9.0.x'

- script: |
cd YourApi
dotnet run &
API_PID=$!
sleep 10

for file in $(find . -name "*.cs"); do
curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d "{\"code\": \"$(cat $file | jq -Rs .)\", \"fileName\": \"$file\"}"
done

kill $API_PID
displayName: 'Run Security AI Scan'

Best Practices

1. Choose the Right Approach

Use Heuristic when:

  • ✅ Getting started
  • ✅ Cost is a concern
  • ✅ Data must stay on-premises
  • ✅ Offline deployment required

Use Custom ML when:

  • ✅ Need higher accuracy
  • ✅ Have domain-specific threats
  • ✅ Can train/maintain models
  • ✅ Data must stay on-premises

Use External AI when:

  • ✅ Need highest accuracy
  • ✅ Don't have ML expertise
  • ✅ Cost is acceptable
  • ✅ Data can leave premises

2. Optimize Performance

Caching:

public class CachedThreatDetector : IAIThreatDetector
{
private readonly IAIThreatDetector _inner;
private readonly IMemoryCache _cache;

public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
var cacheKey = $"threat_{ComputeHash(code)}";

if (_cache.TryGetValue(cacheKey, out AIAnalysisResult cached))
{
return cached;
}

var result = await _inner.AnalyzeAsync(code, fileName);

_cache.Set(cacheKey, result, TimeSpan.FromHours(1));

return result;
}
}

Rate Limiting (for External AI):

builder.Services.AddRateLimiter(options =>
{
options.AddFixedWindowLimiter("ai-security", opt =>
{
opt.Window = TimeSpan.FromMinutes(1);
opt.PermitLimit = 60;
});
});

app.MapPrimusSecurityAIEndpoints()
.RequireRateLimiting("ai-security");

3. Monitor and Alert

builder.Services.AddPrimusSecurityAI(options =>
{
options.OnThreatDetected = async (threat) =>
{
if (threat.Severity == ThreatSeverity.Critical)
{
// Send alert
await SendSlackAlert($"Critical threat detected: {threat.Type}");
await SendEmail("security@company.com", threat);
}
};
});

Troubleshooting

High False Positive Rate

Problem: Too many false positives

Solutions:

  1. Increase confidence threshold:

    options.ConfidenceThreshold = 0.85; // Default: 0.75
  2. Implement custom filtering:

    var threats = result.Threats
    .Where(t => t.Confidence > 0.9 || t.Severity == ThreatSeverity.Critical)
    .ToList();

Slow Performance

Problem: AI analysis is too slow

Solutions:

  1. Enable caching (see Best Practices)
  2. Use async/parallel processing
  3. Consider heuristic detectors for non-critical paths

External AI Costs Too High

Problem: Azure OpenAI costs are high

Solutions:

  1. Use caching aggressively
  2. Only scan changed files in CI/CD
  3. Use heuristic for initial screening, AI for flagged items
  4. Switch to custom ML model

Next Steps

Want to...See Guide
Set up basic securitySecurity Quick Start →
Configure CVE databaseCVE Database Setup →
Train custom ML modelML Model Training →
Deploy to productionProduction Deployment →

Summary

Three deployment options: Heuristic, Custom ML, External AI
Complete examples for each approach
Performance comparison to guide decision
CI/CD integration examples
Best practices and troubleshooting