Security AI - Production Implementation Guide
Learn how to deploy AI-powered security analysis in production environments.
The default heuristic implementation is production-ready and requires no external services or API keys. Custom ML and external AI options are available for higher accuracy requirements.
Understanding Security AI
What is Security AI?
Security AI extends the basic Security module with AI-powered threat detection:
| Feature | Basic Security | Security AI |
|---|---|---|
| Secret Detection | ✅ Regex patterns | ✅ Context-aware AI |
| Threat Detection | ✅ Static rules | ✅ ML-based analysis |
| Behavioral Analysis | ❌ Not available | ✅ Anomaly detection |
| False Positive Rate | ~15% | ~5% (with ML) |
Default Implementation
By default, Security AI uses heuristic detectors - no external AI services required:
builder.Services.AddPrimusSecurityAI();
app.MapPrimusSecurityAIEndpoints();
Heuristic detectors:
- ✅ Pattern-based threat detection
- ✅ Rule-based behavioral analysis
- ✅ No API keys required
- ✅ Runs entirely offline
- ✅ Complete data isolation
Production Deployment Options
Option 1: Heuristic Detectors (Recommended for Most)
Best for:
- Getting started quickly
- Cost-sensitive deployments
- Complete data isolation requirements
- Offline environments
Setup:
using PrimusSaaS.Security.AI;
var builder = WebApplication.CreateBuilder(args);
// Add heuristic AI security
builder.Services.AddPrimusSecurityAI();
var app = builder.Build();
// Map AI endpoints
app.MapPrimusSecurityAIEndpoints();
app.Run();
Endpoints Created:
POST /api/aisecurity/detect-threats- AI threat detectionPOST /api/aisecurity/analyze-behavior- Behavioral analysisPOST /api/aisecurity/smart-secret-detection- Smart secret detectionGET /api/aisecurity/ai-status- AI status check
Test It:
curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d '{
"code": "var query = \"SELECT * FROM Users WHERE id = \" + userId;",
"fileName": "UserController.cs"
}'
Response:
{
"threatsFound": 1,
"confidence": 0.85,
"threats": [
{
"type": "SQL Injection",
"severity": "High",
"confidence": 0.85,
"message": "Potential SQL injection via string concatenation",
"line": 1,
"snippet": "var query = \"SELECT * FROM Users WHERE id = \" + userId;"
}
]
}
Option 2: Custom ML Detector
Best for:
- Higher accuracy requirements
- Custom threat models
- Domain-specific security rules
Implementation:
Step 1: Create Custom Detector
using PrimusSaaS.Security.AI;
using Microsoft.ML;
public class CustomMLThreatDetector : IAIThreatDetector
{
private readonly MLContext _mlContext;
private readonly ITransformer _model;
private readonly ILogger<CustomMLThreatDetector> _logger;
public CustomMLThreatDetector(
ILogger<CustomMLThreatDetector> logger,
IConfiguration config)
{
_logger = logger;
_mlContext = new MLContext();
// Load your trained ML model
var modelPath = config["SecurityAI:ModelPath"] ?? "threat-detection.zip";
_model = _mlContext.Model.Load(modelPath, out var modelSchema);
}
public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
_logger.LogInformation("Analyzing {FileName} with ML model", fileName);
// Create prediction engine
var predictionEngine = _mlContext.Model
.CreatePredictionEngine<CodeInput, ThreatPrediction>(_model);
// Prepare input
var input = new CodeInput
{
Code = code,
FileName = fileName,
FileExtension = Path.GetExtension(fileName)
};
// Make prediction
var prediction = predictionEngine.Predict(input);
// Convert to AIAnalysisResult
var threats = new List<ThreatFinding>();
if (prediction.IsThreat && prediction.Confidence > 0.7)
{
threats.Add(new ThreatFinding
{
Type = prediction.ThreatType,
Severity = MapSeverity(prediction.Severity),
Confidence = prediction.Confidence,
Message = prediction.Message,
Line = prediction.LineNumber,
Snippet = ExtractSnippet(code, prediction.LineNumber)
});
}
return new AIAnalysisResult
{
Threats = threats,
OverallConfidence = prediction.Confidence
};
}
public async Task<SmartDetectionResult> DetectSecretsWithAIAsync(string content)
{
// Implement secret detection using your ML model
// Similar pattern to AnalyzeAsync
return new SmartDetectionResult
{
Findings = new List<SecretFinding>(),
FilteredCount = 0
};
}
private ThreatSeverity MapSeverity(string severity)
{
return severity.ToLower() switch
{
"critical" => ThreatSeverity.Critical,
"high" => ThreatSeverity.High,
"medium" => ThreatSeverity.Medium,
_ => ThreatSeverity.Low
};
}
private string ExtractSnippet(string code, int lineNumber)
{
var lines = code.Split('\n');
if (lineNumber > 0 && lineNumber <= lines.Length)
{
return lines[lineNumber - 1].Trim();
}
return string.Empty;
}
}
// ML.NET model classes
public class CodeInput
{
public string Code { get; set; }
public string FileName { get; set; }
public string FileExtension { get; set; }
}
public class ThreatPrediction
{
public bool IsThreat { get; set; }
public float Confidence { get; set; }
public string ThreatType { get; set; }
public string Severity { get; set; }
public string Message { get; set; }
public int LineNumber { get; set; }
}
Step 2: Register Custom Detector
var builder = WebApplication.CreateBuilder(args);
// Register custom ML detector instead of heuristic
builder.Services.AddSingleton<IAIThreatDetector, CustomMLThreatDetector>();
// Still need to register behavioral analyzer (or create custom one)
builder.Services.AddSingleton<IBehavioralAnalyzer, HeuristicBehavioralAnalyzer>();
var app = builder.Build();
// Map endpoints (works with custom detectors)
app.MapPrimusSecurityAIEndpoints();
app.Run();
Step 3: Configure Model Path
appsettings.json:
{
"SecurityAI": {
"ModelPath": "./Models/threat-detection.zip",
"ConfidenceThreshold": 0.75
}
}
Option 3: External AI Service (OpenAI, Azure OpenAI)
Best for:
- Highest accuracy requirements
- Leveraging pre-trained LLMs
- Rapid deployment without ML expertise
Implementation:
using Azure.AI.OpenAI;
public class OpenAIThreatDetector : IAIThreatDetector
{
private readonly OpenAIClient _client;
private readonly ILogger<OpenAIThreatDetector> _logger;
private readonly string _deploymentName;
public OpenAIThreatDetector(
IConfiguration config,
ILogger<OpenAIThreatDetector> logger)
{
_logger = logger;
var endpoint = config["AzureOpenAI:Endpoint"];
var apiKey = config["AzureOpenAI:ApiKey"];
_deploymentName = config["AzureOpenAI:DeploymentName"];
_client = new OpenAIClient(new Uri(endpoint), new AzureKeyCredential(apiKey));
}
public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
_logger.LogInformation("Analyzing {FileName} with Azure OpenAI", fileName);
var prompt = $@"Analyze the following code for security vulnerabilities.
Return a JSON array of threats found.
Code:
```
{code}
```
Return format:
{{
""threats"": [
{{
""type"": ""SQL Injection"",
""severity"": ""High"",
""confidence"": 0.95,
""message"": ""Description of the threat"",
""line"": 5
}}
]
}}";
var chatCompletionsOptions = new ChatCompletionsOptions
{
DeploymentName = _deploymentName,
Messages =
{
new ChatRequestSystemMessage("You are a security expert analyzing code for vulnerabilities."),
new ChatRequestUserMessage(prompt)
},
Temperature = 0.2f,
MaxTokens = 1000
};
var response = await _client.GetChatCompletionsAsync(chatCompletionsOptions);
var content = response.Value.Choices[0].Message.Content;
// Parse JSON response
var result = JsonSerializer.Deserialize<OpenAIResponse>(content);
return new AIAnalysisResult
{
Threats = result.Threats.Select(t => new ThreatFinding
{
Type = t.Type,
Severity = Enum.Parse<ThreatSeverity>(t.Severity),
Confidence = t.Confidence,
Message = t.Message,
Line = t.Line
}).ToList(),
OverallConfidence = result.Threats.Any()
? result.Threats.Average(t => t.Confidence)
: 0
};
}
public async Task<SmartDetectionResult> DetectSecretsWithAIAsync(string content)
{
// Similar implementation for secret detection
return new SmartDetectionResult();
}
}
public class OpenAIResponse
{
public List<OpenAIThreat> Threats { get; set; }
}
public class OpenAIThreat
{
public string Type { get; set; }
public string Severity { get; set; }
public double Confidence { get; set; }
public string Message { get; set; }
public int Line { get; set; }
}
Configuration:
{
"AzureOpenAI": {
"Endpoint": "https://your-resource.openai.azure.com/",
"ApiKey": "your-api-key-here",
"DeploymentName": "gpt-4"
}
}
Performance Comparison
| Approach | Latency | Cost | Accuracy | Data Privacy |
|---|---|---|---|---|
| Heuristic | <100ms | $0 | 70-80% | ✅ Complete |
| Custom ML | 100-500ms | $0 | 85-95% | ✅ Complete |
| External AI | 1-5s | $$$ | 90-98% | ⚠️ Partial |
Detailed Metrics
Heuristic Detectors
- Throughput: 1000+ requests/sec
- Memory: ~50MB
- CPU: Low
- False Positives: ~15%
- False Negatives: ~10%
Custom ML (ML.NET)
- Throughput: 200-500 requests/sec
- Memory: ~200MB (model loaded)
- CPU: Medium
- False Positives: ~5%
- False Negatives: ~3%
External AI (Azure OpenAI)
- Throughput: 10-50 requests/sec (API limits)
- Memory: ~100MB
- CPU: Low (offloaded)
- False Positives: ~2%
- False Negatives: ~1%
- Cost: ~$0.002 per request
CI/CD Integration
GitHub Actions
name: Security AI Scan
on:
pull_request:
branches: [ main ]
push:
branches: [ main ]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '9.0.x'
- name: Run Security AI Scan
run: |
# Start API with Security AI
cd YourApi
dotnet run &
API_PID=$!
# Wait for API to start
sleep 10
# Scan all C# files
for file in $(find . -name "*.cs"); do
echo "Scanning $file..."
curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d "{\"code\": \"$(cat $file | jq -Rs .)\", \"fileName\": \"$file\"}" \
>> scan-results.json
done
# Stop API
kill $API_PID
- name: Check Results
run: |
# Fail if critical threats found
CRITICAL_COUNT=$(jq '[.threats[] | select(.severity == "Critical")] | length' scan-results.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Found $CRITICAL_COUNT critical threats!"
exit 1
fi
- name: Upload Results
uses: actions/upload-artifact@v4
with:
name: security-scan-results
path: scan-results.json
Azure DevOps
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: UseDotNet@2
inputs:
version: '9.0.x'
- script: |
cd YourApi
dotnet run &
API_PID=$!
sleep 10
for file in $(find . -name "*.cs"); do
curl -X POST http://localhost:5000/api/aisecurity/detect-threats \
-H "Content-Type: application/json" \
-d "{\"code\": \"$(cat $file | jq -Rs .)\", \"fileName\": \"$file\"}"
done
kill $API_PID
displayName: 'Run Security AI Scan'
Best Practices
1. Choose the Right Approach
Use Heuristic when:
- ✅ Getting started
- ✅ Cost is a concern
- ✅ Data must stay on-premises
- ✅ Offline deployment required
Use Custom ML when:
- ✅ Need higher accuracy
- ✅ Have domain-specific threats
- ✅ Can train/maintain models
- ✅ Data must stay on-premises
Use External AI when:
- ✅ Need highest accuracy
- ✅ Don't have ML expertise
- ✅ Cost is acceptable
- ✅ Data can leave premises
2. Optimize Performance
Caching:
public class CachedThreatDetector : IAIThreatDetector
{
private readonly IAIThreatDetector _inner;
private readonly IMemoryCache _cache;
public async Task<AIAnalysisResult> AnalyzeAsync(string code, string fileName)
{
var cacheKey = $"threat_{ComputeHash(code)}";
if (_cache.TryGetValue(cacheKey, out AIAnalysisResult cached))
{
return cached;
}
var result = await _inner.AnalyzeAsync(code, fileName);
_cache.Set(cacheKey, result, TimeSpan.FromHours(1));
return result;
}
}
Rate Limiting (for External AI):
builder.Services.AddRateLimiter(options =>
{
options.AddFixedWindowLimiter("ai-security", opt =>
{
opt.Window = TimeSpan.FromMinutes(1);
opt.PermitLimit = 60;
});
});
app.MapPrimusSecurityAIEndpoints()
.RequireRateLimiting("ai-security");
3. Monitor and Alert
builder.Services.AddPrimusSecurityAI(options =>
{
options.OnThreatDetected = async (threat) =>
{
if (threat.Severity == ThreatSeverity.Critical)
{
// Send alert
await SendSlackAlert($"Critical threat detected: {threat.Type}");
await SendEmail("security@company.com", threat);
}
};
});
Troubleshooting
High False Positive Rate
Problem: Too many false positives
Solutions:
-
Increase confidence threshold:
options.ConfidenceThreshold = 0.85; // Default: 0.75 -
Implement custom filtering:
var threats = result.Threats
.Where(t => t.Confidence > 0.9 || t.Severity == ThreatSeverity.Critical)
.ToList();
Slow Performance
Problem: AI analysis is too slow
Solutions:
- Enable caching (see Best Practices)
- Use async/parallel processing
- Consider heuristic detectors for non-critical paths
External AI Costs Too High
Problem: Azure OpenAI costs are high
Solutions:
- Use caching aggressively
- Only scan changed files in CI/CD
- Use heuristic for initial screening, AI for flagged items
- Switch to custom ML model
Next Steps
| Want to... | See Guide |
|---|---|
| Set up basic security | Security Quick Start → |
| Configure CVE database | CVE Database Setup → |
| Train custom ML model | ML Model Training → |
| Deploy to production | Production Deployment → |
Summary
✅ Three deployment options: Heuristic, Custom ML, External AI
✅ Complete examples for each approach
✅ Performance comparison to guide decision
✅ CI/CD integration examples
✅ Best practices and troubleshooting