Artificial intelligence has moved from research labs into every keyboard, terminal, and security operations centre on the planet. Whether you are building with it, defending against it, or trying to keep up with it, fluency in the underlying vocabulary is no longer optional — it is the entry ticket. This glossary unpacks the twelve terms that define the modern AI conversation, with plain-language definitions, technical depth, and what each concept means for the cybersecurity professionals reading along.
If you have ever wondered what a large language model actually is, why hallucinations happen, what tokens cost you, why RAG is everywhere in 2026, or how coding agents differ from the autocomplete you have used for years — this article is for you. We cover each term three ways: what it means in plain English, how it works under the hood, and why it matters for the security teams that increasingly depend on it.
Who this glossary is for. Builders shipping AI features in 2026 will recognise these terms in every product specification. Security professionals will see them in every adversary-tradecraft report and in every internal SOC tooling proposal. Learners and tech-curious readers will leave with a working vocabulary that holds up in a conversation with anyone shipping production AI today.
01 · Large Language Model (LLM)
The AI brain behind every modern chat assistant, coding helper, and enterprise productivity tool. A large language model is a deep neural network with billions — sometimes trillions — of trainable parameters, taught to predict the most likely next chunk of text given what came before. From that one objective, scaled across vast text corpora, emerges everything we recognise as modern conversational AI: writing, summarising, reasoning, code generation, translation, even rudimentary planning.
What it is, in plain language
An LLM is a pattern-matching machine of unprecedented scale. It does not know anything in the way you do. What it has is a probability distribution over every possible next word fragment, learned from reading a meaningful fraction of the public internet, code repositories, books, scientific papers, and other corpora. When you ask it a question, it samples from that distribution one fragment at a time, conditioned on your prompt and everything it has just produced.
How it works under the hood
Modern LLMs use the transformer architecture — a neural network design centred on the attention mechanism, which lets the model weigh the importance of every previous token when predicting the next one. The model has three structural elements that matter for any user-facing conversation:
- An embedding layer that maps input tokens to dense vector representations.
- A stack of transformer blocks (often dozens to hundreds of layers) that progressively refine those representations through attention and feed-forward computation.
- An output projection that converts the final hidden state into a probability distribution over the model’s vocabulary.
Why it matters in 2026
LLMs are now embedded in productivity suites, developer tooling, customer-support workflows, threat-intelligence pipelines, and operating-system shells. The economic and operational implications are everywhere. If you are working in software, you are touching one. If you are working in security, you are increasingly defending against attacks that use them.
For security teams
LLMs are simultaneously the most useful junior analyst your SOC has ever had and one of the largest attack surfaces your organisation has ever deployed. The interesting threat models — prompt injection, indirect prompt injection through poisoned context, model exfiltration via repeated probing, data leakage through verbose system prompts — all stem from the same fundamental property: the model treats your prompt and its training data with similar trust by default. Designing around that property is the entire emerging field of AI security engineering.
Common misconception. An LLM does not “look things up” from a database. It generates answers by sampling probabilities from learned patterns. That is why it can be confident and wrong at the same time — the next concept on this list.
02 · Hallucination
When the model confidently makes things up. A hallucination is any output where the model produces plausible-sounding text that is factually wrong, fabricated, or internally inconsistent — not because it intended to mislead, but because the next-token sampling did not encounter a reliable signal in the training data and filled the gap with the most probable-looking guess.
Why hallucinations happen
Three failure modes account for the overwhelming majority of hallucinations seen in production:
- Gaps in training data. The model was never exposed to the specific fact the prompt is asking about. It still produces an answer because producing an answer is what the loss function rewarded during training.
- Aliasing in token space. Two distinct facts have similar surface forms in the model’s representation; the model samples a confident answer that confuses them.
- Reasoning-step compounding. A multi-step inference chain magnifies a small early error into a large final-answer error. Each step looked locally reasonable; the cumulative drift produced nonsense.
How modern systems reduce hallucination
The current best practice combines three layers:
- Retrieval-augmented generation (RAG), covered later in this article, grounds answers in a known corpus so the model cites rather than invents.
- Chain-of-thought reasoning, also covered later, surfaces the intermediate steps so a verifier can catch a hallucinated premise before it produces a hallucinated conclusion.
- Tool use: the model is permitted to call calculators, code interpreters, web-search APIs, and database queries — turning factual questions into deterministic computations rather than next-token guesses.
For security teams
Treat every AI-generated incident report, malware-analysis summary, indicator attribution, and rule explanation as provisional intelligence until a human verifies it. A hallucinated IOC, a hallucinated CVE, a hallucinated attribution — each can drive a six-figure response action against a phantom adversary. Build the verification step into your SOAR playbooks at the same level as the AI step itself.
Practitioner tip. Hallucinations are not a bug to be patched out — they are a structural feature of next-token-prediction systems. They will be mitigated by better architectures, better grounding, and better tool use, but they will not be eliminated. Build your workflows around verification, not around trust.
03 · Token
The atomic unit of AI communication. A token is the smallest piece of text the model reads or writes — not a word, not a character, but a sub-word fragment. “Unbelievable” is three tokens: un, believ, able. “AI” is one token. A typical English word averages 1.3 to 1.5 tokens. Every input you send and every output you receive is measured, billed, and constrained in tokens.
How tokenisation works
Modern LLMs use sub-word tokenisation schemes — most commonly byte-pair encoding (BPE) or WordPiece. The tokeniser learns a vocabulary during training: common character sequences become single tokens; rare sequences are decomposed into smaller, more common pieces. The result is a vocabulary of typically 30,000 to 200,000 tokens that lets the model represent any text, in any language, with reasonable efficiency.
Why tokens are the unit of cost
Three reasons tokens dominate the economics of production AI:
- Billing. Commercial APIs charge per token, both for input prompts and generated outputs. Heavy users see real bills.
- Context windows. Every model has a maximum number of tokens it can process in a single request — 8K, 32K, 128K, or even 1M in modern frontier models. Exceeding the window forces you to chunk, summarise, or use retrieval.
- Latency. Inference time scales roughly linearly with output tokens. The first token can take 200–500ms; subsequent tokens stream at tens of milliseconds each. Long answers feel slow because they are.
Real-world token economics
A few rules of thumb worth memorising:
- A 1,000-word essay is roughly 1,300–1,500 tokens.
- A typical SOC log line (with metadata) tokenises to 30–80 tokens depending on richness.
- A full year of email correspondence for one user can easily exceed 10 million tokens — well beyond any context window, which is why retrieval architectures exist.
For security teams
Token economics determine whether AI-assisted log analysis is operationally viable at your scale. Sending an entire day of SIEM telemetry to a frontier model costs real money and frequently exceeds context windows. The successful patterns combine aggressive pre-filtering, smart summarisation, and retrieval over an indexed history. If your AI initiative budget seems to disappear faster than the analyst productivity gains, the answer is almost always in your tokenisation strategy.
04 · Training vs. Inference
Two completely different phases of an AI model’s life. Training is the process of teaching the model — expensive, slow, done once or periodically. Inference is the process of using the model — cheap, fast, done millions of times in production.
Training: the teaching phase
During training, the model sees enormous quantities of example text and adjusts its weights (the next concept’s territory) so that its predictions of the next token gradually become more accurate. The process is deeply iterative: a forward pass produces a prediction, a loss function compares that prediction to the actual next token, and a backward pass propagates the error through the network to tweak every weight by a tiny amount. Repeat trillions of times.
Training the largest current frontier models takes thousands of high-end GPUs running for weeks or months, consumes electricity equivalent to a small town’s annual usage, and costs hundreds of millions of dollars. This is why so few organisations train foundation models from scratch.
Inference: the working phase
Inference is what happens when you send a prompt and get an answer. The model’s weights are frozen; nothing is being learned. The compute cost is dramatically lower than training — but multiplied by every user, every request, every day. For a service with millions of daily users, the total inference cost over a year easily dwarfs the training cost.
This is why inference optimisation — quantisation, distillation, batching, key-value caching, speculative decoding — has become its own discipline. A 30% inference speedup at scale is worth more than most training improvements.
| Dimension | Training | Inference |
|---|---|---|
| Frequency | Once or rarely | Every request |
| Cost | $1M–$1B per major model | Cents per request, scaled by traffic |
| Hardware | Thousands of GPUs | Single GPU or even CPU for small models |
| Data direction | Backward (gradient descent) | Forward only |
| What changes | Model weights | Nothing — weights are frozen |
| Engineering focus | Data quality, scale, efficiency | Latency, throughput, cost-per-request |
For security teams
The distinction matters operationally. Training-time supply-chain attacks (poisoned datasets, compromised checkpoint hosting, malicious fine-tuning data) are a fundamentally different threat model from inference-time attacks (prompt injection, jailbreaks, output exfiltration). The same model is vulnerable to both, but the controls live in completely different places: data-pipeline auditing for training, prompt-and-output filtering for inference.
05 · Fine-tuning
Taking a general-purpose model and making it specialist-grade at one thing. Fine-tuning starts with a pretrained foundation model and trains it further on a narrower, higher-quality dataset focused on a specific domain, task, style, or persona. The result is a model that retains the broad knowledge of the base while becoming markedly better at the target task.
When fine-tuning earns its keep
- Domain expertise. A legal model fine-tuned on case law speaks the language of jurisprudence; a base model gives plausible-sounding but legally unreliable answers.
- Style and tone. A customer-support model can be fine-tuned to match a brand’s voice with consistency that prompt engineering alone cannot deliver.
- Structured output. Fine-tuning on input-output pairs in a target format (JSON, YAML, Sigma rules, SQL) yields dramatically better adherence to that format than a base model with detailed prompting.
Modern fine-tuning techniques
You no longer need to retrain every weight in the model to fine-tune. Parameter-efficient fine-tuning (PEFT) techniques have radically lowered the cost:
- LoRA (Low-Rank Adaptation) trains small adapter matrices alongside the frozen base weights. The adapter is a few megabytes; the base model is hundreds of gigabytes; the combined performance approximates a full fine-tune.
- QLoRA combines LoRA with 4-bit quantisation, letting you fine-tune a 70B-parameter model on a single high-end consumer GPU.
- Prompt tuning trains a tiny learned prefix that conditions the model toward the target task without changing any base weights.
When NOT to fine-tune
Fine-tuning is over-applied. Before reaching for it, ask:
- Could a better prompt achieve the same result? Often yes.
- Could retrieval-augmented generation (next section) provide the missing context? Often yes.
- Is the gain worth the maintenance burden of a custom model that needs re-tuning each time the base model upgrades? Often no.
For security teams
Fine-tuning is the right answer for narrowly-scoped, repeatable security tasks where format and consistency matter more than general capability: log-line classification, IOC extraction from threat reports, Sigma-rule format generation, false-positive triage decisions. The wrong answer for open-ended investigation or novel adversary attribution — those reward general capability. The decision rule: fine-tune for production rule firing, prompt-engineer for human-in-the-loop hunting.
06 · Reinforcement Learning
How an AI learns by trial, reward, and repetition. Reinforcement learning (RL) is the training paradigm where the model takes actions, receives a reward signal that grades those actions, and updates its policy to maximise expected future reward. It is how modern reasoning models learn to think before they answer, how robotics models learn to navigate, and how game-playing AI learned to beat human grandmasters.
The core loop
Every RL system has four pieces: an agent (the model), an environment (what the agent acts on), a policy (how the agent chooses actions), and a reward function (the signal that says “that was good” or “that was bad”). The training loop is:
- The agent observes the current state.
- The policy chooses an action.
- The environment returns a new state and a reward.
- The policy updates to make high-reward actions more likely in the future.
Reinforcement Learning from Human Feedback (RLHF)
The technique that turned base LLMs into the polite, helpful assistants we now use is RLHF. The process: human raters rank multiple model outputs by quality; a reward model learns to predict those rankings; the base model is then trained to maximise the predicted reward. RLHF is what gives modern assistants their conversational quality, refusal behaviour, and tone.
From RLHF to reasoning models
The newest generation of reasoning models extends RL further. Instead of being rewarded for output style alone, they are rewarded for reaching verifiably correct answers on math, coding, and logic problems. The model learns to spend more inference compute on internal reasoning chains when the problem demands it — trading latency for accuracy in a way that pre-RL models could not.
For security teams
RL is also the threat model for adversarial AI: an attacker uses RL to find inputs that systematically degrade your model’s safety, jailbreak its restrictions, or exfiltrate its training data. The same algorithm that produces a helpful assistant produces, with a different reward function, an effective attack. Red-team your model the same way you would red-team your network: assume the adversary has a smarter optimiser than you do.
Practitioner analogy. RL is the dog-training of machine learning. You define the trick you want, you grade attempts, and you let the agent figure out the policy. The dog does not understand “sit”; it understands “sitting produces treats”. The model does not understand “be helpful”; it understands “outputs that look helpful produce reward”.
07 · Distillation
Teaching a small model to behave like a big one. Knowledge distillation is the technique that lets a compact, fast, cheap model approximate the capabilities of a much larger, slower, expensive model. A teacher (the large model) generates labelled examples; a student (the small model) is trained to match the teacher’s outputs as closely as possible. The student ends up substantially smaller and faster, with capability that is frequently within a few percentage points of the teacher.
Why distillation matters
Most large models are too expensive to deploy at scale. Distillation makes their capabilities accessible:
- Inference cost drops by 10× or more. A 7B-parameter student can replace a 70B-parameter teacher at a fraction of the compute.
- Latency improves linearly. Smaller models stream tokens faster, which matters for chat interfaces and real-time applications.
- On-device deployment becomes possible. Distilled models fit on phones, edge appliances, and offline laptops where the teacher never could.
How modern distillation works
Three flavours dominate production practice:
- Response distillation. The teacher generates millions of prompt-response pairs; the student is fine-tuned to reproduce them. Simple and effective.
- Logit distillation. The student is trained to match not just the teacher’s chosen output but its full probability distribution over the vocabulary at each step. Richer signal, more capability transfer.
- Behavioural distillation with RL. The student is trained with RL to satisfy a reward model that captures the teacher’s preferences. This is how reasoning-model behaviour is propagated to smaller students.
For security teams
Distillation is the path to on-premises and air-gapped AI. A distilled student can run inside your SOC, behind your firewall, on hardware you own — with all the data-residency and supply-chain control that implies. The trade-off is capability: a distilled student handles routine triage well, struggles with the long-tail novel adversary behaviour the teacher would catch. The right architecture pairs an on-prem student for bulk processing with optional escalation to a hosted teacher for hard cases.
Historical note. Many production-grade compact models you have used over the past few years — faster, cheaper, surprisingly capable — were almost certainly distilled from a much larger frontier model rather than trained from scratch. Distillation is the secret economic engine of the modern AI assistant market.
08 · RAG (Retrieval-Augmented Generation)
Connecting an LLM to your own knowledge so it stops making things up. RAG is the architecture pattern where the model retrieves relevant documents from a separate knowledge base before generating its answer, then grounds the answer in what was retrieved. It is the most operationally useful technique in production AI today and the single most effective way to reduce hallucinations on specific-knowledge tasks.
How RAG works, end to end
- Index your knowledge. Documents are split into chunks, each chunk is converted to a high-dimensional embedding vector by an embedding model, and the vectors are stored in a vector database for fast similarity search.
- At query time, retrieve. The user’s question is embedded the same way, and the database returns the top-k most-similar document chunks.
- Generate with context. The retrieved chunks are inserted into the LLM’s prompt alongside the original question. The model answers with explicit grounding in the retrieved content.
Why RAG is everywhere in 2026
- Hallucinations drop dramatically on the topics covered by the corpus.
- Knowledge stays current by simply updating the corpus, with no model retraining.
- Provenance is preserved. Every answer can cite the source chunks it relied on, making the system auditable in a way pure-LLM answers never are.
- Domain depth is unlocked. Your own technical documentation, internal wiki, codebase, threat-intelligence catalogue, or compliance corpus becomes queryable in natural language without fine-tuning.
Where RAG goes wrong
- Retrieval quality is the ceiling. If your retriever returns irrelevant chunks, the generator hallucinates around them. Embedding-model choice, chunk size, and re-ranking layers matter enormously.
- Context-window pressure. Stuffing too many retrieved chunks degrades generation quality; too few miss the answer entirely.
- Adversarial corpus poisoning. If an attacker can inject content into your retrieval corpus, they can steer the model’s answers. This is one of the most underestimated AI attack surfaces.
For security teams
RAG is the natural architecture for AI-assisted SOC workflows. Your threat-intelligence catalogue, your detection-rule library, your runbook collection, and your post-incident review archive each make excellent RAG corpora. The result: an analyst can ask “Has this IOC pattern been seen before, and how did we respond?” and get a grounded, cited answer instead of a hallucinated guess. The cybersecurity-specific concern: protect the corpus the same way you protect production code — signed commits, change-control, integrity monitoring — because a poisoned corpus becomes a poisoned AI.
09 · Chain of Thought
Breaking a problem into steps the model thinks through before answering. Chain of thought (CoT) is the technique — sometimes a prompting trick, sometimes a trained-in behaviour — where the model produces an explicit intermediate reasoning trace before its final answer. The reasoning is verbose and slower, but accuracy on hard problems improves dramatically.
The classic example
Question: If a baker has 12 dozen eggs and uses 47 of them, how many does she have left?
A base model often produces the wrong number immediately. With chain-of-thought prompting (often as simple as appending “Let’s think step by step”), the model produces:
12 dozen is 12 × 12 = 144 eggs. Subtracting 47 leaves 144 − 47 = 97. The baker has 97 eggs left.
Step-by-step decomposition reveals where each calculation lives, lets the model check its work, and dramatically improves correctness on math, code, logic, and multi-hop reasoning tasks.
From prompt-trick to trained behaviour
Originally, CoT was a prompt-engineering technique: add “think step by step” and accuracy improves. The newest reasoning models have CoT trained into them — they spontaneously decompose problems before answering, often producing internal reasoning chains many times longer than the user-visible answer.
The latency trade-off
Chain-of-thought reasoning generates many more tokens before producing the final answer. That means:
- Slower responses — sometimes 10× the latency of a direct answer.
- Higher cost — you pay for all those reasoning tokens, even though most are invisible to the end user.
- Better accuracy — on tasks that benefit from decomposition, the trade is usually worth it.
For security teams
Chain-of-thought reasoning is the property that makes AI-assisted incident analysis auditable. When the model produces an explicit reasoning chain — “first I checked the source IP, then I correlated with recent threat reports, then I noted the unusual user-agent” — a human SOC analyst can verify each step and catch hallucinated premises before they cascade into hallucinated conclusions. This makes CoT the bridge between AI-generated triage and human-accountable response decisions.
10 · Weights
The numbers that store everything the model has learned. Weights are the trainable parameters of a neural network — the floating-point numbers that get adjusted during training and frozen during inference. Modern frontier LLMs have hundreds of billions to trillions of weights. Each weight individually is meaningless. Collectively, they encode every pattern, fact, style, and capability the model has acquired.
How weights become “intelligence”
At the start of training, weights are initialised to small random numbers. The model produces nonsense. Training feeds it billions of examples, computes the error on each, and nudges every weight by a tiny amount in the direction that would have reduced the error. Repeat trillions of times. The cumulative effect is that the weights converge to a configuration where the model’s next-token predictions match the training distribution closely.
Where weights live
Most weights are concentrated in two places:
- The attention layers — the query, key, value, and output projection matrices that implement how each token attends to every other token.
- The feed-forward layers — large matrices that perform the bulk of the per-token computation between attention layers.
A 70-billion-parameter model occupies roughly 140 GB in 16-bit precision and 35 GB after 4-bit quantisation. That single fact — the multi-gigabyte memory footprint — drives every deployment decision in modern AI.
Why weights matter operationally
- Reproducibility. Two models with identical architectures but different weights behave completely differently. The weights ARE the model.
- Quantisation. Reducing the precision of each weight from 16-bit to 8-bit, 4-bit, or even 2-bit shrinks memory dramatically with surprisingly small capability loss.
- Pruning. Many weights contribute little to model output and can be removed entirely. Sparse models are an active research area.
- Open weights vs closed weights. A model whose weights are publicly downloadable can be inspected, modified, and deployed anywhere; a model whose weights are kept private can only be used through its host’s API. The distinction has enormous implications for security, sovereignty, and supply chain.
For security teams
Treat model weight files the same way you treat signed binaries: integrity matters more than convenience. Hash and verify before deployment; check provenance against the publisher’s signed manifest; monitor for tampering. A modified weight file is a fundamentally different model with potentially malicious behaviour, and the modification is undetectable from the outputs unless you are explicitly testing for it. This is a real and underestimated supply-chain attack surface in 2026.
11 · Validation Loss
The score that tells you whether training is working. Validation loss is the model’s error on a dataset it has not been trained on — the validation set. It is the single most important metric to watch during training, because it answers the only question that matters: is the model getting better, or is it just memorising its training data?
Why a separate validation set is essential
A model can drive its training-set error to nearly zero just by memorising the training examples. Without a separate evaluation set, you have no way to know whether it has actually learned anything generalisable. The validation set is held out from training and used only to score the model. Falling training loss with rising validation loss is the signature of overfitting: the model is memorising rather than generalising.
What a good loss curve looks like
- Both losses fall together. Training is working as intended. The model is learning the underlying pattern, not just the examples.
- Validation loss flattens before training loss. The model has captured most of the generalisable signal. Additional training will not help and may hurt.
- Validation loss rises while training loss keeps falling. Classic overfitting. Stop training, reduce model capacity, add regularisation, or augment the training data.
The metrics beyond loss
Validation loss is necessary but not sufficient. Production models are evaluated on additional metrics:
- Task-specific accuracy on a benchmark suite that resembles real production usage.
- Calibration — do the model’s confidence scores match its actual correctness? Overconfident models are hallucination-prone.
- Behavioural evaluations for safety, helpfulness, and refusal behaviour. These have become as important as raw accuracy.
For security teams
If your team is building ML-based detection systems — the kind that score whether a log line is malicious or whether an executable is suspicious — validation discipline is the difference between a useful tool and shelf-ware. Train on six months of data, validate on the seventh, deploy and watch performance degrade as adversary behaviour drifts. Re-validate quarterly. The same overfitting risk applies to LLM-based detection content — a Sigma rule that catches yesterday’s malware perfectly may miss tomorrow’s variant entirely.
12 · Coding Agent
An AI that doesn’t just suggest code — it writes, tests, and debugs autonomously. A coding agent is qualitatively different from an autocomplete tool. Where autocomplete predicts the next line of code in a single editor, a coding agent works at the task level: read this issue, find the affected files, write the fix, run the tests, iterate until the tests pass, commit. The agent is given goals; it chooses the steps.
What makes an agent an agent
Three properties distinguish coding agents from older AI-coding tools:
- Tool use. The agent can call APIs, run shell commands, edit files, execute code, search the web, and read documentation as part of its task. It is not just generating text — it is taking actions in the real world.
- Planning and decomposition. The agent breaks the user’s goal into sub-goals, evaluates progress at each step, and adjusts its plan when something does not work.
- Iterative refinement. When a generated test fails, the agent reads the failure, hypothesises the cause, modifies the code, and re-runs — until either success or the loop limit is hit.
Where coding agents shine in 2026
- Bug fixes from issue descriptions. Read the issue, navigate the codebase, write the fix, write the test, open the pull request.
- Migrations and refactors at scale. Apply the same structural change consistently across hundreds of files.
- Test generation. Read the production code, generate exhaustive unit tests, ensure coverage exceeds a target threshold.
- Documentation generation. Read the code, generate API references and tutorial walkthroughs with examples.
Where they still struggle
- Novel architectural decisions. Agents do well at executing decided plans, less well at making the original design call.
- Subtle, cross-file logic bugs. The agent may pass the tests it wrote without catching the bug a senior engineer would notice in seconds.
- Security-critical code. Cryptographic, authentication, and authorisation code remains an area where human review is non-negotiable.
For security teams
Coding agents are reshaping detection engineering. A well-prompted agent can take an adversary technique description, write a Sigma rule, generate test data that exercises the rule, run the rule against the test data, iterate until precision and recall match the spec, and open the pull request for human review. Multiply that across the dozens of new techniques surfaced every week and the productivity impact is structural. The flip side is the security risk: coding agents make the same kinds of mistakes a junior engineer would make — introducing subtle vulnerabilities, missing edge cases, trusting input that should be validated — just at much higher throughput. The defensive playbook is mandatory: every agent-generated commit gets human review, every agent-generated rule gets validation backtesting, every agent action gets logged for audit.
Cultural note. The right mental model for a coding agent is a tireless junior engineer with broad knowledge and limited judgement. Treat it as you would treat that engineer: pair-program important changes, review every commit, never let it ship to production without human approval. The throughput multiplier is real; the abdication of accountability is not.
13 · AI for cybersecurity — the practitioner’s view
The twelve terms above are not abstractions. They are tools, weapons, and threat models — sometimes the same term plays all three roles depending on whose hands are on it. Below are the patterns we see most often across security teams adopting AI in 2026.
Where AI helps security operations today
| SOC workflow | How AI helps | Concept(s) involved |
|---|---|---|
| Alert triage | An LLM enriches each alert with adversary context, suggests next investigation steps, and drafts a summary for the on-call analyst. | LLM, RAG, Chain of Thought |
| Threat intelligence summarisation | Daily ingestion of vendor reports, government advisories, and OSINT collapsed into a single briefing tailored to the organisation’s threat profile. | LLM, RAG, Distillation |
| Detection-rule generation | Coding agents read adversary tradecraft descriptions and generate Sigma, KQL, or SPL rules with validation backtests. | Coding Agent, Fine-tuning |
| Incident report writing | Post-incident, the AI drafts the timeline, the root-cause analysis, and the remediation report from raw log and alert data. | LLM, Chain of Thought, RAG |
| Phishing simulation tailoring | Generates targeted, organisation-specific phishing lures for awareness training — defensively, with consent. | LLM, Fine-tuning |
| Hunt-query authoring | Translate a natural-language hunt hypothesis into platform-native query syntax that a hunter then verifies. | Coding Agent, Chain of Thought |
The AI threats security teams now defend against
| Threat | What it does | Defensive control |
|---|---|---|
| Prompt injection | Adversary content hidden in a document or webpage hijacks the model’s instructions. | Input sanitisation, content provenance, output validation, least-privilege tool access. |
| Indirect prompt injection | Same idea, but the malicious instructions come from a retrieved document the AI has been asked to summarise. | Treat retrieved content as untrusted; sanitise; consider RAG-pipeline content firewalls. |
| Training data poisoning | Adversary contributes content to a dataset that will be used to fine-tune your model; the contribution embeds back doors. | Dataset provenance auditing, fine-tuning corpus integrity controls, behavioural eval on every checkpoint. |
| Model exfiltration | Repeated probing extracts training data, system prompts, or proprietary fine-tuning weights. | Rate limiting, query-pattern detection, output redaction layers. |
| Hallucinated attribution / IOCs | The AI confidently outputs adversary names or indicators it invented; downstream automation acts on them. | Mandatory human-in-the-loop verification before any irreversible response action. |
| AI-augmented phishing | Adversaries use AI to draft highly tailored, well-written phishing emails at scale. | User awareness training updated for the new quality bar; content-pattern detection at the mail gateway. |
Synthesis. AI is changing what your SOC can do and what it must defend against, simultaneously. The skills that compound for the next decade are not “use this specific assistant” but “understand what these systems can and cannot do, and design workflows that use the strengths while gating the failure modes”. The twelve terms in this glossary are the entry point to that fluency.
14 · A learning path — from glossary to capability
This article is the vocabulary. The next steps build the capability. Here is a practical, no-fluff progression for the readers who want to keep going.
Week 1 · Read more, ship nothing
- Re-read this glossary twice. The second pass is where most of the connections click.
- Read a current frontier-model technical report end to end. The architecture, training data, and evaluation sections are where the real fluency lives.
- Watch one production AI engineer give a recent conference talk. The applied perspective grounds the theory.
Week 2 · Build the smallest useful thing
- Pick one repeatable task in your daily work that involves moving text from one place to another.
- Build a script that uses an LLM API to do it.
- Measure the cost in tokens. Measure the time saved. Decide whether the trade is worth keeping.
Week 3 · Add retrieval
- Take that script and bolt RAG onto it. Use a local vector store and an embedding model.
- Observe how dramatically the output improves when the model has grounded context.
- Now think about adversarial corpus poisoning — what would protect this if your input documents came from untrusted sources?
Week 4 · Add tools, become an agent
- Extend the script so the model can call a small set of tools — a calculator, a database query, a web search.
- You now have a working, scoped, agent. The patterns generalise.
- Decide where you would never let it act autonomously. Write that policy down. That is the start of your AI governance.
Ongoing · Keep your fluency current
- The field moves quickly. Schedule 30 minutes a week to read one technical post or paper. That is enough to stay oriented.
- Talk to other practitioners. The implementation patterns that ship are not always the ones that make headlines.
- Build, ship, retire. The intuitions only come from operating systems in production.
15 · FAQ
Do I need a maths background to understand AI?
For working fluency at the level this article targets, no. You can be effective with the concepts here using language, examples, and an experimental mindset. To build models or read primary-source research papers, comfort with linear algebra, calculus, and probability becomes necessary. The dividing line is roughly: “user, integrator, applied engineer” vs “researcher”.
How is generative AI different from machine learning?
Machine learning is the broader category — any system that learns patterns from data. Generative AI is the subset focused on producing new content (text, images, audio, video, code). Every generative AI system is a machine-learning system; not every machine-learning system is generative.
What’s the difference between a model and an assistant?
The model is the underlying neural network with its weights. The assistant is the product wrapped around it — a chat interface, a system prompt, tool integrations, content filters, and so on. Two products built on the same underlying model can feel completely different to use because of differences at the assistant layer.
Is on-device AI a real option in 2026?
Yes — for a growing set of use cases. Distilled models in the 1-7B parameter range run usefully on modern laptops and even phones. The capability is below frontier-model performance but is enough for many production workflows. Hybrid architectures — local model for everything routine, cloud model for the hard cases — are now the norm for cost-sensitive applications.
How do I prevent prompt injection in my own application?
Three layers together. First, treat all user input and all retrieved content as untrusted. Second, give the model the smallest possible set of tools and capabilities; do not let it call shells or write to production databases without explicit human approval. Third, validate the model’s outputs before they take any consequential action. None of the three alone is sufficient; all three together are robust.
How do I measure whether an AI feature is actually helping users?
Three levels of metric, in order of usefulness. Engagement: are users using the feature? Task success: are users completing the task they came for, faster than before? Outcome: is the metric the user actually cares about — revenue, time-to-resolution, accuracy — moving in the right direction? Engagement is the cheapest to measure and the easiest to mistake for value.
What’s the most important skill to develop right now?
Specification clarity. The single highest-leverage skill in 2026 is the ability to describe what you want clearly enough that an AI can produce it, evaluate the result against your specification, and iterate. This is not “prompt engineering” in the magic-incantation sense — it is the engineering discipline of writing requirements that can be verified. It generalises across every AI tool you will ever use.
Where should a cybersecurity team start with AI adoption?
Pick a single repetitive workflow with a clear success criterion — alert summarisation, threat-report ingestion, or hunt-query translation are common entry points — and build a small, scoped pilot. Measure rigorously. Decide explicitly whether the AI is in the critical path or in an advisory role. Document the verification step. Build governance in parallel with capability. The teams that adopt AI well are the ones that treat it as an engineering discipline, not a magic-wand purchase.
Will AI replace security analysts?
The honest answer in 2026: it will substantially change what the role looks like, accelerate the routine work, and raise the floor on what every analyst can produce. It will not replace the senior judgement that decides which alerts matter and which incident response paths to take. The analysts who thrive will be the ones who treat AI as the leverage that lets them focus on the hard parts.
What’s one thing I can do tomorrow?
Pick the term in this glossary that you understood least well, read about it in two more sources, and explain it back to a colleague in your own words. The act of teaching is the fastest possible test of whether you have learned. Everything else builds from there.
Closing thought
The twelve terms in this glossary are the entry vocabulary for the conversation that is reshaping software, security, and knowledge work in 2026. Memorising the definitions matters less than internalising the relationships — how training and inference relate, why RAG mitigates hallucinations, what coding agents actually do that autocomplete cannot, why validation loss matters for trust. Once those connections click, every AI announcement, product launch, and research paper becomes legible. The fluency compounds quickly from there.
If your team is building AI into security operations, the cybersecurity tie-ins throughout this article are the patterns we see working most often. If you want to go deeper on hunting, detection engineering, or threat-intelligence platforms, the linked reading below covers the operational side of where AI and security converge.
Threat Intelligence pillar ·
Threat Hunting pillar ·
Detection Engineering ·
MITRE Coverage ·
More General articles
