David Wolf · Project Use Case
AI SECURITY · PRODUCT SECURITY · UNUM
LLM Attack Story & Detection Engineering
A paid consulting engagement using LLM-assisted attack trees, MITRE ATT&CK mapping, ServiceNow asset inventory, enterprise architecture context,...
Delivered a two-month consulting engagement for UNUM that used LLM-assisted attack-tree and attack-story generation, MITRE ATT&CK mapping, ServiceNow asset inventory, data-center and campus architecture context, CISO risk...

Client
UNUM
Engagement Type
Paid consulting engagement
Period
2025; two-month engagement
Role
AI Security / Detection Engineering Consultant
Focus Areas
LLM-Assisted Security Engineering, Attack Trees, Attack Stories, MITRE ATT&CK
The Research Narrative
Strategic Problem
The core challenge was converting enterprise-specific architecture and asset context into attack scenarios that were realistic enough to matter, structured enough to map to controls, and concrete enough to...
What David Did
Used LLM-assisted workflows to generate, iterate, and refine realistic enterprise attack trees and attack stories.
What Became Clearer
Delivered an innovative AI-assisted detection engineering engagement for a major insurance enterprise.
Consulting Proof
This is evidence of turning messy security telemetry into explainable dashboards, alert-quality improvements, and executive-ready operating views.
The Context
This was a primary paid consulting engagement. The project combined AI-assisted security analysis with enterprise detection engineering, using UNUM-specific infrastructure context, ServiceNow asset inventory, data-center and campus architecture, control group mapping, MITRE ATT&CK alignment, Zero Trust tagging, Splunk SPL query development, and realistic synthetic data/log generation.
The Challenge
The core challenge was converting enterprise-specific architecture and asset context into attack scenarios that were realistic enough to matter, structured enough to map to controls, and concrete enough to become detections. The work needed to avoid generic cyber storytelling and instead produce scenarios tied to actual infrastructure, services, impact paths, controls, telemetry, and SIEM validation.
What I Did
- Used LLM-assisted workflows to generate, iterate, and refine realistic enterprise attack trees and attack stories
- Grounded attack scenarios in UNUM's ServiceNow asset inventory and architecture context rather than generic attack templates
- Incorporated data-center and campus architecture details to ensure the scenarios could plausibly target relevant infrastructure and services
- Mapped attack paths to MITRE ATT&CK tactics, techniques, and enterprise-relevant behavior patterns
- Aligned scenarios to CISO-level enterprise risk, actual impact paths, and control group expectations
- Tagged attack stories with Zero Trust buckets, relevant devices, infrastructure components, control types, and security policy categories
- Translated attack stories into detection engineering requirements and Splunk SPL query logic
- Generated realistic synthetic logs and data to support detection testing without relying on unsafe or unavailable production evidence
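The workflow above (attack story with ATT&CK and Zero Trust tags, translated into detection requirements and an SPL correlation search, then checked against synthetic logs) can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not UNUM's code, not the author's deliverable, and not Splunk's API. The host name `CLAIMSDB01`, the accounts, the Zero Trust bucket and control group labels, the `wineventlog` index, and every event are constructed for illustration, and the `Share_Name` field is assumed to be already normalized to a bare share name. The Python `evaluate` function is a stand-in for running the SPL in Splunk: it applies the same filter, grouping and where-clause over the synthetic events so the detection logic can be checked before any production data is involved.

```python
"""Added example (not UNUM's or the author's code): one attack story as data,
rendered into detection requirements, a Splunk SPL correlation search, and a
constructed synthetic event set that exercises the detection logic offline.
All hosts, accounts, labels and events are hypothetical."""
from dataclasses import dataclass


@dataclass
class AttackStep:
    technique: str      # MITRE ATT&CK technique ID
    description: str
    event_code: int     # Windows Security event the step should leave behind
    filters: dict       # extra field=value conditions that mark the step


@dataclass
class AttackStory:
    title: str
    target_ci: str      # hypothetical ServiceNow CI (host) the story targets
    zero_trust_bucket: str
    control_group: str
    steps: tuple


STORY = AttackStory(
    title="Stolen service account reused for lateral movement to the claims DB host",
    target_ci="CLAIMSDB01",                           # constructed host name
    zero_trust_bucket="Identity / Workload access",   # constructed label
    control_group="IAM-Privileged-Access",            # constructed label
    steps=(
        AttackStep("T1078", "Valid account logs on over the network", 4624, {"Logon_Type": 3}),
        AttackStep("T1021.002", "Admin share opened on the target host", 5140, {"Share_Name": "ADMIN$"}),
    ),
)
WINDOW_SECONDS = 3600   # all steps must occur for one user within this span to fire


def detection_requirements(story):
    """Detection engineering requirements: what telemetry the SIEM must carry."""
    fields = {"_time", "host", "user", "EventCode"} | {k for s in story.steps for k in s.filters}
    return {
        "attack_story": story.title,
        "attack_techniques": [s.technique for s in story.steps],
        "target_ci": story.target_ci,
        "zero_trust_bucket": story.zero_trust_bucket,
        "control_group": story.control_group,
        "required_sourcetype": "WinEventLog:Security",
        "required_event_codes": [s.event_code for s in story.steps],
        "required_fields": sorted(fields),
    }


def _step_clause(step):
    conds = [f"EventCode={step.event_code}"]
    conds += [f"{k}={v}" if isinstance(v, int) else f'{k}="{v}"' for k, v in step.filters.items()]
    return "(" + " ".join(conds) + ")"


def build_spl(story, window=WINDOW_SECONDS):
    """Render the story as one SPL correlation search: every step's event must
    appear for the same user on the target host inside the window."""
    clauses = " OR ".join(_step_clause(s) for s in story.steps)
    return (
        f'index=wineventlog sourcetype="WinEventLog:Security" host="{story.target_ci}" ({clauses})\n'
        "| stats earliest(_time) AS first_seen latest(_time) AS last_seen "
        "dc(EventCode) AS distinct_steps values(EventCode) AS codes BY user, host\n"
        f"| where distinct_steps >= {len(story.steps)} AND last_seen - first_seen <= {window}\n"
        f'| eval attack_story="{story.title}", zero_trust_bucket="{story.zero_trust_bucket}"'
    )


def synthetic_events(t0=1_700_000_000):
    """Constructed events, not real telemetry. svc-backup replays the whole story
    inside the window (should fire); jdoe only logs on (should not); svc-patch
    does both steps three hours apart (should not)."""
    def ev(dt, user, code, **fields):
        return {"_time": t0 + dt, "host": "CLAIMSDB01", "user": user, "EventCode": code, **fields}
    return [
        ev(0, "jdoe", 4624, Logon_Type=3),
        ev(120, "svc-backup", 4624, Logon_Type=3),
        ev(600, "svc-backup", 5140, Share_Name="ADMIN$"),
        ev(900, "svc-patch", 4624, Logon_Type=3),
        ev(900 + 3 * 3600, "svc-patch", 5140, Share_Name="ADMIN$"),
        ev(1200, "jdoe", 4624, Logon_Type=2),             # interactive logon, not a step
        ev(1500, "svc-backup", 5140, Share_Name="C$"),    # different share, not a step
    ]


def _matches(event, step):
    return event.get("EventCode") == step.event_code and all(event.get(k) == v for k, v in step.filters.items())


def evaluate(story, events, window=WINDOW_SECONDS):
    """Offline stand-in for the SPL: same filter, grouping and where-clause.
    Returns the (user, host) pairs the detection would raise."""
    groups = {}
    for e in events:
        if e.get("host") != story.target_ci:
            continue
        step = next((s for s in story.steps if _matches(e, s)), None)
        if step is None:
            continue
        g = groups.setdefault((e["user"], e["host"]), {"codes": set(), "first": e["_time"], "last": e["_time"]})
        g["codes"].add(step.event_code)
        g["first"], g["last"] = min(g["first"], e["_time"]), max(g["last"], e["_time"])
    return sorted(k for k, g in groups.items()
                  if len(g["codes"]) >= len(story.steps) and g["last"] - g["first"] <= window)


if __name__ == "__main__":
    print(build_spl(STORY))
    print(evaluate(STORY, synthetic_events()))   # [('svc-backup', 'CLAIMSDB01')]
```

The value of the synthetic set is the negative cases: an account that performs only one step, and one that performs both steps outside the correlation window, must stay quiet, otherwise the SPL would be a noisy alert rather than a story-shaped detection. The `detection_requirements` output is what gets handed to the telemetry owners: which sourcetype, event codes and extracted fields have to exist before the search is worth deploying.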
The Outcome
Delivered an innovative AI-assisted detection engineering engagement for a major insurance enterprise.
Research Outcomes
Alert Trust
Reduced noise and improved signal quality for IAM and access-control alerts
Operational Clarity
Translated complex security data into clearer operating views
Stakeholder Visibility
Made technical risk and status easier to explain
Operational Impact
Turned raw telemetry into actionable security intelligence
Capabilities Demonstrated
SIEM Alert Debugging
Noise reduction and signal validation
Operational Reporting
Actionable views for security operations
Security Analytics
Signal investigation and event analysis
IAM / Access Control
Identity telemetry and access insights
Dashboard Development
Operational and executive views
Executive Reporting
Security data translated for leadership
Telemetry Normalization
Consistent and trusted data
Public-Safe Evidence
Shareable insights without sensitive data
Key Deliverables
- LLM-assisted attack-story generation workflow
- Enterprise-specific attack-tree modeling
- ServiceNow asset inventory alignment
- Data-center and campus architecture attack-context modeling
- MITRE ATT&CK mapping
- Control group mapping
- Zero Trust bucket tagging
- Splunk SPL detection queries
Tools & Technologies
Consulting Translation
The reusable pattern is not Disney-specific: normalize fragmented security telemetry, debug low-signal alert behavior, build trusted operating views, and give leadership evidence they can act on without exposing sensitive systems.