RAG Against the Machine: Using Retrieval-Augmented Generation & MCP to Fortify Cybersecurity Defense
Unknown
BSides Las Vegas 2025 · Day 1
**Brennan Lodge** uses **BSides Las Vegas** as a venue to argue that **retrieval-augmented generation (RAG)** and the **Model Context Protocol (MCP)** are practical, mostly **open-source** building blocks for **defensive** workflows—not a replacement for analysts, but a way to reduce **alert fatigue**, accelerate **threat-intel** alignment, and drag **GRC** out of spreadsheet purgatory. The talk is structured as **good / bad / ugly** AI in security: opportunities (**information overload**, **talent gaps**), risks (**shadow AI**, **opaque token costs**), and cultural failure modes (**Clippy** redux). Lodge grounds claims in personal experimentation: a **<$500** (historical) budget target, **~10 second** response goals, **ChromaDB** + **LangChain** + **sentence-transformers** stacks, and two open projects—**Arsenal Forge** (MCP + RAG for SOC-style enrichment) and **Open Audit Caddy** (policy/compliance mapping with **BERT**-style classifiers). A recorded demo shows **MITRE** mapping for a **Splunk** detection, **CISA** advisory context, and a **memory** server logging queries for transparency.
AI review
A competent practitioner’s map of RAG+MCP for SOC and GRC enablement, with a solid demo and sane cautions—but it is architecture advocacy more than novel security research.