This knowledge base article outlines the core use cases for the Protos AI platform, organized by user persona. Each section provides the operational framework, required data inputs, and expected outcomes to streamline security operations.
How to Use This Guide
This document is designed to help security teams operationalize Protos AI. For each task, ensure the Input data is formatted correctly to receive the optimized Output. You can use the mock data provided in the Attachments section of each persona category to test the workflows.
Table of Contents:
Persona | Task | Primary Objective
CISO | Daily Threat Brief | High-level situational awareness of major attacks.
CISO | Daily Brief on Third-Party Breaches | Monitoring supply chain and vendor risk.
CISO | Daily Brief on Internal Risk Areas | Identifying anomalies and control failures internally.
CISO | Crisis & Incident Reporting | Tailored reporting for stakeholders during/after events.
CTI | Campaign Investigation & Identification / Mapping | Correlating disparate events into targeted campaigns.
CTI | TTP Extraction | Mapping attacker behaviors to MITRE ATT&CK.
CTI | Dark Web Monitoring | Detecting signals from criminal marketplaces/forums.
CTI | Threat Actor Tracking | Profiling specific groups and tooling changes.
CTI | IOC Enrichment | Adding context and attribution to raw indicators.
CTI | Retrospective Threat Hunting | Checking historical logs against new intelligence.
CTI | Timeline Reconstruction (Multi-Sensor) | Sequencing multi-sensor logs to track lateral movement.
Vulnerability Management | Threat Advisory to Exposure Mapping | Mapping trending CVEs to specific internal assets.
Persona: CISOs
This persona focuses on high-level oversight, third-party risk, and executive reporting to ensure organizational resilience.
Task: Daily Threat Brief
Op type: Daily
Objective: Address the question: “What should I worry about today?” by providing contextualized daily summaries of major attacks.
Input (Data Processed by Protos AI): Asset inventory, Business unit / critical system mapping, OSINT (news, advisories), Commercial CTI feeds, Vulnerability intelligence.
Output (Outcome from Protos AI): Executive-level daily threat brief with relevance scoring and asset impact.
Prompt (copy-paste into Protos AI):
Summarize the most significant cyber attacks, campaigns, or exploit activity from the past 24 hours affecting the [industry] sector in [region]. Identify key threat actors, TTPs, and exploited vulnerabilities, and map them against my asset inventory to highlight any potential exposure or required action.
Sample Attachments to include with prompt (click to download):
Task: Daily Brief on Third-Party Breaches
Op type: Ad-hoc / Daily
Objective: Monitor supply chain risk by tracking vendor exposure or breach incidents over the past 24 hours.
Input (Data Processed by Protos AI): Vendor list, Critical services mapping, Ransomware leak sites, Breach disclosures, Dark web monitoring.
Output (Outcome from Protos AI): Vendor-specific incident alerts with downstream impact assessment.
Prompt (copy-paste into Protos AI):
Monitor cyber incidents and ransomware activity affecting third-party vendors. Using the provided vendor list, identify confirmed incidents, assess potential impact based on vendor criticality, and prioritize findings. Provide an executive summary with clear recommended actions.
Sample Attachments to include with prompt (click to download):
Task: Daily Brief on Internal Risk Areas
Op type: Daily
Objective: Address the question: “What’s happening inside my environment?” by summarizing anomalies and control failures.
Input (Data Processed by Protos AI): SOC/MSSP data (uptime, config, logs), Identity Access Management (IAM), Data Loss Prevention (DLP), GRC platform.
Output (Outcome from Protos AI): Prioritized internal threat signals correlated with external intelligence.
Prompt (copy-paste into Protos AI):
Analyze SOC/MSSP outputs, security controls, IAM events, and DLP alerts from the past 24 hours. Highlight suspicious behavior, assess severity, and provide prioritized findings with recommended actions.
Sample Attachments to include with prompt (click to download):
Task: Crisis & Incident Reporting
Op type: Ad-hoc
Objective: Provide stakeholders with necessary information during or after a security incident.
Input (Data Processed by Protos AI): Incident investigation report, Forensics reports, Timelines.
Output (Outcome from Protos AI): Stakeholder-specific incident summaries (exec, technical, regulatory).
Prompt (copy-paste into Protos AI):
Using provided investigation data, generate tailored summaries for executive, technical, and regulatory stakeholders. Explain the "what, why, and how" including root cause and remediation.
Sample Attachments to include with prompt (click to download):
Persona: Cyber Threat Intelligence (CTI)
This persona focuses on deep technical analysis, threat actor profiling, and proactive hunting.
Task: Campaign Investigation & Identification / Mapping
Op type: Daily / Ad-hoc
Objective: Assess possible campaigns based on disparate events.
Input (Data Processed by Protos AI): CTI feeds, OSINT, Malware reports, Actor databases, Raw artifacts (logs, phishing emails).
Output (Outcome from Protos AI): Investigation report on targeted campaign identification.
Prompt (copy-paste into Protos AI):
Correlate CTI feeds, malware reports, and raw artifacts to determine if they belong to a coordinated campaign. Identify shared infrastructure, TTP overlaps, and provide attribution confidence levels.
Sample Attachments to include with prompt (click to download):
Task: TTP Extraction
Op type: Daily / Weekly
Objective: Extract structured attacker behaviors from threat reports.
Input (Data Processed by Protos AI): Threat reports (OSINT, commercial, malware).
Output (Outcome from Protos AI): Structured MITRE ATT&CK TTP mappings.
Prompt (copy-paste into Protos AI):
Extract and normalize attacker tactics, techniques, and procedures (TTPs) from reports. Map them to MITRE ATT&CK and highlight novel tradecraft.
Sample Attachments to include with prompt (click to download):
Task: Dark Web Monitoring
Op type: Daily / Weekly
Objective: Detect early threat signals from criminal ecosystems.
Input (Data Processed by Protos AI): Dark web forums, Marketplaces, Leak sites, Credential dumps.
Output (Outcome from Protos AI): Curated dark web intelligence summary with confidence scoring.
Prompt (copy-paste into Protos AI):
Monitor forums and leak sites for mentions of the organization or industry. Summarize relevant discussions or data leaks and assess impact.
Sample Attachments to include with prompt (click to download): [No attachments needed for this example]
Task: Threat Actor Tracking
Op type: Monthly
Objective: Profile threat actor groups and recent activities.
Input (Data Processed by Protos AI): OSINT, Threat actor databases, Campaign reporting, Malware intelligence.
Output (Outcome from Protos AI): Updated threat actor profiles and activity summary.
Prompt (copy-paste into Protos AI):
Profile specific actors (e.g., FIN7) targeting specific regions/sectors over the last 12 months. Summarize TTP changes, tooling updates, and targeting shifts.
Sample Attachments to include with prompt (click to download): [No attachments needed for this example]
Task: IOC Enrichment
Op type: Weekly
Objective: Add intelligence context to raw Indicators of Compromise.
Input (Data Processed by Protos AI): Raw IOCs, Enrichment sources, OSINT, Commercial feeds.
Output (Outcome from Protos AI): Enriched IOCs with attribution and confidence scores.
Prompt (copy-paste into Protos AI):
Determine if IOCs are malicious or benign. Attribute them to known actors/campaigns and flag false positives or expired infrastructure.
Sample Attachments to include with prompt (click to download):
Task: Retrospective Threat Hunting
Op type: Monthly
Objective: Search historical logs for hits on new IOCs from recent advisories.
Input (Data Processed by Protos AI): Historical network logs, OSINT threat advisories.
Output (Outcome from Protos AI): Historical IOC matches and exposure analysis.
Prompt (copy-paste into Protos AI):
Search the past 30 days of network logs to identify hits on newly provided IOCs.
Sample Attachments to include with prompt (click to download):
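The following Python script is an added example, not Protos AI's own code, showing the matching the Retrospective Threat Hunting task performs: IOCs from a new advisory are checked against a 30-day window of network logs, events older than the window are discarded, and the hits are collapsed per host for triage. The IOC values, log lines, log column layout and analysis date are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed IOCs shaped like an advisory's indicator list (documentation ranges and
# placeholder values, not real indicators).
NEW_IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed network log lines: timestamp|source host|destination ip|domain|file sha256.
LOG_LINES = """\
2024-05-02T10:15:00Z|ws-017|203.0.113.45|UPDATE-CHECK.example.net|-
2024-05-02T10:16:30Z|ws-017|198.51.100.9|cdn.example.org|-
2024-04-28T08:01:12Z|srv-db-02|203.0.113.45|-|-
2024-03-15T12:00:00Z|ws-003|203.0.113.45|-|-
2024-05-03T09:40:00Z|ws-044|192.0.2.77|mail.example.com|E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
""".splitlines()


def parse_line(line):
    ts, host, ip, domain, sha256 = line.split("|")
    # Lower-case indicator fields so mixed-case logs still match the IOC set.
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
            "ip": ip, "domain": domain.lower(), "sha256": sha256.lower()}


def hunt(lines, iocs, now, days=30):
    """Return sorted (ts, host, ioc_type, value) tuples for every event inside the
    lookback window that references a new IOC; older events are skipped."""
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev["ts"] < cutoff:
            continue
        for kind in ("ip", "domain", "sha256"):
            if ev[kind] in iocs.get(kind, ()):
                hits.append((ev["ts"], ev["host"], kind, ev[kind]))
    return sorted(hits)


def exposure_by_host(hits):
    """Collapse hits into host -> set of matched IOCs, the unit an analyst triages."""
    by_host = defaultdict(set)
    for _, host, kind, value in hits:
        by_host[host].add(f"{kind}:{value}")
    return dict(by_host)


NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)   # assumed analysis time
HITS = hunt(LOG_LINES, NEW_IOCS, NOW)
```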
Task: Timeline Reconstruction (Multi-Sensor)
Op type: Daily or Ad-hoc
Objective: Sequence logs from multiple sensors to rebuild an end-to-end attacker timeline.
Input (Data Processed by Protos AI): EDR events, Auth logs, VPN logs, Network logs.
Output (Outcome from Protos AI): Unified attacker activity timeline.
Prompt (copy-paste into Protos AI):
Stitch together EDR events, auth logs, and VPN records to determine entry points, lateral movement, and data staging behavior.
Sample Attachments to include with prompt (click to download):
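Added example, not Protos AI's own code, of the stitching the Timeline Reconstruction task describes: EDR, auth and VPN records that each use a different clock convention are normalised to UTC, merged into one ordered sequence, and labelled as entry, lateral movement or data staging. The sensor records, field layouts and the +02:00 auth-log offset are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed records from three sensors (not real telemetry). Each sensor uses a
# different clock convention, which is the usual obstacle to stitching them together.
EDR = [  # epoch seconds, UTC
    (1714644600, "ws-017", "7z.exe a C:\\Users\\Public\\staging.7z D:\\finance\\*.xlsx"),
    (1714645200, "ws-017", "copy C:\\Users\\Public\\staging.7z \\\\srv-file-01\\share"),
]
AUTH = [  # ISO-8601 stamped in local time (+02:00); logon_type=3 is a network logon
    "2024-05-02T12:03:44+02:00|logon_type=3|user=jdoe|src=ws-017|dst=srv-file-01",
]
VPN = [  # 'YYYY-MM-DD HH:MM:SS' written in UTC by the VPN appliance (assumed)
    "2024-05-02 09:58:21,jdoe,198.51.100.23,assigned=10.0.0.12",
]


def to_utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def unified_timeline(edr=EDR, auth=AUTH, vpn=VPN):
    """Normalise every sensor's timestamp to UTC, then sort into one sequence."""
    events = []
    for ts, host, cmd in edr:
        events.append((to_utc(datetime.fromtimestamp(ts, timezone.utc)), "edr", host, cmd))
    for rec in auth:
        ts, *fields = rec.split("|")
        kv = dict(f.split("=", 1) for f in fields)
        events.append((to_utc(datetime.fromisoformat(ts)), "auth", kv["src"],
                       f"{kv['user']} logon_type={kv['logon_type']} -> {kv['dst']}"))
    for rec in vpn:
        ts, user, src_ip, assigned = rec.split(",")
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((to_utc(dt), "vpn", user, f"login from {src_ip} {assigned}"))
    return sorted(events)  # ISO-8601 UTC strings sort chronologically


def phases(timeline):
    """Label the stages the prompt asks for: entry, lateral movement, data staging."""
    out = {"entry": [], "lateral": [], "staging": []}
    for ts, sensor, subject, detail in timeline:
        if sensor == "vpn":
            out["entry"].append(ts)
        elif sensor == "auth" and "logon_type=3" in detail:
            out["lateral"].append(ts)
        elif sensor == "edr" and any(t in detail for t in ("7z.exe", "rar.exe", "zip")):
            out["staging"].append(ts)
    return out
```

Without the offset conversion the auth event would sort after both EDR events and the lateral movement would appear to follow the staging it actually preceded.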
Persona: Vulnerability Management
This persona bridges the gap between external threats and internal asset exposure.
Task: Threat Advisory to Exposure Mapping
Op type: Daily
Objective: Identify CVEs from latest advisories and map them to potentially impacted internal assets.
Input (Data Processed by Protos AI): Emerging vulnerability reports, Internal asset maps, VM Intelligence, External CTI.
Output (Outcome from Protos AI): Daily contextualized threat advisory with immediate identification of assets at risk.
Prompt (copy-paste into Protos AI):
Write a threat advisory on vulnerabilities trending over the past 30 days. Map these against the asset inventory to highlight impacted assets, business units, and IT custodians.
Sample Attachments to include with prompt (click to download):
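Added example, not Protos AI's own code, of the mapping the Threat Advisory to Exposure Mapping task produces: advisory entries are matched against an asset inventory by product and numeric version comparison, actively exploited CVEs are ordered first, and findings are grouped per IT custodian. The CVE ids are placeholders and the products, versions, business units and custodians are constructed.

```python
from collections import defaultdict

# Constructed advisory entries with placeholder CVE ids (CVE-0000-000N are not real ids);
# 'fixed_in' is the first non-vulnerable version, 'kev' marks known exploitation.
ADVISORY = [
    {"cve": "CVE-0000-0001", "product": "acme-gateway", "fixed_in": "4.2.1", "kev": True},
    {"cve": "CVE-0000-0002", "product": "widget-db", "fixed_in": "12.0.4", "kev": False},
]
# Constructed asset inventory rows: host, product, version, business unit, IT custodian.
ASSETS = [
    ("gw-edge-01", "acme-gateway", "4.1.9", "Payments", "netops@example.com"),
    ("gw-edge-02", "acme-gateway", "4.2.1", "Payments", "netops@example.com"),
    ("db-core-01", "widget-db", "11.8.0", "Treasury", "dba@example.com"),
    ("web-front-03", "nginx", "1.25.3", "Marketing", "webops@example.com"),
]


def version_key(v):
    """Compare versions numerically so '4.10.0' sorts after '4.9.0' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def exposed_assets(advisory=ADVISORY, assets=ASSETS):
    """Return one finding per (CVE, asset) pair where the installed version predates the
    fix, ordered with actively exploited CVEs first."""
    findings = []
    for adv in advisory:
        for host, product, version, bu, custodian in assets:
            if product == adv["product"] and version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"cve": adv["cve"], "kev": adv["kev"], "host": host,
                                 "version": version, "fixed_in": adv["fixed_in"],
                                 "business_unit": bu, "custodian": custodian})
    return sorted(findings, key=lambda f: (not f["kev"], f["cve"], f["host"]))


def by_custodian(findings):
    """Group findings so each IT custodian receives one actionable list."""
    out = defaultdict(list)
    for f in findings:
        out[f["custodian"]].append((f["cve"], f["host"], f["business_unit"]))
    return dict(out)
```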
