Skip to content

Redesign Security LLM performance matrix (#7146)#7193

Open
dhru42 wants to merge 6 commits into
mainfrom
dhru42/7146-llm-matrix-redesign
Open

Redesign Security LLM performance matrix (#7146)#7193
dhru42 wants to merge 6 commits into
mainfrom
dhru42/7146-llm-matrix-redesign

Conversation

@dhru42

@dhru42 dhru42 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Redesigns and refreshes the Large language model performance matrix for Elastic Security page per #7146.

The previous page listed six flat capability columns evaluated on the legacy AI Assistant and a single average score. This change turns the page into workflow-specific guidance:

  • Replaces the six flat columns with an Agent Builder capability breakdown: seven sub-capabilities (Alert Analysis, Entity Analytics, Threat Hunting, Detection Rules, Workflow Authoring, Triggering Workflows, Multi-Step Executions) rolling up into an Overall Agent Builder Score, plus Attack Discovery and Automatic Migration, all rolling up into an Overall Score (default sort).
  • Refreshes all model scores with the latest evaluation results (proprietary + open-source tables).
  • Shows real per-capability scores instead of "Not recommended" labels, and makes the recommendation rule explicit: any score of 5 or below for a capability means the model is not recommended for that task.
  • Adds a "How the scores are calculated" section explaining the two rollups, plus plain-language definitions for each Agent Builder sub-capability.

Closes #7146

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

Tool(s) and model(s) used: Cursor (Claude)

Replace the six flat AI Assistant capability columns with an Agent Builder
capability breakdown: seven sub-capabilities rolling up into an Overall Agent
Builder Score, plus Attack Discovery, Automatic Migration, and a rolled-up
Overall Score (default sort).

Refresh all model scores from the latest evaluation and show real per-capability
scores instead of "Not recommended" labels, with a clear rule that any score of
5 or below means the model is not recommended for that task. Add plain-language
definitions for each Agent Builder sub-capability.

Co-authored-by: Cursor <cursoragent@cursor.com>
@dhru42 dhru42 requested a review from a team as a code owner July 2, 2026 21:44
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Elastic Docs AI PR menu

Check the box to run an AI review for this pull request.

  • Review docs changes (docs-review). Status: not started.

Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🔍 Preview links for changed docs

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

dhru42 and others added 2 commits July 2, 2026 17:54
Prefix the seven sub-capability column headers with "Agent Builder:" so it's
clear those columns belong to the Agent Builder capability, since Markdown
tables can't span a single grouping header across multiple columns.

Co-authored-by: Cursor <cursoragent@cursor.com>
Make the seven Agent Builder sub-capability column headers plain (non-bold) and
keep the roll-up columns (Overall Agent Builder Score, Attack Discovery,
Automatic Migration) and Overall Score bold, so the top-line scores stand out
against the sub-capability detail.

Co-authored-by: Cursor <cursoragent@cursor.com>
dhru42 and others added 2 commits July 2, 2026 18:15
Remove the explanatory sentence about showing real scores instead of a
"Not recommended" label, keeping only the concise threshold statement.

Co-authored-by: Cursor <cursoragent@cursor.com>
Remove the "applies equally to AI Assistant or Agent Builder" sentence and state
that the matrix tests each model across Agent Builder, Attack Discovery, and
Automatic Migration.

Co-authored-by: Cursor <cursoragent@cursor.com>
Bold the Overall Agent Builder Score data cells (Overall Score cells were already
bold) so both roll-up columns are visually partitioned from the individual
sub-capability scores.

Co-authored-by: Cursor <cursoragent@cursor.com>

@natasha-moore-elastic natasha-moore-elastic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for opening the PR, @dhru42! Left a few questions and minor suggestions, but looks good overall.

# Large language model performance matrix for {{elastic-sec}} [llm-performance-matrix]

This page summarizes internal test results comparing large language models (LLMs) across {{elastic-sec}} [AI chat](/explore-analyze/ai-features/ai-chat-experiences.md) and AI-powered feature use cases. These ratings apply equally whether you're using [AI Assistant](/solutions/security/ai/ai-assistant.md) or [Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md). To learn more about these use cases, refer to [AI-powered features](/explore-analyze/ai-features.md#security-features).
This page summarizes internal test results comparing large language models (LLMs) across {{elastic-sec}} [AI chat](/explore-analyze/ai-features/ai-chat-experiences.md) and AI-powered feature use cases. The matrix tests each model across [Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md), Attack Discovery, and Automatic Migration. To learn more about these use cases, refer to [AI-powered features](/explore-analyze/ai-features.md#security-features).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This page summarizes internal test results comparing large language models (LLMs) across {{elastic-sec}} [AI chat](/explore-analyze/ai-features/ai-chat-experiences.md) and AI-powered feature use cases. The matrix tests each model across [Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md), Attack Discovery, and Automatic Migration. To learn more about these use cases, refer to [AI-powered features](/explore-analyze/ai-features.md#security-features).
This page summarizes internal test results comparing large language models (LLMs) across {{elastic-sec}} [AI chat](/explore-analyze/ai-features/ai-chat-experiences.md) and AI-powered feature use cases. The matrix tests each model across [Agent Builder](/solutions/security/ai/agent-builder/agent-builder.md), [Attack Discovery](/solutions/security/ai/attack-discovery.md), and [Automatic Migration](/solutions/security/get-started/automatic-migration.md). To learn more about these use cases, refer to [AI-powered features](/explore-analyze/ai-features.md#security-features).


## How the scores are calculated [_how_scores_are_calculated]

The matrix uses three top-line capability scores — **Agent Builder**, **Attack Discovery**, and **Automatic Migration** — that roll up into a single **Overall Score**. You can read the table top-down, from "how does this model perform across our AI features?" to "how good is it at the specific job I care about?"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The matrix uses three top-line capability scores — **Agent Builder**, **Attack Discovery**, and **Automatic Migration** — that roll up into a single **Overall Score**. You can read the table top-down, from "how does this model perform across our AI features?" to "how good is it at the specific job I care about?"
The matrix uses three top-line capability scores — Agent Builder, Attack Discovery, and Automatic Migration — that roll up into a single *Overall Score*. You can use the table to answer questions such as "How does this model perform across Elastic's AI features?" and "How good is it at the specific job I care about?"


The matrix uses three top-line capability scores — **Agent Builder**, **Attack Discovery**, and **Automatic Migration** — that roll up into a single **Overall Score**. You can read the table top-down, from "how does this model perform across our AI features?" to "how good is it at the specific job I care about?"

* **Overall Agent Builder Score** is the average of the seven Agent Builder sub-capabilities (Alert Analysis, Entity Analytics, Threat Hunting, Detection Rules, Workflow Authoring, Triggering Workflows, and Multi-Step Executions). It summarizes how well a model handles agentic Security work end to end.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Overall Agent Builder Score** is the average of the seven Agent Builder sub-capabilities (Alert Analysis, Entity Analytics, Threat Hunting, Detection Rules, Workflow Authoring, Triggering Workflows, and Multi-Step Executions). It summarizes how well a model handles agentic Security work end to end.
* **Overall Agent Builder Score** is the average of the seven Agent Builder [sub-capabilities](#_agent_builder_sub_capabilities). It summarizes how well a model handles agentic Security work end to end.

The matrix uses three top-line capability scores — **Agent Builder**, **Attack Discovery**, and **Automatic Migration** — that roll up into a single **Overall Score**. You can read the table top-down, from "how does this model perform across our AI features?" to "how good is it at the specific job I care about?"

* **Overall Agent Builder Score** is the average of the seven Agent Builder sub-capabilities (Alert Analysis, Entity Analytics, Threat Hunting, Detection Rules, Workflow Authoring, Triggering Workflows, and Multi-Step Executions). It summarizes how well a model handles agentic Security work end to end.
* **Overall Score** is the average of the Agent Builder, Attack Discovery, and Automatic Migration scores. It reflects how a model performs across the breadth of our AI features rather than any single workflow, and is the default sort for the tables below.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Overall Score** is the average of the Agent Builder, Attack Discovery, and Automatic Migration scores. It reflects how a model performs across the breadth of our AI features rather than any single workflow, and is the default sort for the tables below.
* **Overall Score** is the average of the Agent Builder, Attack Discovery, and Automatic Migration scores. It reflects how a model performs across the breadth of Elastic's AI features rather than any single workflow, and is the default sort for the tables below.

### What each Agent Builder sub-capability measures [_agent_builder_sub_capabilities]

* **Alert Analysis** — Triage an alert, reach the correct disposition, pull related alerts, and enrich with threat intel.
* **Entity Analytics** — Investigate hosts and users using purpose-built entity lookups and risk context.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just checking this is just for hosts and users and doesn't include services?

* **Overall Agent Builder Score** is the average of the seven Agent Builder sub-capabilities (Alert Analysis, Entity Analytics, Threat Hunting, Detection Rules, Workflow Authoring, Triggering Workflows, and Multi-Step Executions). It summarizes how well a model handles agentic Security work end to end.
* **Overall Score** is the average of the Agent Builder, Attack Discovery, and Automatic Migration scores. It reflects how a model performs across the breadth of our AI features rather than any single workflow, and is the default sort for the tables below.

### What each Agent Builder sub-capability measures [_agent_builder_sub_capabilities]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do these sub-capabilities correlate to the built-in Security skills? It seems like some of them match the skills, and some don't.

* **Detection Rules** — Author a working detection rule, grounded in research where requested.
* **Workflow Authoring** — Produce a valid, executable automation workflow (verified by actually creating, enabling, and running it).
* **Triggering Workflows** — Call the correct backed action for the task (for example, a hash lookup, an on-call schedule, or case creation).
* **Multi-Step Executions** — Chain several steps in the right order, carrying findings forward, without skipping or fabricating steps.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this refer to Workflows steps?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Internal]: Refresh + redesign the LLM Performance Matrix for Elastic Security

2 participants