Microsoft CTI-REALM: Benchmarking AI for Real-World Detection Engineering

Microsoft’s new CTI-REALM benchmark is notable because it moves the conversation about AI in cybersecurity away from trivia and toward operational value. Instead of asking whether a model can merely identify a threat technique, the benchmark tests whether an AI agent can read a threat report, interrogate telemetry, iterate on KQL queries, and ultimately produce validated detections that work in realistic environments. That distinction matters because detection engineering is where cyber threat intelligence becomes useful in practice, and Microsoft is positioning CTI-REALM as a way to measure whether agents can truly help defenders do that work at scale.
The release also fits a broader pattern in Microsoft’s security strategy: the company has been steadily expanding AI-assisted defense across Defender, Entra, and Security Copilot while arguing that security is a team sport and that model diversity matters. CTI-REALM gives that message a concrete evaluation layer, one that could influence how vendors, security teams, and model builders judge whether agentic AI is ready for real-world security operations. Just as important, the benchmark’s early results suggest the challenge is not simply raw model capability, but tool use, reasoning style, and the messy realities of multi-stage detection workflows.

Background​

The security industry has spent years building benchmarks for threat intelligence and cyber reasoning, but many of those evaluations stop short of the moment that matters most: creating a detection rule that can actually catch an attack. Microsoft says CTI-REALM was designed to close that gap by testing end-to-end detection engineering rather than isolated knowledge recall. In other words, it does not just ask whether an agent understands a report; it asks whether the agent can convert that understanding into operational logic.
That shift reflects a broader frustration with older benchmark designs. Many prior tests measure whether a model can name a MITRE technique, summarize a report, or classify an attack pattern, which is useful but incomplete. Microsoft’s own framing describes CTI-REALM as a benchmark for operationalization, not recall, and that is an important distinction for enterprise buyers who need outcomes rather than impressive-sounding answers.
The benchmark also builds on recent Microsoft research into security workflow automation. Earlier work such as ExCyTIn-Bench focused on investigation tasks and multistage agent behavior, while CTI-REALM extends the concept into detection rule generation. That progression is significant because detection engineering is typically where ideas become measurable defensive controls, not just analysis artifacts. Microsoft’s own recent security blog posts show a company increasingly focused on agentic workflows, from hunting queries to incident summarization to AI protection controls across the stack. (microsoft.com)
There is also a business context here. Microsoft says it processes more than 100 trillion security signals a day across endpoints, cloud, identity, and threat intelligence, which underscores why automation is becoming central to modern defense. At that scale, even modest improvements in analyst throughput, detection coverage, or rule quality can have outsized effects. Benchmarks like CTI-REALM are meant to answer a practical question: can an AI agent help security teams produce better detections faster, and can that be shown objectively?

Why this benchmark matters now​

The timing is not accidental. Agentic AI has become a major theme in security, and Microsoft has spent the past year expanding its AI-first security narrative across product announcements, research posts, and platform updates. In that environment, customers increasingly need a way to separate promising demos from tools that can stand up to adversarial, real-world use.
CTI-REALM also arrives in a period when organizations are asking sharper questions about AI governance, validation, and safety. For security teams, the issue is not whether AI can generate text; it is whether it can produce a trusted detection rule that maps correctly to telemetry and survives review. That makes the benchmark relevant not just to researchers, but to CISOs who want evidence before permitting agentic workflows into production.

• It measures a workflow, not a quiz.
• It focuses on validated detections, not generic summaries.
• It connects AI output to real telemetry and ground truth.
• It is designed to be useful to both researchers and practitioners.

---

How CTI-REALM Works​

CTI-REALM, or Cyber Threat Real World Evaluation and LLM Benchmarking, simulates the kind of work a detection engineer or threat hunter would actually perform. According to Microsoft’s description and the associated paper, agents are asked to examine public threat reports, explore schemas and telemetry, generate KQL queries, refine those queries through iteration, and produce Sigma rules or equivalent detection logic. The benchmark then scores both the final output and the path taken to reach it. (arxiv.org)
That trajectory-based scoring is one of the benchmark’s most interesting design choices. It recognizes that detection engineering is a process of incremental narrowing, where intermediate decisions matter almost as much as the final rule. If an agent misidentifies the attack technique, chooses the wrong data source, or overfits its query, the final score may look poor even if the language model’s prose appears convincing.

A workflow, not a trivia test​

Microsoft says CTI-REALM was designed specifically to avoid the limitations of static CTI questions. Instead of treating threat intelligence as a multiple-choice problem, the benchmark places the model into a tool-rich environment with access to resources like CTI repositories, schema explorers, a Kusto query engine, MITRE ATT&CK references, and Sigma rule databases. That is closer to the real analyst loop than anything a simple text benchmark can capture. (arxiv.org)
This matters because detection engineering is rarely a single-step task. Analysts often read one report, map it to techniques, inspect available telemetry, write a query, find false positives, and then refine the detection several times before they trust it. CTI-REALM tries to model that friction, which is exactly why it is more demanding than trivia-style evaluation.

• Read a threat report.
• Identify techniques and likely telemetry sources.
• Draft an initial query.
• Test and refine against observed data.
• Produce a validated detection rule.

Why Sigma and KQL are central​

The benchmark’s emphasis on Sigma and KQL is especially practical. Sigma gives defenders a portable, community-friendly rule format, while KQL is central to Microsoft’s cloud and security analytics ecosystem. By asking agents to work in those representations, CTI-REALM tests whether a model can translate analysis into something defenders can actually deploy or adapt.
That makes the benchmark much more relevant to enterprise SOC teams than a generic coding task would be. A model that can talk about an attack is not necessarily useful if it cannot generate precise detection syntax or account for the quirks of a cloud environment. CTI-REALM tries to measure that difference directly.

---

The Dataset and Scope​

Microsoft says the benchmark was curated from 37 public CTI reports drawn from sources including Microsoft Security, Datadog Security Labs, Palo Alto Networks, and Splunk. The selection was not random. The reports were chosen because they could be faithfully simulated in a sandbox and because the resulting telemetry was suitable for detection-rule development. (arxiv.org)
The benchmark spans three platforms: Linux endpoints, Azure Kubernetes Service (AKS), and Azure cloud infrastructure. That mix is important because it covers both endpoint-style tradecraft and cloud-native attack paths, where the telemetry is often distributed, noisier, and harder to correlate. The result is a more realistic evaluation surface than a single-system benchmark can provide.

Why platform diversity changes the difficulty​

The difficulty gradient Microsoft reports is revealing. The paper and summary indicate performance is strongest on Linux, lower on AKS, and worst on cloud infrastructure, which makes intuitive sense. Cloud attacks often require correlation across multiple logs, identities, services, and management planes, making the detection logic substantially more complex. (arxiv.org)
That gap should matter to defenders. Many organizations already know how to write an endpoint rule that catches a suspicious process tree, but far fewer can reliably detect a cloud intrusion that spans control plane activity, identity misuse, and service-level abuse. A benchmark that exposes this disparity is useful because it shows where AI agents are most likely to fail.

• Linux telemetry is comparatively direct.
• AKS introduces orchestration complexity.
• Cloud infrastructure demands multi-source correlation.
• The hardest detections are often the most business-critical.

Ground truth is the real prize​

The benchmark’s value depends heavily on ground truth. Microsoft says CTI-REALM scores outputs against validated attack telemetry, not subjective human judgment, which is exactly what gives the benchmark credibility. Without that layer, an agent could generate something plausible but incorrect, and the evaluation would still look favorable.
This is also what makes the benchmark useful for iteration. If a model fails because it selects the wrong technique, that is a different problem from failing because it writes syntactically broken KQL. Fine-grained ground truth lets researchers and product teams distinguish between those failures and tune the workflow accordingly.

---

What the Results Suggest​

Microsoft evaluated 16 frontier model configurations on CTI-REALM-50, the 50-task subset spanning all three platforms. The broad takeaway is that even the strongest models are far from solving end-to-end detection engineering reliably, but the benchmark does reveal meaningful patterns in how different systems behave. (arxiv.org)
The top performers are not just the models with the largest parameter counts or the flashiest branding. Instead, performance appears to hinge on tool use, iterative reasoning, and the ability to stay focused during multi-step workflows. That is a useful reminder that detection engineering is as much about disciplined procedure as it is about language fluency.

The model ranking is only part of the story​

Microsoft reports that Anthropic models led the benchmark overall, with Claude occupying the top positions, while the GPT-5 family showed a more nuanced pattern. Within that family, medium reasoning apparently outperformed high reasoning, suggesting that more deliberation is not always better in an agentic setting. (arxiv.org)
That finding is easy to misread, so it is worth being careful. It does not mean reasoning is bad; it means that in a tool-heavy workflow, overthinking can introduce inefficiency, distraction, or self-reinforcing error. In practical terms, defenders may need different reasoning settings for different tasks rather than assuming one “best” model mode exists.

• Tool use can matter as much as model size.
• Iteration is essential for better detection logic.
• Excessive reasoning may slow or distort results.
• The “best” model may vary by workflow stage.

Smaller models still have room to grow​

Another useful result is that structured guidance can close part of the performance gap between smaller and larger models. Microsoft says that giving a smaller model human-authored workflow tips closed roughly a third of the gap to a much larger model, primarily by improving threat-technique identification. That is encouraging for enterprises that may not want to deploy the largest and most expensive models for every task. (arxiv.org)
This is also a practical clue for product design. If a smaller model can improve significantly with better prompts, memory, or workflow scaffolding, then the bottleneck may not be raw intelligence alone. It may be the quality of the operational environment around the model.

---

Why Tooling Matters More Than Trivia​

One of the clearest messages from CTI-REALM is that tools are not optional. Microsoft says removing CTI-specific tools degraded every model’s output, with the largest impact on final detection quality rather than intermediate steps. That suggests the tools are helping models cross the last mile from analysis to usable defensive output. (arxiv.org)
This aligns with what many security teams already know intuitively. A model that has access to structured CTI references, schema explorers, and a query engine has a much better chance of building the right detection than one that is forced to improvise from memory. For defenders, the takeaway is simple: agentic systems should be judged by how they use tools, not just by whether they can chat about them.

The workflow is the product​

In many AI demos, the model seems strong because it can paraphrase attack reports beautifully. But paraphrase is not defense. The real value is whether the model can perform the chain of actions that lead to a high-confidence rule, and whether it can do so with enough consistency to support human review.
That is why CTI-REALM feels more aligned with security operations than benchmark theater. It treats the workflow as the product: the model must understand the threat, identify the right telemetry, query the right data, and produce something that can survive scrutiny. That is a far higher bar than answering questions about adversary behavior.

The human in the loop still matters​

Even with a benchmark like this, Microsoft is not suggesting that AI should replace detection engineers outright. The benchmark itself reinforces the need for human review, because validated rule generation is still a high-stakes task. In practice, the best use case may be a hybrid one, where agents draft, test, and refine while analysts approve and harden the output.
That is likely the most realistic enterprise deployment path. AI can reduce toil, speed exploration, and expand coverage, but the final decision about what goes into production should remain with a trained defender. That caution is not a weakness; it is exactly what responsible adoption looks like.

---

Competitive Implications​

CTI-REALM also has implications beyond Microsoft’s own research agenda. Security vendors, AI labs, and benchmark builders are all trying to define what “good” looks like for agentic cyber defense, and Microsoft is clearly aiming to shape that standard. By open-sourcing the benchmark, it invites comparison while also nudging the market toward more realistic evaluation criteria. (arxiv.org)
That can be both helpful and strategic. Helpful, because the industry desperately needs more grounded benchmarks. Strategic, because if Microsoft’s framing becomes the default, then competitors will be measured against its definition of operational usefulness rather than against more abstract AI capability metrics.

A challenge to benchmark complacency​

CTI-REALM implicitly criticizes the older habit of testing only CTI recall or classification. It suggests that security AI is mature enough to be judged on whether it can actually build detections, not just whether it can label threats. For rivals, that raises the bar materially.
It also pressures teams to improve the entire system around the model: prompts, tooling, guardrails, memory, and evaluation. A vendor cannot simply claim “our model understands cyber” if it cannot turn intelligence into a rule that survives ground-truth scoring. That is a much harder sell, but also a more honest one.

• Benchmarks will likely shift toward workflow realism.
• Vendors may need stronger tool orchestration.
• Evaluation will increasingly include intermediate steps.
• Buyers will demand evidence, not just claims.

Implications for enterprise buyers​

For enterprise security leaders, the benchmark offers a new procurement lens. Instead of asking whether an AI assistant can summarize incidents, they can ask whether it can generate and validate detections across their actual telemetry. That is a more meaningful measure of business value, especially in organizations where detection engineering is a backlog, not a luxury.
The competitive angle may also push vendors to differentiate on data access and integration quality. If the model is only as useful as the telemetry and CTI context it can reach, then the winning platforms may be the ones that best connect to real enterprise data rather than those that merely boast the strongest benchmark scores.

---

Enterprise vs Consumer Impact​

CTI-REALM is a security benchmark, but its implications are uneven across audiences. For consumer users, the effect is mostly indirect: better validation of security AI should eventually yield stronger products, fewer false positives, and safer automation. For enterprises, the impact is immediate because detection engineering is a core operational function with direct cost, staffing, and risk implications.
That distinction matters. Consumer AI products can tolerate some novelty, but security operations cannot. A detection rule that misses an intrusion or floods the SOC with noise has real consequences, which is why Microsoft’s emphasis on validated outputs feels especially important. In this space, pretty language is not enough.

For security teams​

Security teams may benefit most from a benchmark that isolates where agentic systems succeed and fail. If an AI tool struggles with technique extraction but performs well on query refinement, then managers can place guardrails around the weak stage while allowing automation elsewhere. That level of granularity is operationally useful.
It also makes it easier to justify adoption internally. CISOs often need more than vendor demos; they need evidence that a tool improves analyst output without introducing unacceptable risk. CTI-REALM gives them a language for that discussion.

For model builders​

Model developers get a different signal. The benchmark suggests that better cyber AI is not just about scaling laws or generic reasoning upgrades. It is about helping models behave well in structured, multi-step workflows where tools, memory, and disciplined iteration matter.
That could encourage a wave of security-specific tuning, retrieval design, and agent orchestration work. It may also steer vendors away from the idea that one general-purpose model can solve every security task equally well. In practice, specialization may win.

---

Microsoft’s Security Strategy in Context​

CTI-REALM does not exist in isolation. Microsoft has been steadily building a security narrative around AI-first defense, including Security Copilot agents, AI protections, and research that emphasizes practical automation rather than abstract model demos. Recent Microsoft Security blog posts show repeated attention to AI-assisted detection, incident summarization, hunting queries, and the protection of AI systems themselves. (microsoft.com)
This matters because CTI-REALM can be read as both research and positioning. Research, because it contributes a useful benchmark to the field. Positioning, because it supports Microsoft’s larger argument that it is not merely shipping AI features, but also defining how they should be measured and governed.

Open source as strategy​

Microsoft says CTI-REALM is open source and intended for broad industry use. That openness is important, because benchmarks gain legitimacy when others can reproduce, challenge, and extend them. It also helps Microsoft align its security research with its platform ecosystem while still appearing collaborative rather than closed.
Open source can, of course, be both principled and tactical. It builds credibility, drives adoption, and shapes the evaluation landscape. For security researchers, that is beneficial so long as the benchmark remains transparent, reproducible, and resistant to overfitting.

The broader agentic shift​

The benchmark also sits neatly inside the wider rise of agentic AI. Microsoft’s own recent messaging about autonomous and ambient security indicates a belief that agents will increasingly perform meaningful operational tasks, from governance to investigation to response. CTI-REALM tests a particularly difficult slice of that future.
That makes the benchmark timely. If the industry is going to trust agents with more security work, it needs ways to measure whether those agents actually improve outcomes. CTI-REALM is one attempt to provide that measurement.

---

Strengths and Opportunities​

CTI-REALM has several strong points that make it especially relevant to security professionals, researchers, and product teams. Its biggest advantage is that it tests a real workflow instead of an academic shortcut, and that makes the results more actionable. It also opens up room for better model design, better guardrails, and better human-machine collaboration.

• It evaluates end-to-end detection engineering rather than isolated knowledge.
• It includes ground-truth scoring, which improves trust in the results.
• It spans multiple platforms, including Linux, AKS, and Azure cloud.
• It rewards tool use and iterative refinement, which mirrors real analyst work.
• It creates a repeatable way to compare models across the same tasks.
• It can help enterprises identify where AI adds value and where human review is still required.
• It may accelerate better security-specific prompt design and agent orchestration.

Risks and Concerns​

The benchmark is useful, but it should not be mistaken for a guarantee of safe or production-ready detection automation. Like any evaluation, it reflects the environments and tasks it was built to measure. There is also a real risk that vendors will overstate benchmark wins without translating them into durable operational outcomes.

• It may encourage benchmark overfitting if models are tuned too narrowly to the tasks.
• Public CTI reports may not reflect every adversary technique or enterprise environment.
• Strong benchmark performance does not guarantee low false positives in production.
• Cloud and hybrid environments in the real world can be even messier than sandboxed simulations.
• Organizations may misread benchmark success as permission to reduce analyst oversight too aggressively.
• The complexity of tool chains could introduce new failure modes if integrations are brittle.
• Security teams may still need extensive customization for their own telemetry and data sources.

---

Looking Ahead​

The biggest question now is whether CTI-REALM becomes a one-off research artifact or the beginning of a broader movement toward operationally realistic security AI evaluation. If the industry embraces benchmarks that measure actual detection outcomes, then the next generation of security tools will likely be judged much more harshly — and much more fairly. That would be a good thing.
The other question is how quickly vendors and practitioners turn benchmark lessons into real products. If smaller models improve with workflow guidance, as Microsoft suggests, then there is room for lightweight, specialized security agents that assist analysts without pretending to replace them. But if the hardest cloud scenarios remain brittle, then human expertise will continue to dominate the most critical parts of detection engineering.

• Watch whether other vendors publish comparable end-to-end detection benchmarks.
• Track whether model gains hold up outside curated tasks and into live SOC workflows.
• Look for more research on tool-augmented agents in security operations.
• Pay attention to whether cloud detection remains the hardest domain.
• Monitor how quickly enterprises adopt AI-assisted rule generation with human review.

Microsoft has done the market a favor by turning a vague promise — “AI for cybersecurity” — into something measurable. CTI-REALM does not solve detection engineering, and it does not eliminate the need for expert analysts, but it does make the state of the art easier to evaluate. That is exactly the kind of pressure the security industry needs if agentic AI is going to earn a place in the SOC, not just a place in the slide deck.

---

Source: Microsoft CTI-REALM: A new benchmark for end-to-end detection rule generation with AI agents | Microsoft Security Blog