Multiphase Prompt Engineering Workflow: Mastering Network Security with AI Tools
AI tools in network security need precise prompt engineering workflows. A multiphase approach automates security analyses, identifies threats, and develops response strategies. This post breaks down a concrete workflow. We examine the prompts, explain techniques, and offer insights for advanced users.
Overview
The workflow comes from a Reddit post. Despite a network block ("You’ve been blocked by network security"), it shows how to structure multiphase prompt workflows. The author uses AI models like GPT-4 or Claude for step-by-step network security analyses. The workflow has four phases: 1) Initial Log Analysis, 2) Anomaly Identification, 3) Countermeasure Development, 4) Report Generation. Each phase builds on the previous one with specific prompts. This reduces errors, increases accuracy, and saves time.
Prompt Analysis
Phase 1: Initial Log Analysis
The Prompt
Role: You are an experienced network security analyst with 10 years of experience in analyzing firewall and system logs.
Context: I will give you an excerpt from a firewall log (CSV format). The log contains timestamps, source IP, destination IP, port, protocol, and status. Analyze the data for suspicious activities such as port scans, denial-of-service (DoS) attacks, or unusual connections.
Task: Identify all anomalies, list them with timestamp and IP addresses, and provide a brief threat level assessment (low, medium, high).
Output Format: Present the results as a numbered list. Each entry should follow this format: [Timestamp] - [Source IP] -> [Destination IP] - [Anomaly Type] - [Threat Level].
Constraints: Only consider connections logged in the last 24 hours. Ignore internal IPs (192.168.x.x). Do not use external tools or databases.
Components
Role/Persona: The role as an experienced network security analyst gives the model a clear domain perspective. This increases the chance of precise, domain-specific responses. Specifying 10 years of experience reinforces authority.
Context: The context specifies the data source (firewall log in CSV format) and relevant fields (timestamps, IPs, port, protocol, status). This reduces interpretation ambiguity. Mentioning specific attack types guides the analysis toward known threats.
Task: The task is clearly defined: identify, list, and assess anomalies. The requirement for a threat level forces a qualitative evaluation.
Output Format: The structured format (numbered list with defined syntax) facilitates machine processing. It ensures consistent results.
Constraints: The restrictions (only last 24 hours, ignoring internal IPs, no external tools) prevent overengineering. They reflect real security policies.
Phase 2: Detailed Anomaly Investigation
The Prompt
Role: You are a threat intelligence specialist focused on analyzing network anomalies.
Context: Based on the previous analysis, the following anomalies were identified: [List of anomalies]. Investigate each anomaly in depth. For each IP address (source and destination), research possible known threats (e.g., known malware C2 servers, botnet activity). Use your internal knowledge of current threats (as of 2023).
Task: Create a detailed report for each anomaly including: 1) Description of the anomaly, 2) Possible threat classification (e.g., APT, ransomware, phishing), 3) Recommended next steps (e.g., block IP, archive logs, notify team).
Output Format: Use Markdown headings (##) for each anomaly. Within each section, use bullet points for the three items.
Constraints: Do not provide false or speculative information. If unsure, mark the anomaly as "unknown." Limit yourself to a maximum of 5 anomalies.
Components
Role/Persona: The role as a threat intelligence specialist expands the perspective to threat analysis. This is a natural progression from the first phase.
Context: The context refers to the results of the previous phase. This creates a seamless workflow. The instruction to use internal knowledge makes the prompt self-contained.
Task: The task is divided into three sub-points: description, classification, next steps. This forces a comprehensive analysis.
Output Format: Markdown format with headings and bullet points enhances readability. The structure works for both humans and machines.
Constraints: The restriction against providing speculative information increases reliability. Limiting to 5 anomalies prevents information overload.
Phase 3: Develop Response Strategy
The Prompt
Role: You are an incident response manager with experience in coordinating security incidents in corporate networks.
Context: Based on the detailed analysis of the anomalies (see previous phase), response strategies must now be developed. The anomalies affect critical systems (database servers, domain controllers). The prioritized threats are: [List of threats with levels].
Task: Develop a multi-stage response plan. The plan should include the following phases: 1) Immediate actions (within 15 minutes), 2) Short-term actions (within 24 hours), 3) Long-term actions (within 1 week). Each phase should contain specific actions, responsible roles, and expected outcomes.
Output Format: Use a table with columns: Phase, Action, Responsible Role, Expected Outcome. Add an introduction describing the overall context.
Constraints: Assume a medium-sized company (500 employees). Consider compliance requirements (e.g., GDPR, ISO 27001). Do not use unrealistic resources (e.g., dedicated SOC team).
Components
Role/Persona: The role as an incident response manager brings a strategic perspective. This is key for response plans that go beyond technical details.
Context: The context specifies the affected systems and prioritized threats. Mentioning company size and compliance creates realistic framework conditions.
Task: The task is divided into three time phases. This forces prioritization and temporal staging. The requirement for concrete actions and responsibilities enhances feasibility.
Output Format: A table provides a quick overview. The introduction ensures context.
Constraints: The restrictions ensure the plan is practically applicable. This prevents ideal but unimplementable solutions.
Phase 4: Report Generation
The Prompt
Role: You are a technical writer specializing in security reports.
Context: Summarize the results of the previous three phases into a final security report. The report is intended for management (CTO, CISOs). Use clear, non-technical language, but maintain technical accuracy.
Task: Create a report with the following sections: 1) Executive Summary, 2) Summary of Anomalies (with threat levels), 3) Response Plan (in table format), 4) Recommendations for Future Prevention. The report should be a maximum of 2 pages long (approx. 1000 words).
Output Format: Use professional Markdown with headings, bullet points, and a table. Add a list of Key Takeaways (3-5 points) at the end.
Constraints: Avoid jargon that is incomprehensible to non-technical readers. Explain necessary technical terms in parentheses. Do not give exaggerated calls to action (e.g., "immediate action required"), but remain objective.
Components
Role/Persona: The role as a technical writer ensures clear, understandable communication. This is important for reports to decision-makers.
Context: The context summarizes the previous phases and defines the target audience. This influences tone and language. The requirement of a maximum of 2 pages forces conciseness.
Task: The task structures the report into four sections. The Executive Summary summarizes the key points for management.
Output Format: Professional Markdown with Key Takeaways facilitates readability and decision-making.
Constraints: Avoiding jargon and explaining terms ensures comprehensibility. Objective language promotes rational decisions.
Frequently Asked Questions
How do I avoid hallucinations in multiphase workflows?
Set constraints that force the model to mark uncertainties (e.g., "unknown"). Use fact-based roles. Critically review the results of each phase before passing them to the next phase.
Which AI models are best suited for network security?
GPT-4, Claude 3, and specialized models like SecurityBERT are suitable. GPT-4 offers good reasoning capabilities. Claude 3 excels at analyzing large contexts. SecurityBERT is pre-trained on security data.
How many phases should a workflow ideally have?
3-5 phases are optimal. Fewer phases can lead to superficial results. More phases increase complexity and error proneness. Each phase should offer clear added value.
Can I automate the workflow?
Yes, with tools like LangChain or AutoGPT you can chain the phases. Pay attention to error handling and validation.
How do I ensure consistency between phases?
In each phase, refer to the results of the previous phase (e.g., "Based on the previous analysis"). Use consistent formats and logically building roles.
What if the model delivers incorrect results in a phase?
Implement a validation loop. Have the model review its own results or use a separate instance for plausibility checking. Document error sources.
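One way to implement the validation these answers call for is a deterministic gate between Phase 1 and Phase 2. It parses the Phase 1 output format, rejects entries that do not appear in the log, and enforces the Phase 1 constraints in code instead of trusting the model. This is an added example, not code from the original post; the CSV column names, the timestamp format, the source-only reading of "ignore internal IPs" and the sample data are assumptions.

```python
import csv
import ipaddress
import re
from datetime import datetime, timedelta

# Phase 1 format: [Timestamp] - [Source IP] -> [Destination IP] - [Anomaly Type] - [Threat Level]
ENTRY = re.compile(r"^\d+\.\s*\[(?P<ts>[^\]]+)\] - \[(?P<src>[^\]]+)\] -> \[(?P<dst>[^\]]+)\]"
                   r" - \[(?P<kind>[^\]]+)\] - \[(?P<level>low|medium|high)\]$", re.I)
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # "Ignore internal IPs (192.168.x.x)"
TS_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the log

def check_entry(line, seen, now):
    """Return (entry, None) when the line passes every check, else (None, reason)."""
    m = ENTRY.match(line.strip())
    if not m:
        return None, "format"
    e = m.groupdict()
    try:
        ts = datetime.strptime(e["ts"], TS_FMT)
        src, _dst = (ipaddress.ip_address(e[k]) for k in ("src", "dst"))
    except ValueError:
        return None, "bad timestamp or IP"
    if (e["ts"], e["src"], e["dst"]) not in seen:
        return None, "not in log"  # the model invented or altered a connection
    if src in INTERNAL:
        return None, "internal source"
    if not timedelta(0) <= now - ts <= timedelta(hours=24):
        return None, "outside 24h window"
    return e, None

def validate_phase1(model_output, log_csv, now, max_items=5):
    """Split Phase 1 output into entries safe to hand to Phase 2 and rejected lines."""
    seen = {(r["timestamp"], r["src_ip"], r["dst_ip"])  # assumed column names
            for r in csv.DictReader(log_csv.splitlines())}
    checked = [(l, *check_entry(l, seen, now)) for l in model_output.splitlines() if l.strip()]
    accepted = [e for _, e, reason in checked if reason is None]
    rejected = [(l, reason) for l, _, reason in checked if reason is not None]
    return accepted[:max_items], rejected  # Phase 2 is limited to 5 anomalies

# Constructed sample data (documentation-range IPs), not from the original post.
SAMPLE_NOW = datetime(2024, 5, 2, 12, 0, 0)
SAMPLE_LOG = """timestamp,src_ip,dst_ip,port,protocol,status
2024-05-02 09:15:00,203.0.113.7,198.51.100.10,22,TCP,DENY
2024-05-02 09:16:00,192.168.1.20,198.51.100.10,443,TCP,ALLOW
2024-04-30 08:00:00,203.0.113.9,198.51.100.10,3389,TCP,DENY"""
SAMPLE_OUTPUT = """1. [2024-05-02 09:15:00] - [203.0.113.7] -> [198.51.100.10] - [Port scan] - [high]
2. [2024-05-02 09:16:00] - [192.168.1.20] -> [198.51.100.10] - [Unusual connection] - [low]
3. [2024-05-02 10:00:00] - [198.51.100.99] -> [198.51.100.10] - [DoS] - [high]
4. [2024-04-30 08:00:00] - [203.0.113.9] -> [198.51.100.10] - [Port scan] - [medium]"""
```

Only the accepted entries should be substituted into the Phase 2 prompt's [List of anomalies]; the rejected lines and their reasons are the error sources to document.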
Source
Based on this article.