AVDA: Autonomous Vibe Detection Authoring for Cybersecurity
arXiv:2603.25930v1 Announce Type: new
Abstract: With the rapid advancement of AI in code generation, cybersecurity detection engineering faces new opportunities to automate traditionally manual processes. Detection authoring — the practice of creating executable logic that identifies malicious activities from security telemetry — is hindered by fragmented code across repositories, duplication, and limited organizational visibility. Current workflows remain heavily manual, constraining both coverage and velocity. In this paper, we introduce AVDA, a framework that leverages the Model Context Protocol (MCP) to automate detection authoring by integrating organizational context — existing detections, telemetry schemas, and style guides — into AI-assisted code generation. We evaluate three authoring strategies — Baseline, Sequential, and Agentic — across a diverse corpus of production detections and state-of-the-art LLMs. Our results show that Agentic workflows achieve a 19% improvement in overall similarity score over Baseline approaches, while Sequential workflows attain 87% of Agentic quality at $40\times$ lower token cost. Generated detections excel at TTP matching (99.4%) and syntax validity (95.9%) but struggle with exclusion parity (8.9%) and logic equivalence (18.4%). Expert validation on a 22-detection subset confirms strong correlation between automated metrics and practitioner judgment ($\rho = 0.64$, $p < 0.002$). By integrating seamlessly into standard developer environments, AVDA provides a practical path toward AI-assisted detection engineering with quantified trade-offs between quality, cost, and latency.