Sweet Security revolutionized detection and response for the cloud with its LLM-powered cloud detection engine that identifies unified attacks and breaks down security silos across multiple cloud layers. 

Now, we’re taking it a step further with our new LLM-powered storytelling capability—a breakthrough in incident response that turns complex attack activity into a clear, step-by-step narrative.

From Fragmented Alerts to a Coherent Story

Every cloud detection and response platform offers some form of an attack graph that maps an attacker’s lateral movement. These graphs are detailed and accurate, yet still require analysts to manually reconstruct an attacker’s activity to understand how various indicators connect. This slows investigation times and ultimately leads to longer response times/ higher MTTR.

Sweet Security eliminates this pain point by providing a human-readable story of each attack. Instead of isolated alerts, we write a comprehensive, ordered sequence of every action taken by an attacker—including every script executed, every command run, and the intent behind each step. This transforms raw security data into a clear storyline, allowing analysts to immediately understand what happened and act decisively.

Real-World Impact: Detecting and Resolving an Incident in Minutes

Sweet’s LLM-powered storytelling capability has already helped customers dramatically reduce their investigation times. Here’s an example of how one of our customers in the blockchain space used Sweet’s attack storyline to resolve a Red Team incident in just 7 minutes:

Incident Overview - Unauthorized access attempt to AWS resources via `payload.sh`

A series of suspicious activities were detected, beginning with the execution of a payload script designed to access sensitive AWS resources. The adversary attempted to retrieve an admin password from S3 and delete VPC flow logs to evade detection.

Step 1: Understand What Happened and its Impact Through a Story

Sweet listed out in a story-like format exactly what occurred and the steps that were taken by the adversary. This story helps security analysts understand:

• If the incident is a false positive 
• What team or team member needs to be assigned to investigate 
• What's the urgency of the incident 

Step 2: Investigate and Close the Incident 

Next, Sweet highlighted the top events that took place and a timestamp of when each took place. 

What was the customer able to immediately glean from this? 

✔ That the attacker executed a payload script and installs an AWS CLI to interact with cloud resources 

✔ That the attacker gained temporary access to AWS credentials 

✔ That sensitive information was targeted for exfiltration in an S3 bucket but was not successful

✔ That attempts were made to erase logs but it was not successful 

‍Step 3: Respond and Close the Incident 

Even though the attacker was not successful in exfiltrating data or erasing cloud logs, they still managed to get inside the environment, move laterally, and have complete control over one of the pods. 

So what can the security analyst do next?

1. Verify the Identity:
   
   • If the activity originates from outside the organization, it's almost certainly an attack.
   • If it's an internal identity, investigate further—are the credentials stolen, or is this a case of misconfigured permissions or poor security practices? Either way, it needs to be addressed.
2. Confirm and Contain the Attack:
   
   • If it's an actual attack, secure the affected pod to prevent further exploitation.
   • Identify how the attacker gained access—was it through an unpatched vulnerability, an exposed SSH connection, or another entry point?
3. Resolve and Close the Incident:
   
   • After pinpointing the root cause and implementing necessary security measures, the analyst can close the investigation—often within just 2-5 minutes.

Why Storytelling Matters in Cloud Security

With Sweet Security’s LLM-powered storytelling capability, security teams no longer need to sift through disconnected alerts, raw logs, or complex attack graphs to understand what happened. By presenting a clear, structured narrative, Sweet enables:

• Faster Investigations – Analysts instantly see the full attack sequence, reducing time to resolution.
• Improved Decision-Making – Every step of an attack is contextualized, eliminating guesswork.
• Stronger Response Strategies – With a clear picture of attacker intent and execution, security teams can respond proactively rather than reactively.