AI & Machine Learning · Mar 30, 2026

AVDA: Autonomous Vibe Detection Authoring for Cybersecurity

Source: arXiv Security · Archived Mar 30, 2026 (full text saved)



[Submitted on 26 Mar 2026]

Fatih Bulut, Carlo DePaolis, Raghav Batta, Anjali Mangal

Abstract. With the rapid advancement of AI in code generation, cybersecurity detection engineering faces new opportunities to automate traditionally manual processes. Detection authoring, the practice of creating executable logic that identifies malicious activities from security telemetry, is hindered by fragmented code across repositories, duplication, and limited organizational visibility. Current workflows remain heavily manual, constraining both coverage and velocity. In this paper, we introduce AVDA, a framework that leverages the Model Context Protocol (MCP) to automate detection authoring by integrating organizational context (existing detections, telemetry schemas, and style guides) into AI-assisted code generation.

We evaluate three authoring strategies (Baseline, Sequential, and Agentic) across a diverse corpus of production detections and state-of-the-art LLMs. Our results show that Agentic workflows achieve a 19% improvement in overall similarity score over Baseline approaches, while Sequential workflows attain 87% of Agentic quality at 40× lower token cost. Generated detections excel at TTP matching (99.4%) and syntax validity (95.9%) but struggle with exclusion parity (8.9%) and logic equivalence (18.4%). Expert validation on a 22-detection subset confirms strong correlation between automated metrics and practitioner judgment (ρ = 0.64, p < 0.002). By integrating seamlessly into standard developer environments, AVDA provides a practical path toward AI-assisted detection engineering with quantified trade-offs between quality, cost, and latency.
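The gap the abstract reports between TTP matching and syntax validity on one side and exclusion parity and logic equivalence on the other is the practical risk of generated detections: a rule can name the right technique and parse cleanly yet fire on a different set of events than the reference it was meant to reproduce. The following added example (not AVDA's code, and not the paper's metric definitions) makes that concrete. It assumes a simplified rule model (a conjunction of selection predicates minus a list of exclusions), defines exclusion parity as the share of the reference's exclusion clauses the generated rule reproduces, checks logic equivalence exhaustively over a truth table of the atomic predicates, and runs both rules over three constructed Sysmon-style process-creation events. The encoded-PowerShell rule, the CcmExec.exe parent exclusion and the events are all constructed for illustration.

```python
"""Added example: reference vs. generated detection, exclusion parity and
logic equivalence. Rules, events and metric definitions are constructed
assumptions for illustration, not AVDA's code or its metric definitions."""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import product
from typing import Callable

# Atomic predicates over a Sysmon-style process-creation event (constructed).
PREDICATES: dict[str, Callable[[dict], bool]] = {
    "powershell":  lambda e: e["Image"].lower().endswith("powershell.exe"),
    "encoded":     lambda e: "-enc" in e["CommandLine"].lower(),
    "sccm_parent": lambda e: e["ParentImage"].lower().endswith("ccmexec.exe"),
}


@dataclass
class Rule:
    """A detection: every selection predicate must hold, no exclusion may hold."""
    name: str
    selection: list[str]
    exclusions: list[str] = field(default_factory=list)

    def evaluate(self, truth: dict[str, bool]) -> bool:
        return all(truth[p] for p in self.selection) and not any(
            truth[p] for p in self.exclusions)


def truth_values(event: dict) -> dict[str, bool]:
    """Evaluate every atomic predicate against one event."""
    return {name: pred(event) for name, pred in PREDICATES.items()}


def fires(rule: Rule, event: dict) -> bool:
    return rule.evaluate(truth_values(event))


def exclusion_parity(generated: Rule, reference: Rule) -> float:
    """Share of the reference's exclusions reproduced by the generated rule
    (assumed definition for this example)."""
    if not reference.exclusions:
        return 1.0
    shared = set(generated.exclusions) & set(reference.exclusions)
    return len(shared) / len(reference.exclusions)


def counterexamples(a: Rule, b: Rule) -> list[dict[str, bool]]:
    """Truth-table rows over the atomic predicates where a and b disagree;
    an empty list means the two rules are logically equivalent."""
    atoms = list(PREDICATES)
    diffs = []
    for bits in product((False, True), repeat=len(atoms)):
        truth = dict(zip(atoms, bits))
        if a.evaluate(truth) != b.evaluate(truth):
            diffs.append(truth)
    return diffs


def logic_equivalent(a: Rule, b: Rule) -> bool:
    return not counterexamples(a, b)


def disagreements(a: Rule, b: Rule, events: list[dict]) -> list[int]:
    """Indices of events on which only one of the two rules fires."""
    return [i for i, e in enumerate(events) if fires(a, e) != fires(b, e)]


# Constructed reference rule (with a benign-management exclusion) and a
# generated rule that matched the TTP but dropped the exclusion.
REFERENCE = Rule("encoded_powershell", ["powershell", "encoded"], ["sccm_parent"])
GENERATED = Rule("encoded_powershell_gen", ["powershell", "encoded"])

# Constructed sample telemetry: user-launched encoded PowerShell, the same
# launched by the SCCM agent, and an unrelated cmd.exe.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print("exclusion parity:", exclusion_parity(GENERATED, REFERENCE))
    print("logic equivalent:", logic_equivalent(GENERATED, REFERENCE))
    for row in counterexamples(GENERATED, REFERENCE):
        print("differ on:", row)
    print("events where only one rule fires:",
          disagreements(GENERATED, REFERENCE, EVENTS))
```

Both rules match the technique and are syntactically fine, so a TTP or syntax metric scores them identically; only the truth-table check and the event replay expose that the generated rule also fires on the SCCM-launched case the reference deliberately excluded. The exhaustive check is feasible here because the predicate set is small; for real rules with many atoms a SAT or SMT solver does the same job.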
Subjects: Cryptography and Security (cs.CR); Software Engineering (cs.SE)
Cite as: arXiv:2603.25930 [cs.CR] (or arXiv:2603.25930v1 [cs.CR] for this version), https://doi.org/10.48550/arXiv.2603.25930
Related DOI: https://doi.org/10.1145/3803437.3805261
Submission history: From Muhammed Fatih Bulut. [v1] Thu, 26 Mar 2026 21:52:33 UTC (516 KB)