Incident management · Production

Behind the scenes of Elastic Security's generative AI features: a quantitative approach to prompt tuning and LLM evaluation

The problem

Elastic's Security GenAI team needed a robust, reproducible way to evaluate LLM prompt quality and compare model providers at scale; the initial approach relied on manual spreadsheet-based testing that was effective but time-intensive and did not scale as more features were added.

Workflow diagram · grounded in source
1
User submits request
trigger
“from when it gets a user request to when it generates the response”
2
RAG retrieval via Elasticsearch
ai_action
“We use Elasticsearch as a vector database to power retrieval augmented generation (RAG) functionality”
3
LLM response generation
ai_action
“we use LangGraph to design and run our AI Agent workflows behind the scenes”
4
Real-time rubric evaluation
validation
“The rubric prompt checks in real time if the LLM output is good enough”
5
Regeneration on failure
feedback_loop
“if not, it will go back to the initial generator LLM to regenerate a response”
6
Response displayed
output
“when the response is displayed”
Reported outcome

Elastic transitioned from manual to automated LLM evaluations using LangSmith and LangGraph, building a framework that enables quantitative comparison of prompts and models, with a real-time rubric check in production that regenerates responses if they fall below quality standards.

Reported metrics
Evaluation workflow improvementsignificantly improving our workflow
Prompt accuracy threshold for acceptance85%
Reported stack
Elastic AI AssistantAttack DiscoveryAutomatic ImportLangSmithLangGraphElasticsearchES|QL
Source
https://www.elastic.co/blog/elastic-security-generative-ai-features
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Elastic transitioned from manual to automated LLM evaluations using LangSmith and LangGraph, building a framework that enables quantitative comparison of prompts and models, with a real-time rubric check in production…

What tools did this team use?

Elastic AI Assistant, Attack Discovery, Automatic Import, LangSmith, LangGraph, Elasticsearch, ES|QL.

What results were reported?

Evaluation workflow improvement: significantly improving our workflow; Prompt accuracy threshold for acceptance: 85% (source-reported, not independently verified).

How is this incident management AI workflow structured?

User submits request → RAG retrieval via Elasticsearch → LLM response generation → Real-time rubric evaluation → Regeneration on failure → Response displayed.