Panther AI (Beta)
Overview
Panther AI encompasses a set of generative AI features aimed at accelerating your detection and response workflows. It operates with the persona of a security engineer and has access to many of the same tools available to human users of Panther.
Panther AI can quickly assess data, such as alerts and logs, to rapidly deliver insights. You can run predefined workflows or ask your own questions to Panther AI—it will leverage its available tools (such as querying the data lake) to answer them, generally much faster than a human analyst would be able to.
Panther AI uses Claude AI models by Anthropic through Amazon Bedrock. Panther AI does not use your data for AI training—learn more about data security below.
Where to use Panther AI
Use Panther AI in the Panther Console when:
Analyzing alerts:
AI alert triage: Gather information about and analyze an alert.
Alert list AI summary: Summarize your alerts list.
Summarizing Search results:
Search results AI summary: Summarize a set of result events.
Asking general questions:
Overview dashboard: Ask Panther AI anything—in the Overview dashboard entry point, there is no context-dependent data being analyzed (like an alert or log events in the above entry points), which means it's a good place to ask general security questions.

When using Panther AI triage and summarization as well as running your own prompts, you may want to view previous responses or rename, pin, save, or delete certain interactions. Learn how to perform these actions in Managing Panther AI Response History.
There are also AI GraphQL API operations available to Cloud Connected customers and SaaS customers with "pass-through billing"—view them in the GraphQL API schema.
Separate from Panther AI, Panther also offers an MCP server.
Enabling Panther AI
To use Panther AI features, your Panther instance's Enable Panther AI setting must be set to ON
and your user role must have the Run Panther AI permission. If you have a Cloud Connected Panther instance, you must also enable certain AI models in AWS.
To enable Panther AI:
In the upper-right corner of your Panther Console, click the gear icon (Settings) > General.
On the Panther AI tab, click the Enable Panther AI toggle to
ON
.The Enable Panther AI setting is set to
OFF
by default, and can only be updated by a user with the Edit Settings & SAML Preferences permission.Once Enable Panther AI is set to
ON
, the Run Panther AI permission will be:Granted automatically to the default Admin role.
Available to assign to additional roles. Learn how to update a role's permissions here.
If you have a Cloud Connected Panther instance, follow the instructions on the AWS Add or remove access to Amazon Bedrock foundation models documentation to request access to the following foundation models in the region your Panther instance is deployed in:
Claude 4.0 Sonnet v1 (
anthropic.claude-sonnet-4-20250514-v1:0
)Claude 3.7 Sonnet v1 (
anthropic.claude-3-7-sonnet-20250219-v1:0
)Claude 3.5 Sonnet v1 (
anthropic.claude-3-5-sonnet-20240620-v1:0
)Claude 3.5 Sonnet v2 (
anthropic.claude-3-5-sonnet-20241022-v2:0
)Claude 3.5 Haiku v1 (
anthropic.claude-3-5-haiku-20241022-v1:0
)
How Panther AI uses your data
Panther AI does not use your data for AI training. Your prompts and Panther AI responses are stored in your dedicated, single-tenant AWS account (like your logs).
You can enable Panther-managed detections for Amazon Bedrock to monitor its activity. If you are a Cloud Connected customer, you can also set up Amazon Bedrock Guardrails for extra protection.
AI permissions and scope
Panther AI assumes the role and associated permissions of the user running it—i.e., the user logged into the Console where AI operations are being run, or the user executing AI-related API calls.
This means Panther AI will not perform read or write operations the current user could not perform themselves. This includes log type access restrictions, if set for that user role.
AI prompt settings
Use AI prompt settings to tailor AI-generated content in Panther to your preferences. AI settings are universally applied to all AI entry points in Panther, but are specific to each Panther user.
To set your AI prompt settings:
Navigate to one of the AI prompt bars in the Panther Console:
On the right side of the prompt bar, click the Edit prompt settings icon:
.
Set the response length setting.
Click Save Settings.
Response length
The response length setting determines the size of the AI output and the amount time Panther AI spends "thinking." The shorter the response length setting value, the less closely Panther AI considers the details of the input, and the faster the model runs.
The response length AI setting has three possible values:
Short: Runs quickly and produces a brief summary.
Medium: Elaborates more than Short, but is usually shorter than five paragraphs.
Long: Allows Panther AI to conduct an intricate analysis, and can produce very long and detailed outputs.

Citations
When Panther AI aids in triaging or summarizing your data, it will return links to relevant data so you can verify its findings. Citations may include alerts, detections, and/or data queries.

Tools
Panther AI has access to has access to many of the same tools available to human users of Panther. When running tools (either in the Console or programmatically), Panther AI has the same permissions set as the current user. In general, Panther AI decides when to use a certain tool based on the task you give it. When entering your own prompt, you can direct it to use certain tools, if desired.
Alert management
alertListTool
: List recent alerts, with filtering optionsalertTool
: Get detailed alert information, including comments and associated eventscommentTool
: Add comments to alertsresolveAlertTool
: Resolve alerts with status updates
Data search and analysis
logSearchTool
: Find specific log records by attribute/value pairslogSketchTool
: Generate activity histograms across time periodscolumnSummaryTool
: Analyze distribution of attribute valuessqlTool
: Execute custom SQL queries for complex analysis
Detection management
detectionListTool
: List available detectionsdetectionTool
: Get detection metadata and codedetectionWriterTool
: Create new detections
Schemas and metadata
logTypesTool
: List available log typeslogTypeSchemaTool
: Get column details for specific log types
Query (Saved Search) management
listSavedQueriesTool
: List queries (Saved Searches)savedQueryWriterTool
: Created a Saved Search in SQL reusequeryResultsTool
: Retrieve query results
Enrichment and context
enrichmentTool
: Look up entity information (IPs, users, etc.)userListTool
: List Panther usersuserTool
: Get details about a user
AI responses
aiResponseTool
: Access AI response history
Last updated
Was this helpful?