Reco reduced incident response time by 63% with Amazon Bedrock

Reco integrated Amazon Bedrock into its SaaS risk analysis system and trained it to turn raw security alerts into comprehensible incident stories. As a result, the company's clients resolve suspicious activity noticeably faster, and first-line teams escalate cases to experts less frequently.

Why Alerts Slow Down Operations

A modern security alert rarely looks like a ready-made answer to the question of what exactly happened and how dangerous it is. It is usually an array of structured fields, technical indicators, and JSON events that an engineer must manually parse, correlate with other signals, and translate into plain language for colleagues. Time is lost at this stage, along with the chance to respond quickly to a genuinely important threat. The more SaaS services a company uses, the higher the volume of such notifications and the harder it becomes to separate noise from events requiring immediate attention.

Reco had two applied objectives. The first was to ensure that an analyst could understand the meaning of an alert without lengthy manual decoding of fields and relationships. The second was to go beyond a brief summary and immediately suggest how to continue the investigation and what to do next. For a SOC this is critical: it is one thing to spot a suspicious login or anomalous user behavior, and quite another to quickly understand the potential damage, incident priority, and specific steps for verifying and mitigating the risk.

How the Generator Works

To solve this task, Reco uses an Alert Story Generator powered by Anthropic Claude in Amazon Bedrock. The system takes a specific alert, retrieves its metadata and examples of past analyses, and then assembles a contextual prompt. A key role was played by the shift from a zero-shot to a few-shot approach: carefully selected reference examples noticeably improved the stability and structure of the model's responses. Additionally, Reco selects examples dynamically — depending on the alert's source and type — so that the model relies not on a generic template but on relevant scenarios.

• Converting raw JSON into a short, comprehensible description
• Highlighting key risks, potential damage, and response priority
• Generating ready-made investigation queries
• Preparing a summary understandable to both the security team and business stakeholders
• Generating risk mitigation recommendations without manual assembly of steps

The pipeline that follows is fairly straightforward: the user selects an alert in the interface, the system retrieves the JSON from the database, combines it with few-shot examples and so-called golden examples, and then sends the request to Claude Sonnet via Amazon Bedrock. The response is returned to the client already in the form of a ready-made interpretation and a list of actions. The entire setup is deployed on AWS: microservices run on Amazon EKS, contextual data is stored in Amazon RDS for PostgreSQL, interface access is protected by AWS WAF, and delivery is accelerated by Amazon CloudFront. Separately, Reco uses Bedrock prompt caching, which helped reduce inference latency by 75%.

What Changed for the SOC

The most important thing in this case is the measurable effect, not just a pretty interface on top of an LLM. According to Reco's data, investigation time improved by 54%, because analysts no longer need to build queries from scratch and manually interpret every field in an alert. Incident response time decreased by 63%: the system immediately offers prioritized recommendations that can be put to work without lengthy preliminary preparation. This is especially noticeable on the first line of support, where previously many cases had to be quickly handed off to more expensive and scarce specialists.

The communication effect is equally important. Security teams constantly work at the intersection of technology and business, and here time losses often arise not only from analysis but also from translating technical details into language understandable to executives and adjacent teams. Reco addresses this problem by turning a dry set of signals into a self-contained explanation with context, risk assessment, and next steps. As a result, analysts dig deeper precisely where it is needed, rather than spending time on the mechanical assembly of queries, retelling logs, and repeated explanations for non-engineering participants in the process.

What This Means

The Reco case shows that generative AI in security is beginning to deliver value not at the demo level but within the operational loop with specific metrics. The main benefit here is not that the model can explain alerts, but in compressing the time between the appearance of a signal, understanding the risk, and taking action. For the enterprise market, this is one of the most practical LLM implementation scenarios: less manual routine, faster initial triage, and a more predictable response process.