A Private AI Standard for Cyber Red and Blue Team Exercises
- Jun 4
- 4 min read
Helping cybersecurity teams use private AI for telemetry review, evidence analysis, and human-validated decision support

Cybersecurity teams are being asked to adopt Artificial Intelligence, but many organizations are still working through a practical question:
How should cyber teams use AI responsibly with real security telemetry, logs, alerts, threat intelligence, and evidence?
ISAUnited is developing the RBEX Private AI Standard, a two-part standards release focused on using private AI as a controlled analysis capability for cyber team Red and Blue Engineering Exercises. This standard is not designed to replace analysts, engineers, architects, or leadership judgment. It is not an autonomous response model. It is a recommended approach for using private AI in a read-only, evidence-based, and human-validated manner.
Why This Standard Matters
Many organizations already collect security data across identity systems, cloud platforms, endpoint tools, SaaS applications, SIEMs, ticketing systems, and threat intelligence sources.
The challenge is not just collecting the data. The challenge is turning that data into useful exercise analysis, detection review, defensive improvement, and after-action learning.
The RBEX Private AI Standard is being developed to help organizations use private AI to support this process without exposing sensitive data to unapproved tools or allowing AI to take uncontrolled action.
How This Relates to Continuous Threat Exposure Management (CTEM)
Continuous Threat Exposure Management is helping organizations think more continuously about exposure, validation, and improvement. The RBEX Private AI Standard takes a different but complementary angle: how cyber teams can use a private, organization-controlled AI capability to review telemetry, analyze evidence, validate detections, support Red and Blue Engineering Exercises, and produce human-validated decision support. Vendor tools can help identify and validate exposure. RBEX Private AI focuses on the team-owned analysis layer.
What the Standard Will Cover
The standard will focus on how private AI can support RBEX activities, including telemetry review, evidence analysis, detection validation, control gap review, threat map support, after-action reporting, and recurring readiness reviews. The standard will remain vendor-neutral. It will not require a specific AI provider, cloud provider, SIEM, endpoint tool, or security platform.
Instead, it will define the recommended structure, governance, readiness expectations, usage model, and human validation practices needed to use private AI safely and effectively during cyber team Red and Blue Engineering Exercises.
Part 1: Capability and Readiness
Capability, Governance, and Readiness Requirements
Part 1 will focus on what organizations should have in place before using private AI for RBEX.
This includes the recommended capability model, governance expectations, data source readiness, log preparation, evidence storage, retrieval design, access control, privacy boundaries, auditability, and human validation requirements. This part is intended for executives, cybersecurity leaders, application teams, cloud teams, data teams, GRC teams, and security architecture stakeholders.
Part 2: Operations and Use Playbook
Telemetry Review, Evidence Analysis, and Human Validated Decision Support
Part 2 will focus on how RBEX teams use an approved private AI capability during exercises.
This includes role-based workflows, prompt structure, telemetry review, red team analysis, blue team detection review, engineering gap review, threat map support, after-action outputs, and a recurring RBEX cadence. This part is intended for exercise managers, red teams, blue teams, cybersecurity engineers, security architects, and executive reporting users.
What Private AI Should Do in RBEX
The RBEX Private AI Standard will position private AI as an analysis assistant.
Private AI may help teams review approved telemetry, summarize exercise evidence, map observed activity to threat paths, compare red team actions against blue team detections, identify telemetry gaps, draft after-action findings, and support human decision-making.
The AI output should remain draft until reviewed and validated by authorized humans.
What Private AI Should Not Do
The standard will also define clear boundaries.
Private AI should not execute production changes, disable accounts, modify security controls, trigger containment actions, generate unauthorized offensive instructions, or create final RBEX findings without human validation. This boundary is important. RBEX is focused on controlled analysis, evidence review, and readiness improvement, not uncontrolled automation.
Who This Is For
The RBEX Private AI Standard is being developed for organizations that want a responsible way to use private AI with their own security data. It is relevant for cybersecurity leaders, red teams, blue teams, security engineers, security architects, application teams, cloud teams, data teams, GRC teams, and executives evaluating private AI investment. It also supports organizations that may already have private AI capability and need a structured way to apply it to cybersecurity exercises.
Standards Release Preview
The RBEX Private AI Standard is currently in development as a two-part ISAUnited standards release. The goal is to help cybersecurity teams use private AI in a way that is practical, controlled, evidence-based, vendor-neutral, and aligned to Red and Blue Engineering Exercises.
Stay informed as ISAUnited’s Task Group ISAU-TG54-2025 develops the RBEX Private AI Standard. Subscribe for updates on the release of Part 1: Capability and Readiness and Part 2: Operations and Use Playbook at ISAUnited.org.
ISAUnited is also advancing the professional pathway for practitioners who support authorized red and blue team exercises through the Certified Professional Red Team Engineer (CPRTE) credential and the Red Recon Mission Pack. Together, they help cybersecurity practitioners move beyond tool use and into disciplined Red Team Engineering—focused on lawful scope, threat-informed exercise design, architecture exposure mapping, evidence, and defensive improvement. As RBEX and Private AI mature, the Red Team Engineer role will become even more important for helping organizations conduct safer, smarter, and more defensible adversarial exercises.



