As IoT environments grow more complex, security operations are reaching a point where labor-intensive, manual approaches are no longer sufficient. Hitachi’s “AI for Security” is a portfolio of AI technologies that covers the entire lifecycle, from product planning and design to operations, reducing dependence on individual expertise while enhancing security quality.
In particular, our vulnerability management technology automatically analyzes the impact of vast amounts of vulnerability data on relevant products and generates checklists in Japanese, enabling even personnel with limited security expertise to make sound judgments while reducing investigation time by approximately 45%. The technology also supports Product Security Incident Response Teams (PSIRTs) in the manufacturing sector, where the need to comply with international regulations, including the EU’s Cyber Resilience Act (CRA), is increasing. To learn more about this technology, we interviewed Nobuyoshi Morita, Senior Researcher, and Momoka Kasuya, Researcher, of the Security & Trust Research Department, Systems Innovation Center, Digital Innovation R&D, Research & Development Group, Hitachi, Ltd.
(Note: Titles and affiliations are as of the time of the interview.)
By Kazumichi Moriyama, Science Writer
The Limits of Labor-Intensive Security Operations and the Need for Structured Data
Hitachi announced that it will enhance its PSIRT solutions with the launch of its generative AI-based Vulnerability Analysis Service on March 5, 2025, designed to supplement the expertise required to address vulnerabilities in the security of IoT products and systems. This technology leverages generative AI to automate the analysis of vulnerability information, enabling design and development engineers with limited security expertise to make timely decisions. In simple terms, it is an initiative to use AI to improve security operations, supporting customers with limited in-house expertise so that security does not depend on a small number of specialists.
Each year, about 30,000 new vulnerabilities are registered in the Common Vulnerabilities and Exposures (CVE) database, and with international regulation tightening, including the EU’s CRA, which will become fully applicable in December 2027, the burden on PSIRTs in the manufacturing sector is growing heavier by the day. During the operational phase, PSIRTs must also go back through hundreds of thousands of past records to determine whether any of them are relevant to their products. Cross-referencing this volume of data against their own Software Bill of Materials (SBOM) to identify the risks that require action has become unmanageable by hand, placing an enormous burden on design and development teams.
For personnel with limited security expertise, vulnerability information alone is often insufficient even to determine which parts are relevant to their products. The current framework cannot keep pace with expanding product portfolios and increasing service scale. As a result, overreliance on experts turns the judgment process into a black box, creating the risk that management will be unable to make timely decisions on issues such as whether to apply patches or suspend services.
In other words, what is required is not simply an automation tool, but rather the standardization of security operations—using AI to structure the thought processes of experts and enable anyone to make logical decisions.
How to Manage Risk in Systems That Cannot Be Easily Shut Down
By leveraging generative AI, the service analyzes vulnerability information that would otherwise require specialized expertise and provides checklists covering only the conditions under which vulnerabilities may have an impact. It is designed for OT/critical infrastructure domains, such as healthcare, industrial equipment, and automotive, where products and services are not easily updated and where stopping operations is difficult or extremely costly, supporting the secure development and operation of such products and services.
While IT security principles value confidentiality and integrity—requiring immediate patching or system shutdown when risks arise—these domains prioritize availability. Updates are difficult, as patching without due consideration can lead to costly revalidation and recertification, as well as social and economic losses. Even when vulnerabilities are reported, it is often unclear what to check and how to verify it, making immediate patching difficult. As a result, responses are often handled in a manner that depends heavily on individual security experts.
This is why risk mitigation is critical. With this vulnerability management technology, anyone can determine, based on AI-generated checklists, that an attack may occur if all listed conditions are met. In other words, if evidence shows that avoiding specific configuration conditions prevents a vulnerability from being triggered, operations can continue without immediate patching or system shutdown.

How Generative AI Extracts Logical Structure to Enable Advanced Analysis and Countermeasures for All
How does it work in practice? The vulnerability management process consists of three key stages: detection, triage, and assessment of whether countermeasures are required. Hitachi has developed three core technologies that logically structure the process from vulnerability detection through impact assessment.
In detection, SBOMs are accurately matched with vulnerability information. Generative AI uses context to absorb variations in product names, versions, and other descriptions, enabling precise mapping. This automatically narrows down investigation targets and significantly reduces the workload in the initial phase.
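The detection step described above, as an added Python example that is not Hitachi’s implementation. The article says generative AI uses context to absorb variations in product names and versions; here a deterministic normalization (lowercasing, dropping punctuation, splitting version strings into numeric and alphabetic parts) stands in for that, so what the example shows is the matching of an SBOM against affected version ranges. The SBOM entries and vulnerability records are constructed, and the vulnerability identifiers are placeholders, not real CVEs.

```python
import re

# Constructed SBOM for a hypothetical product, in the loose spellings a
# real inventory often contains ("OpenSSL" vs "openssl", "lib-curl" vs "libcurl").
SBOM = [
    {"name": "OpenSSL", "version": "1.1.1k"},
    {"name": "lib-curl", "version": "7.79.1"},
    {"name": "zlib", "version": "1.2.13"},
]

# Constructed vulnerability records shaped like a CVE entry with an affected
# version range [min, max_excl). The ids are placeholders, not real CVEs.
VULNS = [
    {"id": "CVE-EXAMPLE-0001", "product": "openssl", "min": "1.1.1", "max_excl": "1.1.1l"},
    {"id": "CVE-EXAMPLE-0002", "product": "libcurl", "min": "7.0.0", "max_excl": "7.80.0"},
    {"id": "CVE-EXAMPLE-0003", "product": "zlib", "min": "1.2.0", "max_excl": "1.2.12"},
]


def normalize_name(name: str) -> str:
    """Collapse case and punctuation so 'lib-curl', 'libcurl' and 'LibCurl' agree."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_key(version: str) -> tuple:
    """Split '1.1.1k' into comparable parts: numbers compare numerically,
    letter suffixes (as used by OpenSSL) compare lexically after the number."""
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def in_range(version: str, lo: str, hi_excl: str) -> bool:
    """True if lo <= version < hi_excl under version_key ordering."""
    return version_key(lo) <= version_key(version) < version_key(hi_excl)


def match_sbom(sbom, vulns):
    """Return (component, version, vuln id) for every SBOM component whose
    normalized name matches a record and whose version is in the affected range."""
    findings = []
    for comp in sbom:
        cname = normalize_name(comp["name"])
        for vuln in vulns:
            if normalize_name(vuln["product"]) != cname:
                continue
            if in_range(comp["version"], vuln["min"], vuln["max_excl"]):
                findings.append((comp["name"], comp["version"], vuln["id"]))
    return findings


if __name__ == "__main__":
    for name, version, vuln_id in match_sbom(SBOM, VULNS):
        print(f"{name} {version}: investigate {vuln_id}")
```

Only OpenSSL and lib-curl are reported: zlib 1.2.13 is above the constructed affected range, so it is dropped before an analyst ever looks at it. Real CPE-style matching has more edge cases (vendor prefixes, distro backports that keep an old version string), which is the variation the article leaves to the model.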
In triage, priorities are quantitatively assessed. For large volumes of items not yet handled, the order in which action should be taken is determined based on risk. This avoids confusion in the initial stages of operation and enables limited resources to be focused on high-priority items. This triage technology, however, is still under research and development.
In the assessment of whether countermeasures are required, vulnerability information and patches are analyzed to automatically generate decision logic and extract specific conditions for impact assessment. This clarifies what should be checked and in what order, providing a logically consistent basis for continued operation without specialized expertise.
The key point is that generative AI is applied not to simple summarization or search, but to the logical structuring of vulnerability trigger conditions—Boolean Logic Extraction. It does not simply determine whether there is an impact. A technology is also under research that uses vulnerability information such as CVEs to extract and analyze the conditions under which a vulnerability may be triggered—such as software versions, the use of certain functions, how arguments are handled, and network configurations—and outputs a decision table structured as logical conditions (AND/OR).
This enables analysts to determine whether all of the specified conditions must be met or whether any one of them is sufficient, allowing them to make sophisticated security judgments simply by checking their own product specifications. In short, by following the checklist, they can determine whether a vulnerability could actually be triggered in the product. The technology has received positive evaluations for reducing investigation time by approximately 45% compared with conventional methods. Automatically generated checklists can also help standardize quality by eliminating differences in skill levels among personnel and preventing omissions.
Its value extends beyond simply shortening investigation time. A key feature of this technology is the ability to provide a logical basis for continued operation. By formalizing the conditions under which a vulnerability will not be triggered, it supports continued operations while ensuring safety and avoiding unnecessary system shutdowns.
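The AND/OR decision table described in the preceding paragraphs, evaluated against a product profile, as an added Python example. This is not Hitachi’s code: the vulnerability, its condition tree, the check wording and the product profiles are all constructed to illustrate the structure the article describes (version, use of a function, handling of its input, network configuration). It also handles one case the article’s “if evidence shows” wording implies: a check the analyst has not answered must not count as evidence that the vulnerability is avoided.

```python
# Constructed decision table for a hypothetical vulnerability (not a real CVE).
# The vulnerability is triggered only when every AND branch holds; the OR branch
# holds when either input path exists.
DECISION_TABLE = {
    "op": "AND",
    "items": [
        {"check": "Library version is in the affected range", "key": "affected_version"},
        {"check": "Product calls the vulnerable parse function", "key": "uses_parse_function"},
        {"op": "OR", "items": [
            {"check": "Parse input arrives over a network interface", "key": "network_input"},
            {"check": "Parse input is read from untrusted files", "key": "untrusted_file_input"},
        ]},
    ],
}


def checklist(node):
    """Flatten the table into the ordered questions an analyst answers from the spec."""
    if "key" in node:
        return [node["check"]]
    return [c for child in node["items"] for c in checklist(child)]


def evaluate(node, profile):
    """Return (met, basis, unknown).

    met     - True if the condition holds, or cannot be ruled out.
    basis   - leaf checks shown to be unmet that justify met == False.
    unknown - leaf checks the profile leaves unanswered (None or missing);
              they are assumed met, i.e. the worst case, and reported.
    """
    if "key" in node:
        answer = profile.get(node["key"])
        if answer is None:
            return True, [], [node["check"]]
        return bool(answer), ([] if answer else [node["check"]]), []
    results = [evaluate(child, profile) for child in node["items"]]
    unknown = [u for _, _, us in results for u in us]
    if node["op"] == "AND":
        met = all(m for m, _, _ in results)
        # Any single unmet branch is sufficient evidence; collect them all.
        basis = [] if met else [b for m, bs, _ in results if not m for b in bs]
    elif node["op"] == "OR":
        met = any(m for m, _, _ in results)
        # An OR is ruled out only when every alternative is shown unmet.
        basis = [] if met else [b for _, bs, _ in results for b in bs]
    else:
        raise ValueError(f"unknown operator {node['op']!r}")
    return met, basis, unknown


def assess(table, profile):
    """Map the evaluation onto the three outcomes an operator acts on."""
    met, basis, unknown = evaluate(table, profile)
    if not met:
        return {"verdict": "not triggered", "basis": basis, "open": []}
    if unknown:
        return {"verdict": "cannot be ruled out", "basis": [], "open": unknown}
    return {"verdict": "may be triggered", "basis": [], "open": []}


if __name__ == "__main__":
    # Constructed profile: vulnerable version and function, but the parser only
    # ever sees data from the product's own signed configuration.
    profile = {"affected_version": True, "uses_parse_function": True,
               "network_input": False, "untrusted_file_input": False}
    for i, question in enumerate(checklist(DECISION_TABLE), 1):
        print(f"{i}. {question}: {profile.get(question, '')}")
    print(assess(DECISION_TABLE, profile))
```

The “not triggered” verdict carries the unmet checks as its basis, which is the documented reason for continuing operation without an immediate patch; “cannot be ruled out” lists exactly which questions still need an answer from the specification before that basis exists.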
Internal Deployment and Compliance with Global Regulations
Today, security compliance has become a prerequisite for market entry. The EU’s CRA requires long-term vulnerability management for digital products even after they are placed on the market, along with prompt reporting in the event of an incident. With the EU’s CRA introducing reporting obligations in 2026 and becoming fully applicable in 2027, moving away from manual management has become essential.
Hitachi is using this technology internally, positioning itself as the first customer, “Customer Zero,” within actual operations in the Connective Industries Sector, while strengthening and expanding its capabilities. Its ultimate goal is not only to improve efficiency in the operational phase, but also to use AI to ensure consistency throughout the entire product lifecycle. To achieve this, agent-based AI will be deployed to autonomously perform cross-functional analysis of software execution paths, network configurations, and even design documents, enabling more advanced and precise impact assessment. Regulatory checks at the planning stage will be seamlessly integrated with the development, testing, and operational phases to automate compliance.
“Without relying on security experts, we secure our customers’ operations and systems. We also use AI to support their operations across the entire product lifecycle, contributing to greater efficiency, accuracy, and safety,” the two said. “AI for Security” demonstrates what distinguishes Hitachi’s AI from that of other companies: it is tuned to deliver greater reliability.