As the volume of information to be processed within cyber crisis management cells grows, artificial intelligence appears as a tool that can automate certain tasks, accelerate the analysis of complex situations and facilitate the coordination of the actors involved. What remains to be determined is how to effectively integrate these capabilities within existing systems.
Organizations already rely on structured systems: procedures, decision-making cells, collaborative tools, cyber crisis management platforms and ITSM systems. AI must not replace these mechanisms, but rather integrate smoothly with them in order to improve their operational efficiency.
This integration relies largely on the technical architecture choices that make it possible to connect AI capabilities to existing systems. Several approaches are available today, each with its own advantages and limitations in terms of security, sovereignty, performance and implementation complexity.
Using online AI APIs: the fast track
The first approach consists of using AI services accessible via API in the cloud. Many providers now offer powerful models accessible in this way, making it possible to quickly integrate advanced features into existing tools.
In a cyber crisis management context, these APIs can be used to automate certain tasks at the heart of operational workflows:
- generating situation updates,
- summarizing information flows,
- drafting communication materials
- translating messages in an international context.
The main appeal of this approach lies in its simplicity of deployment and immediate access to the best-performing models on the market. Technical integration is generally quick and does not require specific infrastructure.
On the other hand, this option raises significant questions in terms of data security and digital sovereignty. Information related to a crisis can be sensitive: internal data, technical details about an attack, strategic information or confidential exchanges.
This approach is particularly relevant for uses with low information sensitivity, such as assisted drafting, translation or the summarization of generic content.
🔗 Read also: AI and crisis management: a powerful lever under certain conditions
Deploying local AI: control over data
A second approach consists of deploying AI models directly within the organization’s infrastructure, in an on-premise or private cloud environment.
This architecture generally relies on the use of open-source models, which can be run locally and integrated with internal systems. In a cyber crisis management program, these models can be connected to existing tools in order to directly process information from technical systems, incident tickets or internal documentation bases.
The major advantage of this approach is complete control over data flows. Sensitive information does not leave the organization’s infrastructure, which facilitates compliance with security requirements, regulatory constraints and sovereignty considerations.
In return, this option involves greater technical investment: compute infrastructure (notably GPUs), model operation, performance optimization and maintenance. While the performance of open-source models is progressing rapidly, it may in some cases remain slightly below that of the most advanced cloud services.
This approach is particularly well suited to organizations handling highly sensitive information, especially in regulated sectors or critical infrastructure.
AI agents: automating cyber crisis workflows
Beyond simply calling an AI model, some architectures rely on the deployment of intelligent agents capable of executing tasks within an operational workflow.
An AI agent can, for example:
- collect information from several tools;
- analyze the available data;
- generate a situation update;
- prepare documents for validation by the crisis cell.
In a cyber crisis management cell, these agents can play a role of continuous assistance, by automating certain repetitive and time-consuming tasks.
For example, an agent dedicated to situation tracking could aggregate information from technical systems, field reports and internal exchanges, then automatically produce a situation report at regular intervals.
Another agent could assist communications teams by preparing draft messaging tailored to the different stakeholders, based on reactions on social media.
This approach enables more advanced workflow automation, but it also requires rigorous governance. Human validation mechanisms, action traceability and decision oversight remain essential in order to prevent excessive automation in a context where human decisions remain central.
MCP servers: structuring access to data
A fourth approach relies on the use of MCP servers (Model Context Protocol), an emerging standard that makes it possible to organize AI models’ access to an organization’s data and tools, thereby ensuring their interoperability.
In this architecture, an MCP server acts as a structured interface between AI models and internal resources: documentation bases, crisis references, operational procedures, incident logbooks or business applications.
This approach makes it possible to precisely control the data accessible to the AI, while ensuring traceability and auditability of interactions.
In a cyber crisis management context, this makes it possible, for example, for an AI assistant to access specific resources:
- cyber crisis management and resilience tools;
- security solutions;
- business applications.
The AI can then produce analyses or recommendations by drawing directly on the organization’s internal references or by aggregating data from several sources.
While this architecture offers a high level of control and modularity, it remains relatively emerging and requires technical skills to implement.
Comparative table of AI integration approaches in cyber crisis management
| Approach | Sensitivity of data processed | Technical complexity | Main benefit | Main limitation |
| Cloud API | Low to moderate | Low | Speed of deployment and model performance | Data security and sovereignty concerns |
| Local AI | High | High | Full control over data flows | Infrastructure and maintenance requirements |
| AI agents | Variable | Medium | Automation of operational workflows | Need for governance and human oversight |
| MCP servers | High | High | Control over access to data and tools | Still-emerging technology requiring specific skills |
Conclusion: toward a hybrid architecture
In practice, the most advanced organizations are moving toward hybrid architectures combining several of these approaches.
Cloud APIs can be used for generic, low-sensitivity tasks such as translation or assisted drafting. Local models make it possible to process sensitive data within the internal infrastructure. AI agents orchestrate operational workflows, while MCP servers structure access to data and business tools. These different technical approaches can moreover be orchestrated together.
Integrating AI into cyber crisis management is therefore not simply a matter of adopting an additional tool. From this perspective, architecture and orchestration choices (cloud, local, agents, integration protocols) are the structuring elements of the transformation of cyber crisis management programs in the age of artificial intelligence.
🔗 Read also: AI and decision-making in cyber crisis management: benefits, biases and limits
FAQ: AI and cyber crisis management
Read the article
Publication of the ReCyF framework: ANSSI is concretely preparing organizations for the NIS2 era
6 July 2026Read the article
Offensive AI and the summer period: 5 actions to launch now to prepare your organization
6 July 2026Read the article