Retrieval-augmented generation (RAG) is a design pattern that combines a language model with an external retrieval layer, such as a document store, search index, or knowledge base. Instead of answering only from its training data, the model first fetches relevant material and then uses that material to generate a response.
In cyber security, RAG matters because it changes both accuracy and risk. It can improve defensive tools by grounding answers in approved policies, ticket history, or threat intelligence, reducing hallucinations. But the retrieval layer also becomes an attack surface: poisoned documents, weak access controls, and prompt-injection content can steer the model toward unsafe or misleading output. Good defenses include strict source permissions, content validation, ranking and filtering of retrieved text, logging, and human review for sensitive actions. In short, RAG is useful when organizations want AI output tied to trusted data, but only if the data pipeline is secured like any other critical system.