elastic
diff --git a/‎docs/serverless/AI-for-security/attack-discovery.mdx‎
Lines changed: 3 additions & 2 deletions b/‎docs/serverless/AI-for-security/attack-discovery.mdx‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎docs/serverless/AI-for-security/images/attck-disc-example-disc.png‎
-108 KB b/‎docs/serverless/AI-for-security/images/attck-disc-example-disc.png‎
-108 KB
diff --git a/‎docs/serverless/images/attack-discovery/attack-discovery-full-card.png‎
222 KB b/‎docs/serverless/images/attack-discovery/attack-discovery-full-card.png‎
222 KB
diff --git a/‎docs/serverless/images/attack-discovery/attck-disc-example-disc.png‎
-108 KB b/‎docs/serverless/images/attack-discovery/attck-disc-example-disc.png‎
-108 KB
@@ -38,7 +38,7 @@ When you access Attack discovery for the first time, you'll need to select an LL
 2. Select an existing connector from the dropdown menu, or add a new one. 
 
 <DocCallOut title="Recommended models">
-While Attack discovery is compatible with many different models, refer to the <DocLink slug="/serverless/security/llm-performance-matrix"> Large language model performance matrix </DocLink> to see which models perform best.
+While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery.
 </DocCallOut>
 
 ![Attack discovery empty state](../images/attack-discovery/attck-disc-select-model-empty-state.png) 
@@ -54,6 +54,7 @@ Attack discovery is in technical preview and will only analyze opened and acknow
 ![AI Assistant knowledge base menu](../images/attack-discovery/attck-disc-alerts-number-menu.png)
 
 
+
 <DocCallOut title="Important">
 Attack discovery uses the same data anonymization settings as <DocLink slug="/serverless/security/ai-assistant">Elastic AI Assistant</DocLink>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. 
 </DocCallOut>
@@ -69,7 +70,7 @@ Each discovery includes the following information describing the potential threa
 - The number of associated alerts and which parts of the [MITRE ATT&CK matrix](https://attack.mitre.org/) they correspond to.
 - The implicated entities (users and hosts), and what suspicious activity was observed for each.
 
-![Attack discovery detail view](../images/attack-discovery/attck-disc-example-disc.png)
+![Attack discovery detail view](../images/attack-discovery/attack-discovery-full-card.png)
 
 <div id="workflows"></div>
 ## Incorporate discoveries with other workflows