Recursive Summarization in Security Incident ResponseToken Limitations in Security Incident Summarization The out-of-the-box Security Incident Summarization skill supports up to ~16,000 input tokens in its LLM API calls. For large security incidents, any payload exceeding this limit is truncated by the system using a default strategy that omits older activities during payload construction. As a result, the system may fail to capture the complete context of larger incidents. Recursive Summarization for Full Context To address this, customers can enable the recursive summarization option. This approach divides the input into smaller segments, generates summaries for each, and combines these responses to create a final input for the summary request, ensuring the full context is preserved. However, this method significantly increases the time taken to generate summaries due to multiple LLM calls made for chunked inputs. Balancing Performance and Context Our internal data discovery indicates that % of large security incidents is usually minimal and also our internal testing shows higher latency of ~50 sec for recursive summarization. Based on this recursive summarization is turned off out of the box. However customers can review the % of larger security incidents in their environment and decide whether enabling this option is suitable for their needs. Enabling Recursive Summarization If you need to enable recursive summarization, please contact ServiceNow Support for assistance.