Operational technology environments present detection challenges that standard IT security tools were never designed to solve. Industrial control systems speak specialized protocols such as Modbus/TCP, whose messages carry process commands rather than generic application data. They operate continuously with zero tolerance for disruption. And they require detection systems that understand what industrial network traffic is doing, not just whether it matches a signature or deviates from a statistical baseline.
The Technology Advancement Center (TAC) operates sophisticated OT ranges in Columbia, Maryland that simulate real-world critical infrastructure: manufacturing facilities, municipal water systems, power grid operations. These ranges serve as proving grounds for emerging security technologies. When TAC needed to validate AI-powered threat detection for their industrial control system networks, they deployed DeepTempo's LogLM foundation model to process flow captures and identify attack patterns in environments where traditional signature-based tools provide limited coverage.
What was deployed
DeepTempo processed raw flow captures from TAC's OT range containing both normal operational traffic and simulated attacks. The system converted the captures into behavioral timelines, time-ordered sequences of flows between endpoints, then processed those timelines through the LogLM foundation model to assign an intent label and a MITRE ATT&CK category to each. The structural patterns that distinguish malicious timelines from routine operational activity were learned by LogLM during pre-training, not from TAC's data.
Critically, the deployment required no fine-tuning or retraining on TAC's specific environment. LogLM operated in zero-shot mode, detecting attacks based solely on structural signatures learned during pre-training. The model had never seen TAC's industrial protocols, network topology, or operational workflows before deployment, yet identified malicious behavioral timelines with high accuracy.
Integration with CloudCurrent's VStrike Platform provided operators with storyline capabilities that synchronized DeepTempo detections with OT telemetry data. This created a unified operational picture where network-based threats could be correlated with physical process impacts. The deployment validated both on-premise architecture for air-gapped environments and secure integration with cloud-hosted services.
The system processed industrial protocols without per-environment tuning or baseline establishment. Zero-shot detection meant LogLM identified attacks on first exposure to TAC's environment, and each behavioral timeline was evaluated independently on its structural signature. An attacker can make every individual flow look normal: use legitimate protocols, respect rate limits, stay within approved services. What the attacker cannot do is accomplish reconnaissance, lateral movement, or command injection without producing a sequence of flows whose shape differs from routine operation, such as one-time contacts to many hosts, an unusual ordering of services, or timing that no polling loop would produce. The structure of the timeline is what reveals intent.
What was observed
DeepTempo identified all simulated attacks in the test scenarios without any fine-tuning on TAC's environment. LogLM assigned MITRE ATT&CK categories with confidence scores: 83% of detected malicious behavioral timelines were classified as reconnaissance and 17% as command and control. False positives are described as minimal (the case study gives no numeric rate), attributed to the clear separation between benign operational traffic and malicious activity. This zero-shot accuracy indicates that the foundation model had learned generalizable structural signatures of attack intent.
Analysis of LogLM's internal representations showed distinct clustering under zero-shot inference: benign operational traffic clustered separately from malicious behavioral timelines without manual baseline establishment or any environment-specific training. The foundation model had learned structural patterns that distinguish normal industrial operations from attack behaviors. Operators could see why a specific behavioral timeline was flagged as malicious by comparing its structural characteristics against known benign patterns.
VStrike integration enabled operators to replay security events and step through attack progressions with full context. When DeepTempo flagged a reconnaissance behavioral timeline, operators could visualize affected endpoints in their network topology, review the sequence of flows that triggered detection, and correlate network activity with operational telemetry. This capability proved valuable for incident response and training purposes. Security teams could document exactly how attacks manifested in their OT environment and understand the relationship between network-based detection and physical process impacts.
The deployment demonstrated zero-shot generalization across OT environments without retraining. TAC's ranges simulate diverse industrial scenarios: manufacturing assembly lines, water treatment facilities, electrical grid operations. LogLM detected attack patterns across these varied contexts because it learned the structural signatures of malicious intent rather than environment-specific baselines. A reconnaissance behavioral timeline has distinctive structure whether it occurs in a water treatment SCADA network or a manufacturing floor. The foundation model recognizes this structure without prior exposure to the specific environment.
Technical observations
Detection occurred at the behavioral timeline level, not at individual flow events. A single reconnaissance behavioral timeline might contain dozens of flows, each appearing normal when examined in isolation: legitimate DNS queries, standard service connections, approved protocol usage. The structural relationship between these flows, the timing patterns, and the sequence in which services were selected are what revealed reconnaissance intent. LogLM identified these structural signatures and assigned intent categories.
This approach differs fundamentally from anomaly detection, which measures deviation from baseline. Sophisticated attackers deliberately operate within baseline constraints. They use approved services, respect rate limits, and avoid unusual protocols. Traditional anomaly systems struggle to detect these attacks because nothing deviates from normal ranges. DeepTempo detects them because the behavioral timeline structure itself is abnormal, regardless of whether individual flows fall within expected parameters.
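The distinction drawn above, between checking each flow against a baseline and checking the structure of a whole timeline, can be made concrete with a small script. The following is an added illustration written for this page, not DeepTempo or LogLM code, and the rules it applies are deliberately simple hand-written heuristics standing in for a learned model. The flow records, the addresses, the thresholds (`ALLOWED_SERVICES`, `MAX_BYTES_PER_FLOW`, `MAX_FLOWS_PER_MINUTE`) and the two hosts are all constructed for the example. It shows a slow, one-address-at-a-time Modbus/TCP sweep that passes every per-flow check while its per-source timeline has a shape that no polling workstation produces.

```python
"""Per-flow baseline checks versus timeline-structure checks (added example).

Constructed scenario: an engineering workstation polls three PLCs on the
approved Modbus/TCP port, and a compromised host walks the same PLC subnet
one address at a time, slowly, on the same port. Every single flow from the
attacker is inside the per-flow baseline; only the timeline structure differs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-flow baseline for this environment (constructed values).
ALLOWED_SERVICES = {502: "modbus", 53: "dns", 443: "https"}
MAX_BYTES_PER_FLOW = 2000
MAX_FLOWS_PER_MINUTE = 30


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def constructed_flows():
    """Build the sample capture (constructed data, not a real OT range)."""
    flows = []
    # Benign: workstation 10.0.1.10 polls three PLCs every 10 s for 100 s.
    for i in range(10):
        for plc in ("10.0.2.11", "10.0.2.12", "10.0.2.13"):
            flows.append(Flow(i * 10.0, "10.0.1.10", plc, 502, "tcp", 96))
    # Recon: host 10.0.1.50 touches 10.0.2.1 .. 10.0.2.12 once each,
    # one small Modbus flow every 20 s, preceded by a single DNS lookup.
    flows.append(Flow(2.0, "10.0.1.50", "10.0.1.2", 53, "udp", 60))
    for i in range(12):
        flows.append(Flow(5.0 + i * 20.0, "10.0.1.50", f"10.0.2.{i + 1}", 502, "tcp", 80))
    return flows


def per_flow_anomalous(f: Flow) -> bool:
    """Baseline-style check on one flow in isolation: service and size."""
    return f.dport not in ALLOWED_SERVICES or f.bytes_out > MAX_BYTES_PER_FLOW


def rate_violations(flows) -> int:
    """Baseline-style check on volume: flows per source per minute bucket."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f.src, int(f.ts // 60))] += 1
    return sum(1 for n in buckets.values() if n > MAX_FLOWS_PER_MINUTE)


def timelines(flows, window_s=600):
    """Group flows into per-source, time-ordered behavioral timelines.

    A source whose activity spans more than window_s seconds yields several
    timelines; the sample fits in one window per host.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    result = []
    for src, fs in by_src.items():
        start, cur = fs[0].ts, []
        for f in fs:
            if f.ts - start > window_s:
                result.append((src, cur))
                start, cur = f.ts, []
            cur.append(f)
        result.append((src, cur))
    return result


def structure(timeline):
    """Structural features of a timeline, independent of per-flow values."""
    modbus = [f for f in timeline if f.dport == 502]
    dests = [f.dst for f in modbus]
    distinct = set(dests)
    single_touch = sum(1 for d in distinct if dests.count(d) == 1)
    octets = [int(f.dst.rsplit(".", 1)[1]) for f in modbus]
    sequential = len(distinct) >= 3 and all(a < b for a, b in zip(octets, octets[1:]))
    return {
        "distinct_dests": len(distinct),
        "single_touch_ratio": single_touch / len(distinct) if distinct else 0.0,
        "sequential": sequential,
    }


def classify(timeline) -> str:
    """Hand-written stand-in for a learned intent label (hypothetical rule)."""
    s = structure(timeline)
    if s["distinct_dests"] >= 8 and s["single_touch_ratio"] >= 0.9:
        return "reconnaissance"
    return "benign"


def run(flows):
    """Return (per-flow alerts, rate alerts, {source: timeline verdict})."""
    flow_alerts = sum(per_flow_anomalous(f) for f in flows)
    verdicts = {src: classify(tl) for src, tl in timelines(flows)}
    return flow_alerts, rate_violations(flows), verdicts


if __name__ == "__main__":
    print(run(constructed_flows()))
```

Run stand-alone, the script reports zero per-flow alerts and zero rate violations for both hosts, yet labels the timeline of 10.0.1.50 as reconnaissance and that of 10.0.1.10 as benign. The point is the one the text makes: the attacker stayed on an approved port, under the size limit and far under the rate limit, but a timeline of twelve single-touch contacts to consecutive addresses has a shape that a polling loop never produces. A real model learns such shapes rather than having them hand-coded, and a practitioner should expect the hand-written rule here to miss sweeps that randomize order or revisit hosts.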
Lessons learned
OT environments require detection systems that understand industrial protocols without disrupting operations. DeepTempo's agentless architecture processes network flow data passively. No agents run on industrial controllers. No inline inspection blocks critical communications. The system observes behavioral timelines and assigns intent based on structural patterns. This design aligns with OT security requirements: continuous monitoring, minimal false positives, zero operational disruption.
Zero-shot detection eliminates deployment friction in critical infrastructure. Baseline-driven detection systems typically require weeks of observation, threshold tuning, and learning of environment-specific patterns before they become effective, and any change to the process or network ages that baseline. LogLM detected attacks immediately upon deployment without observing TAC's environment first. This capability matters for organizations that cannot afford extended tuning periods or that operate in dynamic environments where baselines go stale quickly.
Integration capabilities matter as much as detection accuracy. Security teams need to visualize threats in operational context, correlate network detections with process telemetry, and replay incidents for investigation. The CloudCurrent VStrike Platform integration demonstrated how AI-powered detection combines with advanced visualization to create actionable intelligence. Operators could see not just that an attack occurred, but where it targeted their infrastructure, what it attempted to accomplish, and how it manifested in network traffic patterns.
Flexible deployment models enable adoption in diverse environments. Some critical infrastructure organizations require on-premise deployment in air-gapped networks. Others prefer cloud-hosted managed services. DeepTempo supports both architectures with identical detection capabilities. The foundation model operates the same way regardless of deployment location. This flexibility proved essential for TAC's evaluation, as their ranges simulate both highly secure government facilities and commercial infrastructure with cloud integration.
Closing note
The TAC deployment validated that deep learning foundation models can provide high-accuracy threat detection in operational technology environments through zero-shot inference. By learning structural signatures of malicious intent rather than relying on byte-pattern signatures or anomaly scoring, DeepTempo detected the simulated attacks while keeping false positives minimal, without any environment-specific tuning. The combination of LogLM's intent detection and CloudCurrent's VStrike Platform visualization produced a detection system that security teams could trust in environments where false alarms and missed detections both carry unacceptable risk.
As critical infrastructure faces increasingly sophisticated threats, from nation-state reconnaissance to ransomware campaigns targeting industrial control systems, detection capabilities must evolve beyond signature matching and baseline deviation. Foundation models that understand the semantic meaning of network behavior provide a path forward: detecting attacks based on what they attempt to accomplish, not just how they differ from historical patterns.
Get in touch to run a 30-day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify active threats, including ones that your existing NDRs and SIEMs may be missing.