Blog

The detection gap in encrypted east-west traffic


How the network detection stack got here

Most NDR products were designed in an era where unencrypted protocols were common, perimeter inspection points were dense, and lateral movement happened over relatively visible channels. That world is gone. Three structural shifts produced the current detection gap.

Encryption became the default. TLS 1.3 hides server name indication and certificate details that earlier versions exposed. Internal services use mTLS by default in modern architectures. Service meshes encrypt east-west traffic as a baseline configuration. Packet inspection that was useful in 2018 is not useful against 2026 traffic.

Traffic volume shifted east-west. Cloud-native architectures decompose applications into many small services that communicate constantly. Microservices architectures, container orchestration, and service-to-service authentication produce more internal traffic than internet-bound traffic in most modern environments.

Inspection points became sparse. Public-cloud environments do not provide the inline inspection points enterprise networks did. Inspecting all VPC traffic via a network appliance is expensive, latency-adding, and architecturally awkward. Most cloud environments do not do it. They emit flow telemetry instead.

Together these shifts define the gap: most traffic is encrypted, flows between internal services, and passes few if any inline inspection points.

What the attacker is doing in this gap

Real attacker activity that uses east-west encrypted channels follows a small number of patterns.

Internal lateral movement. Once an attacker has a foothold, the next operations happen between internal hosts. Service-to-service authentication, internal SaaS APIs, file shares, internal git repositories, build artifacts. All encrypted. All routine in normal operations.

Internal command and control. Compromised hosts inside the enterprise can use legitimate internal services as control channels. Internal chat platforms, internal storage buckets, internal git repositories all support write operations that an attacker can use to coordinate compromised hosts without ever sending traffic out of the perimeter.

Quiet enumeration. Internal directory services, internal API discovery, internal certificate authorities. Each of these exposes information about the environment that an attacker uses to plan further movement.

Pre-exfiltration staging. Before data leaves the environment, attackers typically stage it on internal infrastructure they control or have compromised. The staging activity is east-west, encrypted, and to surface-level inspection looks like a backup or replication job.

In each case, the activity is detectable. The signal is not in the encrypted payload. The signal is in the flow metadata, the timing, the asymmetry, and the context.

What the telemetry actually carries

Even without packet payloads, encrypted east-west traffic produces telemetry with substantial signal.

  • Flow records. NetFlow, VPC Flow Logs, sFlow. Source, destination, ports, protocol, byte counts, packet counts, timing.
  • Connection asymmetry. The ratio of bytes sent to bytes received. Normal client behavior produces predictable asymmetry per protocol. Attacker behavior often produces different asymmetry.
  • Timing structure. Periodicity, jitter, and inter-arrival distributions of flows. Even when individual flows look routine, their temporal arrangement carries signal.
  • Connection graph topology. Which hosts talk to which other hosts, with what frequency. Internal communication patterns are surprisingly stable in most environments. New patterns are visible.
  • TLS fingerprinting metadata. JA3, JA4, JA4S. Even without seeing the certificate, the structure of the TLS handshake reveals something about the client.

A model that reads these signals together, in sequence, with context, can detect activity that no single signal would reveal alone.
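One way to read these signals together, as an added example that is not DeepTempo's code: the Python below scores each (src, dst) edge of a small set of constructed flow records on three of the signals listed above (a new connection-graph edge, low-jitter periodic inter-arrival times, and an out/in byte ratio far above the port's baseline), which is the metadata-only reasoning the attacker patterns in the previous section leave exposed. The record layout, the baseline edge set, the per-port ratio and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes_out, bytes_in)
FLOWS = [
    # routine service-to-service calls: irregular timing, client-like asymmetry
    (0, "10.0.1.5", "10.0.2.9", 443, 900, 14000),
    (37, "10.0.1.5", "10.0.2.9", 443, 1100, 16000),
    (81, "10.0.1.5", "10.0.2.9", 443, 800, 9000),
    (150, "10.0.1.5", "10.0.2.9", 443, 950, 12000),
    # beacon-like: fixed 60 s cadence to a never-seen host, client sends more than it gets
    (5, "10.0.1.7", "10.0.3.44", 443, 4100, 300),
    (65, "10.0.1.7", "10.0.3.44", 443, 4000, 310),
    (125, "10.0.1.7", "10.0.3.44", 443, 4200, 290),
    (185, "10.0.1.7", "10.0.3.44", 443, 4050, 305),
]
# Constructed baseline (assumed learned from history): known edges, per-port out/in ratio
BASELINE_EDGES = {("10.0.1.5", "10.0.2.9")}
BASELINE_RATIO = {443: 0.08}  # a typical HTTPS client sends ~8% of what it receives

def score_flows(flows, baseline_edges, baseline_ratio, min_flows=4,
                max_jitter=0.1, ratio_factor=10.0):
    """Return {(src, dst): [reasons]} for edges showing metadata-level signal."""
    by_edge = defaultdict(list)
    for f in flows:
        by_edge[(f[1], f[2])].append(f)
    findings = {}
    for edge, fs in by_edge.items():
        reasons = []
        if edge not in baseline_edges:           # connection-graph context
            reasons.append("new graph edge")
        fs.sort()                                # order by timestamp
        if len(fs) >= min_flows:
            gaps = [b[0] - a[0] for a, b in zip(fs, fs[1:])]
            # coefficient of variation of inter-arrival times: beacons sit near 0
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                reasons.append(f"periodic every ~{mean(gaps):.0f}s")
        out_b = sum(f[4] for f in fs)
        in_b = sum(f[5] for f in fs)
        expected = baseline_ratio.get(fs[0][3])  # baseline ratio for this dst port
        if expected and in_b and out_b / in_b > expected * ratio_factor:
            reasons.append("inverted byte asymmetry")
        if reasons:
            findings[edge] = reasons
    return findings

if __name__ == "__main__":
    for edge, why in score_flows(FLOWS, BASELINE_EDGES, BASELINE_RATIO).items():
        print(edge, why)
```

The routine edge trips none of the three checks while the beacon-like edge trips all three, which is the "no single signal would reveal alone" point: each check on its own is noisy, but their coincidence on one edge is not.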

What we built into LogLM to read this signal

The work to make LogLM useful against encrypted east-west traffic was specific and substantial.

Pretraining on flow logs at scale. The training corpus included substantial volumes of flow telemetry across cloud, data center, and OT environments. The model learned the structure of flow data directly: how byte-asymmetry, timing, and protocol distribute under legitimate workloads, and how they distribute under common attacker activity.

Embedding the connection graph as context. Individual flows are not interpretable in isolation. A connection from host A to host B is meaningful in the context of the connection graph host A normally participates in. The model architecture had to handle this graph context efficiently. Engineering work went into making the context representation tractable at production volumes.

Adversarial coverage for east-west specifically. Pretraining on benign flow data alone produces a model that is fluent in legitimate flow patterns. Detecting attacker activity required adversarial coverage in the training corpus. We invested in labeling work that covered lateral movement, internal C2, internal enumeration, and pre-exfiltration staging across multiple environment types.

Evaluation on encrypted-only signal. The accuracy figures we publish hold up when the model only has encrypted east-west telemetry available. This was a specific evaluation track because customers need to know what the model does when payloads are not visible. The result: the published detection rates apply to flow-only telemetry, not just to environments with full packet capture.

How DeepTempo's LogLM detects east-west threats

In production, the model surfaces several categories of east-west attacker activity directly from flow telemetry. Internal C2 beaconing through legitimate internal services. Lateral movement that lands in unusual graph regions. Pre-exfiltration staging distinguishable in flow telemetry alone. Quiet enumeration across internal services in patterns that match attacker reconnaissance rather than legitimate workload discovery.

Each is a category that signature-based and threshold-based tools either miss outright or detect only after the activity has progressed too far for response to be useful.
