All that said, when a friend of mine (Evan Powell) reached out with a new company he was starting in stealth, my attention was piqued. This particular individual was someone I had worked with in the past. He has successfully started 5 enterprise startups and is no joke. That got me to the table and to be honest I am glad I showed up. What he had was something totally new and beyond anything I had seen before.
The idea sounded simple in concept, but it was something that many companies had proven was actually an extremely complex issue to solve. How do you build an AI system that can use the strengths of AI to catch hackers and detect intrusions in progress? Seems like with the context windows and prediction capabilities of AI systems that should be pretty simple, right? Wrong. You can’t just fine-tune GPT 2.5 to read logs and understand them. Others have tried. The results have typically been worse than just running really large brittle rule sets. False positives and negatives are both issues that plague these systems.
False negatives mean you missed an event, and that means someone could have just gotten away with valuable data or worse. False positives can be even worse since they then need to be verified. Many institutions have so many false positives that they simply could never verify them all, and they end up discarding large buckets of them. The term “sampling” basically means taking the full bucket of events and trying to select a few as a reflective distribution of the whole dataset. So what you end up with is a smaller bucket that only has maybe 2–10% of your total events. When you handle things this way, you basically ignore most of the events your system identifies, and you end up with something where now not only did someone squeeze by and pull off an attack, but they did so in full view of all your security and got away with it. At that point, how is your security system anything better than an expensive act you put on to help you sleep at night?
So AI has some issues. As I stated earlier, we can’t just pull an LLM off of HuggingFace and fine-tune it to do what we need. When trying, the number of issues you would have to fight would take more time than starting from scratch, and the results would be abysmal. Hallucinations alone would be such a challenge we would be out of business as a company before we even got off the ground. Not to mention the cost in compute to properly fine-tune something that size. If it was that easy, there would be 100 companies out there already doing it.
On top of this, a lot of the strategies employed out there are more like trying to replace the human in the SOC with an AI. Companies are just trying to make a robot SOC operator while still leaving all the issues their cybersecurity systems have intact. This is like putting a supercharger on your lawnmower. It really won’t mow the grass any better, and you kind of are solving a problem that doesn’t really exist. So to stretch the analogy to its breaking point, let’s examine how we can cut the grass faster maybe without even using a lawnmower.
Evan had this crazy idea and had worked out a pre-POC using a new approach to this issue. His idea was to make a whole new kind of AI model that, instead of trying to find a needle in the haystack, simply lights the haystack on fire and sees what needles are left in the ashes. This is the basis for the startup, and we affectionately call it a LogLM.
Enter stage right a brilliant engineer named Josiah. Josiah has an interesting background. He spent time in a SOC but also has a very solid understanding of AI and the capabilities to think outside the box when it comes to the issue at hand. Now we have the expertise and are able to run full speed toward the goal.
So what makes the LogLM special? Among a number of things, it isn’t trained to detect specific hacks. We don’t feed it large rule sets or MITRE ATT&CK patterns and have it comb the logs looking for pattern matches. We train it on what normal, non-malicious traffic looks like and then let it loose. It examines NetFlow and other flow logs and puts sequences into a high-dimensional hyperspace — things that look unusual are flagged as anomalies. Or, in simple English, we just look for things that don’t seem like they would happen if everything were functioning normally. Operators can then examine those sequences and determine whether the event was actually malicious or simply something abnormal on the network.
So we have the idea; now we need to build it. We get the hardware together and build a simple POC model. There are a lot of test datasets we can use, but the Canadian Institute of Cybersecurity, “CIC”, has some really solid NetFlow datasets from medium-sized networks that we can use to prove things out. Since we are building something totally new, a lot of the setup work and tooling was stuff we had to build from scratch. After significant effort on the front end, we do the first few runs and boom — our F1 scores are good. Not just okay but like really, really good. Like better than any system I am aware of, commercial or otherwise. We just took a science project and, before we realized it, we had a product that could well be the holy grail of the cyber industry. Now I make this sound simple, but it is crazy how much new thinking and effort went into this. Really a testament to the talents on the engineering team.
Further testing with other datasets confirmed that the results weren’t a fluke. Some tests hit as high as 98% F1 scores. To make things even better, we don’t need to install agents on the network devices or anything that would stress or load the network. We just consume the most useless of logs and turn them into the clearest insights possible for what is happening on a network at any given time.
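To make the "train on normal, flag what is left" idea and the F1 measurement concrete, here is a small added example that is not the company's model or code: a toy detector that fits a profile of constructed benign flow records only, scores new flows by their z-scored distance from that profile (a stand-in for the high-dimensional embedding described above), sets its alert threshold from the benign tail, and reports precision, recall and F1 on a labelled evaluation set. The `Flow` schema, all record values and the feature choices are assumptions for illustration.

```python
import math
from collections import namedtuple

# One flow record. Constructed schema, loosely modelled on NetFlow-style fields.
Flow = namedtuple("Flow", "dport proto bytes packets duration")

def features(f):
    """Map a flow into a numeric vector; volumes are log-scaled."""
    return [math.log1p(f.bytes), math.log1p(f.packets), math.log1p(f.duration),
            1.0 if f.dport < 1024 else 0.0, 1.0 if f.proto == "udp" else 0.0]

class BaselineDetector:
    """Learns only what benign traffic looks like, then scores distance from it."""
    def fit(self, benign, quantile=0.99):
        vecs = [features(f) for f in benign]
        n, d = len(vecs), len(vecs[0])
        self.mean = [sum(v[i] for v in vecs) / n for i in range(d)]
        self.std = [math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vecs) / n) or 1.0
                    for i in range(d)]
        # Alert threshold: a high quantile of the benign scores, so only the
        # rare tail of normal traffic is flagged (the false-positive budget).
        scores = sorted(self.score(f) for f in benign)
        self.threshold = scores[min(int(round(quantile * n)), n - 1)]
        return self
    def score(self, f):
        """Euclidean distance from the benign profile in z-scored feature space."""
        v = features(f)
        return math.sqrt(sum(((v[i] - self.mean[i]) / self.std[i]) ** 2 for i in range(len(v))))
    def is_anomaly(self, f):
        return self.score(f) > self.threshold

def evaluate(detector, labelled):
    """labelled: (flow, is_malicious) pairs. Returns (precision, recall, f1)."""
    flagged = [(m, detector.is_anomaly(f)) for f, m in labelled]
    tp = sum(1 for m, a in flagged if m and a)
    fp = sum(1 for m, a in flagged if not m and a)
    fn = sum(1 for m, a in flagged if m and not a)
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    return p, r, (2 * p * r / (p + r) if p + r else 0.0)

# Constructed benign baseline: ordinary HTTPS and DNS flows with mild variation.
BENIGN = ([Flow(443, "tcp", 20_000 + 500 * i, 30 + i % 7, 2.0 + 0.1 * i) for i in range(60)]
          + [Flow(53, "udp", 120 + 3 * i, 2, 0.05) for i in range(40)])
# Constructed evaluation set: held-out benign flows plus two flows labelled malicious
# (a huge transfer to an unusual ephemeral port, and a long-lived near-empty connection).
EVAL = [(Flow(443, "tcp", 25_000, 33, 3.1), False), (Flow(53, "udp", 150, 2, 0.05), False),
        (Flow(49152, "tcp", 900_000_000, 600_000, 1800.0), True),
        (Flow(49152, "tcp", 40, 900, 7200.0), True)]

def demo():
    return evaluate(BaselineDetector().fit(BENIGN), EVAL)  # train on benign only
```

On this tiny constructed set the two labelled flows sit far outside the benign profile and both held-out benign flows stay inside it, so `demo()` returns perfect scores; on real flow data the threshold quantile is the knob that trades false positives against missed events.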
So now we have something interesting that I am genuinely excited about. The icing on the cake is that this type of system can even detect unknown attacks before they are identified and categorized. When you remove anything normal, everything you are left with is suspicious. That simple concept has the ability to turn the cybersecurity industry upside down.
So where are things now? Well, we just released a first consumable version of our product on the Snowflake marketplace. We have a lot of dev work still to do, but the road is clear and each new challenge that comes up gets solved quickly by the engineering team. We really do have a best-in-class group of engineers. Product market fit isn’t something that we need to find because the market has been begging for this product since the inception of network security. All we need to do is provide the offering and make sure it lives up.
The future is bright, and for the first time in history, we have the chance to get ahead of the attackers who attack our systems.