What an almost 70M-device telecom network taught us about modern threat detection

A major telecommunications provider needed a new way to protect almost 70 million customer devices from cyberattacks. Their existing security stack wasn’t built for the problem they now faced: most devices were unmanaged, most traffic was encrypted, and AI-backed attackers were inventing new tactics faster than static rules or known-bad indicators could keep up.

They needed a way to detect real attacks in real time, at national scale, using only the data already available in the network — without deploying agents, decrypting packets, or relying on payload inspection. The use of AI in attacks was driving the need for new solutions. 

That requirement led them to evaluate DeepTempo’s LogLM, a deep-learning model designed to identify attack intent directly from NetFlow telemetry and adapt without continuous tuning.

The evaluation was driven by six requirements:

  • Monitor threats across ~70M customer devices

  • Operate without agents or special-purpose hardware

  • Detect both known and novel attacks in near real time

  • Maintain low false positives and false negatives

  • Run on cloud-native infrastructure with reasonable CPU/GPU usage

  • Adapt as traffic patterns change, without human rule maintenance

How the evaluation was structured

The telco provided full NetFlow telemetry from customer CPE and backbone infrastructure. No packet contents, no decrypted TLS, no identity metadata, and no host logs were used. All inference ran in real time.

The evaluation was executed in three phases, each described in the results section below.

Each phase was designed to answer a different operational question: Can flow-only detection work at all? Can it scale? And can it generalize?

Results: What LogLM detected

Phase 1 — Fine-tuned baseline (Test Set 1)

The first phase fine-tuned LogLM on 2% of the operator’s primary dataset and validated on the rest. This baseline established whether flow-only detection could surface intent without payloads or agents.

Takeaway: The model achieved high accuracy for most attack classes and surfaced intent as soon as the first relevant sequence appeared, demonstrating that flow-only detection was viable.

Phase 1 confirms that many attack types — including DDoS, injection, XSS, password abuse, scanning, and recon — leave enough signal in flows to detect immediately. It also identifies two limits: brute-force attacks required more time, and short infiltration events produced too little signal to classify reliably.

Note: mean time to detect (MTTD) is measured from the time DeepTempo receives the NetFlow records, so the figure is specific to the environment in which the system is deployed.

Phase 2 — Full evaluation on remaining production traffic (Test Set 2)

Phase 2 applied the same fine-tuned model to the remaining 96% of the primary dataset. This step tested whether the results held under full real-world traffic conditions.

Takeaway: Detection performance remained high at scale, proving the model was not overfitted to the fine-tuning slice, and the same edge cases remained.

Phase 2 demonstrates that the approach holds when scaled to the bulk of the operator’s traffic. The model continued to detect most attack types with strong accuracy, while brute-force and very short infiltration events remained the documented edge cases.

Phase 3 — Zero-shot generalization on new datasets (Test Set 3)

The final phase evaluated LogLM on two new datasets with no additional tuning. This tested whether the model could operate in real networks where traffic patterns shift constantly.

Takeaway: The model generalized well without retraining, retaining high performance against new traffic distributions.

Even in zero-shot mode, LogLM continued to surface high-signal attack types in real time, while infiltration and brute-force behavior remained the two predictable edge cases.

Consolidated results

Across all three phases, the model showed a consistent pattern: it detected high-signal attack types — such as DDoS, injection, XSS, password abuse, scanning, and reconnaissance — with strong accuracy and immediate detection, even as the dataset size and traffic conditions changed. These were the behaviors that produced enough observable activity in NetFlow to establish intent quickly.

The same two limitations repeated in every phase:

  • Brute-force activity was detected, but not instantly. These attacks required more time and more sequences before crossing the model’s confidence threshold.

  • Sparse-pattern infiltration attacks continued to be the weakest class, not because the model failed, but because these attacks inherently leave almost no flow-level signal to learn from. That said, the team and DeepTempo are already well on their way to developing innovative solutions to these problems.
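As an added illustration (not DeepTempo's code and not how LogLM actually scores flows), the Python below walks constructed per-sequence confidence scores for three attack classes, reports when each crosses an assumed intent threshold, and measures time-to-detect both from attack start and from flow receipt, the latter being how the MTTD note above defines it. All scores, the threshold and the running-max accumulation rule are constructed assumptions; their shapes mirror the findings that DDoS is confident at the first sequence, brute force needs more sequences, and a short infiltration never produces enough signal.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-sequence confidence scores, not real telemetry or LogLM
# output. Each list holds (seconds since the attack started on the wire,
# attack-confidence score for that flow sequence).
SEQUENCES = {
    "ddos": [(0, 0.95), (10, 0.97)],
    "brute_force": [(0, 0.20), (60, 0.35), (120, 0.55), (180, 0.80)],
    "short_infiltration": [(0, 0.15)],
}

THRESHOLD = 0.75  # assumed confidence threshold for asserting intent


@dataclass
class Detection:
    detected: bool
    sequences_seen: int
    ttd_from_attack_start: Optional[float]  # includes collector/ingest latency
    ttd_from_flow_receipt: Optional[float]  # how the page defines MTTD


def evaluate(seqs, ingest_delay, threshold=THRESHOLD):
    """Walk one attack's flow sequences in arrival order and report when the
    running confidence first crosses the threshold."""
    confidence = 0.0
    first_received = None
    for i, (t_attack, score) in enumerate(seqs, start=1):
        t_received = t_attack + ingest_delay  # when the detector sees the flow
        if first_received is None:
            first_received = t_received
        # Running max (an assumed rule): evidence from earlier sequences is
        # kept, so slow-reveal attacks cross the threshold as more arrive.
        confidence = max(confidence, score)
        if confidence >= threshold:
            return Detection(True, i, t_received, t_received - first_received)
    return Detection(False, len(seqs), None, None)


def classify_all(ingest_delay=30):
    """Evaluate every constructed attack class with the same collector latency."""
    return {name: evaluate(seqs, ingest_delay) for name, seqs in SEQUENCES.items()}


if __name__ == "__main__":
    for delay in (30, 300):
        print(f"ingest delay {delay}s")
        for name, d in classify_all(delay).items():
            print(f"  {name:20s} detected={d.detected} seqs={d.sequences_seen} "
                  f"ttd_receipt={d.ttd_from_flow_receipt} ttd_attack={d.ttd_from_attack_start}")
```

Raising the ingest delay shifts time-to-detect measured from attack start but leaves the flow-receipt MTTD unchanged, which is why that figure depends on the deployment environment's collection latency.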

The key outcome is that the model was not “tuned into” a single dataset — it retained high precision and low error rates even when applied to new traffic it had never seen before.

Business impact and industry implications

This evaluation demonstrated that real-time attack-intent detection is possible across an almost 70-million-device footprint using only flow records, without agents, without payload inspection, and without rule maintenance. It also showed that a single model can continue to perform well across new datasets without retraining, which is a prerequisite for carrier-scale deployment.

  • The system operated within the telco’s constraints: no agents, no deep packet inspection, no identity context, and no hardware refresh.

  • Most attack classes were detected instantly, at high precision, with low false positives.

  • The model maintained 96–98% F1 on new datasets, confirming generalization instead of tuning-specific success.

  • The only systematic gaps were brute-force attacks (slow reveal of intent) and very short infiltration sequences (insufficient observable signal).

  • The results led the operator to move forward with a paid production pilot.

For other telecom and large-scale service providers, the lesson is straightforward: if NetFlow is the only universal signal available, it can still be used for real-time threat detection — if the detection method is built to extract intent rather than match indicators.

Interested in trying DeepTempo in your environment? Please connect with us.