Why intent-based detection is the next step in cybersecurity

I’ve got to admit. I’m guilty of leading with the bad news. We all have excuses for focusing on the fear. I am afraid of how slowly security is moving versus how fast attackers are innovating.

After all, the news is concerning. AI-powered attacks are here, as confirmed by recent reports from Anthropic, OpenAI, Google, and just last week, our friends at Stanford. Complex campaigns orchestrated via agentic AI and including reconnaissance, adaptation, novel malware, and hidden C2 are happening. They are our new reality.

Nonetheless, I have hope and optimism. More than that, I have absolute conviction that open societies, when pressed, do what they need to do to overcome challenges. First we try everything else, and then we do the right thing at a scale, pace, and intelligence that changes everything.

What gives me hope is that I am now seeing defenders of infrastructure and critical enterprises increasingly leverage our AI-based detection intelligence layer. 

Today’s novel attacks increasingly slip past rules and ML-based perimeter defenses and get into our homes and enterprises without triggering an alarm. But once inside, DeepTempo interprets what the activity is trying to do, even when individual signals appear routine.

From “What’s misconfigured?” to “What can actually be attacked?”

A few years ago, Wiz changed cloud security by asking a better question.

Before Wiz, vulnerability management largely meant lists:

  • lists of CVEs

  • lists of misconfigurations

  • lists of things that might matter

Security teams were drowning in theoretical risk.

Wiz reframed the problem. Instead of asking what is vulnerable, they asked what is reachable, what is exposed, and what attack paths actually exist.

By unifying cloud configuration, identity, and network reachability into a single graph, Wiz surfaced the paths an attacker could realistically take. That shift mattered more than any single feature. Wiz didn’t just add another scanner. They recentered posture security around attack paths.

Critically, they did it in a way that automatically adapted to each environment. As they say at Wiz, time to value is value.

Detections face a similar challenge

The great thing about flow and network logs is that they are almost impossible to spoof or avoid. The problem is that they have historically been extremely hard to use at scale. Systems designed to make sense of these logs often take months to deploy and tune, and even longer to adapt to new environments.

Prior-generation detection systems, including network-centric tools, UEBA platforms, and many SIEM-based detections, tend to rely on:

  • dozens of bespoke ML models

  • heavy feature engineering based on human expertise

  • per-customer tuning and retraining cycles

  • packet capture, SPAN ports, or proprietary collectors

  • appliances and tightly coupled pipelines

These systems can work, but only with significant effort and long time to value. Each environment effectively becomes its own research project.

More importantly, these approaches are good at detecting activity, but struggle to assess the intent behind observed behavior.

Wiz showed the way

Seen clearly, Wiz’s contribution extends beyond CSPM.

Wiz demonstrated that:

  • rule sprawl could be replaced with a unified representation

  • per-customer tuning could be automated away

  • attacker intent could be reasoned about by modeling relationships, not alerts

They did this for posture.

What was missing was the behavioral analog. What if defenders could understand the intent behind behavior, with short time to value and without the overhead of traditional detection systems?

DeepTempo applies the same principle to detection

What Wiz did for posture, DeepTempo does for detection.

Instead of treating alerts or anomalies as the unit of analysis, DeepTempo models sequences of activity and asks what those sequences are trying to accomplish.

DeepTempo uses a deep learning foundation model we built, called a LogLM (Log Language Model), to learn how systems normally behave from ordered sequences of telemetry. The LogLM encodes and clusters these sequences into a behavioral embedding space based on their structure, timing, and relationships.

Importantly, a LogLM alone does not label activity and does not decide what is malicious.

A set of classifiers interprets the behavioral representations produced by our LogLM. These classifiers assign intent, distinguish benign operational behavior from attacker behavior, and map malicious sequences to MITRE ATT&CK. Related malicious sequences are then grouped into a single attack.

The separation is deliberate:

  • The foundation model learns behavior

  • Classifiers assign intent

  • The system presents attacks, not alerts

How this differs from traditional NDR

Network Detection and Response tools emerged to make sense of network telemetry by flagging suspicious activity. In practice, most NDR systems focus on identifying anomalous events or short windows of behavior and raising alerts when something looks off.

That approach has two structural limitations.

First, NDR systems tend to operate at the event or alert level. Even when they use machine learning, they often rely on dozens of bespoke models, hand-engineered features, and environment-specific tuning. This makes them slow to deploy, brittle across environments, and noisy when attackers deliberately stay within normal operating ranges.

Second, NDR systems primarily detect motion, not meaning. They can tell you that something unusual happened on the network, but they struggle to explain what that activity is trying to accomplish.

DeepTempo takes a different approach.

                                                                                                                                                                                              
DimensionTraditional NDRDeepTempo
Primary unit of analysisEvents and alertsSequences of activity
Detection methodAnomaly scores and heuristicsBehavioral modeling plus intent classification
ML architectureMany bespoke modelsOne foundation model plus classifiers
Environment adaptationHeavy per-customer tuningGeneralizes across environments
OutputAlertsIntent-aware attack objects
Analyst experienceCorrelate signalsUnderstand attacker intent

DeepTempo does not attempt to replace network telemetry. It changes how that telemetry is understood.

From alerts to intent

Traditional detection systems are optimized to generate alerts. An alert tells an analyst that something happened and that it may be suspicious. What it does not tell them is why it matters.

As environments grew more complex, alert volumes grew faster than analyst capacity. Detection systems responded with correlation rules, enrichment pipelines, and dashboards. But these approaches still start from the same primitive: an alert triggered by a deviation, threshold, or signature.

Intent-based detection starts from a different place: rather than asking whether an event is unusual, DeepTempo asks what a sequence of activity is trying to accomplish.

That distinction matters because intent does not appear in single events. It emerges across time, relationships, and structure.

DeepTempo models sequences of activity and uses LogLM to learn their behavioral structure. Classifiers then interpret those behaviors to assign intent and map malicious sequences to MITRE ATT&CK. Related malicious sequences are grouped into a single attack object.

This fundamentally changes the analyst experience:

  • Instead of dozens of alerts, analysts see a small number of attacks.

  • Instead of raw signals, they see interpreted intent.

  • Instead of manual correlation, they get a coherent narrative of adversary behavior.

DeepTempo does not attempt to reconstruct a full ordered kill chain or predict attacker progression. It identifies malicious sequences within broader attacker workflows and groups them into attacks that are understandable and actionable.

The result is not just fewer alerts. It is a shift from detection as signal generation to detection as understanding.

Why this wasn’t possible before

DeepTempo’s approach could not have worked a decade ago. Not because the idea was wrong, but because the prerequisites did not exist.

First, data simply wasn’t retained long enough. Sequence-level modeling requires access to long horizons of telemetry. Historically, flow logs and other high-volume signals were sampled, truncated, or discarded due to cost. Without persistent history, intent cannot be inferred because intent emerges across sequences, not individual events.

Second, detection systems were built around hand-engineered features. Most ML-based detection relied on human intuition to decide what mattered: ports, counters, ratios, and thresholds. That approach does not scale to the combinatorial complexity of modern environments and collapses when attackers deliberately stay within expected ranges.

Third, the modeling techniques themselves were limited. Earlier systems operated on events, short sliding windows, or aggregated metrics. They lacked the ability to learn structure across hundreds of ordered interactions and reason about relationships, timing, and progression within a sequence.

What changed is not just more data or more AI.

Cloud-scale data lakes made it possible to retain and query massive volumes of telemetry cost-effectively. Modern streaming pipelines made it feasible to construct and process sequences in near real time. And deep learning foundation models made it possible to learn behavioral structure directly from data without brittle feature engineering.

DeepTempo’s LogLM is an example of this shift. It is an encoder-only foundation model designed to learn behavioral similarity across sequences of activity. It does not label attacks or assign intent. That interpretation is performed by classifiers layered on top.

Finally, modern environments now emit the kinds of telemetry that carry intent signals. Flow logs, DNS logs, WAF logs, and access logs from data platforms and SaaS services provide continuous, hard-to-evade visibility into how systems interact.

DeepTempo starts with flow data because it is ubiquitous, difficult to evade, and rich enough to reveal behavioral structure. The underlying approach is not tied to any single signal source.

Intent-based detection as a new intelligence layer

Detection has evolved in response to scale, but its core assumptions have remained largely unchanged.

Rules and signatures gave way to anomaly detection. Anomaly detection gave way to correlation. Each step addressed volume, but none addressed understanding.

DeepTempo represents a different architectural shift.

It separates detection into three layers:

  1. Behavior learning through a foundation model

  2. Intent interpretation through classifiers

  3. Operational abstraction through attack grouping
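The three layers above, and the LogLM/classifier separation described earlier under "DeepTempo applies the same principle to detection", sketched as an added toy example over constructed flow records; this is illustrative code written for this post, not DeepTempo's own code. The LogLM is a deep learning model; here a hand-built structural summary stands in for its embedding (an assumption), and the classifier thresholds and MITRE ATT&CK mappings are likewise assumed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow records (timestamp_s, src, dst, dst_port, bytes): not real telemetry.
FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 22, 60), (1, "10.0.0.5", "10.0.0.20", 80, 60),
    (2, "10.0.0.5", "10.0.0.20", 443, 60), (3, "10.0.0.5", "10.0.0.20", 3389, 60),
    (4, "10.0.0.5", "10.0.0.20", 445, 60), (5, "10.0.0.5", "10.0.0.20", 8080, 60),
    (10, "10.0.0.5", "203.0.113.9", 443, 900), (70, "10.0.0.5", "203.0.113.9", 443, 910),
    (130, "10.0.0.5", "203.0.113.9", 443, 905), (190, "10.0.0.5", "203.0.113.9", 443, 898),
    (0, "10.0.0.7", "10.0.0.30", 443, 4000), (30, "10.0.0.7", "10.0.0.30", 443, 5500),
]

def build_sequences(flows):
    """Order flows per (src, dst) pair into time-ordered sequences: the unit of analysis."""
    seqs = defaultdict(list)
    for rec in sorted(flows):
        seqs[(rec[1], rec[2])].append(rec)
    return seqs

def encode(seq):
    """Layer 1 stand-in for the LogLM embedding: structure and timing only, no labels."""
    gaps = [b[0] - a[0] for a, b in zip(seq, seq[1:])]
    mean_gap = statistics.mean(gaps) if gaps else 0
    jitter = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else 1.0
    return {
        "events": len(seq),
        "span_s": seq[-1][0] - seq[0][0],
        "distinct_ports": len({r[3] for r in seq}),
        "jitter": jitter,                              # 0.0 means perfectly periodic
        "external": not seq[0][2].startswith("10."),   # constructed: 10/8 is internal
    }

def classify(emb):
    """Layer 2: assign intent to the representation and map it to ATT&CK (assumed rules)."""
    if emb["distinct_ports"] >= 5 and emb["span_s"] <= 60:
        return ("network service discovery", "T1046")
    if emb["external"] and emb["events"] >= 4 and emb["distinct_ports"] == 1 and emb["jitter"] < 0.2:
        return ("periodic C2 beaconing over an application-layer protocol", "T1071")
    return None  # benign operational behaviour

def detect_attacks(flows):
    """Layer 3: group related malicious sequences from one source into a single attack object."""
    attacks = defaultdict(lambda: {"sequences": [], "techniques": set()})
    for (src, dst), seq in build_sequences(flows).items():
        verdict = classify(encode(seq))
        if verdict:
            attacks[src]["sequences"].append((dst, verdict[0]))
            attacks[src]["techniques"].add(verdict[1])
    return dict(attacks)

if __name__ == "__main__":
    for src, atk in detect_attacks(FLOWS).items():
        print(src, sorted(atk["techniques"]), atk["sequences"])  # one attack, not twelve alerts
```

Two sequences from 10.0.0.5 collapse into one attack object, while the routine transfer from 10.0.0.7 produces nothing.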

This allows DeepTempo to sit above existing detection and telemetry systems rather than replacing them.

SIEMs, NDRs, and data platforms remain responsible for collecting and retaining signals. DeepTempo consumes that data and adds a layer most detection systems lack: intent-aware interpretation.

In practice, this means DeepTempo does not compete with existing tools. It makes them more effective by transforming alerts and events into intent-driven understanding.

The good news

Attackers are moving faster. AI has increased their speed and creativity.

Defenders now have something comparable: foundation models trained on real behavioral data, interpreted through intent rather than brittle rules. Wiz proved that security categories could be reset by asking better questions. DeepTempo applies that lesson to detection. This is not about adding another alert. It is about changing what defenders can understand, and how quickly they can act.

If AI threats are a top concern, please get in touch with us. We’ll run a 30 day assessment for you free of charge and identify threats lurking in your environment that your current tools have missed. Submit this form to get started. 
