Market Analysis

The Case for AI-Native Threat Intelligence

Willem de Vries

Threat intelligence that requires human analysts to synthesise before it becomes actionable has a structural timing problem. The average dwell time for an advanced persistent threat in a European enterprise network through 2020 was measured in weeks to months — but the window in which a SOC analyst can act on an indicator before the attacker pivots, rotates infrastructure, or completes their objective is measured in hours. This gap is not primarily a tooling problem; it is an architecture problem. The systems we built for threat intelligence over the preceding decade were designed to support human workflows: feed aggregation, indicator enrichment, SIEM ingestion, analyst triage. Each step added latency. What we need instead is a detection and correlation layer that operates continuously at machine speed, where the human analyst's role shifts from synthesising raw data to validating machine-generated hypotheses and directing investigation.

The distinction we draw between rule-based and model-based detection is worth articulating precisely. A rule-based SIEM detection — for example, a Sigma rule that fires on a specific sequence of Windows Event IDs associated with pass-the-hash lateral movement — is explicit, auditable, and low false-positive once tuned. Its weakness is coverage: it only detects what it was written to detect. A novel initial access technique or a living-off-the-land approach that stays within legitimate administrative tooling will not trigger rules written against previously observed TTPs. Model-based detection trained on representations of normal behavioural baselines — network flow timing, authentication sequence distributions, API call patterns — has a fundamentally different detection surface. It can surface anomalies that have no prior indicator signature, which is precisely where advanced actors operate. We are not saying rule-based detection is obsolete; we are saying it needs a complementary layer that can reason about behavioural deviation rather than indicator matching.
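To make the contrast concrete, here is an added sketch in Python (not the author's or any vendor's code) of the two layers side by side: a sequence rule over Windows event IDs, and a minimal per-user behavioural baseline that flags a logon path the user has never taken, withholding alerts until enough history exists and attaching triage context, which is the simplest form of the calibration problem. The event IDs, hostnames, timestamps and the 20-logon history threshold are assumptions, and the rule sequence is a stand-in for a Sigma-style rule rather than a real signature.

```python
from collections import Counter, defaultdict, namedtuple

AuthEvent = namedtuple("AuthEvent", "ts user src dst event_id")  # ts: seconds

# Rule layer: fires when the event ids in `sequence` occur in order for one
# (user, dst) within `window` seconds. Precise, but blind outside that sequence.
def sequence_rule(events, sequence=(4624, 4672), window=60):
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.user, e.dst)].append(e)
    hits = []
    for key, evs in by_key.items():
        for i, first in enumerate(evs):
            if first.event_id != sequence[0]:
                continue
            pos = 1
            for e in evs[i + 1:]:
                if e.ts - first.ts > window:
                    break
                if e.event_id == sequence[pos]:
                    pos += 1
                if pos == len(sequence):
                    hits.append(key)
                    break
    return hits

# Model layer, simplest form: per-user histogram of (src, dst) logon paths. An unseen
# path is flagged with triage context, but only once the user has enough history.
def baseline_alerts(history, events, min_history=20):
    paths = defaultdict(Counter)
    for e in history:
        paths[e.user][(e.src, e.dst)] += 1
    alerts = []
    for e in events:
        hist, total = paths[e.user], sum(paths[e.user].values())
        if total < min_history or hist[(e.src, e.dst)] > 0:
            continue
        usual = ", ".join(d for (_s, d), _n in hist.most_common(3))
        alerts.append(f"{e.user}: {e.src}->{e.dst} unseen in {total} baseline "
                      f"logons; usual targets: {usual}")
    return alerts

# Constructed telemetry: 30 routine logons, then a rule-matching pair on dc01
# (a familiar host) and one quiet logon to a host alice has never used.
def demo():
    history = [AuthEvent(d * 86400, "alice", "ws01", ("fs01", "mail01", "dc01")[d % 3], 4624)
               for d in range(30)]
    today = [AuthEvent(t, "alice", "ws01", h, i) for t, h, i in
             ((3_000_000, "dc01", 4624), (3_000_010, "dc01", 4672), (3_000_500, "hr-db", 4624))]
    return sequence_rule(today), baseline_alerts(history, today)
```

On this input the rule fires only on the dc01 pair, while the baseline layer flags only the quiet hr-db logon the rule has no way to see; a user with no history produces no baseline alert at all.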

By early 2021, we had spent two years tracking the architectural evolution in detection engineering across the European financial services and critical infrastructure sectors. The pattern that emerged from conversations with security operations teams at Dutch banks, Belgian energy utilities, and German industrial companies was consistent: the investment in commercial SIEM platforms and their predecessors had produced data lakes of telemetry that organisations could not query fast enough to support real-time detection. The correlation queries that produced meaningful detections ran slowly enough to make interactive investigation impractical. The SOC analysts who were most effective were not the ones with the most rules; they were the ones who had built mental models of their environment's normal behaviour patterns and could spot deviations intuitively. The question we kept asking was: can that intuition be encoded, and can it run faster than the human analyst?

The early graph neural network approaches to network anomaly detection that began appearing in academic research around 2019 and 2020 were technically promising but operationally immature. The false positive rates in production environments were initially too high for SOC workflows where analyst trust is the bottleneck — if a model fires on too many benign events, analysts stop paying attention to its alerts. The companies we found credible were those that had thought seriously about the confidence calibration problem: how do you present a model-generated anomaly alert to a tired analyst at 2am in a way that gives them enough context to make a triage decision in thirty seconds? This is a product problem as much as a model problem, and the teams that understood both were rare. It shaped how we thought about the threat intelligence platform space entering Fund II.