Threat Detection with AI: From Rules to Models
Moving into practical applications
Automated threat detection started with rules: signatures, static indicators, and hand-crafted correlation logic in systems like firewalls and traditional SIEMs. Rules still work well for known threats because they are precise, fast and explainable. Their limitation is coverage at scale: modern environments produce huge volumes of logs and telemetry, and attackers change techniques faster than rule sets are updated, so activity without a written signature goes unseen. That gap is why organisations are moving from rule-dominant defences to model-driven detection, which uses statistics and machine learning to find unknown and subtle threats.
The transition began with straightforward anomaly detection and statistical models applied to logs and network flows. Over the last decade, researchers and vendors shifted toward deep learning and sequence models that treat logs like language. DeepLog, a widely cited academic system, parses each log line into a template (a "log key"), trains an LSTM to predict the next key in a sequence, and flags an entry as anomalous when it is not among the model's top predictions; it helped demonstrate that models can detect anomalies without explicit signatures and can scale to large log sets.
How do I get started?
In practice, modern detection uses a hybrid stack. Knowledge bases and behavioural frameworks remain essential. The MITRE ATT&CK framework, for example, maps attacker tactics and techniques so defenders can link detections to realistic adversary behaviour and plan controls. ATT&CK complements models by providing the ontology and detection goals that data-driven systems should cover. Combining model outputs with ATT&CK-aligned detection logic helps teams prioritise alerts and translate model signals into actionable response steps.
For a practical investigation into applying MITRE ATT&CK, see the _secpro ten-part series, starting here:
For implementers, moving from rules to mature models means three practical changes: collect and shape the right data, adopt incremental modelling approaches, and build monitoring and governance around the models. Data is foundational. Capture structured logs, process events into normalised fields, keep context (user, host, process), and keep retention long enough to learn normal seasonal patterns. Many teams start by augmenting their existing SIEM with extracted features for sessions, authentication, file access, and lateral movement indicators, then feed those features into lightweight models before moving to deeper sequence models.
Getting dirty hands
Start small and iterate. Implement a behaviour analytics capability (often called UEBA) that learns typical user and device patterns and surfaces deviations. UEBA systems use unsupervised and semi-supervised ML to generate risk scores for accounts and assets; they usually integrate with existing alerting and case management so analysts can validate and tune outputs. Beginning with a UEBA layer lets teams see tangible reductions in low-value alerts while keeping rules for well-known signatures.
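The two preceding steps, shaping raw events into normalised per-user features and then scoring new events against a learned baseline, are shown together below as an added example; it is not code from the original article or from any UEBA product. The log lines are constructed for illustration, the field layout and the feature weights are assumptions, and the scorer deliberately returns the contributing features alongside the score so an analyst can see why an event was flagged.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed, syslog-style authentication events for the learning period (not
# real telemetry). Each line keeps the context the text asks for: user, host,
# source address and outcome.
TRAINING_LOG = """\
2024-03-04T09:02:11Z host=web01 user=alice src=10.0.1.5 result=success
2024-03-04T09:40:51Z host=web01 user=alice src=10.0.1.5 result=success
2024-03-05T08:58:03Z host=web02 user=alice src=10.0.1.5 result=success
2024-03-05T17:12:44Z host=web01 user=alice src=10.0.1.5 result=success
2024-03-06T10:21:19Z host=web01 user=alice src=10.0.1.5 result=success
2024-03-04T11:15:00Z host=db01 user=bob src=10.0.2.9 result=success
2024-03-05T11:30:00Z host=db01 user=bob src=10.0.2.9 result=success
2024-03-06T11:45:00Z host=db01 user=bob src=10.0.2.9 result=failure
"""

# Constructed events to score against that baseline.
NEW_LOG = """\
2024-03-07T09:05:00Z host=dc01 user=alice src=10.0.1.5 result=success
2024-03-07T03:12:00Z host=web01 user=alice src=203.0.113.7 result=success
2024-03-07T11:20:00Z host=db01 user=bob src=10.0.2.9 result=failure
2024-03-07T12:00:00Z host=web01 user=mallory src=10.0.9.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Feature weights are illustrative assumptions, not tuned values.
WEIGHTS = {"new_host": 40, "new_source": 30, "off_hours": 20, "unusual_failure": 10}


def parse(log_text):
    """Normalise raw lines into records with a parsed timestamp and context fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are dropped, never guessed at
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["hour"] = rec["ts"].hour
        events.append(rec)
    return events


def build_baseline(events):
    """Per-user profile: hosts and sources seen, active-hour histogram, failure count."""
    profiles = defaultdict(lambda: {"hosts": set(), "srcs": set(),
                                    "hours": Counter(), "n": 0, "fail": 0})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        p["srcs"].add(e["src"])
        p["hours"][e["hour"]] += 1
        p["n"] += 1
        p["fail"] += e["result"] == "failure"
    return profiles


def score_event(profiles, e):
    """Risk score for one event plus the features that produced it, so an analyst
    sees why the event was flagged rather than just a number."""
    p = profiles.get(e["user"])
    if p is None:
        return 100, ["user_never_seen"]
    score, reasons = 0, []
    if e["host"] not in p["hosts"]:
        score += WEIGHTS["new_host"]
        reasons.append("new_host:" + e["host"])
    if e["src"] not in p["srcs"]:
        score += WEIGHTS["new_source"]
        reasons.append("new_source:" + e["src"])
    if p["hours"][e["hour"]] / p["n"] < 0.10:  # hour seen in <10% of this user's activity
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours:%02d" % e["hour"])
    if e["result"] == "failure" and p["fail"] / p["n"] < 0.20:
        score += WEIGHTS["unusual_failure"]
        reasons.append("unusual_failure")
    return score, reasons


def score_log(profiles, log_text):
    """Score every parsable line; returns (user, score, reasons) in input order."""
    return [(e["user"],) + score_event(profiles, e) for e in parse(log_text)]


if __name__ == "__main__":
    baseline = build_baseline(parse(TRAINING_LOG))
    for user, score, reasons in score_log(baseline, NEW_LOG):
        print(f"{user:8} {score:3} {reasons}")
```

On the constructed data, alice's login from an unseen host scores on one feature, her 03:00 login from an unseen address scores on two, bob's failure on a host he always uses scores nothing because his learning period already contains failures, and a never-seen account is escalated outright. The reasons list is what gets attached to the alert and later mapped to ATT&CK techniques.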
Model selection and training should match the detection goal. For single-event signatures, simple supervised classifiers can work if you have labelled attack examples. For sequences and multi-step attacks, recurrent models or Transformers that learn event order and context are more effective. Use public research as a starting point, with papers like DeepLog illustrating sequence modelling on logs, and then tailor models to your environment. Where labelled data is scarce, rely on anomaly detection, synthetic injection testing (replaying known-malicious sequences into your own telemetry), and red-team exercises to generate meaningful signals.
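To make the sequence-modelling idea concrete, here is an added example of the DeepLog workflow, not DeepLog's own code or from the original article: lines are reduced to log keys, a model learns which key tends to follow the previous h keys, and a key outside the model's top-k predictions is flagged. The LSTM is replaced by a count-based next-key table so the block runs without a deep-learning framework; the sessions are constructed and the templating rule (any token containing a digit becomes "*") is a simplification.

```python
import re
from collections import Counter

# Constructed normal sessions of an imaginary service (not real logs).
NORMAL_SESSIONS = [
    ["session opened uid=1001", "loaded config /etc/app/app.conf",
     "connected to db 10.0.0.5:5432", "query ok rows=17", "query ok rows=3",
     "session closed uid=1001"],
    ["session opened uid=1002", "loaded config /etc/app/app.conf",
     "connected to db 10.0.0.5:5432", "query ok rows=0",
     "session closed uid=1002"],
    ["session opened uid=1003", "loaded config /etc/app/app.conf",
     "connected to db 10.0.0.5:5432", "query ok rows=8", "query ok rows=8",
     "query ok rows=2", "session closed uid=1003"],
]

# Constructed session with an event that never appears in normal traffic.
SUSPECT_SESSION = [
    "session opened uid=1004", "loaded config /etc/app/app.conf",
    "connected to db 10.0.0.5:5432", "query ok rows=4",
    "executed shell cmd=/bin/sh", "session closed uid=1004",
]


def log_key(line):
    """Collapse variable tokens (anything containing a digit) to '*', keeping the template."""
    return re.sub(r"\S*\d\S*", "*", line)


class NextKeyModel:
    """Count-based stand-in for DeepLog's LSTM: estimates P(next key | previous h keys)."""

    def __init__(self, h=2, k=2):
        self.h, self.k = h, k
        self.counts = {}  # context tuple -> Counter of observed next keys

    def _windows(self, keys):
        padded = ["<s>"] * self.h + list(keys)  # start padding so the first keys are scored too
        for i in range(self.h, len(padded)):
            yield i - self.h, tuple(padded[i - self.h:i]), padded[i]

    def fit(self, sessions):
        for keys in sessions:
            for _, ctx, nxt in self._windows(keys):
                self.counts.setdefault(ctx, Counter())[nxt] += 1
        return self

    def detect(self, keys):
        """(position, key, expected top-k keys) for every key the model did not predict.
        Once one key is anomalous, the windows that contain it usually fire as well."""
        anomalies = []
        for pos, ctx, nxt in self._windows(keys):
            top = [key for key, _ in self.counts.get(ctx, Counter()).most_common(self.k)]
            if nxt not in top:
                anomalies.append((pos, nxt, top))
        return anomalies


def train(sessions, h=2, k=2):
    return NextKeyModel(h, k).fit([[log_key(l) for l in s] for s in sessions])


def check(model, session):
    return model.detect([log_key(l) for l in session])


if __name__ == "__main__":
    model = train(NORMAL_SESSIONS)
    for pos, key, expected in check(model, SUSPECT_SESSION):
        print(f"position {pos}: saw {key!r}, expected one of {expected}")
```

With k=2 the third normal session passes cleanly and the shell execution is flagged at position 4 (followed by the now-unexpected close at position 5). Dropping to k=1 flags a third consecutive query in the normal session, because the model has seen a session close more often than a third query at that point: k is the knob that trades coverage of rare-but-legitimate paths against sensitivity.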
Operationalising models requires three production practices. First, build evaluation pipelines: replay historical telemetry with known attack scenarios injected, hold out data the model never trained on, and measure the detection rate against the false-positive rate the SOC can actually absorb, since an alert threshold is only useful if analysts can work the alerts it produces. Second, implement model monitoring to track data drift, alert volumes, and performance degradation, because a model trained on last quarter's environment silently degrades as the environment changes. Third, ensure human-in-the-loop review: pair model alerts with analyst feedback to create labelled examples for continuous retraining. These steps keep models accurate and reduce analyst fatigue.
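The first two practices, evaluating on a labelled replay and watching for drift, can be implemented with a few small functions. The block below is an added example, not from the original article; the score/label pairs and the weekly score samples are constructed, the 0.25 PSI threshold is a common rule of thumb rather than a standard, and the scorer that produced the scores is assumed to exist upstream.

```python
import math

# Constructed holdout: (model score, label). label 1 marks an event from a replayed,
# known attack scenario; 0 marks ordinary traffic from the same period.
HOLDOUT = [
    (5, 0), (12, 0), (8, 0), (30, 0), (45, 0), (10, 0), (22, 0), (55, 0), (15, 0), (9, 0),
    (70, 1), (85, 1), (40, 1), (95, 1), (60, 1),
]

# Constructed score samples from the week the model was validated and a later week.
REFERENCE_WEEK = [5, 8, 9, 10, 12, 15, 22, 30, 45, 55]
CURRENT_WEEK = [40, 50, 55, 60, 65, 70, 80, 85, 90, 95]
SCORE_BINS = [25, 50, 75]  # bin edges; a fourth bin catches everything >= 75


def metrics(scored, threshold):
    """Precision, recall and false-positive rate when alerting on score >= threshold."""
    tp = fp = fn = tn = 0
    for score, label in scored:
        flagged = score >= threshold
        if flagged and label:
            tp += 1
        elif flagged:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def choose_threshold(scored, max_fpr):
    """Threshold with the best recall whose false-positive rate fits the SOC's budget;
    ties go to the lower false-positive rate. Returns (threshold, metrics) or None."""
    best = None
    for t in sorted({s for s, _ in scored}):
        m = metrics(scored, t)
        if m["fpr"] > max_fpr:
            continue
        if best is None or (m["recall"], -m["fpr"]) > (best[1]["recall"], -best[1]["fpr"]):
            best = (t, m)
    return best


def psi(reference, current, edges):
    """Population stability index of `current` against `reference` over fixed bins.
    0 means identical distributions; values above ~0.25 are usually treated as drift."""
    def proportions(values):
        counts = [0] * (len(edges) + 1)
        for v in values:
            counts[sum(v >= e for e in edges)] += 1
        total = len(values) + 0.5 * len(counts)  # add-0.5 smoothing keeps the logs finite
        return [(c + 0.5) / total for c in counts]
    ref, cur = proportions(reference), proportions(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


def drift_check(reference, current, edges, limit=0.25):
    """What a monitoring job would emit: the PSI and whether it breaches the limit."""
    value = psi(reference, current, edges)
    return {"psi": value, "drifted": value > limit}


if __name__ == "__main__":
    print("at 30:", metrics(HOLDOUT, 30))
    print("best under 10% FPR:", choose_threshold(HOLDOUT, max_fpr=0.10))
    print("drift:", drift_check(REFERENCE_WEEK, CURRENT_WEEK, SCORE_BINS))
```

On the constructed holdout, alerting at 30 catches every replayed attack but at a 30% false-positive rate; the budgeted choice lands at 60 with 80% recall and no false positives, which is the trade-off an evaluation pipeline should surface rather than hide. The drift check on the two constructed weeks reports a PSI well above 0.25, the signal that the score distribution has moved and the threshold chosen last week no longer means what it did.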
Governance and risk management are non-negotiable. NIST's AI Risk Management Framework provides practical guidance for managing AI lifecycle risks, including robustness, explainability, and governance, topics that map directly to security systems that make or assist decisions. Adopt a risk-based approach: document the model purpose, expected benefits, limitations, and failure modes before deployment. Maintain versioning, audit logs, and a rollback plan for model changes.
Adversaries target the models themselves. Adversarial machine learning shows that attackers can craft inputs to evade a model (activity shaped to resemble the learned normal), poison it (feeding it training data that slowly shifts the baseline until malicious activity sits within tolerance), degrade detection accuracy, or trigger floods of false alarms. Treat models as another attack surface. Harden training pipelines against poisoning by controlling which events are allowed to become training data, validate inputs, use ensembles and randomised checks, and maintain signature-based fallbacks for critical detections. Conduct adversarial testing and red-team the models to measure resilience and sharpen defences.
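Poisoning a behavioural baseline rarely needs crafted inputs; it needs patience. The added example below (not from the original article or any product) simulates a user whose daily upload volume grows one percent a day for 300 days against two baselines: a naive rolling baseline that learns from everything it sees, and a guarded one that refuses to learn from any value a frozen, analyst-vetted reference would call abnormal. The reference values, growth rate, window size and z-score limit are all assumptions chosen to make the effect visible.

```python
import statistics

# Constructed: 14 days of one user's daily upload volume (MB) that an analyst has
# reviewed and accepted as normal. It is frozen and serves as the vetted reference.
REFERENCE = [100, 105, 98, 102, 110, 95, 101, 99, 104, 100, 97, 103, 106, 100]


def zscore(x, values):
    mu = statistics.mean(values)
    sd = statistics.pstdev(values) or 1.0  # a flat history would otherwise divide by zero
    return (x - mu) / sd


class RollingBaseline:
    """Naive UEBA baseline: every observed value, alerted on or not, becomes training data."""

    def __init__(self, seed, window=14):
        self.window = window
        self.values = list(seed)[-window:]

    def observe(self, x):
        z = zscore(x, self.values)  # score against what the model currently believes is normal
        self.values = (self.values + [x])[-self.window:]
        return z


class GuardedBaseline(RollingBaseline):
    """Same scoring, but a value only enters training if the frozen reference also finds
    it normal. Rejected values are queued for analyst review instead of being learned."""

    def __init__(self, seed, window=14, z_limit=3.0):
        super().__init__(seed, window)
        self.reference = list(seed)
        self.z_limit = z_limit
        self.rejected = []

    def observe(self, x):
        z = zscore(x, self.values)
        if abs(zscore(x, self.reference)) > self.z_limit:
            self.rejected.append(x)  # surfaced to a human; never used to update the model
            return z
        self.values = (self.values + [x])[-self.window:]
        return z


def simulate(growth=0.01, days=300, z_alert=3.0, probe_mb=2000):
    """Attacker raises daily volume by `growth` each day for `days` days; afterwards
    each baseline is asked how it would score a `probe_mb` day (20x the vetted normal)."""
    naive = RollingBaseline(REFERENCE)
    guarded = GuardedBaseline(REFERENCE, z_limit=z_alert)
    naive_max_z, first_reject = 0.0, None
    for d in range(1, days + 1):
        x = 100 * (1 + growth) ** d
        naive_max_z = max(naive_max_z, naive.observe(x))
        guarded.observe(x)
        if first_reject is None and guarded.rejected:
            first_reject = d
    return {
        "naive_max_z": naive_max_z,                # stays under z_alert: no alert ever fires
        "naive_learned_mean": statistics.mean(naive.values),
        "naive_probe_z": naive.observe(probe_mb),  # the probe now looks ordinary
        "guarded_first_reject_day": first_reject,  # the day the guard starts refusing input
        "guarded_probe_z": guarded.observe(probe_mb),
        "reference_probe_z": zscore(probe_mb, REFERENCE),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:26} {value}")
```

Each daily increment is individually unremarkable, so the naive baseline never produces a z-score near the alert line, yet by the end it has learned a mean around twenty times the vetted volume and scores a 2000 MB day as normal. The guarded baseline starts rejecting updates on day 13, which is both the point where it stops being poisoned and the point where an analyst gets a review item. The same principle applies to any self-updating detector: decide explicitly what is allowed to become training data, and keep a reference that the model cannot rewrite for itself.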
Explainability matters for analyst adoption. Models that provide interpretable evidence—event sequences, key features, or mapped ATT&CK techniques—are easier to trust and act on. Where possible, surface the top contributing features or the subsequence that triggered the anomaly and show how that maps to known tactics. This approach reduces the “black box” perception and accelerates triage.
Concrete steps for a team ready to adopt AI-based detection: first, inventory your telemetry and instrument the gaps; second, run a pilot using UEBA or a simple anomaly detector on a high-value domain (for example, privileged logins); third, integrate outputs with SOC workflows so analysts can label and tune; fourth, apply sequence models for multi-step detection once you have stable features and feedback loops; and finally, formalise governance using AI risk practices and red-team exercises. Each step should keep a rules-based fallback and retain the ability to write a new rule when a model misses a clear signature.
Costs and resource planning are realistic concerns. Initial experiments can run on modest infrastructure; however, production at scale needs storage, feature pipelines, and model-serving capacity. Cloud vendors and specialised security ML platforms can accelerate adoption, but be mindful of vendor risk and data residency. Keep a focus on total cost of ownership: analyst time saved, reduction in mean-time-to-detect, and fewer false positives are the practical ROI metrics.
Evolving to improve practice
Shifting from rules to models is not a replacement but an evolution. Rules are precise and fast for known threats; models extend coverage to unknown, subtle, and behaviour-driven attacks. The most effective security programs blend both, anchored by frameworks like MITRE ATT&CK and governed through risk management principles such as NIST’s AI RMF.
Start with data hygiene, iterate with pilots, monitor continuously, and test adversarially. Those practical steps will let teams adopt AI for threat detection in a way that is measurable, defensible, and operationally valuable.