🛡️

SOC Threat Intelligence Foundation Model

Security teams stitch endpoint, cloud, DNS, network, auth, and email signals across separate detectors. Each surface trains its own classifier on its own features and ships its own alert pipeline. This demo collapses ten of those signals into one shared model. A small cyber telemetry encoder turns 64 events x 15 normalized fields into 960 pseudo-tokens. The frozen LFM2.5-350M backbone processes the sequence with attention LoRA, and ten task heads predict in parallel: attack presence, risk score, current attacker stage, likely next tactic, next event type, response actions, identity compromise, lateral movement, exfil likelihood, and benign-admin confounder. Adding a new SOC signal is a head, not a model.
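As an added illustration of the window-to-heads layout described above (this is example code, not the demo's own implementation): a 64-event x 15-field window is flattened into 960 (position, field, value) pseudo-tokens with a padding mask for short windows, a masked per-field mean stands in for the frozen backbone's read, and ten task heads consume that one shared vector. The head names, kinds, output sizes and the deterministic random weights are assumptions.

```python
# Added example, not the demo's own code: 64 events x 15 fields -> 960 pseudo-tokens
# plus padding mask -> one pooled read (toy stand-in for the frozen backbone) ->
# ten task heads. Head names/kinds/sizes and the head weights are assumptions.
import math
import random

WINDOW_EVENTS, FIELDS = 64, 15
N_TOKENS = WINDOW_EVENTS * FIELDS  # 960 pseudo-tokens per window

# Assumed head spec: name -> (kind, output size). A new SOC signal is one entry.
HEADS = {"attack_presence": ("binary", 1), "risk_score": ("regression", 1),
         "current_stage": ("multiclass", 6), "next_tactic": ("multiclass", 6),
         "next_event_type": ("multiclass", 8), "response_actions": ("multilabel", 5),
         "identity_compromise": ("binary", 1), "lateral_movement": ("binary", 1),
         "exfil_likelihood": ("binary", 1), "benign_admin": ("binary", 1)}

def encode_window(events):
    """Flatten up to 64 events x 15 normalized fields into 960 tokens and a mask.
    Short windows are right-padded; mask is 1 for real tokens, 0 for padding."""
    if len(events) > WINDOW_EVENTS:
        raise ValueError("window exceeds 64 events; slide it before encoding")
    tokens, mask = [], []
    for e in range(WINDOW_EVENTS):
        real = e < len(events)
        row = events[e] if real else [0.0] * FIELDS
        if len(row) != FIELDS or any(not 0.0 <= v <= 1.0 for v in row):
            raise ValueError(f"event {e}: need {FIELDS} fields normalized to [0, 1]")
        tokens.extend((e, f, v) for f, v in enumerate(row))  # one pseudo-token per field
        mask.extend([int(real)] * FIELDS)
    return tokens, mask

def pool(tokens, mask):  # masked mean per field: a toy stand-in for the backbone read
    sums, counts = [0.0] * FIELDS, [0] * FIELDS
    for (_, f, v), m in zip(tokens, mask):
        sums[f], counts[f] = sums[f] + v * m, counts[f] + m
    return [s / c if c else 0.0 for s, c in zip(sums, counts)]

def run_heads(shared, seed=0):
    """Apply all ten heads to one shared vector; head weights are constructed here."""
    rng, out, sig = random.Random(seed), {}, lambda z: 1 / (1 + math.exp(-z))
    for name, (kind, size) in HEADS.items():
        logits = [sum(rng.uniform(-1, 1) * x for x in shared) for _ in range(size)]
        if kind == "multiclass":  # softmax over stages / tactics / event types
            ex = [math.exp(l - max(logits)) for l in logits]
            out[name] = [v / sum(ex) for v in ex]
        elif kind == "multilabel":  # independent probability per response action
            out[name] = [sig(l) for l in logits]
        else:  # binary -> probability, regression -> raw score
            out[name] = sig(logits[0]) if kind == "binary" else logits[0]
    return out
```

Swapping the toy `pool` for a real backbone call leaves `encode_window` and `run_heads` unchanged, which is the point of adding signals as heads rather than models.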

Ten SOC signals from one read of the telemetry window. Attack presence, risk, current stage, next tactic, next event type, response actions, identity compromise, lateral movement, exfil likelihood, and benign-admin confounder: all back together in ~10ms warm on H100.
Sees the sequence, not just the row. Reads the full 64-event window with attention, so it catches multi-step attack trajectories (discovery → credential access → lateral movement) that flat-feature alert classifiers miss.
Forecast plus verdict, not just verdict. Per-window prediction includes the likely next tactic and next event type, so the model surfaces 'where this is going' alongside 'what this is.'
Benign-admin confounder head. Dedicated head to suppress false positives on backup, patching, admin shells, and IT automation: the operational lookalikes that drown analysts in noise.

The Problem

SOC teams maintain separate detectors and classifiers per signal (verdict, risk, stage, forecast, response). Each is its own pipeline and refresh cadence. Cross-surface signals get lost because each model sees only its slice. A discovery + credential-access trajectory that predicts both 'lateral movement next' and 'identity compromise' is invisible to a model trained on either one.

How LFM Compares

Per-task gradient-boosted trees, rules, and point classifiers per SIEM lane. Each new business question (urgency, next tactic, exfil likelihood) is a new pipeline, a new model, and a new deployment.

What LFM Unlocks

One model where today there are five to ten. Verdict, risk, stage, next-tactic forecast, and reviewer signals share the same foundation, the same deployment, and the same audit trail. Adding a new SOC signal (next-technique, persistence risk, or a custom analyst label) is a new head, not a new model.

64 events × 15 fields → Cyber telemetry encoder → Frozen LFM2.5-350M + LoRA → 10 SOC heads
Ten SOC signals (verdict, risk, stage, next-tactic, identity, lateral movement, exfil, response, next-event, benign-admin) from one read of the 64-event window, in roughly ten milliseconds warm on H100.

SOC Scenario

Select an anchor to run the ten-head SOC inference.

This demo is fine-tuned on sample data. Results improve with your data.