The Science Behind our Security – Part 2: The Models


This post about models in cybersecurity was written by Jennifer Gill, VP Product Marketing at Skyhawk.

In our first blog on the “Science Behind our Security”, we talked about the three pillars: Models, MBIs, and the Attack Sequence. In this blog, we will focus on the machine learning models. These models are a true differentiator for Skyhawk Security. I know, everyone says this, but in this blog, we will back it up.

Skyhawk Security has an amazing data science team – if you have watched our webinars or videos, you know I have raved about them. This team has taken machine learning models to the next level. Our solution has three levels of machine learning models to contextualize activities, events, and behaviors so that when your security team is alerted – you know it is an alert worth your while. This extensive analysis also means that you will not be overwhelmed with false positives and researching “alerts” that are a complete waste of the security team’s time.

Machine Learning Models Across the Cloud, for the Cloud, and in the Cloud

It is difficult for security teams to determine if a behavior, activity, or event is malicious or a threat, or just a one-off behavior. The data science team builds machine learning models at several layers within the environment, so you are only responding to actual threats:

  1. Skyhawk Security Cloud. This is an aggregate view of risk across all our customers’ clouds, for roles and assets within the cloud. The models at this level provide a very wide view of context and help assess the overall risk of the attack sequence. To learn more about our attack sequence, check out this blog on The Science Behind our Security.
  2. The Customer Cloud. Several models are created to detect threatening behaviors or events within each customer cloud. For example, models that are built to detect suspicious or malicious behaviors in the network.
  3. Users and Cloud Assets. Finally, the Data Science team creates models for users, roles, assets, and functions to look for suspicious network traffic or API usage.

The output from these models is correlated and contextualized. Many events are mapped into single malicious behavior indicators, which are then correlated into an attack sequence (learn more here). The models at the Skyhawk Security Cloud level assess the risk of the sequence and once a threshold has reached, they are raised to an alert. This is an unprecedented level of context that gives security teams the utmost confidence that the alerts they are responding to are realerts and require attention while eliminating false positives and preserving the productivity of the team.

Updated Daily

The data science team reviews and updates these models on a daily basis. This is extremely powerful for two important reasons:

  1. The daily updates eliminate drift ensuring the models are accurate. The models are always effective and up to date on the latest regular behaviors in the environment ensuring that the alerts that are raised in the environment are real.
  2. Daily updates mean threat actors cannot go around, outrun, or avoid Skyhawk Security models. Threat actors cannot anticipate or reverse-engineer our models because they change every day.


Skyhawk Security machine learning models are different because they are created for so many levels in the environment, to model so many different behaviors. These models are updated on a daily basis so threat actors cannot reverse-engineer these models and avoid them. The daily updates ensure threat actors cannot outrun Skyhawk Security.

Want to learn more about Skyhawk Synthesis? Check out our whitepaper on the Threats We Detect.


Continuous evolving clouds with continuously evolving threats need continuous threat exposure management (CTEM). This programmatic approach to managing threat exposures can help organizations dramatically reduce breaches. Many organizations are well on their way. According to a Gartner Peer Insights survey,

Cloud SecurityAIData BreachThreat Detection

Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience. The SEC Cybersecurity Rule is designed to provide transparency so investors can make information decisions. The rule effectively imposes two requirements on

Cloud SecurityAIData BreachThreat Detection

Security teams are quickly realizing the benefits of Generative AI and are incorporating this technology into their security products for earlier detection of risks in the environment. AI can help security teams better recognize and resolve threats and exposures in

Cloud SecurityAIData BreachThreat Detection

Can you believe that re: Invent ended only 10 days ago! Skyhawk had a great event – great conversations, a great product launch and lots of coverage. So, what did we learn? Purple team is “the perfect use case for

Cloud Security

This blog is authored by Amir Shachar, Chief Data Scientist at Skyhawk Security. If you are reading this blog, you are probably wondering how to detect unknown unknowns in the realm of cybersecurity. The very nature of these unknown threats

AIThreat Detection

Walking around cyber security trade shows, you can’t help but notice how standard pen tester booths are. Pen testers, or penetration testers, simulate an unauthorized attack where they purposely try to infiltrate your network or cloud to uncover security gaps.

Cloud Security

Thanks For Reaching Out!

One of our expert will get back to you
promptly at

Fill out the form and we'll schedule your demo
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.