Unleashing the Power of Multiple AI Layers for Detecting Unknown Cybersecurity Threats


This blog is authored by Amir Shachar, Chief Data Scientist at Skyhawk Security.

If you are reading this blog, you are probably wondering how to detect unknown unknowns in the realm of cybersecurity. The very nature of these unknown threats makes them difficult to detect using conventional security measures. However, by leveraging a platform that harnesses the power of machine learning to decipher behavioral intent, we can uncover these elusive threats. In this blog, we will explore the concept of unknown unknowns in cybersecurity, discuss the importance of identifying behavioral intent, and introduce the Skyhawk Synthesis Security Platform—a cutting-edge solution that employs multiple layers of machine learning to detect both known and unknown attack patterns. 

What is an unknown unknown? 

To grasp the concept of unknown unknowns, we must first define them. In the context of security, unknown unknowns refer to attack patterns that are unfamiliar to security researchers while it used in the wild (also referred to as zero-day attacks). They are activities that are not yet considered to be suspicious or malicious. Many existing tools focus on known attack patterns, but what about those that are yet to be discovered? This is where the concept of unknown unknowns becomes crucial. 

Skyhawk Synthesis Detects the Unknown Unknowns 

 The Skyhawk Synthesis Security Platform stands out by utilizing three layers of machine learning to identify threats, ensuring that no threat actors can infiltrate your cloud infrastructure undetected or misuse your valuable assets. Let’s explore these layers in detail:

1. Malicious Behavior Indicators (MBIs):

MBIs are activities that Skyhawk has identified as suspicious behaviors. This is done by tailored behavioral modeling of each object and environment detecting deviation from the normal behavioral in relation to the object and the object groups. The art underneath is which behaviors are monitored and the richness of the model parameters.

2. Attack Sequence Assembly:

Leveraging AI and machine learning, the platform correlates MBIs to form an event sequence, providing a comprehensive view of the incidents. This analysis allows the security team to understand the context and easily perform the initial incident triage in order to resolve the alert efficiently. The platform utilizes advanced machine learning models to accurately identify the intent behind the observed sequence of events. It is also determining severity of the incident factoring in additional context such as the potential business impact and access to sensitive data enabling a comprehensive assessment of the threat’s severity. 

3. Early Detection with ChatGPT:

Integration with large language models such as ChatGPT enhances Skyhawk Security’s capability to identify malicious actors 78% faster. ChatGPT acts as 1000 Virtual Incident Responders (VIR), evaluating the attack sequence and increasing confidence in determining malicious intent earlier in the sequence. 

The result of these three layers of machine learning and AI working together is the ability to detect unknown attack patterns without the need for a closed set of predefined polices.  

Unknown unknown is something like a connection or steps that the attacker takes that do not seem like an attack; we didn’t see enough activities for it to seem suspicious or malicious; we want to be able to detect the malicious behavior before it happens – that is why it is called an unknown unknown; find connections in the data that are not straightforward for the experts, but AI expert (not a human) or machine can detect it 

How does that differ from other detection tools using AI? 

Most AI-based tools focus solely on the first layer, detecting MBIs. However, without considering context and the past sequence of events, these tools often generate an overwhelming number of alerts due to frequent anomalies in cloud environments. This flood of alerts burdens security teams and delays effective response, making them primarily useful for forensics after weeks of malicious activity. 

The more sophisticated tools rely on predefined sets of combinations deemed indicative of malicious intent. Consequently, they suffer from a limited scope, detecting only a predefined and narrow range of attack patterns. 

In contrast, Skyhawk Synthesis goes beyond these limitations by analyzing attack sequences and detecting a broad spectrum of attack patterns, without relying on a closed set of predefined policies. 

Example of Unknown Unknowns 

In this image, we see an example of an unknown unknown. Machine learning models look for behaviors and correlate those behaviors. If the alignment of those behaviors shows malicious intent in the cloud, then it is determined to be a threat. Skyhawk Synthesis does not look for specific patterns to identify threats, it aligns many actions and behaviors to find the threats. The first layer of AI is indicated at the atomic indicator, and the second layer combines the activities into a comprehensive attack story. With visibility into the entire story, we are able to assess the intent and alert on the sequence to prevent the breach. 


In the ever-evolving landscape of cybersecurity, detecting unknown threats is a paramount challenge. By leveraging the power of multiple AI layers, such as behavioral modeling, attack sequence analysis, intent determination, and early detection through ChatGPT integration, the Skyhawk Synthesis Security Platform offers a comprehensive solution. With the ability to detect both known and unknown attack patterns, it empowers organizations to stay one step ahead of threat actors and safeguard their valuable assets. 


The EU Network and Information Security (NIS) Directive will be update to a newer version, NIS2 on 17 October 2024.  NIS1 was signed exactly 8 years ago, on July 2016 with the aim of achieving “a high common level of security

Cloud SecurityCloud BreachData BreachDDoS

At the RSA conference there was a CISO panel, talking about the perils of becoming a CISO. Joe Sullivan, the CISO of Uber who just avoided jail time but did have to pay a $50,000 fine has noticed a real

ManagementAICloud BreachCloud SecurityData BreachThreat Detection

Euro 2024 viewership has been strong throughout the event and millions of visitors and viewers of the games themselves are also expected. Berlin alone is expected to host 2.5 million tourists during the month of the games. Such a large

Cloud SecurityAICloud BreachData BreachThreat Detection

According to Gartner, 75% of organizations have a Continuous Threat Exposure Management program in place or are evaluating it. Why are so many organizations embracing this approach? In our opinion, it is the embracing of continuous feedback. As Skyhawk focuses

Cloud SecurityAICloud BreachData BreachThreat Detection

One of the reasons security teams are not successful is they are always looking back, looking back at the breach or the exposure or the alert. They are not able to look forward to prevent the breach, exposure, or alert

Cloud SecurityAICloud BreachData BreachData ScienceThreat Detection

At Skyhawk, we have always known that CSPM, and even the next-gen of CSPM known as CNAPP, is not enough.  In fact, by 2026, 50% of the attack surface will not be patchable, meaning CSPM/CNAPP solutions will not be effective.

Cloud SecurityAICloud BreachData BreachData ScienceThreat Detection

Thanks For Reaching Out!

One of our expert will get back to you
promptly at asafshachar@gmail.com

See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.