Unleashing the Power of Multiple AI Layers for Detecting Unknown Cybersecurity Threats


This blog is authored by Amir Shachar, Chief Data Scientist at Skyhawk Security.

If you are reading this blog, you are probably wondering how to detect unknown unknowns in the realm of cybersecurity. The very nature of these unknown threats makes them difficult to detect using conventional security measures. However, by leveraging a platform that harnesses the power of machine learning to decipher behavioral intent, we can uncover these elusive threats. In this blog, we will explore the concept of unknown unknowns in cybersecurity, discuss the importance of identifying behavioral intent, and introduce the Skyhawk Synthesis Security Platform—a cutting-edge solution that employs multiple layers of machine learning to detect both known and unknown attack patterns. 

What is an unknown unknown? 

To grasp the concept of unknown unknowns, we must first define them. In the context of security, unknown unknowns refer to attack patterns that are unfamiliar to security researchers while it used in the wild (also referred to as zero-day attacks). They are activities that are not yet considered to be suspicious or malicious. Many existing tools focus on known attack patterns, but what about those that are yet to be discovered? This is where the concept of unknown unknowns becomes crucial. 

Skyhawk Synthesis Detects the Unknown Unknowns 

 The Skyhawk Synthesis Security Platform stands out by utilizing three layers of machine learning to identify threats, ensuring that no threat actors can infiltrate your cloud infrastructure undetected or misuse your valuable assets. Let’s explore these layers in detail:

1. Malicious Behavior Indicators (MBIs):

MBIs are activities that Skyhawk has identified as suspicious behaviors. This is done by tailored behavioral modeling of each object and environment detecting deviation from the normal behavioral in relation to the object and the object groups. The art underneath is which behaviors are monitored and the richness of the model parameters.

2. Attack Sequence Assembly:

Leveraging AI and machine learning, the platform correlates MBIs to form an event sequence, providing a comprehensive view of the incidents. This analysis allows the security team to understand the context and easily perform the initial incident triage in order to resolve the alert efficiently. The platform utilizes advanced machine learning models to accurately identify the intent behind the observed sequence of events. It is also determining severity of the incident factoring in additional context such as the potential business impact and access to sensitive data enabling a comprehensive assessment of the threat’s severity. 

3. Early Detection with ChatGPT:

Integration with large language models such as ChatGPT enhances Skyhawk Security’s capability to identify malicious actors 78% faster. ChatGPT acts as 1000 Virtual Incident Responders (VIR), evaluating the attack sequence and increasing confidence in determining malicious intent earlier in the sequence. 

The result of these three layers of machine learning and AI working together is the ability to detect unknown attack patterns without the need for a closed set of predefined polices.  

Unknown unknown is something like a connection or steps that the attacker takes that do not seem like an attack; we didn’t see enough activities for it to seem suspicious or malicious; we want to be able to detect the malicious behavior before it happens – that is why it is called an unknown unknown; find connections in the data that are not straightforward for the experts, but AI expert (not a human) or machine can detect it 

How does that differ from other detection tools using AI? 

Most AI-based tools focus solely on the first layer, detecting MBIs. However, without considering context and the past sequence of events, these tools often generate an overwhelming number of alerts due to frequent anomalies in cloud environments. This flood of alerts burdens security teams and delays effective response, making them primarily useful for forensics after weeks of malicious activity. 

The more sophisticated tools rely on predefined sets of combinations deemed indicative of malicious intent. Consequently, they suffer from a limited scope, detecting only a predefined and narrow range of attack patterns. 

In contrast, Skyhawk Synthesis goes beyond these limitations by analyzing attack sequences and detecting a broad spectrum of attack patterns, without relying on a closed set of predefined policies. 

Example of Unknown Unknowns 

In this image, we see an example of an unknown unknown. Machine learning models look for behaviors and correlate those behaviors. If the alignment of those behaviors shows malicious intent in the cloud, then it is determined to be a threat. Skyhawk Synthesis does not look for specific patterns to identify threats, it aligns many actions and behaviors to find the threats. The first layer of AI is indicated at the atomic indicator, and the second layer combines the activities into a comprehensive attack story. With visibility into the entire story, we are able to assess the intent and alert on the sequence to prevent the breach. 


In the ever-evolving landscape of cybersecurity, detecting unknown threats is a paramount challenge. By leveraging the power of multiple AI layers, such as behavioral modeling, attack sequence analysis, intent determination, and early detection through ChatGPT integration, the Skyhawk Synthesis Security Platform offers a comprehensive solution. With the ability to detect both known and unknown attack patterns, it empowers organizations to stay one step ahead of threat actors and safeguard their valuable assets. 


Continuous evolving clouds with continuously evolving threats need continuous threat exposure management (CTEM). This programmatic approach to managing threat exposures can help organizations dramatically reduce breaches. Many organizations are well on their way. According to a Gartner Peer Insights survey,

Cloud SecurityAIData BreachThreat Detection

Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience. The SEC Cybersecurity Rule is designed to provide transparency so investors can make information decisions. The rule effectively imposes two requirements on

Cloud SecurityAIData BreachThreat Detection

Security teams are quickly realizing the benefits of Generative AI and are incorporating this technology into their security products for earlier detection of risks in the environment. AI can help security teams better recognize and resolve threats and exposures in

Cloud SecurityAIData BreachThreat Detection

Can you believe that re: Invent ended only 10 days ago! Skyhawk had a great event – great conversations, a great product launch and lots of coverage. So, what did we learn? Purple team is “the perfect use case for

Cloud Security

This blog is authored by Amir Shachar, Chief Data Scientist at Skyhawk Security. If you are reading this blog, you are probably wondering how to detect unknown unknowns in the realm of cybersecurity. The very nature of these unknown threats

AIThreat Detection

Walking around cyber security trade shows, you can’t help but notice how standard pen tester booths are. Pen testers, or penetration testers, simulate an unauthorized attack where they purposely try to infiltrate your network or cloud to uncover security gaps.

Cloud Security

Thanks For Reaching Out!

One of our expert will get back to you
promptly at asafshachar@gmail.com

Fill out the form and we'll schedule your demo
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.