On Ground Labs

SUTRAM

Who's reading yesterday's logs?

The Problem

A credential gets misused at 2:14 PM. A DNS query hits a suspicious domain at 2:12 PM from the same host. A new service account appears on a different machine at 2:18 PM. Three log sources, three entries that look harmless on their own. Together, they're the opening moves of a lateral movement chain. Nobody notices.

Every organization with a network generates millions of log lines a day: firewall logs, authentication logs, DNS queries, endpoint telemetry. Between them, those logs hold the evidence of most attacks that touch the network, for as long as they are retained. Real-time systems -- SIEMs, NDR, XDR -- apply pre-built rules to catch known patterns as they happen. They're good at what they're told to look for. But the hardest attacks are the ones no rule anticipated.

The people who are supposed to catch what the rules miss are overwhelmed. Post-incident reviews repeatedly find that alerts were generated but never acted on -- the signal was there, and nobody had time to look. SOC analysts are drowning in false positives, burning out, and leaving the profession. The gap between what automated rules can detect and what a skilled human investigator can discover keeps widening, and nobody is filling it.

There is no practical "morning audit" -- no systematic, after-the-fact review of what happened across all log sources yesterday. The logs sit there. The evidence decays. The attackers who evade pre-built rules get months of free movement.

What We're Exploring

Current security tools detect what they're programmed to detect. We're investigating whether an AI system can do what an experienced analyst does -- review yesterday's logs, form its own theories about what happened, test those theories against the evidence, and surface attack chains that no pre-built rule anticipated.

The picture we're working toward: every morning, an automated investigator has already reviewed the previous day's activity across all log sources. It has correlated events across firewalls, authentication systems, DNS, and endpoint telemetry. It surfaces a short report: here are the suspicious chains we found, here is the evidence for each one, here is why we think they matter. An analyst opens their day with findings, not a queue of ten thousand alerts to triage.

This is retrospective by design. Not another real-time alerting system competing for attention in an already overwhelmed SOC. A daily, systematic review of what already happened -- the audit that nobody has time to do manually.

Getting there raises questions we find genuinely hard:

  • Open-ended investigation. Pre-built rules check for known patterns. How does an automated system decide what to look for when it hasn't been told what to find? How does it follow a thread from a suspicious event to a full attack narrative without someone defining the investigation steps in advance?
  • Cross-source reasoning. The most dangerous attacks are invisible in any single log source. Only correlating across firewalls, authentication, DNS, and endpoints reveals the chain. How does an automated investigator connect evidence across systems that were never designed to talk to each other?
  • Evaluation without ground truth. In real environments, you often don't know what attacks occurred. How do you measure whether an investigator found something real versus generated a plausible-sounding false narrative?

We're evaluating against public benchmark datasets that contain labeled multi-day attack scenarios -- brute force, infiltration, botnet, lateral movement -- where the ground truth is known. The test is whether the system can discover these attack chains from daily log data without being told what to look for.
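To make the cross-source question concrete, here is a minimal retrospective correlator in Python. It is an added illustration, not SUTRAM's code. It replays the 2:12 / 2:14 / 2:18 PM scenario from the top of the page over three constructed log sources (DNS, authentication, endpoint), tags each event with weak signals that are unremarkable on their own, links signalled events transitively by shared host or user inside a ten-minute window, and reports only chains that span more than one source. It then scores the findings against a constructed labelled attack, the way a benchmark with known ground truth would. The log lines, field names, signal rules, window size and the `KNOWN_DOMAINS` baseline are all assumptions made for the example.

```python
"""Retrospective cross-source correlation over one day's logs, plus scoring.

Added example, not SUTRAM's code. All logs, field names, signal rules and
thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs (not real telemetry). The 14:12 / 14:14 / 14:18
# entries mirror the scenario in the text; the rest are benign background.
RAW_LOGS = {
    "dns": [
        "2024-05-06T09:01:10Z host=ws-101 qname=updates.example.com",
        "2024-05-06T14:12:07Z host=ws-101 qname=cdn-status-check.xyz",
        "2024-05-06T15:40:00Z host=ws-207 qname=telemetry.vendor-example.net",
    ],
    "auth": [
        "2024-05-06T09:03:11Z host=ws-101 user=alice event=logon src=10.0.1.15 logon_type=interactive",
        "2024-05-06T14:14:02Z host=ws-101 user=svc-backup event=logon src=10.0.1.15 logon_type=interactive",
        "2024-05-06T14:18:31Z host=srv-db02 user=svc-backup event=account_created target=svc-sync",
        "2024-05-06T16:02:45Z host=srv-db02 user=bob event=logon src=10.0.1.22 logon_type=interactive",
    ],
    "endpoint": [
        "2024-05-06T14:16:50Z host=srv-db02 user=svc-backup event=process image=psexesvc.exe parent=services.exe",
        "2024-05-06T16:05:00Z host=srv-db02 user=bob event=process image=sqlcmd.exe parent=cmd.exe",
    ],
}

# Baseline an analyst would derive from history; hard-coded here (assumption).
KNOWN_DOMAINS = {"updates.example.com"}
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    id: str
    ts: datetime
    source: str
    fields: dict
    signals: list = field(default_factory=list)

    @property
    def entities(self):
        # Entities on which two events from different sources can be linked.
        ents = {("host", self.fields.get("host")), ("user", self.fields.get("user"))}
        return {e for e in ents if e[1] is not None}


def parse(source, idx, line):
    """Parse '<iso-ts> k=v k=v ...' into an Event (constructed line format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(f"{source}:{idx}", datetime.fromisoformat(ts.replace("Z", "+00:00")), source, fields)


def tag_weak_signals(ev):
    """Each signal alone is routine noise; only their co-occurrence matters."""
    f = ev.fields
    if ev.source == "dns" and f["qname"] not in KNOWN_DOMAINS:
        ev.signals.append("first-seen-domain")
    if ev.source == "auth" and f.get("event") == "logon" \
            and f["user"].startswith("svc-") and f.get("logon_type") == "interactive":
        ev.signals.append("service-account-interactive-logon")
    if ev.source == "auth" and f.get("event") == "account_created":
        ev.signals.append("new-account")
    if ev.source == "endpoint" and re.match(r"psexe", f.get("image", "")):
        ev.signals.append("remote-exec-tool")
    return ev


def load_events(raw):
    events = [tag_weak_signals(parse(src, i, ln))
              for src, lines in raw.items() for i, ln in enumerate(lines)]
    return sorted(events, key=lambda e: e.ts)


def find_chains(events, window=WINDOW):
    """Link signalled events transitively by shared host/user, each within
    `window` of the chain's latest event. Keep chains spanning >= 2 sources."""
    chains, used = [], set()
    flagged = [e for e in events if e.signals]
    for seed in flagged:
        if seed.id in used:
            continue
        chain = [seed]
        for ev in flagged:
            if ev.id in used or ev is seed or ev.ts < seed.ts:
                continue
            if ev.ts - chain[-1].ts <= window and any(ev.entities & c.entities for c in chain):
                chain.append(ev)
        if len({e.source for e in chain}) >= 2:
            used.update(e.id for e in chain)
            chains.append(chain)
    return chains


def report(chain):
    """The morning-report view of one chain: what, where, and the evidence."""
    return {
        "events": [e.id for e in chain],
        "sources": sorted({e.source for e in chain}),
        "hosts": sorted({e.fields["host"] for e in chain}),
        "signals": [s for e in chain for s in e.signals],
        "span_minutes": round((chain[-1].ts - chain[0].ts).total_seconds() / 60, 1),
    }


# Constructed ground truth, as a labelled benchmark would supply it.
LABELLED_ATTACKS = [{"dns:1", "auth:1", "endpoint:0", "auth:2"}]


def score(chains, labelled, min_overlap=2):
    """Chain-level precision/recall: a found chain is a hit if it shares
    >= min_overlap events with some labelled attack chain."""
    found = [{e.id for e in c} for c in chains]
    tp = sum(any(len(f & l) >= min_overlap for l in labelled) for f in found)
    hit = sum(any(len(f & l) >= min_overlap for f in found) for l in labelled)
    return (tp / len(found) if found else 0.0, hit / len(labelled) if labelled else 0.0)


if __name__ == "__main__":
    chains = find_chains(load_events(RAW_LOGS))
    for c in chains:
        print(report(c))
    print("precision/recall:", score(chains, LABELLED_ATTACKS))
```

Run as written, it surfaces a single chain: the first-seen DNS lookup from ws-101, the interactive service-account logon on the same host two minutes later, the remote-execution service appearing on srv-db02 under that account, and the new account created there. The lone unknown-domain lookup from ws-207 at 15:40 carries the same weak signal but never links to anything, so it is not reported; that suppression is what separates a morning report of a few chains from a queue of thousands of single-event alerts. The chain-level scoring is deliberately coarse: partial overlap with a labelled attack counts, because the question a benchmark answers is whether the investigator found the incident at all, not whether it reproduced every labelled event.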

Status

Active Research