Huntress Acquires Inside Agent: A New Era for Identity ProtectionFree Trial
Menu
InvestorsCareersBlogAboutAcademySupportContact
LoginSign up
AI DECISION LAYER · LLM-DRIVEN SECURITY REASONING · AUTONOMOUS ANALYSIS

Security decisions atmachine speed.Powered by AI reasoning.

Spakto's AI Decision Layer applies large language model reasoning to live attack graph data — autonomously analyzing attacker intent, predicting next steps, and prioritizing response actions with explainable, auditable logic.

See AI Reasoning DemoHow It Works
AI Decision Layer · Active

Not pattern matching.
Contextual reasoning.

Traditional ML flags anomalies. Spakto's AI layer understands attacker intent — reasoning about why an attacker is doing something, predicting what comes next, and recommending what to do about it. Every decision is explainable, auditable, and human-overridable.

Autonomous threat prioritization based on real attacker context
Explainable decisions with full evidence chain and reasoning trace
Attacker intent inference from behavioral signals across the attack graph
Next-step prediction using adversarial reasoning models
Natural language security findings for any audience (technical to board)
Continuous learning feedback loop from analyst actions
AI · LIVE DECISION OUTPUT
■ FINDING: FND-2024-00847
Timestamp: 2024-11-20T14:32:15Z
▸ Evidence Chain
·EDR: svchost.exe injection · WORKSTATION-14
·IAM: AssumeRole prod-admin from new IP
·CLOUD: S3:GetObject on prd-secrets bucket
·NET: SMB recon across 12 internal hosts
▸ Confidence Score
94%
▸ Reasoning Trace
1. EDR injection + IAM reuse = lateral movement
2. AssumeRole prod-admin = privilege escalation
3. S3 access + prd-secrets = data exfiltration
→ Next step: credential harvest or persistence
[Override][Accept][Full Trace]
<2s
AI Analysis Latency
100%
Decisions Explainable
80%
Tier-1 Triage Automated
Continuous
Reasoning Loop
Autonomous Reasoning Loop · Continuous

The AI
Reasoning Loop

Five stages run continuously — the AI observes the live attack graph, reasons about what it means, predicts what comes next, prioritizes response, and learns from analyst feedback. The loop never stops.

ADL · REASONING ENGINE · LOOP CYCLE 847,221 · ACTIVE
REASONINGENGINEOBSERVE01Live graph eventsREASON02LLM context analysisPREDICT03Next-step forecastPRIORITIZE04Risk rankingLEARN05Feedback integration
01OBSERVE

Graph Event Observation

  • Live attack graph signal ingestion
  • New node and edge detection
  • Behavioral baseline comparison
  • Anomaly flagging for AI analysis
02REASON

LLM Contextual Analysis

  • Security domain knowledge injection
  • Cross-signal context assembly
  • Attacker intent inference
  • MITRE ATT&CK technique mapping
03PREDICT

Next-Step Forecasting

  • Kill chain progression modeling
  • Likely-path probability scoring
  • Crown jewel exposure forecast
  • Attacker goal hypothesis generation
04PRIORITIZE

Risk-Based Ranking

  • Business impact weighting
  • Asset criticality scoring
  • Time-to-breach estimation
  • Response urgency classification
05LEARN

Feedback Integration

  • Analyst accept/override signals
  • False positive rate reduction
  • Environment-specific tuning
  • Model accuracy improvement loop
AI Reasoning vs ML Detection

Why LLM reasoning
outperforms ML detection

Traditional ML matches patterns. LLM-based AI reasons about attacker intent, behavior, and context — catching what pattern-matching systems can never see.

Dimension
Rules-based
Traditional ML
Spakto AI Layer ★
Detection method
Signature matching
Pattern anomaly
Contextual reasoning + intent
Novel attack coverage
Zero
Partial
Full (reasoning generalizes)
Decision explanation
Rule reference
Black-box score
Full evidence chain + trace
False positive rate
Very high
High
Low (context-aware)
Cross-domain visibility
None
Single-source
Full graph correlation
Attacker intent
No
No
Yes — inferred with confidence
Adapts to environment
Manual updates
Retraining required
Continuous feedback loop
Response guidance
Alert only
Alert + severity
Full playbook + next-step
94%
Detection accuracy on novel attacks
12×
Fewer false positives vs rule-based
<2s
Decision latency per threat
AI Capabilities · What Gets Decided

What the AI
decides for you

Four core AI capabilities run continuously across the live attack graph — each returning structured, explainable, auditable output that feeds directly into analyst workflow.

THREAT PRIORITIZATION

Ranks by attacker progression, not severity

Traditional scoring ranks by CVSS. Spakto AI ranks by how far along the kill chain the attacker already is, what assets are at risk, and how quickly they can reach crown jewels.

#1 CRITICALActive lateral movement → DC-0197%
#2 HIGHPrivilege escalation → prod-admin91%
#3 MEDIUMReconnaissance on backup systems82%
PATH PREDICTION

Forecasts next attacker steps before execution

Using adversarial reasoning models trained on thousands of attack chains, the AI predicts likely next moves with confidence scores — giving responders minutes of advance warning.

HIGH (89%)Next: Credential harvest on DC-01T1003
MED (71%)Next: Persistence via scheduled taskT1053
MED (64%)Next: Data staged for exfiltrationT1074
PLAYBOOK GENERATION

Creates step-by-step response with full context

Every high-confidence finding triggers automatic playbook generation — specific containment steps, network isolation commands, IAM revocation steps — ready for analyst review.

STEP 1Isolate WORKSTATION-14 from networkAuto
STEP 2Revoke svc-deploy IAM session tokensAuto
STEP 3Rotate prod-admin-role credentialsReview
EXECUTIVE NARRATIVE

Translates findings into board-ready language

One click converts the full technical attack chain into a plain-language board report — risk impact, business exposure, and recommended actions in C-suite language.

IMPACTActive threat to production environmentCRITICAL
EXPOSURECustomer data at elevated riskHIGH
ACTIONContainment underway, ETA 12 minutesAUTO
Explainable AI · Full Decision Trace

Every decision.
Fully explained.

Black-box AI in security is unacceptable. Every Spakto decision comes with a complete evidence chain, confidence score, step-by-step reasoning trace, and human override capability.

ADL · DECISION TRACE · FND-2024-00847 · LATERAL MOVEMENTCRITICAL · 94% CONFIDENCE
01 / EVIDENCE CHAIN
4 sources · 7 signals
EDRsvchost.exe process injection on WORKSTATION-14T1055
EDRMimikatz hash dump attempt — LSASS memory accessT1003
IAMsvc-deploy auth from new IP 185.220.101.xT1078
IAMAssumeRole prod-admin-role in AWST1078.004
CLOUDS3:GetObject on prd-secrets bucket (347 objects)T1530
NETSMB probe across 12 internal hostsT1021.002
CLOUDCloudTrail logging disabled in us-east-1T1562.008
02 / CONFIDENCE SCORE
94%High confidence — 7 corroborating signals from 4 sources
03 / REASONING TRACE
1. svchost injection + LSASS access = credential harvesting underway (T1003)
2. Successful AssumeRole on prod-admin = privilege escalation confirmed (T1078.004)
3. S3 access on prd-secrets = active data access on sensitive store (T1530)
4. CloudTrail disabled = attacker knows environment, covering tracks (T1562.008)
5. SMB recon on 12 hosts = lateral movement still in progress
→ Classification: Active multi-stage attack, lateral movement + exfil underway
→ Next predicted step: Credential persistence or ransomware staging
Evidence Chain7 signals · 4 sources · 100% traceable

Every signal used in the decision — timestamped, sourced, and mapped to MITRE ATT&CK. No black-box inputs.

Confidence Score94% · corroborated by 4+ sources

0-100% score with full explanation of contributing factors, alternative hypotheses, and uncertainty sources.

Reasoning Trace7 reasoning steps · fully auditable

Step-by-step logic the AI applied — each inference explicit, reviewable, and auditable for compliance.

Human OverrideOverride · Accept · Escalate · Feedback

One-click override on any AI decision. Overrides feed the learning loop — the AI improves from corrections.

Use Cases · Security Team Transformation

Transform your security
team's impact

From overwhelmed SOC teams drowning in alerts to IR teams racing to reconstruct attacks — the AI Decision Layer transforms every security function.

Overwhelmed SOC
80%
of tier-1 triage automated

Stop manually triaging thousands of daily alerts. The AI handles tier-1 triage, correlates signals into attack chains, and surfaces only what needs human attention — with full context and suggested response.

Before: 10,000 alerts/day, 4 analysts, 14h response time
After: 3-5 attack chains/day, AI context, <2h response
  • Automated tier-1 triage
  • Pre-analyzed attack chains
  • AI-suggested playbooks
  • Analyst focus on complex work
CISO Board Reporting
1-Click
board-ready risk narrative

AI generates plain-language risk narratives from technical attack graph findings — business impact, executive summary, and recommended actions — without manual translation by senior analysts.

Before: 4h analyst time to write executive summaries
After: AI narrative in 8 seconds, analyst-reviewed
  • Automatic executive translation
  • Business impact framing
  • Risk severity in C-suite language
  • Full technical appendix available
Incident Response
faster mean time to respond

AI predicts lateral movement paths before they complete, provides step-by-step response playbooks with full context, and gives responders a complete correlated timeline from the moment a case is opened.

Before: 48h to reconstruct attack timeline manually
After: Complete correlated timeline in minutes
  • Predictive lateral movement alerts
  • Automated response playbooks
  • Full correlated IR timeline
  • Patient-zero identification
AI Inference Engine · Architecture

The inference
engine architecture

A 4-layer inference stack processes live attack graph data through context assembly, LLM reasoning, and structured decision output — all within your deployment boundary, no external API calls.

ADL · INFERENCE ENGINE · STACK ARCHITECTURE · v2.4.1
LAYER 4: DECISION OUTPUTStructured findings · Playbooks · NarrativesJSON/NL · Human review · Override APILAYER 3: LLM INFERENCE CORESecurity-tuned LLM · Context window · ReasoningOn-prem · VPC-isolated · No external APILAYER 2: CONTEXT ASSEMBLYSignal enrichment · MITRE mapping · Graph joinAttack graph · Asset criticality · HistoryLAYER 1: SIGNAL INPUTAttack graph events · Normalized telemetryEDR · IAM · Cloud · Network · SIEM
L4Decision Output
  • JSON-structured findings with confidence
  • Natural language narratives for any audience
  • Step-by-step response playbooks
  • Human review queue with override support
  • Compliance-ready audit trail
L3LLM Inference Core
  • Security-domain fine-tuned LLM
  • Full context window over attack graph
  • On-premises or VPC-isolated inference
  • No raw telemetry to external APIs
  • <2 second end-to-end latency
L2Context Assembly
  • Correlated attack graph as structured input
  • MITRE ATT&CK enrichment injection
  • Asset criticality and exposure context
  • Historical attacker pattern retrieval
  • Dynamic context window optimization
L1Signal Input
  • Live attack graph event stream
  • 50+ source normalized telemetry
  • Real-time entity resolution output
  • Cross-domain correlation results
  • Streaming ingestion, zero batch
Threat Prediction · MITRE ATT&CK Matrix

Predict the attacker's
next move before it happens

For each active attack technique, the AI predicts the most likely next MITRE ATT&CK technique — giving your team advance warning before the attacker reaches the next stage.

ADL · THREAT PREDICTION · ACTIVE ATTACK · ATTACK-2024-0847 · UPDATING LIVE● LIVE
Current Technique
Detected Signal
Predicted Next
Confidence
Time Window
T1055 · Process Inject
svchost injection · WORKSTATION-14
T1003 · Credential Dump
94%
< 8 min
T1078 · Valid Accounts
svc-deploy auth from 185.220.x.x
T1021 · Remote Services
87%
< 15 min
T1078.004 · Cloud Acct
prod-admin AssumeRole success
T1530 · Data from Cloud
89%
< 5 min
T1021.002 · SMB/ADMIN
SMB probe to 12 internal hosts
T1047 · WMI Execution
76%
< 20 min
T1562.008 · Disable Log
CloudTrail disable us-east-1
T1074 · Data Staged
82%
< 12 min
87%
Next-technique prediction accuracy
4.2 min
Average advance warning time
94%
Kill-chain stage forecast accuracy
12 min
Mean time saved per incident

AI Decision Layer FAQs

Frequently asked
questions.

Still have questions?
Our security engineers answer within one business day.
Ask a question