And what does it tell us about Cybersecurity?

As the founding CEO of StackStorm and now DeepTempo, I’ve seen how the needs of CISOs and SOCs have changed over the last 10+ years.

New challenges and a better color scheme!

When we started StackStorm, the cybersecurity landscape was different. Our power users rarely asked for more alerts — rather, they just wanted context and to handle the alerts they received in a better manner. Signatures, rules, and predefined playbooks formed the cornerstone of defense.

Incidentally — a little bit about StackStorm. Think of it as a SOAR that is more broadly applicable than only security. In fact, an analyst recently called it one of the top 5 open source SOARs:

https://research.aimultiple.com/open-source-soar/

We called what we did event-driven automation. We sold StackStorm back in 2017 — our seed investor wanted a quick win — and the project lives on as a Linux Foundation project. It is used in security by many more advanced shops, including many managed security providers, sometimes just for the ChatOps support and other times for its ability to stitch together an enormous number of systems with rules and workflows before sending alerts downstream to Splunk. StackStorm is Python under the hood and saves enormous time even vs. vibe coding your way to system control and integrations.

Fast-forward to today, and the threat landscape has dramatically evolved. CISOs bellowing “don’t give me any more indicators” sound a bit less credible now that their systems cannot see or isolate common attacks. Signatures and traditional rule-based detections simply aren’t keeping up. According to CrowdStrike’s recent Threat Report, over 80% of today’s attacks bypass traditional signature-based systems, exploiting the gaps in rules and static detections. Novel attacks, including zero-days and advanced persistent threats (APTs), have soared. The National Vulnerability Database reported a record-setting 26,448 new Common Vulnerabilities and Exposures (CVEs) in 2022 alone, up sharply from approximately 12,000 when StackStorm was sold in 2017.

Living-off-the-Land (LotL) attacks have become common, using legitimate system tools to remain undetected by traditional methods. Symantec reports a staggering 150% increase in LotL techniques since 2019. Attackers are also leveraging Large Language Models (LLMs) to dynamically alter malware, craft sophisticated phishing campaigns, and evade legacy detection methods, further eroding the efficacy of static signatures.

According to the annual State of Cybersecurity survey by Scale Venture Partners, the #1 concern among buyers as of April 2025 is — you guessed it — AI-enabled attacks.

Customers are vulnerable, and they know it.

Despite these alarming shifts, many investors and a few users are chasing SOC-focused “AI” agentic solutions — essentially smarter but integration-limited variants of StackStorm’s approach. While AI-powered SOCs promise smarter correlation, they’re still reactive, focusing largely on known threats and requiring extensive configuration and training tailored to each environment. And the next time you hear a CISO bellowing about “we don’t need more indicators,” remind them that you cannot correlate, or automate, what you cannot see.

Machine Learning has earned a reputation as complex and unwieldy, often needing significant retraining for every new environment, resulting in high false positives and operational fatigue.

When I decided to again address security use cases, I started, as many founders would, by trying to deeply understand the real pain of security teams. What we want in cybersecurity isn’t actually better handling of alerts — it is to be safe.

By designing and pretraining a foundation Log Language Model (LogLM) — a deep learning model pretrained on vast quantities of flow logs — we can detect anomalies indicative of all sorts of attacks, including novel and stealthy attacks. This approach doesn’t just amplify traditional detection or address some of the drudgery of working in a SOC — it transforms it by much more accurately seeing attacks while providing the SOC with useful context. Because our LogLM is a foundation model, it requires little to no fine-tuning. Recently, we had an experience with a large public network provider where our LogLM was at 94% accuracy before fine-tuning and achieved 99% accuracy after 45 minutes of fine-tuning. Traditional ML would have required a number of bespoke models for that same customer, taking months to retrain and combine.

The rapid adaptability of the LogLM also allows it to be improved via our patent-pending active learning. This system catches changes in the distribution of the underlying data and allows for micro adjustments.

I would welcome your feedback. Having already helped to address event handling by building a top open source SOAR 10 years ago — this time around I decided to radically improve the accuracy and ease of use of systems to actually see what is happening. What am I missing? Do you agree that we actually need more indicators now, as long as they are the right ones, with low false positives, are adaptable, and can see the vast majority of today’s ever-evolving attacks?


From StackStorm to DeepTempo was originally published in DeepTempo on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Evan Powell on Medium authored by Evan Powell. Read the original post at: https://medium.com/deeptempo/from-stackstorm-to-deeptempo-f93251e379a5?source=rss-36584a5b84a——2
