The AI Arms Race Hits the SOC: Is Your Security Ready for AI Attackers?

📊 Key Data
  • 89% year-over-year increase in AI-enabled attacks
  • 82% of intrusions arrive without malware
  • False positive/negative rates below 2% in recent deployments
🎯 Expert Consensus

Experts agree that AI-driven cybersecurity defenses are now essential to combat the growing sophistication and speed of AI-powered attacks, requiring a shift from traditional signature-based detection to behavioral threat intelligence.

SAN FRANCISCO, CA – June 03, 2026 – The world of cybersecurity has long been a cat-and-mouse game, but the mouse just got a jetpack. Artificial intelligence, once a theoretical tool for adversaries, is now a force multiplier, driving an 89% year-over-year increase in AI-enabled attacks. In this new reality, where breakout times are measured in seconds and, as security firm DeepTempo notes, 82% of intrusions arrive without any malware, the old rulebooks are becoming obsolete.

In response, a new front is opening in the cyber arms race—one fought not with signatures and firewalls, but with competing AI. This week, DeepTempo, a pioneer in behavioral threat detection, launched its Intelligent Defense Platform. The move signals a critical shift in the industry, moving beyond retrofitting old systems and toward building an AI-native foundation designed to fight machine-speed attacks with machine-speed intelligence. The platform is an intelligence layer designed to make existing security infrastructure smarter, faster, and more effective against an enemy that thinks and acts in ways humans can't predict. “When 82% of intrusions arrive without malware and breakout times are measured in seconds, you need a system to decide what actions to take and to capture end-to-end performance for continuous improvement,” said Evan Powell, CEO and Founder of DeepTempo. The question for every business leader is no longer if they will face AI-powered threats, but if their defenses are intelligent enough to fight back.

The Behavioral Shift: Fighting Intent, Not Signatures

For years, security operations centers (SOCs) have relied on identifying known threats—a specific malware signature, a malicious IP address, a suspicious file hash. This approach is fundamentally reactive. In the age of AI-driven attacks, it’s also fundamentally broken. Adversaries now use AI to generate polymorphic attacks that change their signature with every execution and orchestrate complex, low-and-slow campaigns that mimic legitimate user behavior. These threats leave no traditional fingerprints.

DeepTempo’s answer is LogLM, the foundation model powering its new platform. This is not a general-purpose Large Language Model (LLM) like those used for writing emails or code, repurposed for security. It is a “vertical foundation model” purpose-built to understand what the company calls the “language of logs.” Trained on billions of log entries, LogLM learns the fundamental grammar of how systems, users, and applications are supposed to interact. By understanding the baseline of normal behavior, it can identify attacker intent even when the specific actions are novel.

This “zero-shot detection” capability is the core of the platform’s promise. It can reportedly spot a new attack variant on day zero because it recognizes the underlying malicious behavior, not just a familiar signature. In recent deployments, including one at a major telecom provider monitoring 70 million devices, the company claims LogLM has achieved false positive and false negative rates below 2%, and in some cases under 1%, without requiring the constant, costly retraining that plagues traditional anomaly detection systems. It’s a shift from looking for a needle in a haystack to building a magnet that only attracts needles.

An Amplifier, Not a Replacement

For any CISO who has overseen a multi-year, multi-million-dollar security stack implementation, the phrase “rip and replace” is a nightmare. DeepTempo appears to have understood this well. The Intelligent Defense Platform is not positioned as another monolithic solution demanding the abandonment of existing investments. Instead, it’s designed as an intelligence amplifier.

Its pluggable architecture allows it to sit on top of an organization’s existing data infrastructure, such as data lakes from Snowflake, and integrate with telemetry pipelines from partners like Cribl. It then feeds its high-fidelity, context-rich detections into the tools security teams already use, like SIEMs from Splunk or various SOAR platforms. The goal is to make every part of the existing security stack more effective.

This approach carries significant economic implications. The partnership with Cribl, for example, is designed to streamline data pipelines, filtering out low-value “noise” telemetry before it ever reaches an expensive SIEM. By only sending enriched, high-value data, DeepTempo claims it can help organizations achieve up to 45% lower SIEM costs. This is a compelling proposition in a field where data volumes—and their associated costs—are exploding. By augmenting rather than replacing, the platform allows organizations to leverage a state-of-the-art AI defense engine without starting from scratch, turning their existing security investments into a smarter, more coordinated system.

The Dual Mandate: Open Source Meets Proprietary Power

In a field often characterized by opaque “black box” solutions, DeepTempo is pursuing a fascinating dual strategy that combines proprietary power with open-source transparency. The core detection engine, LogLM, is a patented and closely guarded asset. However, the operational framework for acting on those detections is increasingly open.

In March, the company launched Vigil, the first fully open-source AI SOC platform. Governed by an Apache 2.0 license, Vigil provides a transparent, extensible framework of specialized AI agents and multi-agent workflows designed to automate incident response, threat hunting, and forensic analysis. It ships with over 7,200 detection rules and more than 30 integrations, allowing security teams to see, modify, and contribute to the logic that drives their automated defenses.

The Intelligent Defense Platform integrates with Vigil, creating a powerful synergy. The proprietary LogLM provides the best-in-class, high-fidelity signal—the “what.” The open-source Vigil provides a trusted, customizable, and community-vetted framework for taking action—the “how.” This dual approach directly addresses the market's need for both cutting-edge performance and operational transparency. It allows organizations to harness the power of a sophisticated foundation model without ceding complete control to a vendor’s closed ecosystem, building a foundation of trust that is critical for automating high-stakes security decisions.

The New Frontline: From the Cloud to the Edge

Industry analysts are sounding the alarm. Gartner lists AI security platforms as a top trend for 2026, while Forrester predicts that the rise of agentic AI—autonomous systems that can take action on their own—will lead to major public breaches this year. The threat is no longer confined to the data center; it’s everywhere.

DeepTempo's strategy reflects this reality, offering deployment options that span cloud, hybrid, and on-premises environments. Critically, it also provides “distilled” versions of its LogLM that can run on small systems at the edge. This extends state-of-the-art behavioral detection to critical infrastructure and even mobile “fly-away kits,” environments where traditional, heavyweight security tools are impractical.

Ultimately, the launch of platforms like this one underscores a profound transformation in cybersecurity. The fight is moving faster than human operators can manage, and the nature of the threat has become more intelligent and abstract. Defending the modern enterprise is no longer about building higher walls, but about cultivating a deeper, more intuitive understanding of the environment within those walls. Success in this new AI arms race will depend on an organization's ability to adopt and operationalize this new form of machine-speed intelligence.
