Project under active development  ·  Preview build v0.9  ·  Public launch Q4 2026
Architecture

Technology behind Ethereon.

An end-to-end inference plane purpose-built for behavioral threat detection at billion-event scale. Stream-first, ensemble ML, federated learning, autonomous response.

Stack Overview

Six layers, one inference plane.

1. Collection Plane

Native collectors for endpoints (eBPF + ETW), network (NetFlow/IPFIX, Zeek), cloud (CloudTrail, Azure Activity, GCP Audit), identity (LDAP, SAML, OIDC), and SIEMs (Splunk HEC, QRadar DSM, Elastic Beats, Sentinel, Wazuh).

2. Stream Normalization

Kafka-backed event bus, schema-registry-driven canonicalization to OCSF, enrichment with threat-intel + asset context. Sub-second p99 latency through this layer.
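What "canonicalization to OCSF plus enrichment" looks like in practice, as an added example that is not Ethereon's own normalizer: two raw collector records (a Windows Security 4624 logon and an AWS CloudTrail ConsoleLogin) are mapped onto a subset of the OCSF Authentication class, checked for the fields the schema registry would require, and enriched from an asset inventory. Field names follow OCSF, but the mapping covers only a subset of the class; the asset inventory, the sample records, and the required-field list are constructed.

```python
"""Canonicalize raw collector output into a simplified OCSF Authentication
record and enrich it with asset context.

Added example, not Ethereon's own normalizer. Field names follow the OCSF
Authentication class (class_uid 3002); the mapping is a subset of the class.
ASSET_CONTEXT and the two raw records are constructed sample data."""
from datetime import datetime

CLASS_AUTHENTICATION = 3002   # OCSF class_uid: Authentication
CATEGORY_IAM = 3              # OCSF category_uid: Identity & Access Management
ACTIVITY_LOGON = 1            # OCSF activity_id: Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
REQUIRED = ("class_uid", "category_uid", "activity_id", "type_uid",
            "time", "severity_id", "metadata")   # assumed registry minimum

# Constructed asset inventory used for enrichment (assumption: keyed by hostname).
ASSET_CONTEXT = {
    "fin-ws-07": {"tier": "standard", "owner": "finance"},
    "dc-01":     {"tier": "crown-jewel", "owner": "it"},
}

def to_epoch_ms(iso_ts):
    """OCSF `time` is epoch milliseconds; accept the trailing-Z form collectors emit."""
    return int(datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp() * 1000)

def base_record(when, status_id, product, vendor):
    return {
        "class_uid": CLASS_AUTHENTICATION,
        "category_uid": CATEGORY_IAM,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "time": to_epoch_ms(when),
        "severity_id": 1,            # Informational; anomaly scoring happens downstream
        "status_id": status_id,
        "metadata": {"version": "1.1.0",
                     "product": {"name": product, "vendor_name": vendor}},
        "enrichments": [],
    }

def from_windows_4624(rec):
    """Windows Security event 4624 (successful logon) as collected via ETW."""
    ev = base_record(rec["TimeCreated"], STATUS_SUCCESS, "Windows Security", "Microsoft")
    ev["user"] = {"name": rec["TargetUserName"], "domain": rec["TargetDomainName"]}
    ev["src_endpoint"] = {"ip": rec["IpAddress"]}
    ev["dst_endpoint"] = {"hostname": rec["Computer"]}
    ev["unmapped"] = {"logon_type": rec["LogonType"]}   # keep what the class has no field for
    return ev

def from_cloudtrail_console_login(rec):
    """AWS CloudTrail ConsoleLogin record; the outcome lives in responseElements."""
    ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
    ev = base_record(rec["eventTime"], STATUS_SUCCESS if ok else STATUS_FAILURE,
                     "CloudTrail", "AWS")
    ev["user"] = {"name": rec["userIdentity"]["userName"]}
    ev["src_endpoint"] = {"ip": rec["sourceIPAddress"]}
    ev["cloud"] = {"provider": "AWS", "region": rec["awsRegion"]}
    return ev

def enrich(ev):
    """Attach asset context for the destination host, if the inventory knows it."""
    host = ev.get("dst_endpoint", {}).get("hostname")
    ctx = ASSET_CONTEXT.get(host)
    if ctx:
        ev["enrichments"].append({"name": "asset", "type": "asset_context",
                                  "value": host, "data": ctx})
    return ev

def validate(ev):
    missing = [k for k in REQUIRED if k not in ev]
    if missing:
        raise ValueError(f"OCSF record missing required fields: {missing}")
    return ev

def normalize(raw):
    """Route a raw collector record to its mapper, then validate and enrich."""
    if raw.get("EventID") == 4624:
        ev = from_windows_4624(raw)
    elif raw.get("eventName") == "ConsoleLogin":
        ev = from_cloudtrail_console_login(raw)
    else:
        raise ValueError("unsupported source record")
    return enrich(validate(ev))

# Constructed sample records.
SAMPLE_4624 = {"EventID": 4624, "TimeCreated": "2026-04-25T11:24:08Z",
               "Computer": "dc-01", "TargetUserName": "k.tanaka",
               "TargetDomainName": "ACME", "IpAddress": "10.20.30.40", "LogonType": 3}
SAMPLE_CLOUDTRAIL = {"eventName": "ConsoleLogin", "eventTime": "2026-04-25T11:25:01Z",
                     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
                     "userIdentity": {"type": "IAMUser", "userName": "k.tanaka"},
                     "responseElements": {"ConsoleLogin": "Failure"}}

if __name__ == "__main__":
    import json
    for raw in (SAMPLE_4624, SAMPLE_CLOUDTRAIL):
        print(json.dumps(normalize(raw), indent=2))
```

The point of the `unmapped` bucket is that canonicalization must not silently drop source fields the target class has no slot for (logon type is exactly what a later lateral-movement rule wants). A record that fails `validate` should be dead-lettered, not dropped, so the gap is visible in the evidence trail.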

3. Inference Plane

Per-entity behavioral baselines + ensemble anomaly detector (Isolation Forest, LSTM, transformer context model). GPU-backed with on-device fallback for air-gapped sites.

4. Decision Plane

Risk-graph correlation across entities, MITRE ATT&CK tactic inference, automated triage, and policy-driven response orchestration with human-in-the-loop overrides.

5. Federated Cloud

Models update across the global Ethereon fleet via differential-privacy gradient sharing. Customer data never leaves the customer's tenant — only model deltas.

6. Evidence Vault

Tamper-evident audit log (Merkle-tree backed) for every detection, decision, and response action. One-click export to ISO/GDPR/HIPAA/SOC 2 audit packs.
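The tamper-evidence property of a Merkle-tree backed log, shown as an added example that is not Ethereon's evidence vault: entries are hashed into leaves, the root commits to every entry, and an inclusion proof lets an auditor check one record against a root without the whole log. The tree shape follows RFC 6962 (no padding leaves, domain-separated leaf and node hashes); the `EvidenceVault` API and the sample records are assumptions.

```python
"""Merkle-tree evidence log with inclusion proofs, RFC 6962 style.

Added example, not Ethereon's evidence vault. Entries are constructed sample
records; the vault API (append/root/proof) is an assumption about how such a
log would be used."""
import hashlib
import json

def _sha256(data):
    return hashlib.sha256(data).digest()

def leaf_hash(entry):
    """Canonical JSON so equal records hash equally; the 0x00 prefix domain-separates
    leaves from interior nodes so a node cannot be passed off as a leaf."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(b"\x00" + canon)

def node_hash(left, right):
    return _sha256(b"\x01" + left + right)

def _split(n):
    """Largest power of two strictly less than n (RFC 6962 tree shape, no padding leaves)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    n = len(leaves)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaves[0]
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root, each tagged with the side it sits on."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]

def verify_inclusion(leaf, proof, root):
    """Recompute the path from leaf to root; any altered record or proof breaks it."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root

class EvidenceVault:
    def __init__(self):
        self.entries = []
        self.leaves = []

    def append(self, entry):
        self.entries.append(entry)
        self.leaves.append(leaf_hash(entry))
        return len(self.entries) - 1

    def root(self):
        return merkle_root(self.leaves)

    def proof(self, index):
        return inclusion_proof(self.leaves, index)

def build_sample_vault():
    """Constructed records of the kind the decision plane would write."""
    v = EvidenceVault()
    for i in range(5):
        v.append({"seq": i, "entity": "user:k.tanaka", "decision": "triage",
                  "action": "isolate_endpoint" if i == 3 else "none"})
    return v

if __name__ == "__main__":
    v = build_sample_vault()
    root = v.root()
    p = v.proof(3)
    print("inclusion ok:", verify_inclusion(leaf_hash(v.entries[3]), p, root))
    altered = dict(v.entries[3], action="none")   # record rewritten after the fact
    print("tampered ok:", verify_inclusion(leaf_hash(altered), p, root))
```

The tree only proves tampering relative to a root the log writer cannot quietly replace: the root has to be signed, or published to the customer, at each export, otherwise an attacker with write access simply rebuilds the tree. The audit pack should therefore carry the root and the proofs, not just the entries.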

Detection Engine

How Ethereon scores anomalies.

An ensemble — not a single model — gives Ethereon both precision (low false-positive rate) and recall (catching novel attacks).

Isolation Forest

Fast, interpretable outlier detection across structured features. Catches lateral-movement, brute-force, and unusual data-volume signals in milliseconds.

LSTM Sequence Model

Recurrent network reads time-ordered events per entity. Picks up multi-step attack chains a flat model would miss — reconnaissance → escalation → exfiltration.

Graph Context Model

A small transformer reads the entity graph (who-talks-to-whom, who-runs-what). Anomalies are scored relative to peers in the same role/department/asset tier.

Pattern Library

Curated, behavior-only patterns for exploit primitives (heap spray, ROP, JIT spray, credential dumping cadence). Updated weekly via federated learning.

Anomaly score JSON

Every event Ethereon flags emits a structured record. SOAR-friendly, MITRE-mapped, and audit-ready by default.

{
  "id": "evt_01HYJ7K2X4...",
  "ts": "2026-04-25T11:24:08.214Z",
  "tenant": "acme-corp",
  "entity": {
    "type": "user",
    "id": "user:k.tanaka",
    "department": "finance",
    "role_baseline_age_days": 142
  },
  "event": "credential_access_unusual_host",
  "anomaly_score": 0.94,
  "confidence": "HIGH",
  "model_contributions": {
    "isolation_forest": 0.81,
    "lstm_sequence":    0.97,
    "graph_context":    0.93
  },
  "mitre_attck": ["T1003.001 - LSASS Memory"],
  "recommended_action": "isolate_endpoint",
  "evidence_uri": "ev://acme-corp/2026/04/25/evt_01HYJ7K2X4...",
  "auto_response_eligible": true
}
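How a per-entity baseline and a peer-group check turn a normalized logon into a record of the shape above, as an added example that is not Ethereon's inference plane. The two numeric signals are deliberately simple stand-ins for the Isolation Forest and graph-context models: host novelty for the entity, and host novelty across the entity's department. The score combination, the confidence bands, the event name `logon_unusual_host`, and the baseline events are all assumptions; the `id` and `evidence_uri` fields are left to the event bus and are omitted.

```python
"""Per-entity behavioral baseline with a peer-group (department) check, emitting an
anomaly record in the shape of the Ethereon JSON above.

Added example, not Ethereon's inference plane. The two signals are simple
stand-ins for the Isolation Forest and graph-context models; the score
combination and confidence bands are assumptions; the events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed, already-normalized logon events: (entity, department, host, time).
BASELINE_EVENTS = [
    ("user:k.tanaka", "finance", "fin-ws-07", "2026-03-02T08:05:00Z"),
    ("user:k.tanaka", "finance", "fin-ws-07", "2026-03-03T08:11:00Z"),
    ("user:k.tanaka", "finance", "fin-fs-01", "2026-03-03T09:40:00Z"),
    ("user:m.okafor", "finance", "fin-ws-02", "2026-03-02T08:30:00Z"),
    ("user:m.okafor", "finance", "fin-fs-01", "2026-03-04T10:02:00Z"),
    ("user:a.lind",   "it",      "dc-01",     "2026-03-02T07:55:00Z"),
    ("user:a.lind",   "it",      "dc-01",     "2026-03-05T07:58:00Z"),
]

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

class Baseline:
    def __init__(self):
        self.user_hosts = defaultdict(set)   # entity -> hosts it has logged on to
        self.dept_users = defaultdict(set)   # department -> entities in it
        self.first_seen = {}                 # entity -> earliest observed event

    def learn(self, user, dept, host, ts):
        self.user_hosts[user].add(host)
        self.dept_users[dept].add(user)
        t = parse_ts(ts)
        self.first_seen[user] = min(self.first_seen.get(user, t), t)

    def entity_novelty(self, user, host):
        """1.0 if this entity has never used the host, else 0.0."""
        return 0.0 if host in self.user_hosts[user] else 1.0

    def peer_novelty(self, user, dept, host):
        """Fraction of department peers (excluding the entity) who do NOT use the host.
        With no peers there is no evidence the host is normal, so treat it as fully novel."""
        peers = self.dept_users[dept] - {user}
        if not peers:
            return 1.0
        using = sum(1 for p in peers if host in self.user_hosts[p])
        return 1.0 - using / len(peers)

    def baseline_age_days(self, user, ts):
        if user not in self.first_seen:
            return 0   # never-seen entity: no baseline yet
        return (parse_ts(ts) - self.first_seen[user]).days

def score(bl, user, dept, host):
    e = bl.entity_novelty(user, host)
    p = bl.peer_novelty(user, dept, host)
    # Assumed combination: a host the entity already uses scores 0 regardless of peers;
    # a new host scores 0.4 when every peer uses it, rising to 1.0 when no peer does.
    return {"entity_baseline": e, "peer_context": p,
            "anomaly_score": round(e * (0.4 + 0.6 * p), 2)}

def confidence(s):
    """Assumed bands, not Ethereon's."""
    return "HIGH" if s >= 0.9 else "MEDIUM" if s >= 0.6 else "LOW"

def build_record(bl, user, dept, host, ts, tenant="acme-corp"):
    s = score(bl, user, dept, host)
    return {
        "ts": ts,
        "tenant": tenant,
        "entity": {"type": "user", "id": user, "department": dept,
                   "role_baseline_age_days": bl.baseline_age_days(user, ts)},
        "event": "logon_unusual_host",      # hypothetical event name
        "anomaly_score": s["anomaly_score"],
        "confidence": confidence(s["anomaly_score"]),
        "model_contributions": {"entity_baseline": s["entity_baseline"],
                                "peer_context": s["peer_context"]},
        "context": {"dst_host": host},
        "auto_response_eligible": s["anomaly_score"] >= 0.9,
    }

def build_baseline(events):
    bl = Baseline()
    for user, dept, host, ts in events:
        bl.learn(user, dept, host, ts)
    return bl

if __name__ == "__main__":
    import json
    bl = build_baseline(BASELINE_EVENTS)
    rec = build_record(bl, "user:k.tanaka", "finance", "dc-01", "2026-04-25T11:24:08Z")
    print(json.dumps(rec, indent=2))
```

The gating matters for the false-positive rate: a finance user's first logon to a file server the rest of finance already uses is new to her but not to her peers, and scores low; the same user's first logon to a domain controller nobody in finance touches is what should cross the auto-response threshold. Watch `role_baseline_age_days` on the way out: a record with a very young baseline is scoring against almost nothing, and a triage policy should weight it accordingly.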
Privacy by Design

Federated learning, not data hoarding.

The Ethereon model gets smarter every day. Your data never leaves your tenant.

Differential Privacy

Gradient updates are clipped and noised before they leave the customer environment. The privacy budget (epsilon, delta) bounds how much any single customer record can influence the shared update, which limits reconstruction and membership-inference attacks against the deltas.
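The mechanism behind the differential-privacy claim above and in the Federated Cloud layer, as an added example that is not Ethereon's federated-learning code: each per-record gradient is clipped to L2 norm C, the clipped gradients are summed, and Gaussian noise with standard deviation z times C is added before the average leaves the tenant (the DP-SGD recipe). The toy gradients, the noise multiplier z, and delta are constructed; the epsilon formula is the standard single-release Gaussian-mechanism bound.

```python
"""Differentially private gradient release in the DP-SGD style: clip each
per-record gradient to L2 norm C, sum, add Gaussian noise with std sigma = z*C.

Added example, not Ethereon's federated-learning code. The gradients below are
constructed toy vectors; the noise multiplier z and delta are assumptions."""
import math
import random

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def clip(grad, clip_norm):
    """Scale grad down so its L2 norm is at most clip_norm (never scale up)."""
    n = l2_norm(grad)
    if n <= clip_norm:
        return list(grad)
    return [x * clip_norm / n for x in grad]

def clipped_sum(per_record_grads, clip_norm):
    """Sum of clipped gradients. Adding or removing any one record moves this by
    at most clip_norm in L2: that is the sensitivity the noise is calibrated to."""
    dim = len(per_record_grads[0])
    total = [0.0] * dim
    for g in per_record_grads:
        for i, x in enumerate(clip(g, clip_norm)):
            total[i] += x
    return total

def private_update(per_record_grads, clip_norm, noise_multiplier, seed=0):
    """The delta that leaves the tenant: noised clipped sum, averaged over the batch.
    The seed is only so the example is reproducible; production uses a CSPRNG."""
    rng = random.Random(seed)
    sigma = noise_multiplier * clip_norm
    total = clipped_sum(per_record_grads, clip_norm)
    n = len(per_record_grads)
    return [(x + rng.gauss(0.0, sigma)) / n for x in total]

def epsilon_single_release(noise_multiplier, delta):
    """(epsilon, delta) for ONE Gaussian-mechanism release with sigma = z * sensitivity
    (Dwork & Roth, Theorem 3.22). The bound only holds when epsilon < 1, so return
    None otherwise. Repeated rounds compose: use an RDP or moments accountant for
    the total budget across training."""
    eps = math.sqrt(2.0 * math.log(1.25 / delta)) / noise_multiplier
    return eps if eps < 1.0 else None

# Constructed per-record gradients; the first is an outlier that clipping tames.
GRADS = [[3.0, 4.0], [0.3, 0.4], [-0.2, 0.1]]

if __name__ == "__main__":
    print("clipped sum:", clipped_sum(GRADS, 1.0))
    print("shared delta:", private_update(GRADS, 1.0, 5.0, seed=7))
    print("epsilon per round:", epsilon_single_release(5.0, 1e-5))
```

Two things a reviewer of such a pipeline checks. First, clipping is what makes the sensitivity finite; noise added to unclipped gradients bounds nothing, because one extreme record can move the sum arbitrarily. Second, the per-round epsilon is not the number that matters: the budget spent over every round the tenant participates in is, and the accountant that tracks it belongs in the audit trail alongside the delta.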

Customer Data Stays Put

Only model deltas — never raw events, never PII — leave your tenant, and every outbound delta is itself recorded in the evidence vault.

Air-Gapped Mode

For government and defense customers, Ethereon runs fully on-prem with offline model deltas via signed bundles.

Deeper Dive

Read the full technical thesis.

Architecture rationale, defensibility, and roadmap — in our investor pitch deck.