Every signature-based security tool — IDS, AV, WAF — operates on the same assumption: we know what attacks look like, so we can recognise them when they happen. The problem is that attackers know this too.
Zero-day exploits and novel malware variants are, by definition, absent from every signature database: nobody can write a signature for something they have not yet seen. Living-off-the-land techniques go a step further by abusing tools that are already installed and trusted (shells, scripting engines, administrative utilities), so there is no malicious binary or payload for a scanner to match in the first place.
IntelliSense takes a completely different approach: instead of learning what attacks look like, it learns what your environment looks like when it's healthy — and flags deviations from that baseline.
For each service entity in your environment, IntelliSense builds behavioural models across security-relevant dimensions:
In Q4 2024, a customer's auth-service began making outbound connections to an IP range it had never contacted before. The connections were low-volume (designed to evade threshold-based detection) and occurred during business hours (designed to blend with normal traffic).
IntelliSense flagged the anomaly within 4 minutes of the first connection — not because it recognised the attacker's IP address (it didn't), but because the outbound connection pattern deviated from the service's established baseline.
The CVE behind this incident wasn't published until 3 weeks after IntelliSense detected the anomaly, so no signature for it could have existed at the time; every signature-based tool in the customer's environment missed it. IntelliSense caught it because it was looking at behaviour, not signatures.
One of the most powerful applications of behavioural baselines is lateral movement detection. Attackers who have compromised one service will attempt to pivot to adjacent services — and this pivoting creates connection patterns that deviate from established baselines.
IntelliSense maps normal service-to-service communication patterns and flags when a service begins initiating connections to services it doesn't normally talk to. Because the signal is the connection itself rather than its payload, this catches lateral movement at the network layer regardless of the exploitation technique, with one important limit: the pivot has to create an edge the service has never used before. An attacker who reuses a path that already exists in the baseline (for example, a compromised service reaching a database it legitimately talks to every day) produces no new edge, and needs to be caught by other dimensions of the baseline, such as volume, timing, or the identity used.
Behavioural anomaly detection has historically suffered from high false positive rates — any new service deployment, infrastructure change, or traffic pattern change looks like an anomaly. IntelliSense addresses this by correlating security anomalies with the change management context from the entity graph.
A new outbound connection initiated within 10 minutes of a deploy is treated differently than the same connection appearing with no associated change event. The distinction should lower the priority of a change-correlated anomaly, not discard it: an attacker who times a pivot to coincide with a deploy window would otherwise inherit the deploy's cover. Used that way, the entity graph context dramatically reduces false positives without reducing detection sensitivity.
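To make the mechanism described in the preceding sections concrete, the following is an added illustration written for this page, not IntelliSense code (the page shows none). It implements the three behaviours in plain Python: a per-service baseline of destinations learned from a clean training window, first-seen-edge alerting that fires on the very first connection so a low-and-slow pattern cannot hide below a volume threshold, and a deploy window that lowers an alert's severity rather than suppressing it. The service names, flows, deploy timestamps, the 10-minute window, and the choice to group IP destinations by /24 are all constructed assumptions; new edges are deliberately never auto-learned, so an attacker's first connections cannot train the model to accept the rest.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

DEPLOY_WINDOW = timedelta(minutes=10)  # assumption: the page's "within 10 minutes of a deploy"


@dataclass
class Alert:
    ts: datetime
    src: str
    dest_key: str                 # normalised destination (service name or /24 network)
    first_dest: str               # the raw destination that opened the alert
    severity: str                 # "high" = no explaining change; "low" = change-correlated
    change_context: Optional[str] # e.g. "deploy of billing-service at 2024-11-12T11:00:00"
    count: int = 1                # connections seen on this new edge so far


class BaselineDetector:
    def __init__(self, deploy_window: timedelta = DEPLOY_WINDOW):
        self.baseline = defaultdict(set)   # src service -> accepted destination keys
        self.deploys = defaultdict(list)   # service -> deploy timestamps (change-management context)
        self.open_alerts = {}              # (src, dest_key) -> Alert
        self.deploy_window = deploy_window

    @staticmethod
    def dest_key(dest: str) -> str:
        """Service names are used as-is; raw IPs collapse to /24 (IPv6: /64) so a
        never-before-contacted range is a single edge. Granularity is an assumption."""
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            return dest
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def learn(self, flows):
        """Build the baseline from (ts, src, dest) flows of a window assumed to be clean."""
        for _ts, src, dest in flows:
            self.baseline[src].add(self.dest_key(dest))

    def record_deploy(self, service: str, ts: datetime) -> None:
        self.deploys[service].append(ts)

    def recent_deploy(self, service: str, ts: datetime) -> Optional[datetime]:
        """Most recent deploy of `service` that precedes `ts` by at most the window."""
        candidates = [d for d in self.deploys.get(service, []) if timedelta(0) <= ts - d <= self.deploy_window]
        return max(candidates) if candidates else None

    def evaluate(self, ts: datetime, src: str, dest: str) -> Optional[Alert]:
        """Alert on a first-seen edge; None for a baseline edge. A repeat connection on an
        already-open anomaly increments its count instead of re-alerting."""
        key = self.dest_key(dest)
        if key in self.baseline[src]:
            return None
        if (src, key) in self.open_alerts:
            self.open_alerts[(src, key)].count += 1
            return None
        deploy_ts = self.recent_deploy(src, ts)
        alert = Alert(
            ts=ts, src=src, dest_key=key, first_dest=dest,
            severity="low" if deploy_ts else "high",
            change_context=f"deploy of {src} at {deploy_ts.isoformat()}" if deploy_ts else None,
        )
        self.open_alerts[(src, key)] = alert
        return alert

    def accept(self, src: str, dest_key: str) -> None:
        """Promote a human-reviewed edge into the baseline and close its alert."""
        self.baseline[src].add(dest_key)
        self.open_alerts.pop((src, dest_key), None)


def run_demo():
    """Constructed scenario: a quiet known range, a never-seen range contacted twice at low
    volume, a new edge right after a deploy, and a service-to-service pivot with no change."""
    T = datetime.fromisoformat
    det = BaselineDetector()
    det.learn([  # constructed clean training window
        (T("2024-11-11T09:00:00"), "api-gateway", "auth-service"),
        (T("2024-11-11T09:00:00"), "api-gateway", "billing-service"),
        (T("2024-11-11T09:01:00"), "auth-service", "user-db"),
        (T("2024-11-11T09:01:00"), "auth-service", "token-cache"),
        (T("2024-11-11T09:02:00"), "auth-service", "10.0.5.10"),
        (T("2024-11-11T09:03:00"), "billing-service", "payments-db"),
    ])
    det.record_deploy("billing-service", T("2024-11-12T11:00:00"))
    live = [  # constructed live flows
        (T("2024-11-12T10:03:00"), "auth-service", "10.0.5.11"),       # known /24: no alert
        (T("2024-11-12T10:03:00"), "auth-service", "203.0.113.45"),    # never-seen range: high
        (T("2024-11-12T10:41:00"), "auth-service", "203.0.113.46"),    # same range: counted, not re-alerted
        (T("2024-11-12T11:06:00"), "billing-service", "user-db"),      # new edge 6 min after deploy: low
        (T("2024-11-12T12:00:00"), "auth-service", "billing-service"), # pivot, no change event: high
    ]
    alerts = [a for a in (det.evaluate(*f) for f in live) if a]
    return alerts, det


if __name__ == "__main__":
    for a in run_demo()[0]:
        print(a.ts.isoformat(), a.severity, a.src, "->", a.dest_key, f"x{a.count}", a.change_context or "")
```

The alerts from the constructed run are, in order: `auth-service -> 203.0.113.0/24` at high severity with a count of 2 after the second connection, `billing-service -> user-db` at low severity carrying the deploy as change context, and `auth-service -> billing-service` at high severity. Calling `accept()` on the reviewed `billing-service -> user-db` edge is the only way it enters the baseline; the detector never learns from live traffic on its own.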