
ADT Threat Reasoning

Not rules. Not alerts. Reasoning.

PulseADT builds hypothesis chains - structured theories of attacker intent, kill-chain position, and next move - updated in real time as signals arrive. Multiple hypotheses run in parallel. The engine acts on the one that reaches certainty first.

0.6s: Reasoning cycle
4 layers: Signal sources fused
100%: Explainable decisions
PulseADT · Threat Reasoning Engine · Live · REASONING
SIG · Endpoint: Unusual child process: winword.exe → powershell.exe -enc [base64]
SIG · Network: DNS beaconing: 10s interval · subdomain rotation · external C2 pattern
SIG · Identity: Service account lateral auth attempt · never-before-seen target host
ADT · Reasoning: Hypothesis-chain: Cobalt Strike staging → credential harvest (conf. 0.96)
ADT · Reasoning: Alt path: phishing macro delivery (conf. 0.61) · tracking concurrently
ACT · Engine: Primary hypothesis confirmed · blast radius scoped · containment authorised
Reasoning cycle 0.6s · parallel hypotheses · primary confirmed
0.6s: Reasoning cycle. Signal-to-hypothesis update, median
∞: Hypothesis persistence. No detection window - dormant threats stay tracked
100%: Explainable decisions. Full reasoning trace with every action
4 layers: Signal fusion. Endpoint, network, identity, cloud - one context

Parallel Hypothesis Chains

Every attack understood as a hypothesis - not an alert.

When PulseADT sees a suspicious signal, it doesn't fire an alert. It builds a hypothesis: a structured theory of what the attacker is doing, where they are in the kill-chain, and what their likely next move is. Multiple competing hypotheses are pursued in parallel - the engine updates confidence scores in real time as new signals arrive, and acts on the one that reaches threshold first.

Multiple simultaneous hypothesis chains per incident - no single-track alert logic
Confidence scoring updated continuously as new signals are ingested
Competing hypotheses track different attacker intent models in parallel
Hypothesis resolution: the engine converges on the most evidence-supported path
Zero wasted signal - low-confidence paths stay active until definitively dismissed
0.6s: Median reasoning cycle - from new signal to updated hypothesis confidence across all active paths. Continuous, not batch-scheduled.

Cross-Layer Signal Fusion

Endpoint, network, identity, and cloud - one reasoning context.

Most detection tools reason in silos. An EDR sees the endpoint. A SIEM aggregates logs. Neither understands the attacker's full picture. PulseADT's reasoning engine fuses signals from every layer simultaneously - endpoint telemetry, network flows, identity events, and cloud API activity - into a single shared reasoning context per attacker, not per alert.

Unified reasoning context spanning endpoint, network, identity, and cloud layers
Cross-layer signal correlation: one event in context strengthens another hypothesis
Attacker-centric view: all signals attributed to a threat actor, not a device or IP
Dynamic signal weighting: high-fidelity sources contribute more to hypothesis confidence
Telemetry gap detection - flags when a data source goes dark mid-reasoning
4 layers: Simultaneously fused into one reasoning context - endpoint, network, identity, and cloud. No siloed detection logic.

Continuous Threat Reasoning

Reasoning never stops - even when the attacker goes quiet.

Sophisticated attackers deliberately slow down. They insert artificial delays, blend into normal traffic, and wait out detection windows. PulseADT's reasoning engine has no detection window - it maintains open hypothesis chains indefinitely, correlating new signals against historical context days or weeks old. A dormant threat stays tracked.

Persistent hypothesis chains - active until definitively resolved or dismissed
Historical context window: new signals evaluated against weeks of prior telemetry
Dormant threat tracking: quiet attackers remain hypothesised and tracked
Re-activation: a hypothesis boosts in confidence the moment new matching signals arrive
Temporal correlation - slow-burn multi-stage attacks detected across extended timeframes
∞: Hypothesis chains stay active with no expiry - dormant threats remain tracked indefinitely. No detection window, no quiet period exploitable.

Explainable Reasoning Output

Every conclusion shown - not just the verdict.

When PulseADT acts, analysts and auditors can see exactly why. Every containment decision is backed by a structured reasoning trace: the signals observed, the hypothesis that was built, the confidence progression, the competing hypotheses that were dismissed, and the policy check that authorised the action. No black-box verdicts. Full verifiability.

Full reasoning trace: signals → hypothesis → confidence → policy → action
Competing hypothesis log: shows what else was considered and why it was dismissed
Confidence progression timeline - auditable history of why confidence grew
Plain-language summary generated per incident for analyst and board reporting
Cryptographically sealed reasoning records for regulatory evidence packages
100%: Of automated actions accompanied by a full, auditable reasoning trace - no black-box verdicts. Explainable by design.

The difference

Rules tell you what happened. Reasoning tells you why.

Signature-based detection and static correlation rules only trigger when something known happens. PulseADT's reasoning engine understands attacker behaviour - and builds a picture of what is happening before it matches any known pattern.

Rules / ML Alerts | ADT Threat Reasoning
Rule triggers produce an alert - no reasoning about attacker intent | Hypothesis chains reason about intent, kill-chain stage, and next move
Each alert treated independently - no cross-event context | All signals fused into one attacker-centric reasoning context
Detection windows: attackers slow down to evade | Persistent hypothesis chains - dormant threats stay tracked indefinitely
Analyst must manually correlate to understand the full attack | Full reasoning trace delivered with every incident - no manual correlation
Black-box ML verdict: no explanation, no auditability | 100% explainable: signal → hypothesis → confidence → action, every time

Replace alerts with answers.

Deploy PulseADT and replace thousands of disconnected alerts with hypothesis-chain reasoning that tells you exactly what the attacker is doing - and stops them before they finish.