Frequently Asked Questions

What is MixMode? 

MixMode is a self-learning Cybersecurity platform, protecting large entities with big data environments from known and novel attacks designed to bypass legacy rules-based defenses. Industry cyber leaders at global entities in banking, public utilities and government sectors rely on MixMode’s Third Wave AI to close gaps in visibility and detection across any data stream.

What makes MixMode different? 

MixMode is the only cybersecurity platform built on a patented and proprietary self-learning AI system born out of dynamical systems. With no rules or training data required, MixMode creates an ever-evolving forecast of what’s expected, in order to detect the unexpected in the form of known and novel attacks. MixMode is the Cybersecurity Intelligence Layer℠ that cements your defenses by detecting novel attacks designed to bypass legacy cybersecurity solutions, as well as efficiently detecting known attacks. 

What are the top 3 business impacts clients have experienced as a result of implementing MixMode? 

  1. Effectively detecting novel attacks missed by other cybersecurity software. (Ponemon research tells us that 80% of successful attacks are novel and cannot be caught by rules.) 
  2. Opportunities to streamline your program, for example: tool consolidation, decrease in false positives, lower storage costs, no rules, less reliance on human operators. 
  3. Comprehensive visibility of anomalous behavior across any data stream to detect both known and novel attacks in real-time. 

What makes mixmode’s system predictive? 

MixMode’s predictive capabilities are born out of the dynamical systems branch of applied mathematics. MixMode’s platform is a self-learning system that builds an understanding of complex environments to create an evolving forecast of what’s expected in a given context like time of day, day of week and how entities and users communicate. As a result, we can detect deviations from expected behaviors that are breadcrumbs, or precursors to a breach in real-time. For example, MixMode is able to detect beaconing intrusions that indicate an impending breach. This evolving forecast of what’s expected and real-time identification of deviations is essential to detecting and combating novel attacks.

How does mixmode Detect zero-day attacks? 

Rules-based detection systems, by their very nature, are not equipped to detect never-before-seen attacks. With no reliance on rules, MixMode’s platform identifies high risk anomalous behavior, allowing you to quickly detect and respond to Zero-Day attacks. The platform identifies anomalous ‘pre-attack’ or ‘pre-game’ behavior and alerts your SOC before an attack even gets underway. This ‘negative time to detection’ allows you to stay ahead of the adversary and mitigate business disruption. MixMode’s platform is purpose-built to generate predictive models of complex systems - allowing MixMode’s self-learning system to quickly detect low and slow, and adversarial AI attacks. 

You say you can address alert volumes. What about false negatives? 

MixMode was built to analyze the “health” of the network without rules or human intervention, and independent of any intel or notice feed. MixMode takes a unique approach in that we see both efficiency and effectiveness as two sides of the same problem: If you tackle the inefficiency inherent in handling all the alerts and false positives most security programs generate, you can more effectively zero in on the unknown or novel attacks that are designed to bypass legacy rules-based systems. The MixMode platform addresses both issues using a generative and predictive model to understand what is normal & expected and to elevate what deviates in real-time. Thus, MixMode minimizes BOTH the false positives AND the false negatives, and allows you to detect and prevent novel attacks before the damage is done. 

How does mixmode detect insider threats? 

Insider attacks often slide under the radar of rules-based detection. MixMode’s self-learning system operates independently from rules, and functions by comparing activity to constantly evolving behavioral forecasts, giving you the visibility and confidence you need to protect your business. And with MixMode, your team won’t be forced to constantly tune rule-sets in an attempt to balance surfacing real threats with wading through overwhelming false positive alerts. 

Whatis “negative time to detection”? 

MixMode can identify anomalous staging or ‘pre-attack’ behavior and alert your SOC before an attack even gets underway. This ‘negative time to detection’ allows you to stay ahead of the adversary and mitigate business disruption. Our platform is purpose-built to generate predictive models of complex systems - allowing MixMode to quickly detect low and slow, and adversarial AI attacks. 

Staffing my security team is my biggest challenge, how can mixmode help? 

MixMode is the Cybersecurity Intelligence Layer℠ that unburdens your security team from overwhelming rules-based alerts, instead surfacing only deviations from what is normal and expected, to detect known and novel attacks in real-time. You can quickly augment your overwhelmed SOC team by deploying MixMode alongside your existing security stack, immediately reducing false alert volumes across network, cloud and hybrid environments.

Can mixmode triage cloud security alerts? 

Yes, MixMode enables clear visibility into your cloud environment, including CloudTrail, Flow Logs, and lambda functions, while also dialing down the noise of false positive alerts across all data streams. Teams using MixMode have reduced their false positives by over 96%, allowing them to focus their attention on valid threats. MixMode seamlessly integrates the huge volumes of network, endpoint, and cloud data to detect and identify trigger actions that indicate something is amiss before it amounts to an attack. 

How long does it take to train MixMode? 

Unlike other human-supervised Cybersecurity systems, MixMode’s self-learning platform requires no human training and begins to immediately create the evolving forecast of normal and expected behaviors upon deployment. Anomalous activity is surfaced within hours not months. 

How does mixmode learn? 

MixMode utilizes a generative computational model based in the dynamical systems branch of applied mathematics. The platform constructs an evolving forecast of the environment over time to develop a view of the expected, in order to detect the unexpected. This approach enables MixMode to both flag deviations within existing observed traffic, and surface predictive and pre-attack behaviors on a network. 

How does MixMode define a threat? 

MixMode surfaces threats from analyses it makes about deviations from the normal behavior of a network. The predictive capabilities are born out of the dynamical systems branch of applied mathematics, and are not reliant on rules or intel feeds. MixMode is a self-learning system that builds an understanding of complex environments to create an evolving forecast of what’s expected in a given context like time of day, day of week and how entities and users normally interact. Threats and active attacks may take the form of malware, ransomware, social engineering, man in the middle (MitM) attacks, denial of service (DoS), injection attacks, and others. 

What is the difference between machine learning and self-learning AI? 

The terms Machine Learning (ML) and Artificial intelligence (AI) are used quite liberally in the Cybersecurity industry, and many times interchangeably. In fact, Machine Learning is a subset of the broad arena of Artificial Intelligence, but there are significant differences between ML and self-learning AI, generally considered to be the Third Wave of AI (according to DARPA). 

Machine learning is dependent on data training to make algorithmic predictions. Past events or patterns direct ML’s expectation of the future, and neural networks are often integral to labeling new data based on past events. Large amounts of data are required to be fed through ML systems to allow them to establish patterns and reconcile with human-provided rules to learn and refine their algorithms. Not only do ML systems require significant ramp or learning time, but their data labeling requirements reduce their ability to respond in real-time to new events or patterns, a significant deficiency in the realm of cybersecurity where every second counts when determining an attack is underway.

Whereas truly self-supervised Artificial Intelligence is considered the Third Wave of AI, and requires no training or tuning or labeling or neural networks to make independent decisions that simulate human intelligence, with no human involvement. Third Wave AI, unlike prior waves of AI or ML, is born out of the dynamical systems branch of applied mathematics. These self-learning tools built for complex data environments detect deviations from the norm in real-time that are designed to bypass legacy AI and ML tools. The ever-evolving forecast of what’s expected allows the Third Wave AI platform from MixMode to improve both the efficiency and the effectiveness of the modern SOC team, detecting and preventing known and novel attacks. 

What is “Third-Wave AI” and what doesit mean for cybersecurity? 

“Third Wave AI” is a term coined by DARPA and means artificial intelligence which can learn and adapt on its own over time without the need for human training or tuning. Most ML and AI security tools leverage first or second wave AI technology that uses a combination of rules and thresholds or static “training” data to make decisions about your data. These legacy AI and machine learning technologies can take between 6-24 months of learning to be effective. MixMode is the first Cybersecurity platform to leverage true Third Wave AI in cybersecurity, according to Gartner. This breakthrough approach is essential to detecting novel attacks designed to bypass legacy systems. 

How is mixmode’s third wave AI“Context-Aware”? 

MixMode analyzes all available underlying network data and feeds, taking into account the totality of the events on the network. Unlike second wave AI technology, MixMode does not view events in isolation. MixMode works to constantly analyze the expected traffic of an entire network against the behaviors taking place across that network every minute of every day. MixMode automatically analyzes network behavior against its ever-evolving forecast to identify deviations from the expected, and deviations of note are assigned a risk score reflecting that full context. 

Can mixmode see encrypted traffic? 

MixMode assesses traffic volumes which include encrypted and unencrypted traffic. MixMode does not need to decrypt traffic in order to analyze it. E.g. TLS1.3 

How does the system differentiate between high risk anomalies that get a score of 10 and low risk anomalies thatget a lower risk score? 

MixMode constantly analyzes differentials between the observed behavior over specific time increments vs. the behavior it expects to see. The risk scores are based on the degree of deviation. Risk scores of 10 are indicators of severely abnormal behavior and are real-time notifications of valid threats. Since MixMode is constantly analyzing and correlating real-time network activity with expected behavior, it is able to automatically adjust and categorize normal business spikes (e.g., spike in user volume associated with events like sales or seasonal behavior) as lower risk anomalies.

Why don’t you use clustering technology? 

MixMode does not use clustering technology because networks are dynamic and utilizing clustering (as most vendors who claim to use unsupervised learning do) for detection and classification of anomalies is an inherently flawed approach. Cybersecurity competitors utilizing clustering algorithms are unable to identify previously unknown attack methods or to effectively analyze constantly changing network traffic patterns. These legacy approaches only allow for the discovery of structures within the dataset, while not automatically labeling them. This means an analyst must still manually label those structures in order to ensure they are understood as abnormalities. Our customers tell us that this constant updating, labeling, and tuning of ineffective legacy cybersecurity platforms is one of the biggest problems plaguing SOC teams today. 

Your algorithm is unsupervised, so you’re just doing clustering? 

No. We build a generative model. This model can actually predict what the traffic will be in the next 5 minutes. The MixMode platform is adaptable and self-learning and can react to changing network conditions/topology, whereas clustering techniques are static and can’t adapt to these changes. Additionally, the clustering algorithms such as K-means would still need an analyst to go in and label which clusters represented normal traffic vs. attacks. MixMode unburdens your security team from overwhelming rules-based alerts and labeling, surfacing and scoring real-time deviations from the evolving forecast without human involvement to effectively predict known and novel attacks and to speed detection. 

What support does MixMode provide for backward-looking forensic investigations? 

MixMode's platform provides top of the line forensic investigation capabilities, with full packet capture with file extraction, deep packet inspection, and the ability to query metadata or full packets via the MixMode Network Data Recorder. MixMode’s powerful API gives users the ability to push, pull, and query data from any source like SIEM, Firewall, Endpoint. You can rest assured a forensic copy of all network metadata can be retained for as long as your enterprise needs to support root cause analysis. 

What if my environment is already compromised when mixmode is deployed? 

Exploits are rarely static, and since MixMode’s evolving forecast is constantly changing in response to current activity, MixMode has the ability to detect unexpected behaviors that are incoherent with the rest of the network where other systems cannot. 


More questions? Contact us 

Email or Call (858) 225-2352. 

You can also send us a message at

Ready to join the next wave of Cybersecurity?

Stop wasting time and money with outdated threat detection solutions, get a demo of MixMode today and learn how you can improve your security capabilities.