Abstract: Computerized methods and systems obtain a plurality of first data sets associated with a plurality of enterprises. Each first data set is associated with a corresponding one of the enterprises and has data indicative of activity performed in association with the corresponding enterprise. The plurality of first data sets is processed using a first LLM to produce, from each first data set, a second data set that provides a summary of a sequence of events that occurred on the enterprise corresponding to the first data set. At least some of the second data sets, which are associated with a proper subset of the enterprises, are processed using a second LLM to identify patterns. For an enterprise not in the proper subset, a current security posture of the enterprise is processed together with the identified patterns to produce a recommended security posture for the enterprise.
Abstract: Computerized methods and systems obtain threat data generated from activity data using unsupervised learning. The activity data is collected from enterprises and describes activities performed on the enterprises. The threat data indicates the likelihood that sequences of activities performed on the enterprises are indicative of malicious intent. A supervised ML model that processes sequential data is trained by providing a training set of sequential data to the supervised ML model. The training set includes at least some of the obtained threat data, and data derived from activity data collected from at least some of the enterprises. The trained supervised ML model receives new data that describes a sequence of activities performed on an enterprise, and processes the received new data to produce a prediction of whether the sequence of activities performed on the enterprise will lead to a malicious action on the enterprise. In some embodiments, multiple supervised ML models are used.
Type: Grant
Filed: May 11, 2023
Date of Patent: November 18, 2025
Assignee: Skyhawk Security
Inventors: Amir Shachar, Chen Burshan, Peled Eldan
Abstract: Computerized methods and systems evaluate threats in a cloud environment having a plurality of assets. For each pair of one or more pairs of the assets, one or more identified paths from a first asset of the pair to a second asset of the pair are obtained. A sequence of assets that includes the first and second assets defines each path of the one or more identified paths. For each path of the one or more identified paths, a likelihood that an attacker that is at the first asset will successfully reach the second asset via the path is determined. In certain embodiments, for each pair of the one or more pairs, a risk score for the pair is determined based on the determined likelihoods for the one or more identified paths. The risk score is indicative of the risk that the attacker will reach the second asset from the first asset.