Last 24 hours · Jul 07, 2026 00:09 – Jul 08, 2026 00:09 UTC
Demonstration Mode (synthetic data)
Generated: 2026-07-08 00:09:10 UTC
OCCAM Detection Overview
OCCAM has two stages. The classifier scores each 15-minute asset window into one of 13 ATT&CK tactics (Benign + 12 attack stages). The predictor runs a Hidden Markov Model over the resulting token sequence, predicts Benign by default, and treats prediction failure as the pre-intrusion signal.
Avg Surprisal (bits)
1.42
Max Surprisal (bits)
8.73
Predictor Status
Self-commissioning state machine: Accumulating → Activating → Active. The predictor self-deactivates to Degraded if its confirmation rate drops below threshold.
| Status |
Windows |
Confirmation Rate |
Avg Surprisal |
| Predicting |
4,287 |
0.847 |
1.42 |
| Accumulating |
534 |
0.000 |
0.89 |
Viterbi symbolsB BenignR ReconnaissanceS StagingL Lateral MovementC CollectionE ExfiltrationI Impact
Pre-Intrusion Alerts
High-surprisal observations in progressive attack sequences. Each row is an assessed-probable intrusion in progress — acted on before the attacker achieves objective.
−
Pre-Intrusion Alerts
8 rows
Viterbi State Paths
The most-likely hidden-state paths decoded from observed token sequences. This is the explainable-AI output that satisfies DoD XAI requirements — every prediction can be traced back to the specific ATT&CK tactic progression that drove it.
| Decoded Path |
Occurrences |
Avg Surprisal |
Elevated |
| B→R→S→L→C→E |
12 |
6.84 |
8 |
| B→R→S→L |
8 |
5.92 |
5 |
| B→S→C→E |
6 |
6.21 |
4 |
| B→S→L |
4 |
4.87 |
2 |
| B→R→S→I |
3 |
5.12 |
2 |
| B→R→I |
2 |
4.42 |
2 |
Detection Timeline
Detections by ATT&CK Tactic
| Tactic |
Detections |
Avg Surprisal |
Avg Anomaly Score |
Elevated |
| Benign |
3,284 |
0.38 |
0.02 |
0 |
| Reconnaissance |
487 |
2.84 |
0.31 |
3 |
| LateralMovement |
312 |
3.17 |
0.42 |
5 |
| CommandAndControl |
198 |
4.92 |
0.67 |
8 |
| DataExfiltration |
147 |
5.31 |
0.71 |
4 |
| PrivilegeEscalation |
89 |
3.84 |
0.48 |
2 |
| Persistence |
67 |
4.12 |
0.53 |
1 |
| InitialAccess |
42 |
5.87 |
0.78 |
0 |
| Collection |
38 |
3.41 |
0.39 |
0 |
| Impact |
157 |
2.18 |
0.22 |
0 |
Dispositions Breakdown
Each token observation is classified into one of four dispositions based on the surprisal score and the surrounding sequence context.
| Disposition |
Count |
% |
| suppress |
3,947 |
81.9 |
| investigate |
412 |
8.5 |
| present |
284 |
5.9 |
| downgrade_infrastructure_change |
155 |
3.2 |
| elevate_to_preintrusion |
23 |
0.5 |
Detections by Segment
| Segment |
Detections |
Assets |
Elevated |
| corporate |
2,847 |
512 |
8 |
| datacenter |
1,284 |
187 |
11 |
| dmz |
421 |
34 |
3 |
| iot |
189 |
78 |
1 |
| guest |
80 |
36 |
0 |
Most Anomalous Assets
−
Most Anomalous Assets
8 rows
False Positive Suppression
Recurring patterns the predictor has classified as legitimate. If a suppressed pattern deviates from expected resolution, it escalates to a high-priority alert.
| Tactic |
Disposition |
Count |
Avg Surprisal |
First Seen |
Last Seen |
| Benign |
suppress |
3,142 |
0.31 |
2026-07-07T01:09:10 |
2026-07-08T00:09:10 |
| Impact |
suppress |
312 |
1.84 |
2026-07-07T02:09:10 |
2026-07-07T23:09:10 |
| Reconnaissance |
suppress |
287 |
1.92 |
2026-07-07T04:09:10 |
2026-07-08T00:09:10 |
| Collection |
suppress |
124 |
2.14 |
2026-07-07T06:09:10 |
2026-07-07T22:09:10 |
| LateralMovement |
suppress |
82 |
2.47 |
2026-07-07T08:09:10 |
2026-07-07T23:09:10 |