
Cyber! Take your dadgum Medicine!

Learn the Bitter Lesson

The Bitter Lesson, an essay by Richard Sutton, one of the creators of reinforcement learning, was first published in 2019 and recently made the rounds again after Sutton was named a winner of this year's ACM Turing Award. In it, he points out that general methods that scale with computation have won, again and again, beating out domain-specific human expertise.

As he points out in the essay (available on his blog at http://www.incompleteideas.net/IncIdeas/BitterLesson.html), experts with deep domain understanding have had to learn that their expertise, once built into a system, can become an impediment to progress.

This is a bitter lesson indeed.

He walks through well-known examples. In chess, Go, speech recognition, and computer vision, raw compute plus a general search or learning method has far surpassed hand-crafted heuristics and feature engineering.

I highly recommend the original essay. It had a similar impact on me as when I read Kuhn's The Structure of Scientific Revolutions, a book whose perspective was applied and popularized by Christensen's The Innovator's Dilemma years later. And Kuhn's work, of course, was itself a popularization of Hegel, who spawned a number of other impactful thinkers, but I definitely digress.

In this short post I consider why cybersecurity has been slow to learn the bitter lesson. I am fairly well placed to answer, as a founder of one of the few cybersecurity companies building and applying deep learning foundation models.

Here are a few theories:

1. The Human Log Readers that Founded Cyber

Cybersecurity’s founders have spent decades learning every nuance of protocol quirks and attacker TTPs (tactics, techniques, and procedures). Their understanding of indicators and signature patterns is unmatched and has delivered enormous ROI. Asking them to take a back seat to deep learning models is understandably asking a lot.

2. ML in Security earned a Bad Rap

Early machine learning detectors performed spectacularly in the lab, only to crumble over time as the environments they were trained on drifted. Maintenance overheads ballooned, and false positives flooded SOC teams. As a result, many organizations concluded that "ML" was too brittle for their ever-changing environments.

3. Exponentials are Unnatural

Humans don’t internalize exponentials well.

And today we face at least four simultaneous exponentials that have rapidly changed what is possible. It is extremely probable, and completely understandable, that long-time builders in cybersecurity are behind in their understanding of what is now possible.

  • Compute: GPU performance is improving exponentially, and faster than Moore's Law: doubling every several months rather than every 18–24 months.
  • CVEs and attack surface: both CVE counts and other measures of attack surface appear to be growing exponentially, and for CVEs the growth rate itself is rising:
      • from 2017: 15% CAGR
      • from 2019: 18.2% CAGR
      • from 2021: 22.6% CAGR
  • Data: as attack surfaces explode, so does the volume of logs; the number of systems, and hence of potential log sources, is growing exponentially.
  • Attack diversity: adversaries are multiplying at an exponential rate and increasing the sophistication of their attacks; they can spawn novel, polymorphic payloads by the hour. This is playing out in front of us as well.

Other arguments for why the bitter lesson has not been learned in cybersecurity include:

  • Human on the other side: cybersecurity is different from most domains because humans are attacking human-operated systems; we are not predicting hours between failures of jet engines. That is true, but chess and Go also have a human on the other side, albeit in much more bounded domains. The brute-force search that Sutton describes as the route to success in chess seems unlikely to succeed, at least in the near term, in defensive cybersecurity.
  • Industry structure: Hegel, Kuhn, and Christensen would probably look at the incentives of the leading cybersecurity providers, who have built enormous franchises based partly on their expertise and on rules that translate that expertise directly into human-readable heuristics. This is related to the first point, that cybersecurity's founding stories rightly lionize security expertise; the innovator's dilemma, public-market pressures, and lock-in business models are definitely hampering innovation in cybersecurity. That said, this post is more about why thinking in cyber has not embraced the Bitter Lesson than about why particular companies are unable or unwilling to innovate.

Learning the Bitter Lesson with a “LogLM”

Does learning the Bitter Lesson mean tossing everything into a black-box LLM? No, or at least not yet. LLMs remain poor at dealing with streams of logs. They show promise in reading samples of logs and authoring explanations once an incident has been identified, but finding that incident in enormous streams of telemetry is well beyond their capabilities today.

But purpose-built vertical foundation models are working across many domains; Netflix has published on its use of them, as has Stripe, for example.

At DeepTempo, we have built an extremely accurate and adaptable LogLM, a foundation model pre-trained on massive volumes of logs. It does not rely on handcrafted rules; instead it learns normal behavior as a high-dimensional manifold and detects deviations from it that no human could have foreseen. When an attacker spins up a stealthy living-off-the-land C2 channel or deploys polymorphic malware, the LogLM flags subtle shifts in patterns long before a signature arrives, if one could be written at all. The model and our software then add quite a bit of context to that detection. Working from the ground truth of flow logs, which are much harder to evade than EDR, our LogLM adapts to new domains in minutes and is showing false positive rates of 1% or lower. It powers our Tempo incident identification, available today for free to trial users on Snowflake as a Native App.
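To make the rules-versus-learned-baseline distinction concrete, here is an added example that is not DeepTempo's LogLM or any of its code: a deliberately simple detector that learns per-host "normal" from an hour of constructed flow records, then scores a new window against that baseline, beside a signature check against an indicator list. The record shape (timestamp, source, destination, port, bytes), the documentation-range IPs, the traffic generators and the thresholds are all assumptions made for the illustration. The anomaly signal it uses is the one a beacon gives away in flow data: clockwork inter-arrival times to a peer the host has never talked to.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev

# Flow record shape assumed for this example: (t_seconds, src_ip, dst_ip, dst_port, bytes).
# All traffic below is constructed; the addresses are documentation ranges, not real hosts.

def synth_user_traffic(seed, duration=3600):
    """Constructed 'normal' browsing-like flows: irregular timing, variable sizes."""
    rnd = random.Random(seed)
    flows = []
    for t in range(0, duration, 5):
        src = f"10.0.0.{rnd.randint(10, 14)}"
        dst = rnd.choice(["198.51.100.10", "198.51.100.20", "203.0.113.5"])
        flows.append((t + rnd.randint(0, 4), src, dst, 443, rnd.randint(2_000, 60_000)))
    return flows

def synth_beacon(src="10.0.0.12", dst="203.0.113.77", period=60, duration=3600, seed=3):
    """Constructed HTTPS C2 beacon: tiny, clockwork flows from one host to a new peer."""
    rnd = random.Random(seed)
    return [(t + rnd.randint(-2, 2), src, dst, 443, 512 + rnd.randint(-50, 50))
            for t in range(period, duration, period)]

def signature_check(flows, blocklist):
    """What a rule-based detector does: exact match against known-bad indicators."""
    return [f for f in flows if f[2] in blocklist]

def learn_baseline(flows):
    """Learn 'normal' per source host: byte-size distribution and peers seen."""
    sizes, peers = defaultdict(list), defaultdict(set)
    for _, src, dst, dport, nbytes in flows:
        sizes[src].append(nbytes)
        peers[src].add((dst, dport))
    stats = {src: (mean(v), pstdev(v) or 1.0) for src, v in sizes.items()}
    return {"bytes": stats, "peers": peers}

def score_window(baseline, flows, min_flows=5, max_jitter=0.15, z_limit=3.0):
    """Score each (src, dst, port) conversation against the learned baseline.
    Returns {conversation: [reasons]} for conversations that deviate from it."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3])].append(f)
    alerts = {}
    for (src, dst, dport), fl in groups.items():
        reasons = []
        ts = sorted(f[0] for f in fl)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(fl) >= min_flows and mean(gaps) > 0:
            # Coefficient of variation of inter-arrival times: humans jitter, beacons do not.
            jitter = pstdev(gaps) / mean(gaps)
            new_peer = (dst, dport) not in baseline["peers"].get(src, set())
            if jitter < max_jitter and new_peer:
                reasons.append(f"clockwork interval ~{mean(gaps):.0f}s to never-seen peer")
        mu, sigma = baseline["bytes"].get(src, (None, None))
        if mu is not None:
            z = (mean(f[4] for f in fl) - mu) / sigma  # volume shift vs this host's history
            if abs(z) > z_limit:
                reasons.append(f"byte volume z={z:.1f}")
        if reasons:
            alerts[(src, dst, dport)] = reasons
    return alerts

def demo():
    """Train on one constructed hour, then score a second hour that hides a beacon."""
    baseline = learn_baseline(synth_user_traffic(seed=1))
    window = synth_user_traffic(seed=2) + synth_beacon()
    missed = signature_check(window, blocklist={"203.0.113.200"})  # stale IOC list: no hit
    return missed, score_window(baseline, window)

if __name__ == "__main__":
    missed, alerts = demo()
    print("signature hits:", len(missed))
    for conv, why in alerts.items():
        print("anomaly", conv, "->", "; ".join(why))
```

The signature path only fires once someone has already written the indicator; the baseline path fires on the shape of the traffic, which is why flow logs are hard for an attacker to stay out of. A real foundation model learns far richer structure than two statistics per host, but the failure mode it closes is the same one shown here.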


Conclusion

Resistance is futile. The Bitter Lesson will eventually be learned and will shore up the failing foundation of cybersecurity. I believe that time is now, and our results with some of the largest cybersecurity users bear that out, while also keeping us humble and hungry. The adversary is innovating, and we must all up our game to catch up.

I would appreciate any conversation around the topic of why and when the bitter lesson will be learned in cybersecurity.

Cyber! Take your dadgum Medicine! was originally published in DeepTempo on Medium.

*** This is a Security Bloggers Network syndicated blog from Stories by Evan Powell on Medium authored by Evan Powell. Read the original post at: https://medium.com/deeptempo/cyber-take-your-dadgum-medicine-c55f5c3856c1?source=rss-36584a5b84a------2