Introducing Todyl's Detection & Analysis Engine

In our last post, we laid out why traditional detection is losing ground to modern attacks. Identity and endpoint-based attacks are growing faster and smarter, leveraging AI to rapidly evade detection by traditional MDR solutions. At the same time, analysts are overwhelmed by noise, causing critical low-level threat signals to be missed or ignored.

This post is about how Todyl addresses those challenges directly through our new Detection & Analysis Engine.

What the Detection & Analysis Engine is

Todyl's Detection & Analysis Engine is a multi-tier, AI-powered threat detection and investigation system that automatically surfaces, enriches, classifies, triages, and escalates advanced attacks like BECs, SSL-VPN compromises, and ransomware that evade traditional detection. It is designed to increase investigation accuracy and accelerate analyst response times.

The engine addresses two core challenges:

  • Identity and endpoint-based attacks leveraging automation, MSP tooling, and AI to evade detection by traditional MDR solutions.
  • Alert fatigue causing analysts to miss or ignore critical low-level threat signals.

How the engine works

The Detection & Analysis Engine is built around six coordinated capabilities.

AI-Powered, Multi-Tier Detection

Automatically surfaces, enriches, classifies, and triages advanced identity and endpoint attacks, including BECs, SSL-VPN compromises, ransomware staging, and fileless malware on hosts that slip past traditional tools.

Continuous Signal Detection

Identifies low-level indicators that a typical SOC would overlook, performing rapid threat hunts before damage is done.

Pivot-Driven Investigation

Treats every alert as the anchor for a full threat hunt that follows the chain across user, host, and cloud. This surfaces novel TTPs and related compromises even when no single rule covers each step.

Full Context Aggregation

Pulls relevant event data across the entire IT environment (identity, endpoint, network, and more) for a complete threat picture.

24x7 MXDR Escalation

Immediately routes confirmed threats to Todyl's expert security analyst team for rapid response and containment.

Noise Reduction

Establishes intelligent "normal activity" baselines per user and host, including email activity, file access, Microsoft Teams actions, typical process execution, and admin tooling. The engine then hunts low-fidelity alerts (such as impossible travel) against those baselines to cut false positives and focus only on real threats.
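As an added illustration of hunting a low-fidelity signal against a per-user baseline (example code written for this post, not Todyl's engine), the Python below evaluates an impossible-travel signal and downgrades it when the new location is already normal for that user. The speed threshold, the 50 km baseline radius, and the sample sign-ins are assumptions.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds for this example (not the engine's): a sign-in pair faster
# than commercial air travel is "impossible travel"; a location within 50 km of
# one the user has signed in from before counts as part of their baseline.
MAX_PLAUSIBLE_KMH = 900.0
BASELINE_RADIUS_KM = 50.0

Login = namedtuple("Login", "user ts lat lon")  # one successful sign-in event

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def in_baseline(baseline, user, lat, lon):
    """True if the location is near one the user has previously signed in from."""
    return any(haversine_km(lat, lon, b_lat, b_lon) <= BASELINE_RADIUS_KM
               for b_lat, b_lon in baseline.get(user, []))

def triage(prev, cur, baseline):
    """'normal': plausible travel; 'baseline_match': impossible travel, but to a
    location already normal for this user (e.g. a VPN egress), so low priority;
    'escalate': impossible travel to a location never seen for this user."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
    if speed <= MAX_PLAUSIBLE_KMH:
        return "normal"
    return "baseline_match" if in_baseline(baseline, cur.user, cur.lat, cur.lon) else "escalate"

def run_demo():
    """Constructed sample: alice's baseline is Denver plus a New York VPN egress."""
    baseline = {"alice": [(39.7392, -104.9903), (40.7128, -74.0060)],
                "bob": [(39.7392, -104.9903)]}
    t = lambda hh, mm: datetime(2024, 5, 1, hh, mm)
    events = [Login("alice", t(9, 0), 39.7392, -104.9903),   # Denver
              Login("alice", t(9, 30), 40.7128, -74.0060),   # New York, known egress
              Login("alice", t(10, 0), 55.7558, 37.6173),    # Moscow, never seen
              Login("bob", t(9, 0), 39.7392, -104.9903),     # Denver
              Login("bob", t(9, 20), 40.0150, -105.2705)]    # Boulder, ~40 km away
    last, verdicts = {}, []
    for ev in events:  # compare each sign-in with the user's previous one
        if ev.user in last:
            verdicts.append((ev.user, triage(last[ev.user], ev, baseline)))
        last[ev.user] = ev
    return verdicts
```

Only the Moscow sign-in escalates; the New York hop would fire a raw impossible-travel rule but is downgraded because that egress is part of alice's baseline.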

What this means for partners

The Detection & Analysis Engine is designed to deliver three outcomes for partners and their clients:

  • Fewer missed threats with higher detection accuracy and false positive reduction
  • Faster response and containment when it matters most
  • Operational transparency, giving partners the insights and reporting needed to demonstrate clear value to end clients

What's next

In the next post in this series, we will move from architecture to application, walking through the specific attack types the engine is built to catch, including BECs, SSL-VPN compromises, and ransomware.

Up next in the series: How Todyl's Detection & Analysis Engine catches what traditional detection misses.
