Mayank Kumar, Founding AI Engineer at DeepTempo – Interview Series

Mayank Kumar is the Founding AI Engineer at DeepTempo, where he leads the design and development of the company’s foundational Log Language Model (LogLM). With a strong academic and research background in generative and multimodal AI, he brings specialized expertise to building domain-specific models that enhance threat detection and response in cybersecurity environments.

DeepTempo is a cybersecurity company built around LogLM, an AI-native foundation model trained on large-scale security log data. The platform excels at identifying advanced, previously unseen threats while minimizing false positives. Designed for seamless integration into existing security workflows, DeepTempo supports deployments across datalakes, Kubernetes, and Snowflake, enabling faster forensics, reduced data ingestion costs, and scalable, automated defense for modern enterprises.

What led you to co-found DeepTempo, and how did your background in academic research and open-source AI contribute to the company’s direction?

I grew up in a close-knit community where relationships were built face-to-face, not through screens. My father, a teacher, instilled in me the importance of giving back. While we weren’t wealthy in material terms, we were rich in connection and purpose. In that kind of environment, you quickly learn that solving problems isn’t just about individual talent – it’s about collective strength. That mindset stayed with me and ultimately led to my interest in social entrepreneurship while studying engineering at IIT Ropar.

The turning point came when my father’s browser was hit by a ransomware attack. It wasn’t just a technical glitch, it introduced fear, confusion, and vulnerability into our home. That experience opened my eyes to how fragile the digital world is, not just for individuals, but for organizations constantly under threat. Around that time, I met Evan, whose vision for building collective defense at internet scale deeply resonated with me. That shared mission—and my drive to apply technology in service of people—is what drew me to DeepTempo.

At the University of Washington, my research focused on two core areas: multimodal representation learning and data-centric AI. Both proved critical as we built our vertical foundation model, LogLM. Unlike natural language, cybersecurity logs are messy, structured, and fragmented. Our first challenge was to construct a new “language” to interpret this data, enabling LogLM to learn meaningful representations from these sequences. We've also invested heavily in how we evaluate performance because in security, accuracy isn’t optional, and hallucinations aren’t acceptable.

But beyond the technology, our north star has always been collective defense. That’s why open-source collaboration will be essential to making this mission successful at scale.

The concept of “collective defense” is central to DeepTempo. What does that mean in practice, and how is it different from traditional approaches to cybersecurity?

In practice, collective defense means that when one customer’s instance of LogLM identifies a novel attack behavior, say, a staged C2 and exfiltration campaign involving beaconing behavior followed by abnormal outbound data transfer, that insight can be distilled into a generalized behavioral signature and shared across the ecosystem. Crucially, this doesn’t involve sending raw logs or customer data. Instead, we abstract high-confidence behavioral patterns and incorporate them into model weights through federated learning techniques.

This is a stark contrast to legacy systems that rely on either one-size-fits-all rules or static threat intel feeds. Those systems don’t evolve until multiple victims are impacted. With collective defense, the detection system evolves with every high-quality signal, even if the threat is hyper-specific to one environment. This allows us to catch polymorphic threats and LLM-augmented agentic attack flows before they become widespread.

What specific gaps in enterprise security prompted the development of LogLM, and how does it fundamentally differ from older detection systems?

Enterprise security teams face three major problems: high noise-to-signal ratios, brittle detections that don't transfer between environments, and slow adaptation to emerging threats. LogLM was created to address all three.

Most existing systems rely on rule-based or narrow ML approaches that require weeks or months of tuning to understand a new environment. These approaches fail when attackers slightly change tactics, as we’ve seen with groups like Scattered Spider or Volt Typhoon. LogLM is trained on large volumes of security telemetry, treating it as a kind of structured language. That allows it to recognize complex sequences, such as a spike in outbound DNS requests followed by unusual Okta activity, not as isolated anomalies but as part of a threat narrative.

Unlike legacy tools that produce disconnected alerts, LogLM produces interpretable, tactic-level detections. And because it's built entirely from scratch, instead of repurposed or adapted, it's designed for security from the ground up, enabling fast adaptation with just a few days of unlabeled logs. That makes onboarding fast and detection far more resilient.

What are shadow agents, and how do they pose a risk to organizations operating without centralized oversight?

Shadow agents are autonomous AI tools, often built on top of LLMs, that operate within an enterprise without explicit authorization or visibility from the security team. A recent example is MITRE’s CVE‑2025‑32711 (“EchoLeak”), a zero-click vulnerability in Microsoft 365 Copilot triggered by simply asking it to summarize emails. The flaw allows attackers to exfiltrate internal data via the agent’s RAG context, with no user interaction required. While these agents can boost productivity, they often bypass security review and expose sensitive data to uncontrolled inference layers.

We've seen cases where a shadow agent built with a public LLM was exposed to system logs and began leaking stack traces containing hardcoded credentials. These agents typically aren’t instrumented with DLP controls, don’t follow access policies, and aren’t audited. Worse, because they can make decisions, like forwarding output to external systems, they become attack surfaces themselves. In the context of prompt injection or adversarial chaining, a single agent can be coerced into triggering downstream actions with real impact.

Why are prompt injection and model manipulation becoming serious threats, and why don’t most current systems catch them?

Prompt injection is dangerous because it exploits the model’s core functionality: interpreting natural language. Most enterprise systems treat model outputs as trustworthy, but if the model receives hidden instructions, embedded in a user comment, API call, or even a filename, it can be tricked into performing unintended actions. We’ve seen adversaries use this to pull credentials from chat histories, impersonate users, or bypass input validation.

The deeper issue is that LLMs are optimized for coherence, not security. As we explored in our recent response to the Royal Society’s study, models tend to prioritize fluency and generality over caution and precision. Even prompting them to “be more accurate” can backfire, leading to more confident, but still incorrect, responses. And adversarial model manipulation is a long-term concern. Attackers can poison datasets or subtly shape output by repeating structured queries over time, gradually nudging the model into a more permissive behavioral space. Detection here requires full-chain logging, continuous evaluation, and model-layer sandboxing, techniques that most enterprise systems haven’t yet adopted.

How does Tempo use MITRE ATT&CK mappings to provide actionable intelligence rather than just raw alerts?

Tempo maps its detections to ATT&CK tactics and techniques using both supervised classifiers and unsupervised behavior chaining. When the system sees a sequence like suspicious PowerShell execution, registry key modification, and unusual outbound traffic, it doesn’t just alert on each step, it tags the sequence as Execution > Defense Evasion > Exfiltration, matching known ATT&CK IDs.

This allows defenders to immediately understand the adversary's objective and where they are in the kill chain. We also provide enrichment: affected entities, related logs, and confidence scores. This structured approach reduces cognitive load for SOC analysts and accelerates response workflows, teams know what tactic was used, what led to it, and what the next step likely is. That’s a major leap from alert fatigue systems that fire on every anomaly without narrative context.

Why does DeepTempo operate upstream of SIEM (Security Information and Event Management) systems, and how does this positioning enhance threat detection and streamline operations for security teams?

SIEMs tend to normalize and filter logs to reduce ingestion costs. But in doing so, they often lose valuable context, such as precise timestamps, latency spikes, or ephemeral session behaviors. DeepTempo operates upstream, ingesting raw telemetry before this transformation. This allows us to model richer behavioral patterns, like service token reuse with slight timing variations or rare API call sequences that would never make it through SIEM thresholds.

Working upstream also means we can reduce noise before it ever hits the SIEM. Instead of pushing petabytes of  log lines a day, we pass along 50–100 high-context events with full ATT&CK enrichment and model-based scoring. Teams spend less time triaging and more time investigating threats that matter. This also lowers SIEM storage and compute costs, which can be significant in large environments.

What enables Tempo to fine-tune models to new environments so quickly, and how does this compare to traditional machine learning workflows?

Traditional ML systems often require weeks of labeled data and retraining to adapt to a new environment. Tempo takes a fundamentally different approach. Instead of starting from scratch, it leverages a pre-trained model built on large-scale, real-world network telemetry, like NetFlow and VPC flow data. This gives it a strong understanding of how traffic flows and behaviors typically look across diverse environments.

When Tempo is deployed into a new setting, it doesn’t need labeled data or long learning cycles. It uses just a few days of local network activity to establish a baseline and fine-tune itself to detect patterns specific to that environment, such as unusual off-hours access, service-to-service communication anomalies, or unexpected data movement. This happens in hours, not weeks.

Because the process is self-supervised, there’s no need for security teams to manually flag or label events. And to stay current as environments evolve, we’ve built in snapshotting mechanisms that allow the model to “forget” outdated behaviors when infrastructure or policies change. Operating at the network layer allows us to detect threats earlier and more broadly, something that sets Tempo apart from traditional endpoint- or log-centric security tools.

How does DeepTempo maintain high accuracy while also minimizing false positives, especially in dynamic cloud environments?

We combine temporal modelling with context-aware network behavior analysis, built directly on NetFlow and VPC flow logs. Our noble sequence generation approach combined with large-scale pretraining of transformer-based deep learning algorithms, help in understanding how network events unfold over time. We don’t flag a single failed login, but we do flag a failed login followed by a successful login from a new device, lateral movement, and unusual data access. This layered temporal context filters out the noise and highlights real and new threats.

Second, we profile user and service behaviors in context. A Kubernetes node restarting 12 times is normal during updates, but suspicious at 2 am if it's followed by a new container deployment from an unknown registry. Tempo recognizes this because it looks at sequence, timing, and context simultaneously. Also, our active learning pipeline actively monitors and collects info on specific detection styles. If the pipeline detects drift in performance or data, it will utilize the snapshots and feedback from analysts to fine-tune a small number of parameters of the model.

We build our detection on raw, high-fidelity network metadata, combining temporal intelligence with behavioral baselining to deliver high-confidence alerts—even in cloud environments that change in the blink of an eye.

What’s the role of explainability in your system, and how do you ensure that alerts come with usable, interpretable context?

Every detection in Tempo includes a summary, the underlying log evidence, and the inferred tactic (e.g., Credential Access via Brute Force). We also provide a graph of related entities, users, endpoints, cloud resources, so SOC teams can visualize the incident. The goal is to eliminate the “black box” effect that plagues many AI systems.

We borrowed from academic explainability tools like LIME and SHAP in early prototypes, but found they weren’t intuitive for analysts. So instead, we generate a plain-language narrative: what happened, when, why it’s suspicious, and how confident we are. This isn’t just about clarity, it’s about enabling tier-one analysts to act without escalating every alert.

What are the long-term risks of attackers using AI and foundation models themselves, and how does DeepTempo plan to stay ahead?

The threat landscape is entering a phase where attackers can deploy AI agents that self-learn, mutate payloads on the fly, and simulate legitimate user behavior. These agents can run 24/7, probing for weak spots, adapting with each failed attempt. That’s a fundamental shift, it’s no longer about zero-days, but about speed, iteration, and obfuscation.

We’re preparing by investing in adversarial training, upstream detection, and behavioral modeling that doesn’t rely on known indicators. Our goal is to identify the structure of malicious behavior before it escalates. We're also exploring ways to fingerprint AI-generated attacker traffic, just as we once fingerprinted botnets, so defenders can flag activity even when payloads change constantly.

 Thank you for the great interview, readers who wish to learn more should visit DeepTempo.