Detection Efficiency Use Case

One attack. Five detection layers. One engine.

Not every threat needs machine learning. Not every pattern needs a rule. The Detection Efficiency Ladder shows how spotr.io applies the right detection technique at the right cost — from simple pattern matching to behavioral learning — all running simultaneously on a single stream.

The Scenario: A credential theft campaign unfolds over 72 hours. An attacker phishes a credential, brute-forces access across services, downloads anomalous volumes of data, moves laterally across the network, disables security controls, and exfiltrates to an external cloud provider.

Rung 1 — Simple Filter Match (cheapest, sub-ms)
The phishing domain hits a known-bad IOC. Pure pattern matching against a static list, no state to keep. Every platform does this; it's table stakes. spotr.io matches it inline as the event streams through, in under a second end to end. Your SIEM catches it on the next scheduled search.

Rung 2 — Aggregation / Threshold (stateful, low cost)
500 failed logins in 10 minutes against the stolen credential. Catching that requires a running count per account in a sliding window, not a batch query an hour later. With a threshold of 50 failures per 10 minutes, spotr.io fires on attempt #51. Your SIEM won't see it until the next cron run.

Rung 3 — Statistical / Anomaly (adaptive, moderate cost)
The compromised account downloads 15x its 30-day average. There's no static rule for "more than usual": it requires a per-user baseline maintained continuously, which also means a new account has no baseline until enough history has accumulated. Your SIEM can't do this without a separate UEBA product and a 90-day warm-up.

Rung 4 — Sequence / State Models (complex, high value)
The full kill chain: phish → credential dump → lateral movement → EDR disabled → cloud exfiltration. No single event is suspicious on its own. The ordered sequence, across auth, endpoint, network and cloud sources and spread over 72 hours, is the attack. A correlation search bounded to one source and a short fixed window can't express it; your SIEM has no concept of cross-source sequencing.

Rung 5 — Behavioral Learning (most expensive, highest value)
The attacker reads AWS S3 buckets the real user has never touched in two years. There's no rule for "things you've never done." Only a continuously learned model of each user's normal access, with enough history behind it that "new" actually means something, catches novel access patterns.
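To make the ladder concrete, here is a small single-pass engine that evaluates all five rungs on every event of a constructed ten-day stream and reports which rung fired. It is an added example, not spotr.io's code and not a description of its internals: the event schema, field names, thresholds (50 failures per 10 minutes, 15x a five-sample baseline, a 72-hour chain window, ten events of history before "new" counts) and the scenario itself are assumptions chosen to mirror the narrative above.

```python
"""Single-pass detection ladder over a constructed event stream (added example, not
spotr.io's code; schema, field names, thresholds and scenario are assumptions)."""
from collections import defaultdict, deque

DAY = 86_400
IOC_DOMAINS = {"login-portal-example.invalid"}   # constructed indicator, not a real domain
FAIL_THRESHOLD, FAIL_WINDOW = 50, 600             # rung 2: more than 50 failures in 10 min
BASELINE_MIN, BASELINE_FACTOR = 5, 15             # rung 3: 5 samples, then 15x the mean
KILL_CHAIN = ["phish_dns", "cred_dump", "lateral_logon", "edr_disabled", "cloud_exfil"]
CHAIN_WINDOW = 72 * 3600                          # rung 4: whole chain within 72 h
LEARN_EVENTS = 10                                 # rung 5: history needed before "new" counts


class Ladder:
    """Per-user state for each rung; every event is evaluated against all five."""
    def __init__(self):
        self.fails = defaultdict(deque)     # user -> timestamps of recent failed logins
        self.baseline = defaultdict(list)   # user -> prior, non-flagged download sizes
        self.chain = {}                     # user -> (next stage index, chain start ts)
        self.buckets = defaultdict(set)     # user -> S3 buckets ever touched
        self.cloud_seen = defaultdict(int)  # user -> S3 events observed so far

    def process(self, ev):
        """Return the (rung, message) alerts raised by this one event (events in ts order)."""
        alerts, user, ts = [], ev["user"], ev["ts"]
        # Rung 1: stateless indicator match.
        ioc_hit = ev["type"] == "dns" and ev["domain"] in IOC_DOMAINS
        if ioc_hit:
            alerts.append((1, f"known-bad domain {ev['domain']}"))
        # Rung 2: sliding-window counter; fires once, on the first event over threshold.
        if ev["type"] == "login_failed":
            q = self.fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD + 1:
                alerts.append((2, f"{len(q)} failed logins for {user} within {FAIL_WINDOW}s"))
        # Rung 3: per-user baseline; a flagged value is not fed back in, or one spike
        # would silently raise the bar for the next one.
        if ev["type"] == "download":
            hist, flagged = self.baseline[user], False
            if len(hist) >= BASELINE_MIN:
                mean = sum(hist) / len(hist)
                if ev["bytes"] > BASELINE_FACTOR * mean:
                    flagged = True
                    alerts.append((3, f"{user} downloaded {ev['bytes'] / mean:.0f}x baseline mean"))
            if not flagged:
                hist.append(ev["bytes"])
        # Rung 4: ordered state machine across sources. A rung-1 hit is stage one, so the
        # cheaper rung feeds context upward; a partial chain older than 72 h restarts.
        stage = "phish_dns" if ioc_hit else ev["type"]
        pos, start = self.chain.get(user, (0, ts))
        if pos and ts - start > CHAIN_WINDOW:
            pos = 0
        if KILL_CHAIN[pos] == stage:
            pos, start = pos + 1, (start if pos else ts)
            if pos == len(KILL_CHAIN):
                alerts.append((4, f"full kill chain for {user} in {(ts - start) / 3600:.1f} h"))
                pos = 0
        self.chain[user] = (pos, start)
        # Rung 5: never-before-seen resource, only after a learning period so a brand-new
        # user does not alert on every first access.
        if ev["type"] == "s3_access":
            seen = self.buckets[user]
            if self.cloud_seen[user] >= LEARN_EVENTS and ev["bucket"] not in seen:
                alerts.append((5, f"{user} read bucket {ev['bucket']}, never touched before"))
            seen.add(ev["bucket"])
            self.cloud_seen[user] += 1
        return alerts


def build_stream(user="alice"):
    """Constructed 10-day stream: five quiet days of history, then the 72-hour campaign."""
    def e(ts, kind, **fields):
        return {"ts": ts, "type": kind, "user": user, **fields}
    hist = [x for d in range(1, 6) for x in (
        e(d * DAY, "download", bytes=100_000_000),
        e(d * DAY + 60, "s3_access", bucket="reports"),
        e(d * DAY + 60, "s3_access", bucket="billing"))]
    t0 = 8 * DAY
    campaign = [e(t0, "dns", domain="login-portal-example.invalid")]
    campaign += [e(t0 + 3600 + i, "login_failed") for i in range(500)]
    campaign += [e(t0 + 7200, "cred_dump"),
                 e(t0 + 8000, "download", bytes=2_000_000_000),
                 e(t0 + DAY, "lateral_logon"),
                 e(t0 + DAY + 100, "edr_disabled"),
                 e(t0 + 2 * DAY, "s3_access", bucket="hr-archive"),
                 e(t0 + 2 * DAY + 10, "cloud_exfil")]
    return hist + campaign


def run(events):
    """Feed events through one Ladder; return all alerts in stream order."""
    ladder, out = Ladder(), []
    for ev in events:
        out.extend(ladder.process(ev))
    return out


if __name__ == "__main__":
    for rung, msg in run(build_stream()):
        print(f"rung {rung}: {msg}")
```

Running it yields one alert per rung, in the order the evidence arrives (1, 2, 3, 5, 4): the IOC hit first, the threshold on the 51st failure, the 20x download against the five-day baseline, the never-seen bucket, and finally the completed chain once the exfiltration event closes it. Three details are deliberate and worth carrying into any real implementation: the flagged download is kept out of the baseline so the spike does not normalise itself, the first-seen check stays silent until the account has enough history, and a chain that stalls for longer than the 72-hour window is discarded rather than left open forever.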

The Result:

Your SIEM catches 1 out of 5. spotr.io catches all 5 — each escalating in severity, each adding context the previous layer couldn't provide.

The Principle:

Always prefer the cheapest evaluation that solves the problem. The IOC match didn't need ML; the kill chain couldn't be expressed as a single Sigma rule. The right engine gives you every rung on one stream, so each detection can sit on the cheapest rung that actually solves it.