---
title: "See entity-centric detection in action at Black Hat 2025"
page_name: "See entity-centric detection in action at Black Hat 2025"
type: "blog"
slug: "entity-centric-detection-black-hat-2025"
published_at: "2025-08-05"
modified_at: "2026-02-17"
url: "https://www.sumologic.com/blog/entity-centric-detection-black-hat-2025"
canonical: "https://www.sumologic.com/blog/entity-centric-detection-black-hat-2025"
markdown_url: "https://www.sumologic.com/blog/entity-centric-detection-black-hat-2025.md"
lang: "en"
excerpt: "Visit Sumo Logic at Black Hat 2025 to learn how we’re rethinking traditional detection with entity-centric detection."
taxonomy_blog_category:
  - "Cloud SIEM"
---


# See entity-centric detection in action at Black Hat 2025

[Christopher Beier](#blog-author-block-66)

August 5, 2025

4 min read 

[Cloud SIEM](https://www.sumologic.com/blog/cloud-siem)


Security operations are full of noise. That’s not news to anyone attending Black Hat. What’s more surprising is that much of the noise is generated by the very systems meant to reduce it. Detections lack context. Alerts pile up without explanation. Automation stalls because no one trusts the signal.

Even with all this, the goal remains the same: help defenders focus on what matters, fast.

The industry has made real efforts toward this goal. We’ve added more logs, better rules, layered enrichment, [and machine learning](https://www.sumologic.com/blog/machine-learning-deep-learning). We’ve trained LLMs to summarize alerts. We’ve adopted detection-as-code to manage logic more reliably. But somehow, we keep circling back to the same questions: Is this alert real? Does it matter? What do I do next?

Detection logic across most modern security tools is still built around events, not entities: around when something happened, not who did it. That approach starts to fall apart in cloud-first, fast-moving environments where identities shift constantly.

That’s why, at Black Hat 2025, we’ll be demonstrating entity-centric detection at booth #5812.

## Why traditional detection needs a new foundation

Traditional detection logic was built for a different era, when infrastructures were static, users worked from known locations, and most threats followed recognizable signatures. In that world, event correlation worked: match enough log lines within a tight time window and you could usually work out what was happening.

But today, infrastructures are ephemeral, access patterns are unpredictable, and attackers increasingly mimic legitimate behavior. What’s suspicious in one context might be harmless in another.

Event-centric models can’t see that nuance. They can’t remember what came before. They can’t infer intent.

And so, analysts are left to pivot between tools, correlate signals manually, and try to stitch together a narrative from a trail of disjointed logs.

Today’s security operations call for a better foundation.

## Entity-centric detection: A smarter model

Entity-centric detection begins with a simple premise: risk lives in the actor. That means users, hosts, service accounts, cloud workloads, and anything else that initiates behavior or carries access.

Instead of triggering on isolated events, the detection system builds and maintains a memory of each entity: what is normal for it, what is risky, and whether anything has changed. When behavior deviates from that baseline, the system raises a signal and connects it to the entity’s recent history, so the detection explains what happened rather than just that something happened.

Imagine this: A developer runs a system-information command on a host for the first time. A few minutes later, they access an S3 bucket they’ve never touched. Then, the host initiates outbound communication to an unfamiliar IP range.

Traditional detection might generate three separate alerts, each of which, in isolation, is barely actionable. Analysts would need to connect the dots themselves to get to the bottom of the issue. Maybe they would. Maybe they wouldn’t.

In an entity-centric model, all of this activity is connected by design. The system knows it’s the same user. It sees the deviation from typical behavior. It understands the timeline. It elevates the risk score. And it delivers a single, cohesive signal, giving automation enough context to take action without hesitation.
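To make the scenario concrete, here is an added illustration of what “connected by design” means inside a detection engine. It is not Sumo Logic code and not the product’s scoring logic: events are keyed to an actor, scored for rarity against that actor’s own rolling 14-day history, chained when they arrive close together, and emitted once as a single explained detection. The entity names, bucket names, IP range, severities and thresholds are all constructed for the example; the 14-day window is the only figure taken from this page. It also handles two edge cases the prose implies: a cold-start learning period so a brand-new baseline does not fire on day one, and a second user for whom the same command is routine and therefore stays silent.

```python
"""Entity-centric correlation over a constructed event stream.

Added illustration, not Sumo Logic code: three weak, event-level signals
become one explainable detection once they are keyed to the same actor
and scored against that actor's own rolling history.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunables. The 14-day window mirrors the page; the rest are hypothetical.
BASELINE_WINDOW = timedelta(days=14)     # how far back an entity "remembers"
ESCALATION_GAP = timedelta(minutes=30)   # signals this close together form one chain
CHAIN_TTL = timedelta(hours=24)          # an open chain older than this is forgotten
DETECTION_THRESHOLD = 6                  # chain score at which one grouped detection fires
SEVERITY = {"process": 1, "s3_access": 2, "net_out": 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    entity: str   # the actor everything is keyed on (a user here; hosts or roles work the same)
    kind: str     # one of SEVERITY's keys
    attr: str     # process name, bucket name, or destination range


@dataclass
class EntityState:
    history: deque = field(default_factory=deque)  # (ts, kind, attr) tuples inside BASELINE_WINDOW
    signals: list = field(default_factory=list)    # open signals not yet emitted as a detection
    score: int = 0


def prune(state, now):
    """Drop history that has aged out of the rolling window."""
    while state.history and now - state.history[0][0] > BASELINE_WINDOW:
        state.history.popleft()


def rarity(state, ev):
    """0: kind+attr already seen for this entity; 1: kind seen, attr new; 2: kind never seen."""
    if any(k == ev.kind and a == ev.attr for _, k, a in state.history):
        return 0
    return 1 if any(k == ev.kind for _, k, _ in state.history) else 2


def correlate(events, learn_until):
    """Consume events in time order; events before learn_until only build baselines (cold start)."""
    states = defaultdict(EntityState)
    detections = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = states[ev.entity]
        prune(st, ev.ts)
        r = rarity(st, ev)
        st.history.append((ev.ts, ev.kind, ev.attr))
        if ev.ts < learn_until or r == 0:
            continue   # learning period, or baseline behaviour: no new signal, no duplicate alert
        if st.signals and ev.ts - st.signals[-1]["ts"] > CHAIN_TTL:
            st.signals, st.score = [], 0   # stale chain; the 14-day history still remembers the events
        points = SEVERITY[ev.kind] * r
        why = f"{ev.kind}={ev.attr!r} is " + ("new for this entity" if r == 2 else "a new target for a known activity")
        if st.signals and ev.ts - st.signals[-1]["ts"] <= ESCALATION_GAP:
            points += 1
            why += "; follows a prior signal within the escalation gap"
        st.signals.append({"ts": ev.ts, "kind": ev.kind, "attr": ev.attr, "points": points, "why": why})
        st.score += points
        if st.score >= DETECTION_THRESHOLD:
            detections.append({
                "entity": ev.entity,
                "score": st.score,
                "timeline": [(s["ts"].isoformat(), s["kind"], s["attr"], s["points"], s["why"]) for s in st.signals],
            })
            st.signals, st.score = [], 0   # chain emitted once, as a single detection
    return detections


def sample_events():
    """Constructed telemetry (not real data): ten days of routine, then the page's scenario."""
    t0 = datetime(2025, 8, 1, 9, 0)
    routine = []
    for day in range(10):
        d = t0 + timedelta(days=day)
        routine += [
            Event(d, "dev-alice", "process", "git"),
            Event(d + timedelta(minutes=5), "dev-alice", "s3_access", "team-ci-artifacts"),
            Event(d, "ops-bob", "process", "systeminfo"),   # bob runs systeminfo every day
        ]
    learn_until = t0 + timedelta(days=10)
    now = learn_until + timedelta(hours=2)
    scenario = [
        Event(now, "dev-alice", "process", "systeminfo"),                                # first time for alice
        Event(now, "ops-bob", "process", "systeminfo"),                                  # routine for bob: silent
        Event(now + timedelta(minutes=3), "dev-alice", "s3_access", "finance-exports"),  # bucket never touched
        Event(now + timedelta(minutes=5), "dev-alice", "net_out", "203.0.113.0/24"),     # unfamiliar range
        Event(now + timedelta(minutes=6), "dev-alice", "process", "systeminfo"),         # repeat: deduplicated
    ]
    return routine + scenario, learn_until


def run_demo():
    events, learn_until = sample_events()
    return correlate(events, learn_until)


if __name__ == "__main__":
    for det in run_demo():
        print(det["entity"], det["score"])
        for step in det["timeline"]:
            print("  ", *step)
```

Run as written, the three alice events produce exactly one detection with a score of 11 and a three-step timeline, each step carrying its own reason string; bob’s `systeminfo` and alice’s repeated `systeminfo` produce nothing, because against their respective baselines they are not rare. Note that rarity is scored per entity, not globally, which is the whole point: the same event is a signal for one actor and noise for another.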

Entity-centric detection does not replace existing detection models; it complements and strengthens them:

- **Signature-based detection** is great for identifying known threats. But it’s brittle. One tweak in a payload or a shift in TTPs, and it fails. Tied to an entity, though, it gains memory and relevance.
- [**UEBA**](https://www.sumologic.com/glossary/ueba) brought behavioral context to detection, but too often in black-box implementations. Analysts couldn’t read the rules, couldn’t tune them, and couldn’t trust them. An entity model restores explainability.
- **Event correlation**, as built into most legacy SIEMs, still drives detection today, but it lacks long-term awareness. It sees patterns, but not escalation. Timelines help, but only when tied to persistent actors.

Entity-centric detection changes where the logic lives and anchors everything to the entities that actually matter.

The current operating environment has become more complex. Cloud services spin up and vanish in minutes. Identities shift across providers and geographies. And threats hide in normal behavior.

With event-only detection logic, analysts spend too much time triaging irrelevant alerts, automation engines sit idle, and SOCs operate in reactive mode because their tools don’t understand context.

Entity-centric detection is built to close that gap.

By anchoring logic to the people, hosts, systems, and services that actually carry risk, we shift from flat, transactional detection to something that remembers and explains how and why a risk happened.

This model is necessary for modern operations. The cost of not having it is missed threats, broken automation, and a security stack that can’t adapt to the speed of the business.

## What you’ll see at Black Hat

At our booth, we’re running live scenarios through [Sumo Logic Cloud SIEM’s](https://www.sumologic.com/guides/siem) entity-centric detection engine. You’ll see:

- **Entity tracking across identity providers and telemetry sources**: We map and follow users, hosts, workloads, and service accounts across your environment, regardless of where the signal originates.
- **Rolling 14-day behavior windows**: Every entity maintains its own recent activity history. You’ll see how we detect what’s typical, what’s rare, and what’s escalating.
- **Smart signal deduplication**: Instead of repeated alerts for the same behavior, we group related signals into a single, meaningful detection.
- **Automatic, explainable risk scoring**: Detections are prioritized based on severity, rarity, and behavioral context, so you can focus on what matters.
- **Behavioral detection rules analysts can tune**: See how our detections are built on clear logic, not black-box AI.
- **Timelines and relationship graphs**: Watch full attack paths unfold in real time, with no pivoting between tabs.
- **Integrated automation**: High-confidence detections trigger playbooks instantly, with no enrichment step required.

Come see the product itself responding to realistic threat scenarios in real time.

## The future belongs to entities

Every vendor will say their system is smarter, and every tool will claim to be faster. But at some point, we have to stop optimizing the old model and start building a better one.

Entity-centric detection offers a more modern approach to detection. It reduces noise, connects the dots, and surfaces the threats that actually matter, so analysts can spend more time responding.

Sound interesting? [**Come see it in action at booth #5812 at Black Hat.**](https://www.sumologic.com/events/black-hat-book-meeting)


Christopher Beier

Principal Product Marketing Manager

Christopher has spent the past 25 years dedicated to work in cybersecurity. He’s a US Navy veteran who did IT work in submarines. From his home in Forest Grove, OR, he enjoys flying stunt kites, college football (Go Ducks!), and watching his kids’ swim meets.

