Baseliner

Vector baselines: spotting when a host starts to behave differently

Most security monitoring focuses on what happened: a failed login, a new admin, a suspicious process. But some of the strongest early warnings don't come from a single event—they come from a change in how a host normally behaves. When that "normal" shifts, you want to know.

Vector baselines are a way to learn each host's usual "shape" of activity and flag when that shape changes. No fixed thresholds, no long lists of event codes to maintain. Just: this hour looks nothing like what this machine usually does.
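A small sketch of that idea, added here as an illustration and not taken from Baseliner's own code: each hour of a host's events becomes a vector of event-type proportions, and a new hour is compared with that host's own history. Cosine distance, the `k`, `floor` and `min_hours` values, the event-type names and the sample windows are all assumptions made for the example.

```python
import math
from collections import Counter

def window_vector(event_types):
    """One hour of event-type names -> unit-length sparse vector (the mix, not the volume)."""
    counts = Counter(event_types)
    norm = math.sqrt(sum(c * c for c in counts.values()))
    return {k: c / norm for k, c in counts.items()} if norm else {}

def cosine_distance(a, b):
    """0.0 means the same shape, 1.0 means nothing in common."""
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    if not na or not nb:
        return 1.0
    return 1.0 - sum(v * b.get(k, 0.0) for k, v in a.items()) / (na * nb)

class HostBaseline:
    def __init__(self, k=3.0, floor=0.02, min_hours=4):  # assumed tuning values
        self.history, self.k, self.floor, self.min_hours = [], k, floor, min_hours

    def learn(self, event_types):
        self.history.append(window_vector(event_types))

    def centroid(self):
        keys = set().union(*self.history)
        return {k: sum(v.get(k, 0.0) for v in self.history) / len(self.history) for k in keys}

    def limit(self):
        """Limit learned from this host's own past spread, not a global threshold."""
        c = self.centroid()
        d = [cosine_distance(v, c) for v in self.history]
        mean = sum(d) / len(d)
        std = math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))
        return max(mean + self.k * std, self.floor)  # floor avoids a zero limit on very stable hosts

    def score(self, event_types):
        return cosine_distance(window_vector(event_types), self.centroid())

    def is_anomalous(self, event_types):
        if len(self.history) < self.min_hours:
            return False  # too little history to call anything abnormal
        return self.score(event_types) > self.limit()

def hour(**counts):
    """Expand counts into a list of event-type names (builds the constructed samples)."""
    return [name for name, n in counts.items() for _ in range(n)]

# Constructed sample windows for one hypothetical host.
baseline = HostBaseline()
for h in (hour(logon=10, file_read=50, process_start=20), hour(logon=12, file_read=48, process_start=22),
          hour(logon=9, file_read=55, process_start=18), hour(logon=11, file_read=52, process_start=21)):
    baseline.learn(h)
typical = hour(logon=10, file_read=51, process_start=19)
shifted = hour(logon=10, file_read=5, process_start=20, logon_failed=200, service_install=3)
```

Because each vector is normalised, an hour with twice the traffic but the same mix scores the same as a quiet one; only a change in the mix moves the score.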