Here is how NetGain UEBA actually computes a risk score. Every formula. Every query. Live, click by click, in 5 minutes.
No black box. No "trust the AI." No proprietary sauce hidden behind a marketing reel.
The dirty secret of the UEBA industry is that most "AI-powered" products are if-statements with marketing. A vendor sells you "machine learning" for $200k, deploys it, and when you ask why a user got flagged, the answer is some variant of "trust the model." No formula. No query. No way to defend the alert in front of a customer. Just a black box, a confident-looking dashboard, and an annual renewal.
I have been building security products for over 20 years and I have seen this pattern too many times.
So we built NetGain UEBA the hard way.
No rules. There is no rule that says "five failed logins is an anomaly." The detector learns each user's pattern over a 14-day rolling window, unsupervised, no labelled training data. Mark Lewis logs in 8 to 6, three known IPs, 112 events. The system was never told that is normal. It observed it.
The math is on the screen. Per-anomaly contribution equals base risk times confidence times exponential decay with a 24-hour half-life. That is the entire scoring formula. No hidden weights. Click "Explain this baseline" and you see the actual Elasticsearch query that produced the evidence. Copy it. Run it. Verify the events yourself.
The score is continuous, not a flag. A user drifts from 70 to 60 to 45 as their recent activity quiets down. We do not get stuck at "alerted forever." Acknowledged anomalies have their contribution zeroed immediately.
The baseline is frozen at detection time. Two weeks later when an auditor asks "why was this flagged," the system shows what the detector saw at that moment, not what the user looks like today. This is what makes the alert defensible.
Attack chains apply a multiplier. A real attacker does not trip one detector. They trip several in sequence. Three different MITRE techniques across three hours become a 2x multiplier on top of the per-anomaly score. That is how 50 becomes 88.
Rising Risk catches climbers before they spike. Sorting by score is what every vendor does. We also sort by score acceleration. A privileged service account jumping from 0 to 31 in seven days at three points per day is not yet "high risk" by score. It is pre-attack. That is the difference between a phone call and an incident response.
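The scoring rules described above, worked through in code. This is an added illustration written for this post, not NetGain's own implementation: the decay formula, the 24-hour half-life, the zeroing of acknowledged anomalies and the 2x multiplier for three distinct techniques inside three hours come from the text; the cap at 100, the multiplier being applied to the summed contributions, the least-squares slope used for "score acceleration", and all user names, technique ids and timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HALF_LIFE_HOURS = 24.0        # from the post: 24-hour half-life
CHAIN_WINDOW_HOURS = 3.0      # from the post: three techniques across three hours
CHAIN_MIN_TECHNIQUES = 3
CHAIN_FACTOR = 2.0            # from the post: 2x multiplier
SCORE_CAP = 100.0             # assumption: scores are capped at 100


@dataclass
class Anomaly:
    user: str
    technique: str            # MITRE ATT&CK technique id
    base_risk: float          # base risk the detector assigns to this anomaly type
    confidence: float         # detector confidence in [0, 1]
    detected_at: datetime
    acknowledged: bool = False


def decay(age_hours):
    """Exponential decay: 1.0 at detection time, halves every 24 hours."""
    return 0.5 ** (max(age_hours, 0.0) / HALF_LIFE_HOURS)


def contribution(a, now):
    """base_risk * confidence * decay; an acknowledged anomaly contributes nothing."""
    if a.acknowledged:
        return 0.0
    age_hours = (now - a.detected_at).total_seconds() / 3600.0
    return a.base_risk * a.confidence * decay(age_hours)


def chain_multiplier(anomalies):
    """2x if any 3-hour window holds >= 3 distinct live techniques, otherwise 1x."""
    live = sorted((a for a in anomalies if not a.acknowledged), key=lambda a: a.detected_at)
    window = timedelta(hours=CHAIN_WINDOW_HOURS)
    for i, first in enumerate(live):
        techniques = {a.technique for a in live[i:] if a.detected_at - first.detected_at <= window}
        if len(techniques) >= CHAIN_MIN_TECHNIQUES:
            return CHAIN_FACTOR
    return 1.0


def risk_score(anomalies, now):
    """Sum of contributions times the chain multiplier, capped (cap is an assumption)."""
    total = sum(contribution(a, now) for a in anomalies)
    return min(SCORE_CAP, total * chain_multiplier(anomalies))


def explain(anomalies, now):
    """One row per anomaly: technique, base, confidence, decay, acknowledged, contribution."""
    rows = []
    for a in anomalies:
        age_hours = (now - a.detected_at).total_seconds() / 3600.0
        rows.append((a.technique, a.base_risk, a.confidence, round(decay(age_hours), 4),
                     a.acknowledged, round(contribution(a, now), 2)))
    return rows


def acceleration(history):
    """Least-squares slope of (day, score) pairs in points per day (assumed definition)."""
    n = len(history)
    if n < 2:
        return 0.0
    mx = sum(d for d, _ in history) / n
    my = sum(s for _, s in history) / n
    num = sum((d - mx) * (s - my) for d, s in history)
    den = sum((d - mx) ** 2 for d, _ in history)
    return num / den if den else 0.0


def rising_risk(histories):
    """User names ordered by score acceleration, fastest climber first."""
    return sorted(histories, key=lambda u: acceleration(histories[u]), reverse=True)


# --- constructed sample data, not taken from the post ---
NOW = datetime(2024, 3, 1, 12, 0)


def hours_ago(h):
    return NOW - timedelta(hours=h)


MARK = [  # ordinary user: two live anomalies, one already acknowledged by an analyst
    Anomaly("mark.lewis", "T1078", 40.0, 1.0, hours_ago(24)),                   # 40 * 1.0 * 0.5 = 20
    Anomaly("mark.lewis", "T1110", 30.0, 0.5, hours_ago(0)),                    # 30 * 0.5 * 1.0 = 15
    Anomaly("mark.lewis", "T1021", 50.0, 0.9, hours_ago(2), acknowledged=True),  # zeroed
]
SVC_CHAIN = [  # three distinct techniques inside three hours: chain multiplier applies
    Anomaly("svc-backup", "T1078", 20.0, 0.8, hours_ago(2)),
    Anomaly("svc-backup", "T1021", 20.0, 0.8, hours_ago(1)),
    Anomaly("svc-backup", "T1003", 20.0, 0.8, hours_ago(0)),
]
SVC_SLOW = [Anomaly(a.user, a.technique, a.base_risk, a.confidence, hours_ago(4 * i))
            for i, a in enumerate(SVC_CHAIN)]  # same techniques spread 4h apart: no chain
HISTORIES = {  # seven daily score samples per user
    "mark.lewis": [(d, 70.0) for d in range(7)],     # high but flat
    "svc-backup": [(d, 3.0 * d) for d in range(7)],  # 0 -> 18, climbing 3 points per day
}

if __name__ == "__main__":
    for name, anomalies in (("mark.lewis", MARK), ("svc-backup", SVC_CHAIN)):
        print(name, round(risk_score(anomalies, NOW), 2), "multiplier x%.0f" % chain_multiplier(anomalies))
        for row in explain(anomalies, NOW):
            print("   ", row)
    print("rising risk order:", rising_risk(HISTORIES))
```

Running it shows the two behaviours the post argues for: Mark Lewis scores exactly 35 (20 + 15 + 0), and the acknowledged anomaly sits in the `explain` output at zero so an auditor can see why it no longer counts; the service account scores higher than the raw sum of its contributions because three techniques landed in one window, and it sorts first in `rising_risk` even though its absolute score history never leaves the teens.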
Here is the controversial part.
If your current UEBA vendor cannot show you the formula behind a score, you are not using AI. You are using a black box that hides hard-coded rules behind the word "AI." This is detection theatre. Good for compliance, bad for actually catching attackers.
Watch the video. Then go ask your vendor to show you the math behind one of their flags. The silence will tell you everything.
This is UEBA you can defend in front of a customer.
Watch the full walkthrough video here. Built into Cloud Vista v15. Explore Astra AI.