Matt Shea

Matt is Chief Strategy Officer for MixMode AI. With over 20 years’ experience in the technology space, Matt has concepted, architected and developed groundbreaking solutions that blend equal parts of technology, product and business.

AI is shaping nearly every corner of the technology landscape. Organizations are investing heavily in new models, new workflows, and new ways to automate and accelerate productivity. Large language models (LLMs) in particular have quickly become essential tools for coding, research, content generation, data summarization, and operational efficiency.

This momentum is real, and it is reshaping how businesses operate. But cybersecurity sits at a unique crossroads. While LLMs are powerful in many domains, they are not built to solve the specific and highly complex challenges of detecting threats inside dynamic, adversarial, real-time environments.

Cybersecurity requires a different form of insights. One that understands behavior, context, and change, not language.

This is where different approaches from Third-Wave AI become the missing piece in the modern AI strategy.

LLMs Are Transformational, but They Are Not Designed for Cybersecurity Detection

LLMs excel at understanding text, answering questions, generating documents, and automating workflows. They have become important for analysts and engineers. But as a recent Futurism article explains, LLMs “are simply tools that emulate the communicative function of language,” not systems that understand or reason about the world.

Modeling language is not the same as modeling behavior, especially from highly complex environments represented by time series data.

This distinction is vital for cybersecurity. Identifying pre-attack activity, zero-day exploits, or subtle deviations in massive time-series datasets is not a linguistic challenge. It requires understanding how systems evolve, how normal behavior shifts from moment to moment, and how unknown threats emerge in environments that change continuously.

Despite significant investment, attempts to use LLMs for this type of predictive, behavior-based detection have consistently faced structural limitations. LLMs rely on learning grammar from extremely large text based training sets. Their ability to anticipate or interpret novel, adversarial events is inherently limited, both in accuracy and in scale.

LLMs should not serve as the core detection engine, due to the difficulty of adapting and scaling to each cybersecurity environment to process time series data.

Why Cybersecurity Needs a Complementary AI Approach

Cybersecurity teams need tools that can identify activity that deviates from expected behavior, even when that activity does not match known attack patterns.

They need technology that adapts constantly to new conditions, distinguishes meaningful deviating activity from noise to ignore, and reduces the operational burden on analysts.

This is not a matter of one AI being “better” than another. It is about matching the right AI to the job.

LLMs help translate, summarize, and automate.

Third-Wave AI provides contextually understanding to detect, predict, and prioritize.

Together, they form a complete approach.

Third-Wave AI: Built for Real-Time, Real-World Cyber Defense

DARPA describes Third-Wave AI as systems that understand context and adapt on their own, without relying on human-labeled training data. This is a fundamentally different approach than how LLMs or traditional machine learning function.

MixMode’s Third-Wave AI uses a dynamical foundational model — a method designed to understand how systems behave and change over time. This approach is used in fields that must analyze constantly evolving data, such as weather systems and fluid dynamics. It is perfectly suited to today’s cybersecurity landscape.

How Third-Wave AI Complements LLMs

This is not a replacement conversation. It is a completeness conversation.

LLMs can accelerate the SOC’s written and research tasks.
Third-Wave AI strengthens the SOC’s ability to detect and prioritize threats in real time.

Together, they expand the security team’s capabilities in ways neither can accomplish alone.

What Third-Wave AI Enables in the SOC

Predictive Detection Unknown and Prioritization of Known Attacks

MixMode identifies anomalies before they escalate, even with threats that have never been seen before. It does not depend on signatures, rules, or training periods.

Real-Time Adaptation Without Human Tuning

The AI learns the environment immediately and updates its understanding continuously as conditions change.

Meaningful Alerts With Context

By understanding behavioral baselines, MixMode reduces false positives and helps prioritize alerts that truly matter.

Enterprise-Scale Performance

MixMode is designed for large, complex environments — federal agencies, critical infrastructure, and global enterprises — where data volume, diversity, and volatility far exceed what LLM-based approaches can handle.

A More Complete AI Future for Cybersecurity

AI will continue to evolve, and organizations will continue adopting LLMs and generative technologies across their operations. In cybersecurity, these tools offer value in workflows, summarization, and knowledge sharing. But they cannot serve as the engine of real-time threat detection.

That work requires an AI designed for time series data that can forecast expected behavior, dynamics, and context.

The future of cyber defense is not “LLMs vs. other advanced AI.”

It is LLMs plus the right time series focused AI for detecting and prioritizing threats.

MixMode’s Third-Wave AI fills that critical role. It gives cybersecurity teams the missing capability needed to defend complex environments, identify novel threats, and operate with greater efficiency and clarity.

This is how organizations build a modern, resilient, and intelligent security posture as AI becomes central to every part of the enterprise.

‍

Signup for the MixMode Wave Newsletter

Your Monthly Resource for the Latest News, Events and Resources

Why LLMs Alone Aren’t Enough for Cyber Defense