Lessons from Dan Shiebler

Dan Shiebler is the co-founder and CTO of Artemis and the former Head of Machine Learning at Abnormal Security. He builds security platforms that replace static rules with autonomous agents, drawing on his earlier work with vector search infrastructure at Twitter. This profile covers his approach to system architecture, adversarial machine learning, and the structural limits of older security systems.

Part 1: Cybersecurity and AI-Native Defense

  1. On AI-Native vs AI-Enabled: "Companies built from the ground up to utilize AI consistently outperform those that attempt to retrofit older structures." — Source: GetPodcast
  2. On the Detection Mindset: "Effective defense requires shifting from a purely reactive posture to a detection mindset that anticipates adversary behavior before an attack escalates." — Source: Dan Shiebler's Website
  3. On Semantic Log Understanding: "Logs are more than strings of text; they must be transformed into a living model of the customer's environment that understands identities, assets, and relationships." — Source: Tom Tunguz Blog
  4. On Modern Cybercrime: "The scale of modern cybercrime necessitates automated systems; human analysts alone cannot review the volume of generated alerts." — Source: Abnormal Security Blog
  5. On Identity-Centric Security: "Understanding the normal behavior of an identity across systems like Okta and AWS is a prerequisite for identifying malicious anomalies." — Source: Tom Tunguz Blog
  6. On Defensive Scaling: "A successful security platform must scale its reasoning capabilities as fast as attackers scale their automated exploits." — Source: Artemis Security
  7. On the AI Security Environment: "The security environment is fundamentally altered when attackers have access to the same generative AI tools as defenders." — Source: Abnormal Security Blog
  8. On Cross-Platform Context: Shiebler explains that Abnormal's detection work uses message, account, sender, recipient, historical-behavior, and compromise-indicator signals together rather than judging events in isolation. — Reference: Bigeye Observatory interview with Dan Shiebler
  9. On the Speed of AI Attacks: "Generative AI enables attackers to iterate on phishing payloads in real-time, bypassing static filters almost instantly." — Source: Abnormal Security Blog
  10. On Grounded Findings: "Surface-level observations are insufficient; AI systems must perform ad-hoc queries to turn initial signals into grounded, actionable findings." — Source: Artemis Security

Part 2: The Limits of Traditional Security

  1. On SIEM Architecture: "The current security crisis is not merely a problem of data or rules, but a structural problem within systems designed for a different era of volume." — Source: Resilient Cyber
  2. On Legacy System Constraints: "You cannot solve modern cybersecurity challenges by simply adding new features to older SIEM architectures." — Source: Resilient Cyber
  3. On Rule-Based Decay: "Static, rule-based detection systems inevitably decay in efficacy as adversary tactics evolve around them." — Source: Abnormal Security Blog
  4. On Alert Fatigue: Shiebler says high precision matters because poor detectors create customer work, from hunting missing messages to dealing with locked-out accounts. — Reference: Bigeye Observatory interview on detection precision
  5. On Data Overload: "Simply feeding more data into a legacy SIEM does not yield better security; it often obscures the actual threats in a sea of noise." — Source: Resilient Cyber
  6. On Static Filters: "Filters that rely on known bad IP addresses or domain lists are obsolete against attackers who programmatically cycle their infrastructure." — Source: SuperDataScience Podcast
  7. On the Illusion of Coverage: Shiebler describes a layered detection system where specialized detectors and ensemble models must be monitored individually, not counted as coverage merely because many models exist. — Reference: Bigeye Observatory interview on model portfolios
  8. On the Cost of Logging: "The financial and computational cost of indexing raw logs often outpaces the defensive value derived from them." — Source: Artemis Security
  9. On Retrofitting AI: "Bolting an AI chatbot onto a legacy SIEM interface does not make the underlying architecture intelligent." — Source: GetPodcast
  10. On Analyst Bottlenecks: Shiebler's Abnormal examples show why detection systems need fast access to conversational context, historical messages, and account behavior before analysts can make useful decisions. — Reference: Bigeye Observatory interview on detection infrastructure

Part 3: AI Agents and Data Handling

  1. On Agent Data Access: "AI agents should never see raw logs, because signal degrades as volume increases." — Source: Artemis Security
  2. On Pre-computed Context: "Agents must interact with pre-computed data structures to reason effectively without being overwhelmed by noisy event streams." — Source: Artemis Security
  3. On Agentic Investigation: "An effective AI agent autonomously generates hypotheses and queries databases to validate them, mirroring a human analyst's workflow." — Source: Tom Tunguz Blog
  4. On Trustworthy Automation: "Building systems that provide trustworthy behavioral analysis at scale requires solving problems that have no precedent in traditional automation." — Source: Artemis Security
  5. On Reasoning at Scale: "Reasoning over large operational datasets is a unique challenge that demands carefully designed, specialized agent architectures." — Source: Artemis Security
  6. On LLM Integration: "Large language models are most effective in security when used to automate and enhance the creation of detection rules rather than raw data parsing." — Source: Abnormal Security Blog
  7. On Agent Workflows: Shiebler says Artemis builds internal processes and code around AI-native tooling so concepts can move quickly into prototypes, customer hands, and data-driven product improvements. — Reference: First Round In Depth episode with Dan Shiebler and Shachar Hirshberg
  8. On Hallucination Mitigation: "Restricting agents to structured, pre-aggregated data layers drastically reduces the rate of hallucinated security findings." — Source: Artemis Security
  9. On Continuous Learning: Shiebler emphasizes training on new data, monitoring detector precision, and adapting parameters across customers as the threat environment changes. — Reference: Bigeye Observatory interview on maintaining ML systems

Part 4: Machine Learning Architecture and Scale

  1. On Embedding Infrastructure: "Building core embedding and vector search capabilities allows platforms to match content based on deep semantic similarity rather than keyword overlap." — Source: Dan Shiebler's Website
  2. On Fault Tolerance: "Scoring engines in production must be inherently fault-tolerant, degrading gracefully rather than failing entirely when downstream services time out." — Source: Abnormal Security Blog
  3. On Resilient Systems: "Resilient machine learning systems anticipate upstream data corruption and implement fallbacks to maintain predictive accuracy." — Source: SuperDataScience Podcast
  4. On Vector Search at Twitter: "Deploying vector search at Twitter's scale required optimizing index structures to handle billions of high-dimensional queries per day." — Source: Dan Shiebler's Website
  5. On Sensor Data: "Applying deep learning to smartphone sensor data requires specialized architectures to handle messy, irregularly sampled time-series inputs." — Source: Dan Shiebler's Website
  6. On Model Latency: "In web ads machine learning, inference latency directly impacts revenue, forcing a trade-off between model complexity and execution speed." — Source: All American Speakers
  7. On Data Processing Layers: "A scalable data processing layer is the foundation upon which any effective machine learning model is trained." — Source: Bigeye Blog
  8. On Infrastructure Investments: Shiebler ties effective detection to backend systems that can process messages, preserve historical context, and make low-latency data available to future decisions. — Reference: Bigeye Observatory interview on ML infrastructure
  9. On System Modularity: "Decoupling feature extraction from model inference allows different engineering teams to iterate independently without breaking production." — Source: Abnormal Security Blog

Part 5: Adversarial Machine Learning and Threat Detection

  1. On Adversarial Tactics: "Attackers use large language models like ChatGPT and DeepSeek to craft highly convincing, context-aware phishing lures at scale." — Source: Abnormal Security Blog
  2. On the AI Arms Race: Shiebler frames Artemis around an AI-native security market where attackers move faster and defenders need systems built from scratch around what AI can now do. — Reference: First Round In Depth episode on Artemis
  3. On Anomaly Detection: Shiebler describes Abnormal building baselines of known-good employee and vendor behavior from communication patterns, sign-in events, and other attributes to detect suspicious deviations. — Reference: Authority Magazine interview with Dan Shiebler
  4. On Evading Filters: "Adversaries continually probe detection models to discover decision boundaries, requiring defensive models to be retrained dynamically." — Source: SuperDataScience Podcast
  5. On Social Engineering: "Generative AI has effectively eliminated the spelling and grammar errors that were traditionally the most reliable indicators of a phishing email." — Source: Abnormal Security Blog
  6. On High-Volume Attacks: "Machine learning models must prioritize precision over recall during high-volume attacks to prevent the security operations center from being overwhelmed." — Source: Abnormal Security Blog
  7. On Behavioral Biometrics: "Analyzing the metadata of an action—how and when an account is accessed—is often more revealing than the action itself." — Source: Dan Shiebler's Website
  8. On Malicious Prompting: "Defenders must account for attackers attempting to inject malicious prompts directly into the AI systems used for log analysis." — Source: Abnormal Security Blog
  9. On Polymorphic Threats: "Cybercriminals deploy polymorphic threats that change their signatures on every execution, rendering static hashes useless." — Source: SuperDataScience Podcast

Part 6: Leadership and Building ML Teams

  1. On Hiring for AI: The Artemis episode highlights interviewing for AI fluency and building a team centered on AI capabilities rather than treating AI as a bolt-on skill. — Reference: First Round In Depth episode on hiring for AI fluency
  2. On Engineering Metrics: "Managing an ML team requires defining performance metrics that measure actual business impact, rather than only offline model accuracy." — Source: Global Big Data Conference
  3. On Cross-Functional Collaboration: "The most successful AI projects bridge the gap between research scientists designing models and software engineers writing production infrastructure." — Source: Authority Magazine
  4. On Rapid Scaling: "Leading an ML team through hypergrowth involves transitioning from hands-on engineering to building the systems that help other engineers succeed." — Source: ScaleUp Events
  5. On Research vs Production: "A common failure mode for ML teams is treating production deployment as an afterthought to model training." — Source: AI Masterclass
  6. On Career Development: "Creating a highly successful career in AI requires continuous learning and a willingness to operate in domains with undefined best practices." — Source: Authority Magazine
  7. On Technical Debt: "ML engineering teams must consciously allocate time to pay down technical debt, particularly in their data pipelines, to avoid eventual stagnation." — Source: Abnormal Security Blog
  8. On Team Structure: "Organizing teams around specific business metrics, such as revenue driven by ad clicks, aligns engineering efforts with company goals." — Source: Dan Shiebler's Website
  9. On Fostering Innovation: "Leaders should encourage engineers to build internal tooling that automates their repetitive tasks, freeing up bandwidth for deeper problem-solving." — Source: Dan Shiebler's Website

Part 7: Startup Strategy and Founder Lessons

  1. On Customer Obsession: Shiebler and Hirshberg describe keeping tight customer loops at Artemis, including a goal of staying close enough to customers to keep learning from them directly. — Reference: First Round In Depth episode on customer obsession
  2. On the First Product: The Artemis discussion treats the first product as something to validate quickly with customers, even when shipping early feels uncomfortable. — Reference: First Round In Depth episode on first products
  3. On Founder-Led Sales: Shiebler's Artemis lessons include founders learning directly from early sales conversations instead of outsourcing market discovery too soon. — Reference: First Round In Depth episode on founder-led sales
  4. On AI Startup Moats: Shiebler argues that Artemis' advantage comes from company structure, internal processes, and code built around AI-native workflows, not simply from access to models. — Reference: First Round In Depth episode on AI-native companies
  5. On Capital Efficiency: The Artemis launch conversation links funding to a fast-growing team, early customers, and a product already in production rather than fundraising as a substitute for traction. — Reference: First Round In Depth episode on Artemis funding and customers
  6. On Building in Stealth: "Operating in stealth allows a team to solve complex architectural problems without the distraction of premature public expectations." — Source: Artemis Security
  7. On Strategic Pivots: Shiebler and Hirshberg describe using customer feedback and product data to rethink what security operations should look like when rebuilt around AI-native capabilities. — Reference: First Round In Depth episode on reimagining security operations
  8. On Speed of Execution: Shiebler says Artemis can iterate quickly because AI-native tooling lets the team move from concept to prototype to customer feedback without the same manual bottlenecks. — Reference: First Round In Depth episode on AI-native iteration
  9. On Market Timing: "Launching an AI-native security company when generative AI first became commoditized allowed Artemis to build for the new reality from day one." — Source: Tom Tunguz Blog

Part 8: Advanced Mathematics and Academic Research

  1. On Category Theory: "Category theory provides a rigorous mathematical framework for understanding the structural relationships between different machine learning architectures." — Source: Dan Shiebler's Website
  2. On Unsupervised Learning: "Unsupervised learning techniques are highly effective when labeled data is scarce, allowing models to discover latent structures organically." — Source: AI Masterclass
  3. On Optimization Algorithms: "The efficiency of deep learning is fundamentally constrained by the optimization algorithms used to navigate complex, non-convex loss environments." — Source: Dan Shiebler's Website
  4. On Neuroscience and AI: "Insights from neuroscience, such as the mechanisms of biological neural networks, continue to inspire novel approaches to artificial intelligence." — Source: Dan Shiebler's Website
  5. On Functors in ML: "Applying concepts like functors to machine learning allows researchers to map transformations between distinct domains of data consistently." — Source: Dan Shiebler's Website
  6. On Dimensionality Reduction: "High-dimensional vector spaces often contain redundant information that can be compressed without significant loss of semantic meaning." — Source: Dan Shiebler's Website
  7. On Theoretical Foundations: "While empirical results drive the industry, establishing solid theoretical foundations is necessary for guaranteeing the safety of AI systems." — Source: AI Masterclass
  8. On the Manifold Hypothesis: "The assumption that high-dimensional data lies on a lower-dimensional manifold is central to why modern embedding techniques function effectively." — Source: Dan Shiebler's Website
  9. On Compositionality: "A key challenge in deep learning is achieving true compositionality, where a model can understand a novel concept by combining known primitives." — Source: Dan Shiebler's Website
  10. On Continuous Optimization: "In dynamic environments, optimization is not a one-time training event but a continuous process of adapting to shifting data distributions." — Source: Dan Shiebler's Website