AI-driven detection catches threats that traditional tools miss, adapts faster than manual workflows, and operates at a scale no human team can replicate. But the more autonomous these systems become, the harder it is for security teams to answer a basic question: what actually happens after they act?

When a security team reports a threat, they expect protection to improve. What they rarely get is evidence that it did, let alone clarity into what changed and what it caught. The more automated the system, the wider this visibility gap becomes. It's not a failure of the technology. It's the next problem that advanced automation needs to solve.

At RSAC 2026, Abnormal introduced Detection 360 Insights, AI-generated explanations that surface the behavioral and contextual signals behind every verdict, and Custom AI Models, giving security teams control over how detection adapts to their environment. Today, we're extending that visibility to the full detection improvement loop.

Attune 1.0, Abnormal's behavioral foundation model, handles the vast majority of detections autonomously, learning how organizations communicate and evaluating incoming messages against those behavioral patterns. It builds an understanding of normal behavior across identities, vendors, and workflows, then evaluates every incoming message against those baselines. Today, Attune powers 85% of detections across the Abnormal platform.

Detection 360 has always acted on submissions—when a security team reports a missed threat, Abnormal investigates and deploys targeted improvements. What’s changed is visibility into how protection is built, deployed, and scaled across your environment.

Now, a new class of AI detection agents takes reported threats further—investigating the attack, generating a targeted detection, validating it against real traffic, and deploying it automatically. Built on behavioral signals and dynamic model scores rather than static attributes, these detectors maintain precision as threats evolve—without the rule sprawl and constant deprecation that characterize rules-based approaches. Each rule is a response to a threat that already landed; these detectors catch what rules haven't been written for yet. For a deeper look at the technology behind them, see our latest engineering blog.

Where the attack pattern supports it, dynamic text detection now extends coverage further, catching variants that share underlying patterns with the reported threat, even when the wording and infrastructure have changed. An analyst reports a vendor impersonation attack; D360 catches variants that would otherwise require separate reports. One submission strengthens protection across the attack pattern, not just the individual message.

Detection 360 has always turned reports into protection. Now it makes the full loop visible, showing security teams exactly how their input shapes detection, with evidence that it's working.

For every submission, analysts can now follow a complete case history: from initial classification through investigation, remediation, and deployed detections. Each deployed detection includes a running count of the messages it has caught, so analysts can see exactly how their report translated into ongoing protection. Every step is accounted for, and every outcome is tied to the signal that triggered it.

At the program level, security leaders gain aggregate visibility into every detection driven by customer feedback: detections deployed, messages caught, trends by submission type, and impact by attack type. This gives security leaders clear, attributable evidence of program impact from the feedback loop their analysts are already running, with no additional effort required from the team.

Together, these surfaces answer the question every security team asks: what is actually happening with the reports we submit? Most importantly, they give security teams something rare in AI-driven detection: real influence over how the system improves, with proof that their input materially shaped protection.

The more capable an AI detection engine becomes, the more important it is for security teams to see inside it. Detection 360 makes that possible. Every improvement is transparent, every detection attributable, and every outcome traceable to the signal that triggered it.

For security teams, this changes the relationship with AI-driven detection: from trusting a system to verifying it, seeing exactly how each report strengthens protection across the environment.

Abnormal's approach has always been that detection accuracy and explainability are not mutually exclusive, and that security teams should expect both. Detection 360 is how we deliver on that commitment, giving security teams the clarity to understand how protection works, the confidence to trust it, and the ability to influence how it improves.

These enhancements are now live for all customers.
To see these capabilities in action, schedule a demo or reach out to your CSM.