Blog

We Spent Years Convincing People That Sequences Matter. Agents Ended the Argument for Us.

The short version: Event-based security looks at one action at a time and asks whether that single action is good or bad, which is the wrong question for AI agents that authenticate as real human employees and act at machine speed. The accurate way to catch a rogue agent is sequence-based anomaly detection, which learns the many different ‘normal’ behavior sequences for each identity and flags the runs that fit none of them. The market spent years debating whether sequences matter, but the agentic shift settled it. Everyone monitoring agents already works in traces and runs, which are sequences by another name. The remaining hard problem, and the one Reveal Security was built to solve, is learning all of those ‘normal’ behavioral sequences automatically.

For most of the history of security monitoring, detection has been event based. Something happens, a tool sees it, and it decides whether that one thing is good or bad. Correlation came later and stitched a few events together, but almost no one was looking at sequences, because the classical view held that you think in terms of events. 

Reveal never agreed with that view. When we started the company six, seven years ago, no one was talking about AI agents, and the easy story now would be that we saw them coming, but we did not. What we believed was narrower and, I think, more durable.
We’re just lucky that it applies so perfectly to the AI boom. We believed that accurate detection for any application had to be based on sequences rather than events, because a single event tells you almost nothing, while the sequence around it carries the context, and context is what lets you detect accurately without drowning the analyst in noise.

For years that was a hard argument to make, because people would tell us they did not think in sequences. They thought in events, and they wanted to keep thinking in events. The industry can be resistant to change.

That argument is now over, not because we won it but because agents ended it.

Agentic monitoring already runs on sequences

Look at how anyone serious talks about monitoring AI agents today, and you will hear them talk about traces and runs. The observability frameworks the whole industry is adopting, like LangSmith and Langfuse, are built on exactly this idea, because a trace is a sequence and a run is a sequence. Nobody monitoring an agent believes you can learn anything useful from one tool call or one API in isolation. Instead you have to look at the sequence of tools the agent activated, the sequence of APIs it called, and the sequence of agents it handed off to.

The thing we used to have to convince people of is now the default assumption. If you build agents, you already think in sequences, you just call them traces.

That is good news, and it hides a trap, because agreeing that sequences matter is the easy part, while the hard part, the part almost no one has solved, is learning all of them.

Why you can’t write rules for AI agents

Here is the problem with an agent. You do not know what it is supposed to do, and even the person who built it does not fully know, because it is non-deterministic by design and can do things it was never meant to do for reasons that range from a hallucination to a prompt injection to poisoned memory. So you cannot sit down and write the rules for what good looks like, because you cannot enumerate good. There is no fixed list.

This is why prevention alone will never be enough here. You can set some guardrails, but they will be coarse, and coarse constraints do not catch an agent operating just slightly outside its lane. Prevention has to be augmented by detection, and that detection cannot be a set of signatures for known-bad behavior, because it has to learn what normal looks like and notice when the behavior drifts.

That is what anomaly detection actually means. It is not a rule that fires on a known-bad event, but a model that has learned what is typical for an identity and can tell you when something no longer fits.

The supermarket test

Let me give you a simple example I always come back to.

Imagine someone steals my credit card and walks into my supermarket to impersonate me. If they are smart they know that buying something I would never buy is an easy catch, so the thief studies me and fills the cart with the things I usually buy. At the end the receipt looks like it could be me on paper.

There is one thing they cannot fake; they will not walk my route through the store. Every person has their own path through a supermarket, their own order of aisles, their own way of collecting what they need, so if I have learned all of David’s typical routes, I can look at this trip and ask one simple question. Does this match one of his routes? If it does, it is David, and if it does not, it is not David, even though the basket looks right.

That is the difference between an event and a sequence, where the basket is the event and the route is the sequence. And notice the real difficulty in that story, which is that there is not one correct route. I have my own and my wife has hers, and each identity has many typical sequences rather than one. You can only call something an anomaly accurately if you have already learned all of the normal sequences for that identity.

Behavior-based detection is not anomaly-based detection

People sometimes hear this and say they already do it, that they write multi-stage detections where if A then B then C then D, you fire an alert. That is a familiar approach, and it is worth being precise about why it is not the same thing.

When you write that detection, you already know the sequence you are looking for, because behavior-based detection requires you to have that knowledge in advance. That is something you simply cannot have with an agent.

You cannot describe the bad path, because you do not know what the agent does in the first place, so you cannot tell the system what to look for. Instead you have to tell it to learn every typical sequence by itself and then surface the ones that fit none of them, and that is anomaly-based detection. It is harder, but for non-deterministic agents it is the only thing that works.

The breakthrough was never the claim that sequences matter, because plenty of people will agree with that over coffee. The breakthrough we’ve made is learning all the typical sequences for every identity, automatically, with no one telling the system what normal is.

What detecting rogue AI agents actually requires

So here is the whole argument in one place. You cannot write rules for an agent you do not understand, and you cannot catch it by watching single events, because the single events look legitimate. This is the world CrowdStrike keeps describing, where 82% of detections are now malware-free and intrusions move through authorized pathways and trusted systems, which is exactly why identity has become the primary attack surface. You catch it by learning every normal sequence for every identity in the chain, human and agent, and then noticing when a new sequence fits none of them and reaches for something risky. And because AI tools and agents move at machine speed, the response has to move with them, in near real time, stepping in while the chain is still forming rather than reporting on it after the fact.

Most of the tooling being sold into this space stops short of that. The observability platforms are genuinely good at collecting the telemetry, normalizing it, storing it, and drawing you a clean picture of a hundred tool calls, but a clean picture of a hundred calls is still a hundred calls for a human to read. They show you the trace, but they cannot tell you the trace is wrong, and that last step, the analysis, is the part missing almost everywhere, even though it is the only part that matters once the agent is already inside.

We did not build this for agents. We built it because we were convinced, years before any of this, that sequence-based anomaly detection was the only accurate way to do detection at all, and agentic monitoring turned out to be the same problem, only faster and with higher stakes. The argument we used to have to make is settled, and the work now is doing the part everyone else skips.

About Reveal Security

Reveal Security detects and stops threats across the human-to-agent behavioral journey. The platform learns what normal looks like for every identity in your environment, human, non-human, and AI agent, and identifies when post-authentication activity drifts into a high-risk anomaly sequence that rule-based tools cannot see. Reveal aligns to the behavioral anomaly detection and agent activity traceability layers that analysts identify as the core of the emerging agent security market, and operates as an identity threat detection platform built for the agentic enterprise.