Business Context

Vectra AI wants to improve triage in the Vectra AI Platform by both classifying known attack behaviors and surfacing novel patterns in detections that do not yet have reliable labels. You need to show the practical difference between supervised and unsupervised learning using the same security dataset.

Dataset

You are given historical detection-level telemetry exported from the Vectra AI Platform.

• Rows: 240K detections collected over 9 months
• Target available for subset: analyst_validated_label = malicious (1) / benign (0)
• Labeled subset: 72K rows; remaining 168K rows are unlabeled
• Class balance in labeled data: 11% malicious, 89% benign
• Missing data: 8% missing in asset context, 3% missing in network features, higher missingness for newly observed hosts

Success Criteria

A strong solution should:

• Achieve AUC-ROC >= 0.88 and recall >= 0.75 at precision >= 0.50 on the labeled test set for the supervised model
• Produce unsupervised clusters with silhouette score >= 0.20 and a clear interpretation of at least 3 cluster types
• Clearly explain when Vectra AI should use supervised classification vs unsupervised clustering in production

Constraints

• Batch scoring must complete within 15 minutes for 300K daily detections
• Security analysts need interpretable outputs, not just raw scores
• Labels are incomplete and may lag by days or weeks

Deliverables

1. Train a supervised model to classify malicious vs benign detections
2. Train an unsupervised model to group detections without labels
3. Compare the two approaches, including data requirements, outputs, and failure modes
4. Recommend how both models should be used together in the Vectra AI Platform
5. Report evaluation metrics and key feature or cluster insights