The scariest signal in incident response is not automated malware — it is a human. “Hands-on-keyboard” activity means a live attacker has gained access and is manually running commands, exploring, and escalating. It is the phase where ransomware crews decide what to encrypt and exfiltrate, and it looks different from any script.
Secureworks Corp.'s US12034751B2, “Systems and methods for detecting malicious hands-on-keyboard activity via machine learning” (issued July 9, 2024; CPC H04L 63/1425 — anomaly monitoring, and G06N 20/20 — ensemble machine learning), describes detecting that live-attacker activity with ML.
Mechanically, the system models the rhythm and pattern of human interactive command activity — distinguishing the cadence of a live operator from both legitimate admins and automated tooling — using ensemble machine learning to flag the manual-intrusion phase. Catching this phase early is the difference between an alert and a ransom note.
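To make the cadence idea concrete, here is a small added example; it is not taken from the patent or from Secureworks. Three per-session features (the names are hypothetical) each feed a learned one-threshold stump, and the stumps vote. All sessions are constructed, and timing alone separates a person from automation, not an intruder from an administrator.

```python
import statistics
from itertools import accumulate

def features(events):
    """events: [(epoch_seconds, command), ...] for one session."""
    if len(events) < 3:
        raise ValueError("need at least 3 commands to measure cadence")
    times = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return {
        "median_gap": statistics.median(gaps),  # operators pause to read output
        "gap_cv": statistics.pstdev(gaps) / mean if mean else 0.0,  # scripts are metronomic
        "distinct_ratio": len({c for _, c in events}) / len(events),  # exploring vs. looping
    }

def fit_stump(rows, labels, name):
    """Weak learner: the single threshold on one feature that best fits the labels."""
    best = (-1, name, float("inf"), True)  # fallback stump that never fires
    values = sorted({r[name] for r in rows})
    for lo, hi in zip(values, values[1:]):
        for above in (True, False):
            thr = (lo + hi) / 2
            hits = sum(((r[name] > thr) == above) == y for r, y in zip(rows, labels))
            if hits > best[0]:
                best = (hits, name, thr, above)
    return best[1:]

def fit_ensemble(sessions, labels):
    rows = [features(s) for s in sessions]
    return [fit_stump(rows, labels, name) for name in rows[0]]

def predict(ensemble, events):
    """True when a majority of stumps vote 'interactive operator'."""
    f = features(events)
    votes = sum((f[name] > thr) == above for name, thr, above in ensemble)
    return votes * 2 > len(ensemble)

def make(gaps, cmds):
    """Build a constructed session from inter-command gaps (seconds)."""
    return list(zip(accumulate([0.0] + gaps), cmds))

# Constructed training data: two scheduled jobs, two people at a shell.
TRAIN = [make([1, 1, 1, 1], ["job"] * 5),
         make([0.2, 0.3, 0.2, 0.3], ["sync", "sync", "check", "sync", "check"]),
         make([4, 19, 7, 42], ["ls", "cd", "cat", "ps", "ls"]),
         make([9, 3, 30, 12], ["id", "ls", "cat", "cd", "cat"])]
LABELS = [False, False, True, True]  # True = interactive
MODEL = fit_ensemble(TRAIN, LABELS)

if __name__ == "__main__":
    print(MODEL)
    print(predict(MODEL, make([6, 25, 3, 48, 11], ["ls", "cat", "cd", "ls", "ps", "cat"])))
```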
Why this is a business story: this is exactly the kind of high-value detection IP that made Secureworks an acquisition target — Sophos agreed to acquire Secureworks for about $859 million in a deal announced in late 2024. Detection capability aimed at the human-operated intrusion phase is core to managed-detection-and-response (MDR), the highest-growth, highest-margin slice of the services market. The patent marks the kind of asset that anchors that deal value.
The grounded read: hands-on-keyboard detection targets the most dangerous phase of an intrusion — a live human operator — by modeling interactive activity with ML. Secureworks' 2024 grant names that capability, the sort of MDR IP that underpinned its ~$859 million acquisition by Sophos.