Reading the noise
Every anomaly detector is a bet about the past. You point it at a stream — network traffic, system logs, vehicle telemetry — and you ask it to remember what calm looked like. Everything after that is just measuring distance from a memory.
The hard part is never the model. It's the quiet decision, made early and rarely revisited, about what "normal" was allowed to mean. Draw that line generously and the attacker walks through it. Draw it tightly and the system spends its life crying about Tuesdays.
A false positive is a detector telling you the truth about a world you described badly.
So the work shifts. Less time tuning thresholds, more time describing expected behavior precisely enough that the irregular has a background to stand out against. Useful intelligence is mostly good bookkeeping about what should be boring.
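An added illustration of the point, not part of the original essay: the same z-score detector run twice over constructed telemetry (four weeks of outbound megabytes per day for one host that runs a backup every Tuesday, then a week with a 350 MB burst on a Wednesday). The first run remembers "normal" as one global mean and spread, so the only knob left is the threshold; the second remembers one mean and spread per weekday, which is just the bookkeeping that says Tuesdays are supposed to be big. Day names, the numbers and the `k` values are all assumptions made for the example.

```python
"""
Distance-from-a-memory anomaly detection with two descriptions of "normal".

Added example, not from the original essay. All data below is constructed.
"""
from statistics import fmean, stdev

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed training history: outbound MB per day for one host over four
# weeks. A backup job runs every Tuesday; weekends are quiet.
TRAINING = [
    [100, 400, 100, 102, 110, 20, 19],
    [110, 410, 98, 99, 108, 22, 21],
    [95, 390, 104, 103, 112, 18, 23],
    [105, 405, 101, 97, 106, 25, 17],
]

# Constructed observation week: an ordinary Tuesday backup, plus a 350 MB
# burst on Wednesday that should be flagged.
OBSERVED = [103, 398, 350, 101, 109, 21, 20]


def is_far(value, samples, k):
    """True if value lies more than k sample standard deviations from the
    mean of samples. A constant history has zero spread, so any change at
    all counts as far (otherwise we would divide by zero)."""
    mean = fmean(samples)
    sd = stdev(samples)
    if sd == 0:
        return value != mean
    return abs((value - mean) / sd) > k


def flat_flags(observed, training, k):
    """Baseline = one global mean/spread over every day of every week.
    The Tuesday backups inflate the spread, so the threshold has to be
    either tight (flags Tuesdays too) or loose (misses the Wednesday)."""
    samples = [v for week in training for v in week]
    return [d for d, v in zip(DAYS, observed) if is_far(v, samples, k)]


def weekly_flags(observed, training, k):
    """Baseline = one mean/spread per weekday. Tuesday is compared with
    past Tuesdays, so the backup is boring and the Wednesday stands out
    at any sensible k."""
    flags = []
    for i, day in enumerate(DAYS):
        samples = [week[i] for week in training]
        if is_far(observed[i], samples, k):
            flags.append(day)
    return flags


if __name__ == "__main__":
    for k in (1.5, 2.5):
        print(f"k={k}: flat baseline flags {flat_flags(OBSERVED, TRAINING, k)}, "
              f"per-weekday baseline flags {weekly_flags(OBSERVED, TRAINING, k)}")
```

With the flat baseline, k=1.5 flags Tuesday and Wednesday (one true positive, one complaint about Tuesdays) and k=2.5 flags nothing (the attacker walks through). With the per-weekday baseline, both thresholds flag only Wednesday; the threshold stopped mattering once the description of normal was right.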