Teaching AI to Hunt APTs by Feeding It Fake Ones

A new class of AI frameworks is attacking the hardest problem in threat detection: how do you train a machine to recognize an attack type so rare that most organizations will never see enough real samples to build a useful dataset? The answer, increasingly, is to fabricate the evidence.

Advanced Persistent Threats are, by design, rare. A well-funded nation-state actor or organized criminal group may spend months inside a compromised network, generating only a thin trickle of anomalous traffic against a massive river of normal activity. That rarity is precisely what makes APTs so dangerous, and it is exactly what breaks conventional machine learning models. You cannot train a classifier to identify something it has barely seen. So researchers have started building the evidence themselves, using AI to generate synthetic APT traffic samples that can fill out an otherwise lopsided dataset. A paper published in Nature's Scientific Reports on March 2, 2026 represents one of the most complete implementations of this idea yet, and it is worth understanding both what it gets right and where its assumptions run thin. Authored by Le Tran Kim Danh, Cho Do Xuan, and Nhan Nguyen Van of Vietnamese research institutions, the paper frames its dual challenge in its abstract: how to extract discriminative features from complex network traffic flows, and how to address the severe class imbalance caused by the rarity of APT attacks. [1]

The Data Starvation Problem

Before getting into the technical architecture, it is worth sitting with the core problem this research is trying to solve, because it is messier than the papers tend to acknowledge upfront.

The imbalance between normal and malicious traffic in real enterprise datasets is not a modest ratio — it is extreme. In the DARPA Operationally Transparent Cyber (OpTC) dataset, which spans over 17 billion events collected from 1,000 enterprise Windows hosts, malicious events constitute approximately 0.0016% of the total — less than 0.3 million events out of more than 17 billion. That is not a 16-to-1 skew. It is closer to 60,000-to-1. That kind of imbalance does not just make models less accurate; it actively misleads them. A classifier trained on heavily skewed data can achieve impressive accuracy numbers simply by predicting "normal" for every single input. It never learns what APT traffic actually looks like, but the metrics look fine on paper because the majority class dominates the evaluation.

A survey in the Journal of Big Data (Springer Nature, 2022) notes that class imbalance in training data systematically skews classifiers toward the majority class — a problem compounded for deep learning systems that rely on large, varied datasets to extract meaningful patterns. [4] The DARPA OpTC dataset, analyzed by Anjum et al. (ACM SACMAT, 2021), makes this concrete: with only 0.0016% of over 17 billion events labeled malicious, the imbalance in real enterprise network data is far more severe than benchmark datasets typically reflect. [14]

The traditional fix has been SMOTE, the Synthetic Minority Over-Sampling Technique, originally proposed by Chawla et al. in 2002. SMOTE works by generating new minority-class samples through linear interpolation between existing samples and their nearest neighbors. It is simple, well-understood, and widely used. It is also increasingly inadequate for APT traffic specifically, because APT flows are not just statistically rare. They are structurally complex, temporally distributed across multiple sessions, and deliberately designed to blend in. Interpolating between two known APT samples does not necessarily produce something that looks like a real APT operation. It produces something that looks like a blend of two captured incidents, which may share little in common with whatever an adversary is doing right now.

This is the gap that the new generation of GAN-based augmentation is trying to close.

How ET-SDG Actually Works

The framework described in the Scientific Reports paper is called ET-SDG, which stands for ExtraTrees and Synthetic Data Generation. It combines two distinct components into a single pipeline, and understanding each one separately is the key to evaluating the system as a whole.

The authors describe ET-SDG as integrating "Transformer-based Feature Learning with a Conditional Generative Model for Synthesis (CGMS)" — combining the ExtraTrees algorithm with a Transformer architecture to "select, aggregate, and encode informative flow-level features," then using a cGAN-based module to synthesize minority-class APT traffic "by conditioning the generation process on class labels." [1]

The first component handles feature learning. Raw network traffic is complex and high-dimensional. A single flow record might carry dozens of attributes: packet sizes, inter-arrival times, flow duration, byte ratios, flag counts, and more. Not all of these are equally informative for APT detection. Some are noise. Some are highly correlated with each other. Feeding all of them into a deep learning model uncritically is inefficient and can actually hurt performance.

ET-SDG addresses this with a two-step approach. First, it uses the ExtraTrees algorithm, an ensemble method based on randomized decision trees, to rank and select the most discriminative features from the raw traffic data. ExtraTrees is well-suited for this task because it handles mixed feature types gracefully and is resistant to overfitting on small samples. Once the relevant features are selected, they are passed to a Transformer architecture for encoding.

The Transformer's role here is fundamentally different from its role in language models. Rather than predicting the next token in a sequence, it is learning to encode the relationships between network flow features in a way that captures temporal dependencies and subtle correlations that earlier models based on convolutional or recurrent networks tend to miss.

Research published in the International Journal of Latest Research in Engineering and Technology (2023) describes how the Transformer's multi-head self-attention mechanism captures APT traffic by learning from multiple feature dimensions at once, then recombining those representations to preserve the original feature structure. [7]

Self-attention is the right tool for this job because APT traffic does not announce itself in a single packet or a single flow. The signature of an APT is distributed across time, across sessions, and sometimes across multiple protocols. A model that can weigh the relationship between a DNS lookup from three hours ago and a low-volume outbound connection happening now is doing something fundamentally more useful than a model that looks at each flow in isolation.

The GAN at the Heart of It

The second major component of ET-SDG is CGMS, the Conditional Generative Model for Synthesis. This is where the fabrication happens.

A standard Generative Adversarial Network consists of two neural networks locked in competition. A generator tries to produce synthetic data that looks real. A discriminator tries to tell the difference between real and generated samples. Through adversarial training, the generator is forced to get progressively better at producing realistic outputs, while the discriminator gets better at catching fakes. The equilibrium, when training works well, is a generator that can produce convincing samples from the same distribution as the training data.

A conditional GAN adds a critical control mechanism to this process. Rather than generating samples from the overall data distribution, a cGAN conditions its output on a class label. You tell it specifically: generate an APT traffic sample, not just any traffic sample. This matters enormously in the APT detection context, because generating generic network traffic is useless. The whole point is to generate more samples that belong specifically to the minority APT class, with the right statistical properties to train a downstream classifier.

Zhao et al. (PLOS ONE, 2023) found that conditional GAN-generated attack samples approximate the statistical distribution of real input data while introducing controlled variation, avoiding the redundancy that comes from simple mechanical data expansion. [3]

In ET-SDG's implementation, the CGMS module takes the encoded feature representations from the Transformer component and uses them as the conditioning input to the generator. The result is synthetic APT flows that are grounded in the actual feature structure of real APT traffic, rather than being generated from scratch. The discriminator, during training, evaluates whether a given sample is real or synthetic based on those same features, creating a feedback loop that sharpens the quality of the generated data over successive training iterations.

After augmentation, the dataset is rebalanced and passed to the final detection classifier. The pipeline is end-to-end: feature selection, Transformer encoding, synthetic augmentation, and classification happen as a coherent sequence rather than as disconnected preprocessing steps bolted together.

The Honest Numbers

The ET-SDG paper reports competitive results across benchmark datasets, with improvements in the range of 1 to 4 percentage points relative to baseline methods, depending on the dataset and the specific metric being measured. That is a real improvement, but it is worth putting in context.

A 1 to 4 percentage point gain in F1 score or detection rate sounds modest, but in the high-stakes context of APT detection, it translates directly to the difference between catching an intrusion early and discovering it six months later during a breach investigation. The marginal value of each percentage point of recall is extremely high when the thing you are trying to detect is a nation-state actor exfiltrating intellectual property.

At the same time, the honest reading of these numbers is that ET-SDG does not represent a step-change breakthrough. It is an incremental improvement over existing methods that combines several established techniques, ExtraTrees, Transformers, and conditional GANs, in a well-engineered pipeline. The research community is converging on similar architectures from multiple directions. A separate 2025 paper published in Symmetry (MDPI) proposed the MF-CGAN and MC-GCN framework, which takes a similar approach using multi-feature-conditioned GAN augmentation paired with graph convolutional networks for relationship modeling. Both frameworks are moving in the same direction: augment the minority class with conditional generative models, then apply sophisticated sequence or graph models for final classification.

The Symmetry paper (MDPI, June 2025) describes the dual-phase architecture as using MF-CGAN to resolve class imbalance through minority-class synthesis, while MC-GCN handles sophisticated feature extraction and graph-based modeling of the complex relationships within APT attack data. [2]

The convergence of these independent research threads is meaningful. When multiple teams working separately arrive at similar architectures, it suggests the approach has genuine merit rather than being an artifact of one group's particular dataset or experimental design.

The Gap Between Lab and Production

Here is where the CyberSpit read gets uncomfortable for the researchers involved, because the gap between benchmark performance and real-world deployment is genuinely wide, and the literature tends to treat it as a footnote rather than a primary concern.

The datasets used in most APT detection research, including the work described here, are benchmark datasets captured from controlled or semi-controlled environments. They are not live enterprise traffic. They do not include the noise, the seasonal variation, the application diversity, or the adversarial adaptation that characterize real production networks. A 2010 paper by Sommer and Paxson, recognized with the IEEE Security and Privacy Test of Time Award in 2020, argued that finding attacks in real networks is fundamentally different from the closed-world classification problems where machine learning otherwise thrives — and that the security research community systematically underestimates how hard that gap is to bridge. Sixteen years after it was written, Paxson's own assessment from the award announcement is still apt: the challenges to defenders attempting to leverage machine learning for anomaly detection "remain largely the same today." [11]

The SHIELD paper (arXiv, February 2025) acknowledges a persistent problem across the field: training data used in published evaluations frequently fails to reflect real-world conditions, producing accuracy numbers that overstate what deployed systems actually achieve. [5]

False positives are the operational killer. A model that flags APT activity with high precision on a benchmark dataset may generate enormous volumes of false alerts in production, where traffic patterns are different and the base rate of APT activity is even lower than in the training data. Alert fatigue is a documented and serious problem in security operations centers. When analysts are drowning in false positives, the genuine signals get lost. The adversary wins not because the model missed them, but because the model cried wolf so many times that no one was paying attention.

There is also the adversarial adaptation problem that benchmark research structurally cannot address. The attackers know that defenders are using machine learning. Nation-state APT operators, in particular, have demonstrated the sophistication and patience to modify their tooling specifically to evade detection. A model trained to recognize the statistical signature of known APT traffic can be defeated by an adversary who simply changes the timing, packet sizing, or encryption patterns of their exfiltration channels. The synthetic data generated by a cGAN reflects the distribution of past attacks. It says nothing about the attacks that have been specifically engineered to look different.

What Happens When the Attacker Knows About the Model

There is a question the ET-SDG paper does not ask, and it is the one a nation-state adversary would ask first: what happens when the attacker knows you are using a GAN-based detection system?

The field of adversarial machine learning distinguishes between two categories of attack. Evasion attacks operate at inference time, crafting traffic that looks normal enough to slip past the trained classifier. Poisoning attacks are more insidious: they corrupt the training data itself, steering the model's learned decision boundaries away from where they need to be. Both are directly applicable to GAN-augmented APT detection systems — and the GAN component is not exempt from either threat.

A poisoning attack against a cGAN-based pipeline could work by ensuring that the real APT samples feeding into the training process are selectively chosen or subtly manipulated, so that the synthetic data the GAN generates over-represents certain benign patterns as malicious, or normalizes actual attack behaviors into the distribution of "normal" traffic. Research on GAN-based adversarial attacks against intrusion detection systems has shown that adversarially crafted traffic can reduce IDS detection rates to near zero when attackers can influence what the model treats as the ground truth for its minority class. [12]

Evasion attacks against models trained on GAN-augmented data face a specific structural weakness: the synthetic samples in the training set are generated from the distribution of known APT traffic. An adversary who modifies their C2 timing, packet sizing, or protocol mixture to fall outside that distribution evades detection not by defeating the classifier but by defeating the generator's mental model of what APT traffic looks like. The synthetic data augmentation that makes ET-SDG powerful against known APT patterns simultaneously defines the boundary of its blindness to novel ones.

This is not an argument against GAN-based augmentation. It is an argument that GAN-augmented models need adversarial robustness testing as a mandatory part of their evaluation, and that the current research literature has not made this a standard requirement.

The Model Drift Problem Nobody Talks About

Even a well-deployed APT detection model that performs well at launch will degrade. Network environments change. Enterprise software stacks evolve. New protocols get adopted. Old ones get deprecated. The statistical distribution of normal traffic shifts continuously, and the APT actors being hunted adapt their techniques year over year.

Machine learning practitioners call this concept drift: the phenomenon where the relationship between the input features and the correct output label changes over time, eroding a model's accuracy even when nothing has been deliberately done to attack it. For APT detection specifically, drift is not a slow erosion but an active adversarial process. The attackers are deliberately moving the distribution. Their goal is precisely to make their traffic look indistinguishable from the normal activity the model learned to pass through without flagging.

The ET-SDG paper, like most APT detection research, evaluates performance on a fixed dataset at a single point in time. There is no discussion of how the framework would be updated as network baselines shift, how frequently retraining would be required, or what a continuous learning pipeline for a production deployment would look like. For an enterprise security team considering whether to deploy a system like this, these are not secondary concerns. They are the operational questions that determine whether the system is maintainable over a two-year horizon or whether it is a research proof of concept that requires constant babysitting by a data science team most security operations centers do not have.

The most forward-looking architectures in the field are beginning to address this through online learning mechanisms and active learning loops that request human analyst input on the most ambiguous or uncertain samples, using that feedback to continuously tighten the model's decision boundaries. The ALADAEN framework, published in Nature Scientific Reports in November 2025 and evaluated on DARPA Transparent Computing provenance data where APT-like attacks constitute as little as 0.004% of the data, represents one such approach — combining active learning, GAN-based augmentation, and adversarial autoencoders specifically to reduce the labeled-data dependency that makes retraining so expensive in practice. [13] But this is still an open research problem, and it is one the current generation of GAN-augmented detection frameworks has not solved.

The Federated Data Problem: Can Organizations Share Without Exposing?

The data starvation problem has a collective dimension that the research literature barely touches. No single organization has enough real APT traffic to build a robust training corpus. But the obvious fix — pooling data across organizations, sectors, or national CERTs — runs directly into the legal, competitive, and intelligence concerns that make this kind of sharing nearly impossible in practice. An enterprise sharing its real attack logs is disclosing its network architecture, its software stack, its security posture, and its past failures. Regulatory regimes in many jurisdictions — GDPR in Europe, HIPAA in healthcare, and sector-specific financial regulations in the United States — add compliance exposure to the very kind of data sharing that APT detection research most urgently needs.

This is a problem that synthetic data generation could in theory solve — but only if the synthetic data is good enough to convey meaningful signal while stripping the identifiable attributes that create disclosure risk. That constraint is harder to satisfy than it appears. Synthetic APT flows that preserve the statistical properties useful for training a classifier tend to also preserve enough structural characteristics of the underlying network that a sophisticated analyst could infer something meaningful about the organization that generated them. Differential privacy offers a formal mathematical framework for quantifying and bounding this leakage, and there is early-stage research applying differentially private GAN training to network security data. But the privacy-utility tradeoff in this domain is steep: the perturbations required to achieve meaningful privacy guarantees often degrade the statistical fidelity of the synthetic traffic enough to reduce downstream classifier performance on real attacks.

The more promising near-term direction may be federated learning architectures, where multiple organizations each train local models on their own data without that data ever leaving their environment. A central coordinator aggregates model updates — gradients, not raw samples — to produce a shared global model. This sidesteps the data sharing problem at the cost of substantial engineering complexity and a new set of attack surfaces: gradient inversion attacks can sometimes reconstruct training data from aggregated updates, and Byzantine-fault-tolerant federated aggregation remains an active research problem. Still, federated learning applied to APT detection is underexplored relative to its potential, and it represents one of the few paths toward collectively better models that does not require organizations to trust each other with their most sensitive operational data.

A complementary approach is using structured threat intelligence as a conditioning input to the GAN itself. Rather than conditioning the generator purely on statistical properties of captured flows, a generator conditioned on MITRE ATT&CK technique identifiers could in principle produce synthetic traffic reflecting specific known adversary behaviors without requiring any real organizational traffic at all. The generator would be learning to simulate techniques, not incidents. This has not been systematically explored in published literature, and it represents a meaningful gap — one where the combination of structured threat intelligence and conditional generative models could produce training data that is both legally shareable and tactically relevant.

When the Attacker Has an LLM Too

There is an asymmetry in how the field thinks about LLMs and APT detection that deserves direct attention. The SHIELD work and related research focus on LLMs as explanation and reasoning engines on the defender's side. They are used to interpret anomaly signals, construct attack narratives, and reduce analyst fatigue. That is valuable. But it sidesteps a question the defender community has been slow to confront: the same generative capabilities that allow a model to produce realistic synthetic APT traffic for training purposes can be applied by a well-resourced attacker to generate APT traffic specifically optimized to evade a known detection architecture.

This is not a speculative concern. Adversarial machine learning research has demonstrated that given partial knowledge of a classifier's decision boundary, it is possible to craft inputs that reliably evade detection. What LLMs bring to this threat is not the evasion capability itself — that existed before — but the reduction in the skill and time required to exercise it. A nation-state APT operator with access to a capable language model and some knowledge of what detection architectures their target organization is running can iterate on evasion strategies at a pace that no current retraining pipeline can match.

The implication for GAN-augmented detection systems is specific and uncomfortable. The cGAN at the heart of ET-SDG is trained to produce synthetic traffic that mimics the distribution of known APT flows. An attacker using an LLM to generate novel attack traffic is operating precisely in the space that lies outside the generator's learned distribution — the space of attacks that do not look like any attack the GAN has ever seen. The better the GAN gets at learning the distribution of known attacks, the more precisely it defines the boundary of what the detector cannot see.

No current evaluation framework in the APT detection literature systematically tests for this. Red-teaming a GAN-augmented detection system with adversarially generated evasion traffic — using the same class of model that produces the defensive synthetic data — would be a more honest assessment of operational robustness than any benchmark dataset comparison. It also needs to be a continuous adversarial evaluation process, not a one-time certification exercise, because the attacker's generative capabilities will improve alongside the defender's detection capabilities.

Organizational Readiness: The Human Side of the Stack

The research literature treats APT detection as a machine learning problem. In production, it is equally an organizational problem, and the gap between the two is where many well-designed systems fail quietly.

A GAN-augmented Transformer detection system produces output — an alert, a confidence score, an anomaly flag, an attack narrative. Something has to happen with that output. In a well-resourced security operations center, it reaches a trained analyst who can evaluate it against contextual knowledge of the network, the organization's risk posture, and the current threat landscape. In many real organizations, it goes into a SIEM queue that is already overwhelmed, reviewed by a Tier 1 analyst who may or may not have the background to distinguish a genuine APT signal from a complex false positive, and actioned incorrectly — or not actioned at all.

Alert fatigue is not just an inconvenience. It is an adversarial condition. Some advanced APT actors deliberately generate low-level noise — indicators that look like they might matter — specifically to occupy analyst bandwidth while the actual intrusion proceeds on a slower, quieter timeline. A detection system that produces more alerts, even more accurate alerts, can paradoxically make this worse if the organization does not have the staffing and workflow infrastructure to process them effectively.

The harder organizational questions are upstream of the technology. What is the escalation path for a confirmed APT signal? What authority does the SOC have to isolate a compromised segment in real time? What is the legal and regulatory framework governing the organization's response if the adversary is a foreign nation-state? Does the team have established relationships with law enforcement and relevant intelligence contacts? These questions are not answered by the detection model, and organizations that deploy these systems without working through them in advance will find that detection without response capacity is an expensive incomplete solution.

There is also the question of who maintains the model after deployment. Continuous retraining, feedback loop management, and adversarial evaluation is not standard SOC work. It is data science work with cybersecurity domain expertise. Organizations without that combination in-house — which is most organizations — need to think carefully about what deploying a GAN-augmented detection model actually commits them to operationally, and whether they have the institutional capacity to fulfill that commitment over a realistic multi-year horizon.

Despite the operational caveats, the trajectory of this research is clearly valuable, and some of the most interesting developments are happening at the edges of what ET-SDG represents.

The integration of Large Language Models into APT detection pipelines is one of the more compelling near-term directions. A 2025 framework called SHIELD demonstrated that combining statistical anomaly detection, graph-based provenance analysis, and LLM contextual reasoning into a single pipeline could achieve high recall while dramatically reducing false positives compared to anomaly-based baselines. On the DARPA CADETS dataset, SHIELD identified 25 true positive events with zero false positives, while baseline methods produced over 4,000 false events requiring analyst investigation. The research team used roughly 28 to 35 percent of each dataset for training — varying by dataset — and SHIELD maintained recall between 0.93 and 1.00 across all four evaluated datasets. The key innovation was not the detection itself but the explanation: LLMs generating natural-language attack narratives that map detected events to specific APT stages, giving analysts something actionable rather than a raw alert score. [5]

Graph-based approaches are gaining ground as well. APT attacks are not sequences of isolated events; they are campaigns with causal structure. Researchers working on power grid security are building provenance graphs from system logs using the W3C PROV-DM standard, then applying graph attention autoencoders to model the structural relationships between attack stages. This captures something that flow-level traffic analysis misses entirely: the chain of causality that connects an initial phishing email to a lateral movement event three weeks later to an exfiltration event three weeks after that.

The synthetic data generation approach pioneered by ET-SDG and similar frameworks will likely become a standard preprocessing step in this broader ecosystem rather than a standalone detection mechanism. The GAN-augmented training pipeline solves the data starvation problem well enough to enable more sophisticated downstream models. The real value is not that the cGAN catches APTs. It is that the cGAN gives other models enough data to learn from.

A 2025 survey published via Preprints.org identifies a convergence in the field: the frameworks showing the strongest results against APTs are those combining robust statistics, deep learning, graph methods, adversarial ML, calibration, and threat intelligence into adaptive hybrid architectures — particularly where early detection of faint signals is required without overwhelming operations with false positives. [6]

The broader takeaway for security practitioners is that no single technique, whether it is Transformers, GANs, graph networks, or LLMs, is sufficient on its own. The architecture that actually works in production will be a layered hybrid: synthetic augmentation to address data scarcity, attention-based models to capture temporal dependencies, graph methods to model campaign structure, and explainability layers to make the output useful to human analysts under real operational conditions.

Key Takeaways

1. Data scarcity is the root problem: APT traffic is so rare in real networks that conventional ML models cannot learn from it. GAN-based synthetic augmentation is the most promising current approach to filling that gap, and frameworks like ET-SDG demonstrate it works well enough to produce measurable improvements on benchmark datasets.
2. The Transformer is the right architecture for this problem: Multi-head self-attention captures temporal dependencies and cross-session relationships in network traffic that earlier LSTM and CNN approaches miss. The combination of ExtraTrees for feature selection and Transformer encoding for representation learning in ET-SDG reflects a sound architectural choice that multiple independent research groups are converging on.
3. Benchmark results are not operational results: A 1 to 4 percentage point improvement on controlled datasets does not tell you what happens in a live SOC environment with real adversaries actively adapting their techniques. False positive rates under production conditions are the metric that matters, and the research literature has not adequately addressed this yet.
4. Living-off-the-land techniques remain a hard ceiling: Any detection approach that relies on traffic-level anomalies will struggle against APT operators who use legitimate system tools and blend their activity into normal administrative behavior. Network traffic ML is one layer of a defense stack, not a complete solution.
5. The GAN itself is an attack surface: Training pipelines that use conditional GANs for data augmentation are vulnerable to both evasion attacks at inference time and poisoning attacks at training time. Adversarial robustness testing should be a mandatory evaluation requirement for any GAN-augmented detection system, and current research largely skips this.
6. Model drift is an organizational problem, not just a technical one: APT detection models decay as adversaries adapt and network environments change. A system that performs well on deployment day will degrade without a continuous learning infrastructure, analyst feedback loops, and regular retraining cycles. Organizations that cannot maintain that infrastructure should not treat a deployed ML model as a persistent detection capability.
7. The future is hybrid and explainable: The most operationally useful direction combines synthetic augmentation, graph-based campaign modeling, and LLM-based explanation layers. Detection that produces actionable analyst-facing narratives rather than raw confidence scores is the difference between a tool that gets used and one that generates alert fatigue.
8. Federated learning and differentially private synthesis are the path to collective resilience: No single organization has enough APT data to build a robust model alone. Federated architectures that aggregate model updates rather than raw data, combined with structured threat intelligence as a GAN conditioning signal, offer a viable path to collectively better detection without requiring organizations to share operationally sensitive traffic captures.
9. Defenders are not the only ones with generative models: The same class of model that produces synthetic APT training data can be used by a capable adversary to generate evasion traffic specifically designed to fall outside the detector's learned distribution. Red-teaming a GAN-augmented system with adversarially generated inputs needs to be a mandatory part of evaluation, not an optional exercise. Continuous adversarial evaluation — not one-time deployment testing — is the operational standard this field needs to reach.
10. Organizational readiness is not optional: The most technically sound detection system will fail in an organization that lacks the analyst depth, escalation procedures, and maintenance infrastructure to act on its output. Deploying a GAN-augmented detection capability is a multi-year operational commitment, not a product installation. Organizations should assess their readiness honestly before deployment, not after.

The research represented by ET-SDG is genuinely advancing the field. It is solving a real problem — data starvation — in a technically sound way. The questions that remain are not about whether the approach is valid. They are about whether the gap between controlled evaluation and real-world adversarial conditions can be closed; whether the GAN pipeline that solves the data problem introduces new attack surfaces that defenders have not yet mapped; whether organizations can share the data needed to train collectively better models without exposing operationally sensitive information; whether attackers with access to the same generative tools will simply move their activity to the edge of the detector's learned distribution; whether the organizations deploying these systems have the operational infrastructure to keep them current; and whether the human analysts at the end of the detection pipeline have the context, authority, and institutional support to act effectively on what the model tells them. Those are harder problems than any transformer architecture can solve on its own. They require the research community, the security industry, and the organizations that operate real networks to be asking them out loud — and not treating them as someone else's problem to solve.