To address the practical challenges of deploying machine learning–based threat detection in enterprise security operations—namely, high computational resource demands and steep expertise requirements—this paper proposes a low-maintenance, self-sustaining two-stage hybrid detection framework. The first stage employs permissive YARA rules for high-recall preliminary filtering; the second stage applies a lightweight ML classifier to suppress false positives. Our key contributions are: (i) Simula, a novel synthetic data generation method that requires no ground-truth labels; and (ii) an active learning loop wherein security analysts act as “expert teachers” to iteratively refine the model, enabling autonomous adaptation. Deployed across tens of thousands of endpoints, the system processes 250 billion security events daily, compressing alerts into only a handful of actionable tickets per day. Detection accuracy improves continuously over time, significantly reducing reliance on data science specialists and lowering operational maintenance overhead.

Despite advancements in machine learning for security, rule-based detection remains prevalent in Security Operations Centers due to the resource intensiveness and skill gap associated with ML solutions. While traditional rule-based methods offer efficiency, their rigidity leads to high false positives or negatives and requires continuous manual maintenance. This paper proposes a novel, two-stage hybrid framework to democratize ML-based threat detection. The first stage employs intentionally loose YARA rules for coarse-grained filtering, optimized for high recall. The second stage utilizes an ML classifier to filter out false positives from the first stage's output. To overcome data scarcity, the system leverages Simula, a seedless synthetic data generation framework, enabling security analysts to create high-quality training datasets without extensive data science expertise or pre-labeled examples. A continuous feedback loop incorporates real-time investigation results to adaptively tune the ML model, preventing rule degradation. This proposed model with active learning has been rigorously tested for a prolonged time in a production environment spanning tens of thousands of systems. The system handles initial raw log volumes often reaching 250 billion events per day, significantly reducing them through filtering and ML inference to a handful of daily tickets for human investigation. Live experiments over an extended timeline demonstrate a general improvement in the model's precision over time due to the active learning feature. This approach offers a self-sustained, low-overhead, and low-maintenance solution, allowing security professionals to guide model learning as expert ``teachers''.