Lighthouse AI is Faddom’s new deep learning-based engine for detecting unusual traffic behavior and potential security threats. Built on a multi-layered deep learning architecture, Lighthouse continuously learns the characteristics of your environment, surfaces only the most relevant insights, and reduces alert noise over time.
Some of the key coverage areas include security threats such as DoS, man-in-the-middle (MITM) attacks, DNS spoofing, port scanning, data exfiltration and additional network abnormalities.
To ensure data privacy, the information sent to Lighthouse is abstracted by your Faddom server, which strips identifiable data before processing. While the Lighthouse servers analyze connection patterns and behaviors, they never have access to actual IP addresses, hostnames, or other identifying information of your environment.
Important Note
Lighthouse AI uses deep learning models that continuously improve but may occasionally produce inaccurate results. All alerts should be verified before taking action. As this is a Beta feature, functionality and accuracy will continue to improve over time.
Prerequisites
Faddom version of 2026.1.44 or above.
The Faddom server must be able to connect to https://lighthouse.faddom.ai either directly or via http proxy.
Valid Faddom license including the Lighthouse module.
At least one data source with 14 days of stable traffic data.
At least one notification subscription for Lighthouse to send alerts in real time.
How it Works
Faddom constantly sends traffic data to Lighthouse. For the first detection, a minimum of two weeks of data is required. If less than two weeks of data is available, Faddom will continue sending data until it has two weeks’ worth. Once the two-week data is received, Faddom will continue adding to the data and continue analyzing it. When new data sources are added or discovery runs, the Lighthouse model will need to relearn your network to accommodate for new data.
When Faddom detects an anomaly, you will receive a notification through your configured notification channels.
Statuses
You will see one of five statuses in the Lighthouse UI depending on the analysis stage of the data:
Initializing - The Faddom server is starting up and determining the current Lighthouse status.
Learning - Faddom is gathering the required data on your environment.
Training - The model is training based on your data.
Up - AI Anomaly Detection is fully functional.
Down - Lighthouse is currently down.
Managing Anomalies and Rules
Lighthouse identifies unusual network behavior by analyzing connection patterns across different levels of activity. To make results easier to review, related activity may be grouped into a single consolidated view. This helps provide broader context around an anomaly and can make it easier to create rules that apply to similar traffic patterns.
When Lighthouse shows “Multiple”, it means several related connections were involved, and the connections can still be reviewed.
When Lighthouse shows “Many”, it means a larger volume of related connections was involved, so the individual connections are summarized rather than listed one by one.
Faddom classify anomalies by event type. When a larger amount of anomalous activity is detected within the same timeframe, it will be categorized as a broader event - “Major Event.”
If the same anomaly is detected after 10 minutes from original detection, it will be marked as "Ongoing"
When reviewing detected anomalies, you can resolve them to help Lighthouse learn your preferences. Resolving an anomaly closes the event and determines how similar anomalies will be handled in the future.
You can mark an anomaly as valid, indicating to Lighthouse that the detection was accurate and you are interested in being alerted on similar anomalies going forward. This will help Lighthouse understand your environment better, and to improve over time.
Alternatively, you can mark anomalies as ones that should be ignored in the future. When doing so, you must provide a reason explaining why the detection should be ignored. This is critical to Lighthouse’s effectiveness - the reason you provide is used to create rules that prevent similar anomalies from being raised again. Well-defined rules are essential for reducing alert noise and improving detection accuracy over time.
The rules provide administrators with granular control over anomaly detection through custom exclusion rules. These rules are highly flexible, allowing you to exclude specific traffic patterns such as unusual source ports, TTL (Time to Live) anomalies, or DNS-related alerts. You can even set schedules to silence known activity during specific windows. Each rule is fully manageable with a clear history and individual toggles. Creating these rules is as simple as chatting with AI - just describe the specific behavior you want to bypass in natural language, and Lighthouse will generate the rule. Rules can be configured globally within the settings menu or applied directly from any anomaly screen for immediate refinement.
Generate Report
For anomalies detected by Faddom, you can generate a detailed report with additional context about the unusual behavior. The report is designed to provide more information about the anomaly and the related activity that Lighthouse investigated.
The report is not intended to determine whether the anomaly is a true positive or false positive, and it should not be used as the sole decision maker. Instead, it helps provide supporting context so the user can better understand the behavior and decide how to handle it.
You can also review abnormal traffic related to an anomaly by selecting “Investigate.” For more information, see Traffic Behavior Investigation.
For additional help with Lighthouse AI, contact support@faddom.com.