When to go deep
Neural networks are powerful — but power without need is just complexity. Here's when depth helps and when simplicity wins.
Tabular Data (CSV logs, features)
Use: LogReg, RF, XGBoost
vs
Unstructured Data (images, text, raw bytes)
Use: Neural Networks
Use neural networks when:
- Data is unstructured (images, text, audio, raw packets)
- You have 100,000+ labelled samples
- Simple models have plateaued and you need more capacity
- You're doing transfer learning from pre-trained models
Use simple models when:
- Data is tabular (structured features in rows/columns)
- You have fewer than 10,000 samples
- You need explainability (SOC analysts need to understand why)
- You need fast inference and easy deployment
What you learned
| Step | Concept | Key takeaway |
|---|---|---|
| 0 | Single neuron | weighted sum + bias + activation |
| 1 | Activations | ReLU for hidden, sigmoid/softmax for output |
| 2 | Architecture | params = (inputs × neurons) + neurons per layer |
| 3 | Forward pass | Data flows input → hidden → output in milliseconds |
| 4 | Training loop | Epochs of forward → loss → backward → update |
| 5 | Overfitting | Stop when val accuracy peaks, not when train accuracy is perfect |
| 6 | Baseline comparison | Simple models often match neural nets on tabular data |
This lesson's model
- NN AUC: 97.0%
- LogReg AUC: 90.0%
Dataset
- Samples: 2,000
- Attack rate: 13.4%
Think Deeper
Try this:
Your team has 500 labelled malware samples and 50,000 benign samples. Should you use a neural network?
Probably not. With severe class imbalance and limited data, tree-based models (Random Forest, XGBoost) often work better. Neural networks need more data to generalise. Start simple, go deep only if the data supports it.
Cybersecurity tie-in: Most SOC ML tasks (alert triage, malware classification, user behaviour analytics) work on tabular data with limited labels. Start with Random Forest or XGBoost. Reserve neural networks for raw packet analysis, NLP on threat reports, or image-based malware detection.
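As an added example (not the lesson's own code), the pure-Python snippet below works through steps 0-3 of the summary table and the Think Deeper scenario: it counts parameters with the step-2 formula, runs a forward pass with ReLU hidden and sigmoid output, and scores the 500 malware / 50,000 benign case with a rank-based AUC, showing why an "always benign" model gets 99% accuracy but only 0.5 AUC. The toy weights and the labelled dataset are constructed here, and the AUC routine is my own implementation, not the metric code behind the figures above.

```python
import math

def param_count(n_inputs, layer_sizes):
    """Step 2 of the table: params = (inputs x neurons) + neurons, per layer."""
    total, fan_in = 0, n_inputs
    for n in layer_sizes:
        total += fan_in * n + n
        fan_in = n
    return total

def relu(z):
    return max(0.0, z)

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def dense(x, weights, biases, act):
    """Step 0: each neuron is a weighted sum + bias + activation."""
    return [act(sum(w * xi for w, xi in zip(ws, x)) + b)
            for ws, b in zip(weights, biases)]

def forward(x, layers):
    """Step 3: input -> ReLU hidden layers -> sigmoid output (a probability)."""
    for i, (w, b) in enumerate(layers):
        x = dense(x, w, b, sigmoid if i == len(layers) - 1 else relu)
    return x[0]

def auc(scores, labels):
    """Rank-based AUC (tied scores share the average rank), O(n log n)."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks, i = [0.0] * len(scores), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1  # average 1-based rank of the tie group
        i = j + 1
    n_pos = sum(labels); n_neg = len(labels) - n_pos
    rank_sum = sum(r for r, y in zip(ranks, labels) if y == 1)
    return (rank_sum - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)

def always_benign(n_malware, n_benign):
    """Think Deeper scenario (constructed labels): a model that scores everything
    0 ('benign'). Returns (accuracy, AUC): accuracy looks excellent, AUC is chance."""
    labels = [1] * n_malware + [0] * n_benign
    scores = [0.0] * len(labels)
    return n_benign / len(labels), auc(scores, labels)
```

Calling `always_benign(500, 50_000)` returns roughly (0.99, 0.5), which is why the lesson reports AUC rather than accuracy for the 13.4% attack-rate dataset.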