Modern corporate AI often feels like trying to drive micro-piles with a sledgehammer: businesses instinctively reach for Large Language Models (LLMs) even when a scalpel is required. While the market measures success by parameter counts, Positive Technologies is bucking the trend. Their MOLOT neural network, designed to detect malicious code, is built on a classic BERT encoder rather than a "breakthrough" decoder. This isn't a sign of technological poverty; it’s a cold calculation. In cybersecurity, redundancy isn't just extra zeros on a cloud bill—it's a direct security vulnerability.
Faith in the "GPT magic"—the idea that it must solve any classification task—is becoming comical. In practice, attempting to secure critical infrastructure with universal multi-tools leads to bloated GPU-farm budgets and hallucinations instead of precise verdicts. Maxim Mitrofanov, Head of the ML Application Security team at Positive Technologies, confirms they immediately ruled out models with 1B+ parameters. They simply don't deliver the performance needed in the real world, where code must be scanned instantly and locally, without the indignity of begging neighboring departments for more compute resources.
The Economics of Pragmatism
The choice was purely pragmatic: MOLOT is optimized for local deployment. The system requirements for PT Application Inspector, where the model is integrated, demand the ability to run on a standard CPU. While LLM enthusiasts wait in line for GPUs, the encoder architecture provides speeds that heavyweights cannot match. But cost is only part of the story. Crucially, an encoder lacks "imagination" in the worst sense of the word.
We targeted local operation from the start to ensure that CPU performance and memory bandwidth would be sufficient.
LLM hallucinations aren't a bug; they are a direct consequence of their nature: they are trained to guess the next token. In contrast, MOLOT analyzes the entire sequence and issues a final verdict. In security, where the cost of an error is a missed backdoor, the probabilistic nature of decoders becomes a liability. Using vanilla bert-base-uncased allowed the team to focus on data quality rather than bloating the context window. Experiments with ModernBERT and expanding the window to 4096 tokens showed no gain in accuracy—only a drop in performance and a tendency for the model to "miss" malicious code at the beginning of long chains.
Anatomy of Clean Code
How does MOLOT identify threats? Instead of reading obfuscated code "top-to-bottom" like an inexperienced junior developer or a typical LLM, the system deconstructs it into call graphs and variables. Hackers love hiding logic behind junk comments and convoluted execution paths, but MOLOT works with activity chains—an approach borrowed from the Cerebro solution. This allows the system to classify a file based on the real actions it intends to perform, rather than how "pretty" the text looks.
The encoder architecture allows us to avoid hallucinations. This is achieved through a different training objective: instead of predicting the next token, the model reaches a final decision without probabilistic mechanisms.
For CTOs and risk managers, interpretability is critical. Positive Technologies adapted SHAP analysis, achieving 81% alignment with expert opinions. When a scanner flags a virus, a security officer needs specific lines of code, not vague hints. MOLOT’s architecture allows tokens to be mapped back to the source code, turning the AI "black box" into a transparent audit tool. This provides true immunity to prompt injections: it is impossible to manipulate a model that analyzes API call structures rather than attempting to "understand" the intent of text manipulations.
Moving away from bulky AI orchestras in favor of specialized tools is the only way to achieve a predictable ROI. When the architecture fits the task, you get deterministic results and hardware savings. Using BERT in cybersecurity is a conscious choice of reliability over marketing hype. Security is built on rigid logic and verifiable chains, not on the probability of which syllable comes next in a sentence.