A method of probing and responding to a security breach in a computer network security system includes defining first and second rules and defining a model to output a probability that a security breach has occurred based on an input and to generate commands. Data is collected at first nodes according to the first rules and a first portion of the collected data is selected and sent from the first nodes to a second node. The selected first portion is input into the model to obtain an output probability that a security breach has occurred and the following steps are performed: determining signs of a security breach, generating a first command with the model to cause a second portion of the collected data to be selected, and generating a second command with the model to cause a change in settings at one or more of the first nodes.