
Ensemble Biosignatures: No Single Signal Is Proof

Every signal has an innocent explanation. Detect the combination that has none.

Published June 2026 · 10 min read

In April 2025, a team at Cambridge led by the astronomer Nikku Madhusudhan announced what the headlines immediately called the strongest hints yet of life beyond Earth. Using the James Webb Space Telescope, they reported a signal in the atmosphere of a planet called K2-18b, a sub-Neptune world 124 light-years away, that they attributed to dimethyl sulfide, or DMS, a gas that on Earth is produced almost exclusively by marine life. For about a week, it looked like the most important detection in the history of the question "are we alone?"

And then it came apart, in exactly the way these things always come apart. Within weeks, independent teams reran the analysis. One paper, in Astronomy & Astrophysics, was titled, with academic bluntness, "Insufficient evidence for DMS and DMDS in the atmosphere of K2-18b." Another concluded the planet "does not meet the standards of evidence for life." The DMS signal, the reanalyses found, sat at around three sigma, below the bar physics uses for a claim, was sensitive to an instrumental quirk, and could be confused with other sulfur gases that look the same in the spectrum. The methane held up at four sigma. The biosignature did not. NASA, notably, distanced itself with a sentence that is the whole point of this essay: a single potential biosignature would not constitute the discovery of life, and confirming one would require multiple converging lines of evidence that rule out the boring explanations.

This is not a story about K2-18b. It is a story about why no single signal is ever proof: in astrobiology, in fraud detection, in incident response, anywhere you are trying to catch a rare and important thing hiding inside a sea of innocent noise. And it is a story about the one detection discipline that actually solves the problem.

Every signal has its volcanic methane

The deep difficulty in the search for life is that every individual gas that screams "life!" has a boring abiotic explanation.

Take oxygen, the obvious one. Earth's atmosphere is a fifth oxygen, and that oxygen is made by photosynthesis, so surely oxygen means life? No. Ultraviolet light splits water vapor into hydrogen and oxygen; the light hydrogen escapes to space; the oxygen can build up. Around the small, active M-dwarf stars that host most of the galaxy's planets, this water photolysis can manufacture an oxygen-rich atmosphere with no biology anywhere near it. Oxygen alone is not proof. It has an innocent explanation.

Take methane. On Earth it pours mostly out of living things: microbes, cattle, wetlands. But methane also seeps abiotically from volcanoes and from a water-rock reaction called serpentinization that needs no life at all. Titan, a frozen dead moon, is drenched in methane. Methane alone is not proof. It, too, has an innocent explanation.

Run down the whole list, every candidate biosignature gas, every spectral hint, and you find the same thing: a real signal, and a perfectly mundane way to make it without life. This is not a failure of instruments. It is structural. A single signal, by itself, cannot carry the weight of proof, because for any one signal there exists at least one innocent cause that produces it. The single-gas detection is doomed to permanent ambiguity. You will either set your bar so high you miss the real thing, or so low you cry "life!" at every volcano.

If that dilemma sounds familiar to anyone who has run a detection system, hold that thought.

The disequilibrium trick

The escape from the dilemma is one of the most elegant ideas in twentieth-century science, and it came from James Lovelock in 1965, working for NASA's Jet Propulsion Laboratory on the problem of how the Mars probes might detect life. Lovelock's insight was to stop asking "is there a gas that means life?" and start asking "is the atmosphere as a whole in a state that only life could maintain?"

His answer was chemical disequilibrium. A dead world's atmosphere settles, over time, into thermodynamic equilibrium: the chemistry reaches its lowest-energy resting state and stays there, like a ball at the bottom of a bowl. Mars's atmosphere is like that: mostly carbon dioxide, chemically calm, near equilibrium. Lovelock looked at that calm and concluded, before any lander touched the surface, that Mars was probably dead, not because he found a poison, but because he found nothing pushing the chemistry uphill. Earth's atmosphere, by contrast, is a screaming thermodynamic anomaly. And the sharpest anomaly of all is this: Earth's air contains, at the same time, abundant oxygen and abundant methane.

Those two gases react. Methane and oxygen, together, oxidize: the methane should burn away to carbon dioxide and water, and in our oxygen atmosphere a methane molecule survives only about a decade before it's destroyed. By any equilibrium reckoning, Earth's methane should all be gone. It isn't. It persists at concentrations vastly above what the chemistry allows, which means something is replenishing it as fast as the oxygen destroys it, pumping two mutually-destroying gases into the air continuously, holding the system far from its resting state, doing thermodynamic work against the grain. Nothing abiotic does that. Volcanoes make methane but don't make oxygen; photolysis makes oxygen but doesn't make methane. No single innocent process produces both at once. Life does: photosynthesis floods the air with oxygen, and microbes flood it with methane, and the impossible coexistence of the two is the fingerprint.

That is the ensemble biosignature. Not oxygen. Not methane. The combination of oxygen-and-methane-together: a pair that has no joint abiotic explanation, a co-occurrence that could only be sustained by the very thing you are trying to detect.

The method got its most beautiful test in 1993, when Carl Sagan and colleagues did something delightfully cheeky: they used Earth as a control. The Galileo spacecraft, on its way to Jupiter, swung past Earth, and Sagan's team pointed its instruments at our own planet and asked: could we detect life here, from a passing spacecraft, knowing nothing? They published the result in Nature: "A search for life on Earth from the Galileo spacecraft." And the single strongest piece of evidence they found was not any one gas. It was the oxygen-methane disequilibrium: the thermodynamically incompatible pair that should not be able to coexist. The proof of life on the one planet we know is alive turned out to live not in a signal but in a combination.

The same dilemma, the same escape

Now turn the telescope around, because this is precisely the problem, and precisely the solution, for anyone building anomaly, fraud, or intrusion detection.

The false-positive problem in security is the biosignature problem wearing a different hat. Every single signal you might alert on has an innocent explanation. A latency spike? Probably a deploy. A login from a new country? Probably a vacation. An error-rate bump? A flaky dependency. An unusual database query? A curious analyst exploring. Each signal, taken alone, is the new-country login that means nothing: your volcanic methane, your photolytic oxygen. And so single-signal detection lands in exactly Lovelock's dilemma: tune the threshold high and you miss the real attack hiding in an individually-boring signal; tune it low and you drown your team in false alarms.

This is not a tuning failure you can engineer your way out of by being cleverer with one signal. It is mathematical. In 1999, the researcher Stefan Axelsson laid it out in a paper every detection engineer should read, "The Base-Rate Fallacy and the Difficulty of Intrusion Detection." His argument: attacks are rare relative to the ocean of normal events. When the thing you're hunting has a low base rate, even a detector that is individually very accurate will produce alerts that are overwhelmingly false positives, because the false-positive rate, multiplied across millions of benign events, swamps the handful of true ones. The arithmetic guarantees alert fatigue. A single-signal detector in a low-base-rate world is not unlucky; it is doomed.

We have the corpses to prove it. In December 2013, the retailer Target suffered a breach that exposed about 40 million payment cards. The grim punchline, reported afterward by Bloomberg Businessweek, was that Target's detection tooling had fired the alerts. The malware was flagged. The signals were there. They were lost in the noise of thousands of other alerts and went unactioned, because no single alert could distinguish itself from the daily flood of individually-explicable anomalies. The detection didn't fail because the signal was missing. It failed because a single signal can never carry the weight of proof: the same reason a single gas can't.

So do what the astrobiologists did. Stop hunting the one definitive signal, and define the ensemble: the combination of individually-innocent signals that has no benign joint explanation. A new-country login is nothing. A password change is nothing. A bulk data-export request is nothing. But a new-country login and a password change and a data-export, together, in a tight window, is the account-takeover ensemble, and no single innocent cause produces all three at once, just as no single abiotic process produces oxygen and methane at once. That combination is your disequilibrium. It is the footprint of an agent doing work against the grain.

Why the combination works: it's the correlation, not the signal

Here is the rigorous heart of it, the part worth internalizing, because it explains why ensembles beat single signals so decisively.

Under the innocent hypothesis, your signals are roughly independent and each is fairly common. A traveler logs in from abroad; separately, some users rotate passwords; separately, some users export data. Because these are independent under the null, their joint occurrence in one account in one window is rare: you multiply the probabilities, and the product is tiny. But under the guilty hypothesis, the signals are not independent at all: a single attacker causes all of them together, logs in from their country, changes the password to lock out the owner, exfiltrates the data. The very same combination that is vanishingly rare for an innocent user is the expected behavior of an attacker.

So you are not, in fact, hunting an unlikely signal. You are hunting an unlikely correlation. And the likelihood ratio of the combination, how much more probable it is under "attacker" than under "innocent", can be enormous even when each signal's individual likelihood ratio is barely above one. Three boring signals, each of which alone tells you almost nothing, multiply into a combination that tells you almost everything. That is the same math by which oxygen (ambiguous) and methane (ambiguous) combine into a disequilibrium that is nearly unambiguous. The proof was never going to be in a signal. It was always going to be in the joint improbability.
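The multiplication described above, combined with the base-rate argument from Axelsson's paper, as an added example (not code from the original post). The signal rates, the prior, the one-hour window and the account names are all constructed assumptions; signals are modelled as independent given the hypothesis, with the attacker as the common cause that correlates them.

```python
from collections import defaultdict

# Constructed rates (assumptions, not measurements), per account per one-hour
# window: signal -> (P(signal | benign), P(signal | takeover)).
RATES = {
    "new_country_login": (0.02, 0.90),
    "password_change": (0.01, 0.80),
    "bulk_export": (0.005, 0.70),
}
BASE_RATE = 1e-5  # assumed prior: 1 account-window in 100,000 is a takeover
WINDOW = 3600     # seconds

def posterior(signals, prior=BASE_RATE):
    """P(takeover | signals). Signals are treated as independent given the
    hypothesis; only observed signals contribute to the likelihood ratio."""
    lr = 1.0
    for name in signals:
        benign, attack = RATES[name]
        lr *= attack / benign
    odds = prior / (1 - prior) * lr
    return odds / (1 + odds)

def score_accounts(events):
    """Map account -> (highest posterior, signals in that window)."""
    by_account = defaultdict(list)
    for ts, account, signal in events:
        by_account[account].append((ts, signal))
    scores = {}
    for account, evs in by_account.items():
        best = (0.0, frozenset())
        for end, _ in evs:  # slide a window ending at each event
            seen = frozenset(s for ts, s in evs if end - WINDOW <= ts <= end)
            best = max(best, (posterior(seen), seen), key=lambda b: b[0])
        scores[account] = best
    return scores

def alerts(events, threshold=0.5):
    """Accounts whose best window reaches the posterior threshold."""
    return sorted(a for a, (p, _) in score_accounts(events).items() if p >= threshold)

# Constructed sample events: (unix seconds, account, signal)
EVENTS = [
    (1000, "alice", "new_country_login"),   # traveller
    (2000, "bob", "password_change"),       # routine rotation
    (90000, "bob", "bulk_export"),          # a day later, unrelated
    (5000, "carol", "new_country_login"),
    (5300, "carol", "password_change"),
    (5900, "carol", "bulk_export"),         # all three within one hour
]

if __name__ == "__main__":
    for account, (p, seen) in sorted(score_accounts(EVENTS).items()):
        print(f"{account}: {p:.4f} {sorted(seen)}")
```

With these assumed numbers any single signal leaves the posterior below 0.2 percent, while the three together in one window push it to about 0.83.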

The sharper move: incompatibility, not just co-occurrence

There is one refinement that separates a good ensemble from a great one, and astrobiology hands it to us directly.

The oxygen-methane pair is not powerful merely because the two gases co-occur. It is powerful because they are thermodynamically incompatible: they actively destroy each other, so their coexistence isn't a lucky coincidence; it is an ongoing impossibility that requires something to be continuously forcing it. Disequilibrium is the signature of work being done against the natural tendency.

The best detection ensembles have the same property. Don't just AND together signals that happen to co-occur; find the signals that are in tension under the innocent model: combinations that shouldn't both be true at once unless something is actively forcing them. A password was changed, and yet the previous session is still active: a legitimate password change should have invalidated it. A user is authenticated from two countries in the same minute: a real human can't be in two places at once. A service marked read-only is issuing writes. These aren't just co-occurrences; they're contradictions, mutually-destroying facts that, like oxygen and methane, cannot both persist innocently. When you find a combination that shouldn't be able to exist and yet does, you have found your disequilibrium, and disequilibrium always means an agent is in there, doing work.
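The three contradictions named above, checked over an event stream, as an added example (not code from the original post). The event schema, field names, users, sessions and service names are constructed assumptions, and "same minute" is taken to mean less than 60 seconds apart.

```python
def find_contradictions(events, read_only=frozenset()):
    """Return (ts, kind, subject) for pairs of facts that cannot both hold
    under the benign model. Event fields are a hypothetical schema."""
    pw_changed = {}     # user -> ts of latest password change
    session_start = {}  # session id -> (user, ts the session was created)
    last_auth = {}      # user -> (ts, country) of latest authentication
    found = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t, kind = e["ts"], e["type"]
        if kind == "auth":
            prev = last_auth.get(e["user"])
            if prev and t - prev[0] < 60 and prev[1] != e["country"]:
                found.append((t, "two_countries_same_minute", e["user"]))
            last_auth[e["user"]] = (t, e["country"])
            session_start[e["session"]] = (e["user"], t)
        elif kind == "password_change":
            pw_changed[e["user"]] = t
        elif kind == "request":
            user, started = session_start.get(e["session"], (None, None))
            # A session older than the password change should be invalid by now.
            if user in pw_changed and started < pw_changed[user] <= t:
                found.append((t, "stale_session_after_password_change", user))
        elif kind == "write" and e["service"] in read_only:
            found.append((t, "write_from_read_only_service", e["service"]))
    return found

READ_ONLY = frozenset({"reports-replica"})  # constructed service inventory

# Constructed sample events
EVENTS = [
    {"ts": 100, "type": "auth", "user": "dave", "country": "GB", "session": "s1"},
    {"ts": 200, "type": "request", "session": "s1"},
    {"ts": 300, "type": "password_change", "user": "dave"},
    {"ts": 400, "type": "request", "session": "s1"},   # old session still alive
    {"ts": 500, "type": "auth", "user": "dave", "country": "GB", "session": "s2"},
    {"ts": 510, "type": "request", "session": "s2"},   # new session: fine
    {"ts": 1000, "type": "auth", "user": "erin", "country": "US", "session": "s3"},
    {"ts": 1030, "type": "auth", "user": "erin", "country": "BR", "session": "s4"},
    {"ts": 2000, "type": "auth", "user": "frank", "country": "DE", "session": "s5"},
    {"ts": 90000, "type": "auth", "user": "frank", "country": "JP", "session": "s6"},
    {"ts": 3000, "type": "write", "service": "reports-replica"},
    {"ts": 3100, "type": "write", "service": "orders-db"},
]

if __name__ == "__main__":
    for hit in find_contradictions(EVENTS, READ_ONLY):
        print(hit)
```

Frank's two countries a day apart and the write to a normal database produce nothing; only the facts that cannot coexist are reported.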

What to do on Monday

Stop looking for the one definitive signal. It does not exist. Every signal you have has its volcanic methane: an innocent explanation that will, sooner or later, make a fool of any alert wired to it alone. Internalize that, and the whole shape of your detection strategy changes.

Inventory your signals and accept that each one is individually innocent: that is not a weakness to be fixed but a fact to be designed around. Then define your ensembles: for each thing you actually need to catch (account takeover, data exfiltration, a failing deploy, a fraudulent transaction), write down the combination of signals that has no innocent joint explanation, and alert on the combination, scoring its likelihood ratio rather than each signal's. This move kills both failure modes at once: you stop missing real threats that hid inside individually-boring signals, and you stop paging your team for every lone anomaly, because no single boring signal fires an alert anymore. Where you can, prefer the incompatible combinations, the signals in tension, the facts that shouldn't both be true, over mere co-occurrence, because those are the ones that, like two reactive gases, betray an agent forcing the system away from its resting state. And respect the base rate: in a world where the thing you're hunting is rare, the ensemble is not a nice-to-have; it is the only thing that mathematically works.

The reframe underneath all of it is the gift astrobiology gives the rest of us. You are not, ultimately, detecting a signal. You are detecting an agent, the life, the attacker, the fraud, the thing whose defining trait is that it does work to produce a combination that should not be able to happen by accident. A dead planet relaxes to equilibrium; a living one holds two reactive gases in the air at once. A normal account drifts along its boring baseline; a compromised one shows you three impossible things before breakfast. The proof is never in any one observation. It is in the disequilibrium: the combination that something, somewhere, must be actively maintaining, because nothing innocent ever would.


Sources: K2-18b: N. Madhusudhan et al. (University of Cambridge), JWST observations reporting methane and CO₂ (2023) and a contested dimethyl sulfide (DMS/DMDS) signal claimed as a possible biosignature (April 2025); rebuttals and reanalyses, "Insufficient evidence for DMS and DMDS in the atmosphere of K2-18b" (Astronomy & Astrophysics, 2025) and "K2-18b Does Not Meet the Standards of Evidence for Life" (The Astronomical Journal / IOP, 2025): DMS at ~3σ and not statistically robust, methane confirmed at ~4σ, signals plagued by red noise; NASA's framing that a single potential biosignature is not a discovery and that multiple converging lines of evidence are required (Astronomy.com; aanda.org; iopscience.iop.org; astrobiology.com). James Lovelock (1965), for NASA/JPL: atmospheric chemical disequilibrium as a general biosignature, with Mars (near-equilibrium CO₂ atmosphere) likely lifeless while Earth's atmosphere is far from equilibrium (see also Lovelock & Hitchcock, Icarus, 1967). The oxygen–methane disequilibrium: methane's ~decade lifetime in Earth's oxygen-rich atmosphere requiring continuous biological replenishment, with no joint abiotic source for both (D. Catling & J. Krissansen-Totton on quantifying atmospheric chemical disequilibrium). Abiotic false positives: oxygen from water photolysis and hydrogen escape, notably around M-dwarfs (V. Meadows, S. Domagal-Goldman); methane from volcanism and serpentinization (e.g., Titan). C. Sagan, W. R. Thompson, R. Carlson, D. Hord, et al., "A search for life on Earth from the Galileo spacecraft," Nature 365 (1993): Earth used as a control, the O₂–CH₄ disequilibrium (with the vegetation "red edge" and narrowband radio emission) as the strongest evidence of life. Stefan Axelsson, "The Base-Rate Fallacy and the Difficulty of Intrusion Detection," ACM Transactions on Information and System Security (2000; RAID 1999): why low base rates doom single-signal detectors to overwhelming false positives. 
The 2013 Target breach (~40 million payment cards): M. Riley et al., "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It," Bloomberg Businessweek (2014): detection alerts fired but were lost in alert noise and not actioned. Ensemble/correlation detection practice: SIEM correlation rules, UEBA (User and Entity Behavior Analytics), and the MITRE ATT&CK framing of attacks as chains of techniques rather than single events.

You can't catch a misbehaving agent on any single action. You need the combination.

No one tool-call proves an agent went wrong: each has an innocent explanation, the agent's volcanic methane. The misbehavior lives in the ensemble, the combination of reasoning, tools, and actions that has no innocent joint explanation, the disequilibrium that betrays an agent doing work against the grain. But you can only score that combination if you have all the signals in one correlated, trustworthy record. Chain of Consciousness is that record: a tamper-evident chain of an agent's reasoning, tools, and actions, the substrate ensemble detection needs instead of three disconnected logs you can't join.

pip install chain-of-consciousness  ·  npm install chain-of-consciousness