HACKFORLAB — Outpace the adversary. Operate with intelligence.

// THREAT INTELLIGENCE · HUNTING · DETECTION ENGINEERING

Outpace the adversary. Operate with intelligence.

HACKFORLAB is the operator-grade threat intelligence and hunting platform built for defenders who refuse to wait for tomorrow’s headline. A multi-million ML-filtered indicator catalogue, thousands of tracked adversary clusters, a deep historical archive — engineered for the SOC analyst at 03:00, the threat hunter on a Friday afternoon, and the detection engineer shipping code on Monday.

// At a glance

Multi-million indicators (indicator catalogue)
Thousands of adversaries (adversary catalogue)
Hundreds of CVEs linked (CVE cross-linkage)
Full coverage: MITRE ATT&CK alignment
Continuous IOC refresh cadence

Catalogued, ML-scored, MITRE-tagged. Refreshed continuously across OSINT, commercial, sandbox, TLS, DNS, and honeynet sources.

// Indicator catalogue

Multi-million observations, structured for query

A breakdown of the catalogue by observable type, plus the top MITRE techniques driving current-cycle indicator volume. Every number is queryable in the operator console; every record carries provenance, confidence score, and attribution.

// IOC TYPES (multi-million indicators, by observable type)
IPs: 70.8%
Domains: 22.4%
URLs: 3.3%
Hashes: 3.0%
Others: 0.5%

// TOP MITRE TECHNIQUES · OBSERVATION DENSITY
T1105 Ingress Tool Transfer: 120K
T1041 Exfil over C2: 104K
T1059 Command Scripting: 77K
T1071 App Layer Protocol C2: 56K
T1204 User Execution: 18K
T1190 Public-Facing Exploit: 17K
T1566 Phishing: 17K
T1498 Network DoS: 15K

// Why this exists

Defenders are losing the time race.

Three structural shifts have rewritten what threat intelligence has to do — and most threat-intelligence programs have not caught up.

01

Disclosure-to-exploitation has collapsed

In 2024-2025, the average gap between a high-severity CVE disclosure and the first observed mass-scanning campaign dropped below 96 hours. By the time a manual indicator review reaches your SOC, the adversary is already inside.

02

Supply-chain compromise arrives in waves

In a single calendar week in May 2026, three independent package-registry compromises landed. Multi-month threat reports do not catch wave dynamics. Weekly briefings tied to live indicator deltas do.

03

Adversaries moved into the cloud control plane

Identity-driven cloud attacks now cross both control plane (CloudTrail, IAM, Kubernetes audit) and data plane (VPC Flow, EDR, DNS) — often in a single kill chain. Single-plane hunting is blind by design.

HACKFORLAB was built on a different premise. Continuously refreshed indicator atoms. Machine-learning filtering to separate real threats from feed noise. MITRE-aligned hunt playbooks that ship with their queries. Detection engineering treated as software, with backtests, false-positive curves, and runbooks attached to every rule. We index what adversaries are doing right now — not what they did last quarter — and we expose it through interfaces a SOC analyst, threat hunter, and detection engineer can each use without translating between tools.

Multi-million indicators across thousands of adversary clusters, every observation ML-scored for confidence, MITRE-tagged for technique, geo-tagged for region, CVE-linked when applicable, and attributed to the campaign it belongs to. This is the data layer beneath every published playbook on this site and every dashboard inside the operator console at huntintel.hackforlab.com.

// What you do on day one

Five steps. Under two hours. First detection candidate by lunch.

No sales call required. Sign in, point at your log sources, and start producing operational output the same day.

Five-step onboarding journey

Most threat-intelligence platforms have a three-month onboarding cycle that ends with a half-configured deployment. HACKFORLAB is different. The console lands you in the analyst view on the first sign-in. The indicator catalogue is pre-populated with multi-million atoms. The published hunt library is pre-loaded with seven VPC Flow Log playbooks, five cloud-plane playbooks, and twelve detection-engineering patterns. The weekly advisory subscription is one click.

By the end of your first hour, you have searched the catalogue, pivoted from an observed indicator to its adversary cluster, viewed the cluster’s MITRE technique distribution, and exported a high-confidence indicator subset to your SIEM. By the end of the first session, you have one hunt running against your own log sources and a candidate detection in your triage queue.

// Three operational pillars

Intelligence, hunting, engineering — one platform.

Built around the workflows that real defenders run every day. Not features that sound good in a brochure. Capabilities that show up in your detection coverage, your mean-time-to-detect, and your portfolio of shipped rules.

PILLAR 01

Threat Intelligence That Operates

A live catalogue of adversary infrastructure, indicator atoms, campaign clusters, and CVE-to-IOC links. Streamed via API, exported to your stack, queryable in the operator console. No more weekly indicator email digests — fresh data, every cycle.

Explore intelligence →

PILLAR 02

Hunt Playbooks You Can Run Tomorrow

MITRE-aligned hunts for cloud control planes, VPC Flow Logs, identity systems, and Kubernetes. Each ships with a hypothesis, a feature table, the query, a false-positive curve, and a triage runbook. Reading time to operational use: under an hour.

Open hunt library →

PILLAR 03

Detection Engineering That Ships

A five-stage detection-as-code pipeline with backtests, FP curves, and runbooks attached to every rule. Manage your portfolio in version control. Promote a successful hunt to a continuous detection via pull request. Retire what no longer earns its keep.

See methodology →

// Built for these roles

Four seats in the SOC. One console.

Every persona who touches a security platform gets a dedicated workflow tuned to what they actually do.

ANALYST

Tier 2 / 3 SOC analyst

Paste an observed indicator, get a verdict with full context in under sixty seconds. Pivot from one IP to the adversary cluster, the linked campaign, the MITRE technique distribution, and the recommended block list. Annotate, tag, and pivot back into your SIEM seamlessly.

HUNTER

Threat hunter

Run any of 12+ published playbooks against your VPC Flow, CloudTrail, K8s audit, or EDR sources. Hits land in a triage queue with the features that fired, the upstream telemetry, and a verdict template. Promote useful hunts to continuous detections via pull request.

ENGINEER

Detection engineer

Manage your rule portfolio as code. Backtests against ninety days of historical telemetry. False-positive curves visible at threshold-tuning time. Unit tests survive every change. Retirement criteria documented per rule. The pipeline behaves like software because it is.

CISO

Security leader

A defensible view of your detection portfolio mapped against the live adversary landscape. Weekly briefings short enough for executive consumption. MITRE coverage exports for board reporting. Audit-ready evidence trails on every detection lifecycle event.

// A day in the life

How a SOC analyst actually uses the platform.

A walkthrough of one real workflow — from a noisy SIEM alert at 09:14 to a confirmed adversary attribution and shipped detection by lunchtime.

09:14 — Alert lands. SIEM fires on an outbound connection from a production EC2 instance to an unfamiliar IP. The analyst opens the platform’s IOC Hunting page and pastes the IP. Two seconds later: Verdict — High. Source feeds — 3 corroborating. Severity — Critical. Actor — known commodity botnet operator. MITRE — T1071 (Application Layer Protocol). Related CIDR cluster — 8 sibling IPs observed in the same /24 over the past 14 days.

09:16 — Pivot to cluster. Click the related-CIDR link. Land in Knowledge Graph → CIDR Clusters with the /24 pre-loaded. See every indicator from that range — 47 IPs, 12 domains, 4 file hashes. See every actor associated — 3 named adversary clusters share the range, hinting at a bulletproof-hosting concentration.

09:24 — Profile the operator. Click the primary actor card. The per-actor page shows TTP frequency, geographic targeting, recent activity sparkline, and the campaign lineage. The analyst now knows this is not a one-off — it is part of a campaign that has been escalating for three weeks.

09:42 — Run a hunt. Open the VPC Flow Log hunting series. Run the “Adaptive C2 Beacon Detection (FFT + DBSCAN)” playbook against the same 30-day window. Twelve more hits surface — including three EC2 instances that did not trip the SIEM alert.

10:18 — Triage and contain. Each hit lands in the analyst queue with the FFT periodicity score, the cluster proximity, and the link to the upstream Athena query. The analyst annotates each, marks the three new EC2s as Confirmed-Malicious, and pushes the IP set to the perimeter blocking infrastructure.

11:36 — Ship a detection. The hunt proved useful enough to become a continuous detection. The analyst opens a pull request that promotes the playbook to the detection-as-code repository, attaches the backtest result (90 days, 12 historical hits, 0 false positives at the chosen threshold), and assigns a reviewer.

12:04 — Lunch. What was a single noisy alert is now an investigated incident, a shipped detection, and a contributing observation to next Monday’s weekly advisory.
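The periodicity hunt run at 09:42 (hunt library entry 01: FFT and DBSCAN periodicity extraction with jitter modelling on VPC Flow Logs), as an added example that is not the platform's own playbook code. It uses a naive DFT in pure Python instead of an FFT library, a simplified one-dimensional DBSCAN over sorted inter-arrival gaps, and constructed flow records; the one-hour window, the score threshold and the jitter ratio are assumed parameters.

```python
"""Beacon periodicity hunt over constructed VPC Flow Log style records
(added example, not the platform's own playbook code)."""
import cmath
import math
import random
from collections import defaultdict

BIN_SECONDS = 5              # time-series resolution
WINDOW_SECONDS = 3600        # one-hour window (assumed; the walkthrough uses 30 days)
PERIODICITY_THRESHOLD = 4.0  # assumed cut-off: spectral peak / RMS bin magnitude
MAX_JITTER_RATIO = 0.5       # assumed cut-off: gap spread / mean gap


def build_sample_flows():
    """Constructed records: 10.0.1.5 beacons every 60 s (+/-5 s jitter); 10.0.1.7 sends 40 random flows."""
    rng = random.Random(7)
    flows = [("10.0.1.5", "203.0.113.9", 60 * i + rng.uniform(-5, 5)) for i in range(60)]
    flows += [("10.0.1.7", "198.51.100.2", rng.uniform(0, WINDOW_SECONDS)) for _ in range(40)]
    return flows


def periodicity(times):
    """Naive DFT of binned connection counts -> (peak/RMS score, period_seconds)."""
    n = WINDOW_SECONDS // BIN_SECONDS
    series = [0.0] * n
    for t in times:
        if 0 <= t < WINDOW_SECONDS:
            series[int(t // BIN_SECONDS)] += 1
    mean = sum(series) / n
    centered = [v - mean for v in series]  # drop the DC component
    mags = []
    for k in range(1, n // 2 + 1):
        x = sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(centered))
        mags.append((abs(x), k))
    rms = math.sqrt(sum(m * m for m, _ in mags) / len(mags))
    peak, k = max(mags)  # strongest non-DC frequency bin
    return (peak / rms if rms else 0.0), n * BIN_SECONDS / k


def interval_cluster(times, eps=10.0, min_pts=5):
    """Simplified 1-D DBSCAN over sorted inter-arrival gaps: gaps within eps of their
    neighbour chain into a cluster kept if it has >= min_pts members. Returns (mean_gap, spread) or None."""
    ts = sorted(times)
    best, run = [], []
    for g in sorted(b - a for a, b in zip(ts, ts[1:])) + [math.inf]:  # inf flushes the last run
        if run and g - run[-1] > eps:
            if len(run) >= min_pts and len(run) > len(best):
                best = run
            run = []
        run.append(g)
    return (sum(best) / len(best), max(best) - min(best)) if best else None


def hunt(flows):
    """Score each (src, dst) pair; a hit needs a strong spectral peak and a gap
    cluster whose spread (jitter) is small relative to its mean interval."""
    by_pair = defaultdict(list)
    for src, dst, t in flows:
        by_pair[(src, dst)].append(t)
    results = {}
    for pair, times in by_pair.items():
        score, period = periodicity(times)
        cluster = interval_cluster(times)
        tight = cluster is not None and cluster[1] <= MAX_JITTER_RATIO * cluster[0]
        results[pair] = {"score": round(score, 2), "period": period, "cluster": cluster,
                         "beacon": score >= PERIODICITY_THRESHOLD and tight}
    return results
```

For the constructed sample, hunt() flags the 10.0.1.5 pair with a recovered period of 60 s and a gap cluster around 60 s, and leaves the random background host unflagged.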

// Global threat landscape

Adversaries operate everywhere. So do we.

Indicator origin density across regions, recomputed continuously. The pulse positions surface where adversary infrastructure is concentrating right now — useful for prioritising geographic detection coverage.

Global threat activity map: live activity over the last cycle, with pulses sized by observed indicator volume.

// Where your program sits

Maturity model — and how the platform moves you up.

A four-level model derived from observed program patterns. Most security teams operate at L1 or L2. The platform is designed to move you to L3 in weeks, not quarters.

Threat intelligence program maturity model

Most security teams are stuck somewhere between Reactive (L1) and Proactive (L2). The technical foundation exists — they have a SIEM, they ingest indicators, they respond to alerts — but the work is alert-driven and triage-heavy. Detection rules accrete without retirement criteria. Hunting happens on an ad-hoc basis when an executive asks. MITRE alignment is aspirational rather than measured.

Moving to Predictive (L3) requires three capabilities most programs lack today: continuous hunting tied to a hypothesis-and-feature workflow, detection-as-code with backtests and metrics, and live MITRE coverage measurement. The platform supplies all three out of the box. Moving to Adaptive (L4) requires ML-augmented detection with closed-loop scoring — also built in.

A typical engagement: an L2 program adopts the platform on Day 0, ships its first PR-managed detection in Week 1, runs its first ML-scored hunt in Week 2, and publishes its first internal MITRE coverage report in Month 1. That is the L2-to-L3 transition, accelerated by an order of magnitude.

// Integration surface

Where the platform connects to your existing stack.

Five integration categories. No proprietary connectors required. Every integration uses open standards or REST.

Integration surface across SIEM, SOAR, EDR, cloud logs, detection-as-code

// What changes after adoption

Operational metrics customers report after the first 90 days.

60s
Mean enrichment time

From “what is this IP?” to a full verdict with attribution, cluster, MITRE technique, and CVE link.

-58%
False-positive rate

ML-filtered indicator scoring eliminates the long tail of low-confidence feed noise that drives alert fatigue.

12+
Live hunt playbooks

MITRE-mapped, query-attached, false-positive-curve-documented. Run against your own log sources.

Thousands of
Adversary clusters tracked

Named profiles built from observed indicator atoms, refreshed continuously.

// Frequently asked questions

Operator-level answers, not marketing answers.

How does HACKFORLAB filter real threats from feed noise?
The Intelligence Cluster Analytics layer (see Stage 05 of the Platform Architecture) runs every catalogue record through machine learning models — DBSCAN and HDBSCAN clustering, Isolation Forest anomaly scoring, LSTM sequence learning, XGBoost ensembles, GraphSAGE node embeddings — combined with time-series correlation (FFT, ARIMA, change-point detection), Bayesian threat attribution, and statistical Sigma calculation (μ ± nσ, 3-sigma rule, ROC/AUC evaluation). The result: indicators are confidence-scored, attribution-tagged, and FP-curve-tuned before they ever reach your SIEM.

How fresh is the indicator catalogue?
Continuously refreshed. Average lag from observation in source feed to availability in the catalogue is under thirty minutes for high-confidence sources, under six hours for sources requiring corroboration before scoring. The platform also exposes change-log feeds so you can react to deltas the moment they land, rather than polling the full catalogue.

Where does the data come from?
OSINT feeds (over thirty curated sources), commercial threat-intelligence feeds where licensing permits redistribution, sandbox detonation telemetry, TLS and DNS observatories, honeynet sinkholes, and government CERT advisories where public. Every indicator carries its provenance source in the catalogue so downstream consumers can decide on trust thresholds.

Can we run hunts on our own telemetry without sharing it externally?
Yes. The hunt-execution layer connects to your S3-stored VPC Flow Logs, CloudTrail, and Kubernetes audit logs via an Athena-backed query plane that runs in your AWS account. Your raw telemetry does not leave your environment. Only the hunt definitions and the resulting hit metadata flow back to the operator console. The trust boundary is explicit and enforced.

How does this integrate with our existing SIEM and SOAR?
Three integration paths. (1) Streaming export — STIX 2.1, JSON, or CSV indicator deltas piped into your SIEM ingest. (2) Lookup-on-demand — SOAR webhooks that enrich a SIEM event with platform context. (3) Direct query — API endpoints for ad-hoc enrichment from analyst dashboards. Most customers use a combination — streaming for bulk indicator coverage, webhooks for enrichment on alerts.

Is this competitive with our existing threat-intel vendor?
Sometimes complementary, sometimes replacement. Customers running mature TIP deployments often layer HACKFORLAB on top as a hunting and detection-engineering capability that their TIP does not provide. Customers running with no formal TIP often start with HACKFORLAB as their primary indicator catalogue and grow from there. The platform is designed to coexist with — not displace — other intelligence sources.

What does a typical first hour on the platform look like?
Sign in, browse the indicator catalogue from the current week, pivot from one observed indicator to the linked adversary cluster, view the MITRE technique distribution for that cluster, drill into one of the published hunt playbooks that addresses those techniques, attach a sample log source to run the hunt against, and triage the first batch of results. Most operators have at least one usable detection candidate by the end of the first hour.

How do you handle false positives?
Three layers. (1) Confidence scoring at ingest filters obviously low-quality observations. (2) ML-based anomaly scoring at the analytics layer down-weights indicators that fail multivariate sanity checks (Mahalanobis distance, Z-score normalisation). (3) Per-rule false-positive curves are documented at detection-shipping time so analysts see the threshold-vs-FP-rate trade-off explicitly. Annotations on whitelisted indicators are tenant-scoped and persistent.

Do you support MITRE ATT&CK navigator export?
Yes. The MITRE Matrix page (inside the operator console) exports both the navigator JSON format and a per-tactic CSV. Useful for board-level reporting and for cross-tool coverage comparison if you run multiple detection platforms.

How is access controlled?
Single sign-on with role-based access control. Three primary roles: Analyst (read-only indicator + hunt access), Hunter (additional hunt-execution rights), Admin (user lifecycle + tenant configuration). An audit log captures every action with user, timestamp, action type, target, and source IP — exportable for compliance review. See the Administration documentation inside the console.

How do we get started?
Sign in to the platform at huntintel.hackforlab.com with a work email. You will land on the analyst console with the indicator catalogue and the published hunt library pre-loaded. Attaching your own log sources takes about ten minutes of configuration. Subscribing to the weekly advisory takes one click. We do not require a sales call to get value out of the first session.

What about compliance and audit requirements?
Every action is logged with full attribution (user, timestamp, action type, target). Audit logs are tenant-scoped, exportable, and retained per your retention policy. Role escalation is forbidden — you cannot grant a role higher than your own. The platform supports SAML SSO for enterprise identity integration. Data residency: customer telemetry stays in the customer's AWS account; the catalogue and ML models live on platform infrastructure with documented locations.

// Hunt library

Twelve playbooks that ship with the queries attached.

Each hunt is a hypothesis, a feature table, a pre-processing query, and a scoring layer — peer-reviewed, backtested, ready to run. No “what should I look for” prose. Run them today.

01

Adaptive C2 Beacon Detection

FFT and DBSCAN for periodicity extraction with jitter modelling on VPC Flow Logs. Targets MITRE T1071.

Read playbook →

02

Low-and-Slow Exfiltration

Isolation Forest plus LSTM seasonality modelling for stealthy data exfiltration over established sessions. Targets T1041.

Read playbook →

03

Lateral Movement Graphs

Graph analytics on VPC Flow Logs with identity-aware east-west traversal and anomalous principal-edge weighting. Targets T1021.

Read playbook →

04

TLS Fingerprinting (JA3/JA4/JARM)

Fingerprint clustering for encrypted C2 hunting. Categorise tooling by fingerprint family.

Read playbook →

05

DGA + DNS-Tunnel Hunting

Entropy and n-gram models on resolved domains. Detection of DNS-tunnelled C2 in cloud DNS metadata.

Read playbook →

06

Living-off-the-Cloud Chain

CloudTrail and VPC Flow fusion to detect cloud-native LotL kill chains end-to-end.

Read playbook →

// Trust and compliance

What we will tell your security review team.

Data residency

Customer telemetry stays in the customer's cloud account. The Athena query plane runs in your AWS account. The platform never copies raw telemetry to its own infrastructure.

Authentication

SAML SSO supported. Three-tier RBAC: Analyst, Hunter, Admin. Role escalation forbidden by design. PII tokenisation enforced at ingest.

Audit trail

Every action logged with full attribution. Exportable, retention configurable per tenant. Supports compliance frameworks requiring demonstrable access-control evidence.

Encryption

TLS 1.3 in transit. AES-256 at rest. HSM-backed key management. Per-tenant key isolation. Cipher suites rotated quarterly.

Vulnerability response

Bug bounty program. Coordinated disclosure window. Critical CVE patch SLA: 24 hours. Quarterly third-party penetration testing.

Sub-processor list

Maintained publicly. Material changes notified 30 days in advance. DPA available on request. SOC 2 Type 2 audit in progress.

// Why operators choose HACKFORLAB

Four differentiators that matter in the field.

01

Built by defenders, for defenders

Every playbook on this site was used in production before it was published. The methodology is what we actually run, not what we wish we ran. The engineers who built the platform have shipped detections for global SOCs and incident response teams.

02

Indicator atoms, not narratives

You get observed infrastructure with provenance, confidence, and timestamps — not vendor prose. Plug it directly into detection. The catalogue is queryable, exportable, and tagged with enough metadata for downstream automation.

03

ML-filtered, MITRE-aligned end to end

Every IOC, every hunt, every detection is ML-scored and tagged against ATT&CK. Your portfolio against the live threat landscape is one click away. Coverage gaps are visible. Investment priorities are computable.

04

Detection-as-code first

The pipeline is engineered. Rules ship via PR with backtests, FP curves, runbooks. Retire what no longer earns its keep. This is software engineering applied to detection — versioned, tested, reviewed, deployable, retirable.

// Ready to operate

Stop reading about threats. Start hunting them.

Sign in to query multi-million ML-filtered indicators, run MITRE-mapped hunts against your own log sources, subscribe to the weekly advisory, and manage your detection portfolio as code. No sales call required for first-session value.