C2 Operations

// COMMAND AND CONTROL

Dedicated C2 Infrastructure Lens

A dedicated view of command-and-control infrastructure across the feed. C2 indicators behave differently from other indicator types — highly perishable, frequently reused, central to active campaigns — so they get a dedicated page focused on triage and block-list construction.

// At a glance
Audience
All authenticated roles
Available from
Available in the operator console

// Screen capture

C2 Operations — from the user guide

The screenshot below is taken from the platform user guide. Sensitive data fields are redacted with solid blocks; the page chrome is cropped for clarity.

C2 Operations — page anatomy from HFL Platform User Guide
// Purpose

Why this page exists

C2 indicators are the most operationally valuable subset of the platform’s data. A live C2 IP is something you can block at the perimeter today and gain immediate value from. A C2 domain freshly observed in active campaigns is a high-priority addition to your DNS sinkhole. Because the operational value decays fast, C2 indicators get their own dedicated page with filters tuned to triage and block-list construction.

The page shows current C2 indicators with their source feeds, confidence, severity, first-seen timestamp, and the actor or campaign they are linked to. A filter set focused on freshness — last 24 hours, last 7 days, last 30 days — makes it easy to construct rolling block lists. A per-feed comparison shows which feeds are catching new C2 fastest.

C2 indicators are pivot-rich. Each row links into Knowledge Graph → CIDR Clusters so you can see if the C2 is part of shared infrastructure, into the actor detail page if it is attributed to a named adversary, and into IOC Management for annotation, tagging, or export to your detection stack.

// Workflows

How operators use this page

01

Triage a fresh C2 spike

Set the time window to last 24 hours. Sort by severity descending. The top rows are your highest-priority blocking candidates. Pivot any row into Knowledge Graph → CIDR Clusters to check for shared infrastructure.

02

Build a block list for a specific actor

Filter by actor name. The result is every C2 indicator attributed to that actor in the current window. Export to CSV or JSON for direct ingest into your blocking infrastructure.

// Field reference

What the page shows

C2 indicators table (value, type, source feed, confidence, severity, first-seen, actor / campaign link), time-window filter, per-feed comparison, export action.
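Workflows 01 and 02 and the field reference above, worked as an added Python example that is not part of the platform or its user guide: it parses a constructed CSV export (the column names are assumed to match the field reference, the timestamp format is assumed to be ISO 8601), applies the freshness window and the actor filter, merges a value reported by several feeds into one block-list entry sorted by severity, and counts which feed reported each fresh C2 first.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (not real data). Column names follow the field
# reference on this page; a real export's header names are an assumption.
SAMPLE_EXPORT = """value,type,source_feed,confidence,severity,first_seen,actor
203.0.113.10,ipv4,feed-a,90,high,2024-05-02T08:00:00+00:00,ACTOR-X
203.0.113.10,ipv4,feed-b,70,high,2024-05-02T07:00:00+00:00,ACTOR-X
c2.example.net,domain,feed-b,80,critical,2024-05-01T22:15:00+00:00,ACTOR-Y
198.51.100.7,ipv4,feed-a,60,medium,2024-04-20T12:00:00+00:00,ACTOR-X
198.51.100.8,ipv4,feed-c,95,critical,2024-05-02T11:45:00+00:00,
"""
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
NOW = datetime.fromisoformat("2024-05-02T12:00:00+00:00")  # constructed clock

def parse_export(text):
    """Parse the CSV export; first_seen is assumed to be ISO 8601 with offset."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["first_seen"] = datetime.fromisoformat(r["first_seen"])
        r["confidence"] = int(r["confidence"])
    return rows

def in_window(rows, now, hours):
    """Freshness filter: rows first seen within the last `hours` (24/168/720)."""
    return [r for r in rows if r["first_seen"] >= now - timedelta(hours=hours)]

def triage(rows, now, hours=24, actor=None):
    """Workflows 01/02: window + optional actor filter, severity descending. A value
    seen by several feeds collapses to one entry (all feeds, earliest seen, top confidence)."""
    merged = {}
    for r in in_window(rows, now, hours):
        if actor and r["actor"] != actor:
            continue
        cur = merged.get(r["value"])
        if cur is None:
            merged[r["value"]] = {**r, "feeds": {r["source_feed"]}}
            continue
        cur["feeds"].add(r["source_feed"])
        cur["first_seen"] = min(cur["first_seen"], r["first_seen"])
        cur["confidence"] = max(cur["confidence"], r["confidence"])
    return sorted(merged.values(), key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["confidence"]))

def feeds_catching_first(rows, now, hours=24):
    """Per-feed comparison: which feed reported each fresh C2 value first."""
    first = {}
    for r in sorted(in_window(rows, now, hours), key=lambda r: r["first_seen"]):
        first.setdefault(r["value"], r["source_feed"])
    return Counter(first.values())
```

The merged entries are what you would write out as the rolling block list; the 30-day call (`hours=720`) shows the older ACTOR-X indicator reappearing once the window widens.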

// Tips and constraints

Best practices and limits

  • For the broader indicator universe, see IOC Management.
  • For shared-infrastructure analysis of C2s, see Knowledge Graph → CIDR Clusters.

// Where to go next

Related platform features

Continue your workflow in a related feature:

  • Knowledge Graph → CIDR Clusters
  • IOC Management
  • Threat Actors