Threat Hunting

// THREAT HUNTING

Hunt the adversary, not the alert queue

A playbook library built from real engagements: cloud control-plane hunts, VPC Flow Log analytics, identity-attack hunting, and detection engineering recipes. Methodology you can apply on Monday morning — every playbook ships with the query, the feature table, and the false-positive curve.

// At a glance
7 VPC Flow playbooks
5+ Cloud hunts
12+ Detection patterns
Full coverage: TTP mappings

A hunt is not a query. It is a hypothesis tested against scoped telemetry, with a documented false-positive curve and a path to ship as code.

// Hunting philosophy

A hunt is a hypothesis tested against telemetry

Threat hunting is often described as “looking for what your detections missed”. That is true but incomplete. A hunt is more precisely a hypothesis tested against scoped telemetry, with documented success and failure modes. Every hunt in the platform’s library starts the same way — a one-sentence statement of adversary behaviour, mapped to a MITRE technique, scoped to a specific telemetry source, with an explicit hypothesis about what the data should look like if the behaviour is present.

From that hypothesis, the playbook proceeds in five stages. Telemetry inventory: what log sources are available, what fields are populated, what retention applies. Feature engineering: which observations in the raw logs become the input to detection. Pre-processing query: the materialisation step that produces the feature table. Scoring model: rule-based threshold, statistical method, or ML model that produces a binary detection signal from the features. Triage workflow: what happens when the score exceeds threshold — analyst queue, enrichment lookups, runbook execution.

Every published hunt ships with all five stages documented. You do not get a “look for periodic outbound connections” hand-wave. You get the query, the feature definitions, the FFT parameters, the DBSCAN epsilon value, the false-positive curve at different thresholds, and the path to promote the hunt to a continuously running detection if it proves useful in your environment.
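As an added illustration (not code from the platform's library), here are the five stages applied to a beacon hunt over constructed VPC Flow Log records: a naive DFT stands in for the FFT, and the field order, hosts, bin width and the 0.5 threshold are assumptions.

```python
"""Five-stage beacon hunt on constructed VPC Flow Log records (DFT periodicity per src/dst/port)."""
import cmath
from collections import defaultdict
# Constructed sample in the AWS default flow-log field order (version account eni src dst srcport
# dstport proto packets bytes start end action log-status): pair A beacons every 180 s, pair B is irregular.
REC = "2 123456789012 {eni} {src} {dst} 49152 {port} 6 4 320 {t} {t1} ACCEPT OK"
BEACON = [REC.format(eni="eni-0a", src="10.0.1.5", dst="203.0.113.10", port=443, t=t, t1=t + 1)
          for t in range(0, 3600, 180)]
NOISE = [REC.format(eni="eni-0b", src="10.0.1.7", dst="198.51.100.20", port=443, t=t, t1=t + 2)
         for t in (41, 350, 372, 905, 1210, 1577, 1982, 2411, 2999, 3440)]
FLOW_LOG = BEACON + NOISE

def inventory(lines):
    """Stage 1: parse; keep only ACCEPTed records whose needed fields are populated."""
    out = []
    for f in (ln.split() for ln in lines):
        if len(f) >= 13 and f[12] == "ACCEPT" and f[3] != "-":
            out.append((f[3], f[4], int(f[6]), int(f[10])))  # src, dst, dstport, start
    return out

def feature_table(records, bins=60, width=60, t0=0):
    """Stages 2 and 3: per (src, dst, dstport), flow counts over fixed-width time bins."""
    tbl = defaultdict(lambda: [0] * bins)
    for src, dst, port, ts in records:
        b = (ts - t0) // width
        if 0 <= b < bins:
            tbl[(src, dst, port)][b] += 1
    return tbl

def periodicity(series, width=60):
    """Stage 4: naive DFT. Score = share of non-DC power (k = 1..N/2) in the strongest bin;
    harmonics of short periods split that share, so tune the threshold from the FP curve."""
    n = len(series)
    power = [abs(sum(x * cmath.exp(-2j * cmath.pi * k * i / n) for i, x in enumerate(series))) ** 2
             for k in range(n // 2 + 1)]
    k_star = max(range(1, n // 2 + 1), key=power.__getitem__)
    total = sum(power[1:])
    return (power[k_star] / total if total else 0.0), n * width / k_star  # (score, period_s)

def hunt(lines, min_flows=8, threshold=0.5):
    """Stage 5: triage rows for pairs with enough flows whose score crosses the threshold."""
    alerts = []
    for key, series in feature_table(inventory(lines)).items():
        if sum(series) < min_flows:  # gate: too few flows to estimate a period
            continue
        score, period = periodicity(series)
        if score >= threshold:
            alerts.append({"src": key[0], "dst": key[1], "port": key[2],
                           "score": round(score, 3), "period_s": period})
    return alerts
```

Running `hunt(FLOW_LOG)` flags only the 180 s beacon pair; the irregular pair is scored but stays under threshold.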

// Coverage map

Where the hunt library reaches

[Spider chart of telemetry surfaces covered by published playbooks: Network, Identity, Cloud API, Kubernetes, Endpoint, DNS / TLS. Outer ring = saturated coverage.]

Cloud-network first, identity-aware throughout

Network telemetry is the highest-leverage surface for cloud-era hunting — cheap to capture, hard for attackers to avoid. The library leans heaviest there, with full identity context fused on top.

Kubernetes audit, endpoint telemetry, and DNS/TLS metadata round out the coverage so you can cross-source pivot in a single platform.

// Methodology

The five-stage hunting pipeline

Every published playbook follows this pipeline. Reproducible, peer-reviewable, and shippable as code.

Stage 01: Telemetry inventory
Stage 02: Feature engineering
Stage 03: Pre-processing query
Stage 04: Scoring model
Stage 05: Triage workflow

A hunt is not a query. It is a hypothesis tested against scoped telemetry, with a documented false-positive curve, a documented missed-detection cost, and a path to ship as a continuously running detection.

// Hunt playbook library

What we have published

01 VPC Flow Log Hunting Series

Seven playbooks: beacon FFT, DGA + DNS tunnel hunting, TLS fingerprint clustering, lateral-movement graph analysis, low-and-slow exfiltration scoring, botnet coordination, Markov-chain LotL.

02 Cloud Threat Hunting

CloudTrail + VPC Flow fusion, Living-off-the-Cloud attack chains, Kubernetes east-west hunting, identity-attack hunting.

03 Detection Engineering

The five-stage pipeline: telemetry inventory, feature engineering, pre-processing, scoring, triage. Production examples.

04 Insider Threat (UEBA)

Behavioural analytics without endpoint agents. Identity-aware netflow features, peer-group scoring, time-of-day anomalies.

05 Anonymizer Egress Hunting

Tor and proxy egress patterns on VPC Flow. Categorisation: exit nodes, bridges, commercial VPN, residential proxy.

06 Cryptojacking Detection

Mining-pool hunting at scale on AWS. JA3 / JA4 clustering for Stratum protocol, TLS-tunnelled mining detection.

// Telemetry sources

What we hunt across

Each playbook ties to one or more telemetry sources. Cross-source fusion is where most signal lives.

The biggest leverage point in modern threat hunting is fusion across telemetry sources. A network-only hunt sees the connection but not who initiated it. An identity-only hunt sees the privilege escalation but not what it accessed. A Kubernetes-only hunt sees the pod activity but not the network movement. When you fuse network, identity, and audit telemetry, you see the kill chain. The platform’s hunt library is structured around that fusion principle.

VPC Flow Logs

Network connection records — source, destination, ports, bytes, packets, action. The cheapest, highest-coverage cloud telemetry.

CloudTrail

AWS API event logs. Every identity action, every console click, every cross-account hop.

Kubernetes Audit

Cluster API events: pod creation, secret access, role binding changes, service-account use.

EDR Telemetry

Process, command-line, file, registry, network telemetry from endpoints. Linked back to network observables for fusion.

IAM / SSO logs

Identity events: authentication, MFA challenges, federation flows, session token lifetimes.

DNS / TLS Metadata

Resolved queries, NXDOMAIN density, TLS fingerprints (JA3 / JA4 / JARM), certificate transparency feeds.