Blog

Your rule fires at ten failed logins in five minutes. The attacker tried nine. Your detection logic has a floor, and the attacker is standing just below it, reading your rules the same way you wrote them.

The binary is signed by Microsoft. The process is legitimate. The parent is expected. Your EDR just watched a full intrusion chain execute and flagged nothing, because every tool used ships with Windows.

The alert fired 847 times in 90 days. Every one was a false positive. On day 91 it fired for a real intrusion. The analyst closed it in four seconds. This is not an alert fatigue story. It is a conditioning story, and the difference matters because one can be deliberate.

Anomaly hunting is expensive archaeology, sifting through everything hoping to find something. Hypothesis-driven hunting is targeted excavation, you already know what you are looking for and where to dig. The difference is analytical discipline applied before the hunt starts.

Your team just spent forty hours on a hunt. They found nothing. Next week they start another hunt. Nothing from the first will inform the second. The queries are gone. The telemetry gaps are untracked. Forty hours. Zero institutional value.

The senior analyst closes the alert in forty seconds. The junior analyst works it for twenty minutes and escalates it as a P1. Both looked at the same event. One of them knew something the other didn't, but nobody has ever written down what it was.