| Phase | Network detection | Endpoint detection | Deception | Cloud posture & workload security |
|---|---|---|---|---|
| Recon | Traffic profiling & metadata analysis | Asset/process visibility | Terrain mapping for decoy placement | CSPM scanning for exposed services |
| Initial Access | Detects exploit payloads & anomalous requests | – | – | Misconfiguration detection enabling remote access |
| Execution | Identifies C2 callbacks, reverse shells & exploit traffic | Detects suspicious processes and command execution | – | Vulnerability assessment of workloads |
| Persistence | Retrospective metadata hunting for persistence traffic | Forensics on persistence artifacts | – | Detects rogue workloads & drift |
| Lateral Movement | ATT&CK-mapped detection of SMB/SSH/LDAP movement | Tracks movement via process/connection tracing | Decoy alerts for movement attempts | CI/CD scanning prevents vulnerable deployments |
| Exfiltration | Detects outbound DLP violations, tunneling, exfil patterns | Identifies unusual outbound network activity | – | Access-control hardening to limit data exposure |
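The "Identifies C2 callbacks" (Execution) and "Retrospective metadata hunting for persistence traffic" (Persistence) cells both rest on the same network-metadata technique: connection timestamps alone, without payload, reveal a host that calls the same destination on a fixed schedule. The following is an added illustration, not code from the page or any product it compares; the flow records are constructed, and the thresholds (`min_connections`, `max_cv`) are assumed starting points a hunter would tune against their own baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow metadata: (timestamp in epoch seconds, source, destination).
# The first host calls out roughly every 60 s with a little jitter; the second
# host's connections are irregular, as interactive traffic usually is.
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "203.0.113.10")
    for t in (0, 60, 121, 180, 241, 300, 360, 419, 480, 540)
] + [
    (t, "10.0.0.7", "198.51.100.20")
    for t in (0, 5, 90, 97, 400, 402, 700)
]


def interval_stats(timestamps):
    """Return (connection count, mean gap, coefficient of variation of gaps).

    A low coefficient of variation means the gaps between connections are
    nearly identical, i.e. the traffic is on a timer rather than human-driven.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return len(ts), avg, cv


def find_beacons(flows, min_connections=6, max_cv=0.1):
    """Group flows by (src, dst) and flag pairs whose inter-connection gaps are
    both numerous and unusually regular.

    min_connections and max_cv are assumed thresholds for this example; a real
    hunt would calibrate them against the environment's normal traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        count, avg, cv = interval_stats(stamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            hits[pair] = {"connections": count, "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    # Walk the retained metadata and list the (source, destination) pairs that
    # look like scheduled callbacks; each hit is a lead for endpoint forensics.
    for pair, stats in find_beacons(SAMPLE_FLOWS).items():
        print(pair, stats)
```

Run against retained flow logs the same routine serves both rows of the table: applied to live metadata it surfaces C2 callbacks; applied retrospectively to stored metadata it finds the persistence traffic that predates the alert. The regular host is flagged while the irregular one is not, even though both exceed the connection count, because the decision turns on timing regularity rather than volume.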