What we built: June 2026

By Scout Scholes

July 1, 2026  •  2 minute read




TL;DR

  • This is a monthly recap of everything our product team shipped in the last 30 days
  • Questions? Reach out to your Expel contact, or if you don’t have one, connect with us here
  • This month we’re featuring two new threat hunts added to the catalog, two new Workbench features, and one integration update to CrowdStrike Falcon

 

Live this month

New threat hunts

Entra ID token auth method anomalies

What it is: A valid access or refresh token satisfies Entra ID authentication without a fresh interactive challenge, so replay of a stolen token is hard to distinguish from a legitimate re-authentication. This hunt surfaces sign-in events where token reuse looks abnormal: unusual volume, deviations from the user's established MFA methods, new device registrations, or unusual Conditional Access traversal (for example, repeated policy failures followed by a success) that suggests an attacker struggling to satisfy controls with a stolen token.

Why it matters: Token-based attacks are difficult to catch precisely because they’re designed to look like legitimate re-authentication. This hunt is built around the specific signals that give that masquerade away—which is exactly when proactive hunting is most valuable.
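To make the signals above concrete, here is an added example (not Expel's hunt logic, and not code from the page) that runs three of them over a handful of constructed sign-in records. The field names loosely follow Entra ID sign-in log columns but are assumptions for this example, as are the baseline cut-off, the 15-minute Conditional Access window, and the failure threshold of three.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for one tenant; not real data. Field names are
# assumptions modelled loosely on Entra ID sign-in log columns.
SIGNINS = [
    # Baseline: alice signs in interactively with Authenticator push from one device.
    {"user": "alice@contoso.example", "time": "2026-06-01T08:00:00", "interactive": True,
     "mfa_method": "microsoftAuthenticatorPush", "device": "dev-A1", "ca_status": "success"},
    {"user": "alice@contoso.example", "time": "2026-06-02T08:05:00", "interactive": True,
     "mfa_method": "microsoftAuthenticatorPush", "device": "dev-A1", "ca_status": "success"},
    {"user": "alice@contoso.example", "time": "2026-06-03T08:02:00", "interactive": False,
     "mfa_method": "", "device": "dev-A1", "ca_status": "success"},
    # Hunt window: a token is replayed from a never-seen device, trips Conditional
    # Access three times, then the attacker satisfies MFA with a method alice never used.
    {"user": "alice@contoso.example", "time": "2026-06-10T02:11:00", "interactive": False,
     "mfa_method": "", "device": "dev-Z9", "ca_status": "failure"},
    {"user": "alice@contoso.example", "time": "2026-06-10T02:12:00", "interactive": False,
     "mfa_method": "", "device": "dev-Z9", "ca_status": "failure"},
    {"user": "alice@contoso.example", "time": "2026-06-10T02:13:00", "interactive": False,
     "mfa_method": "", "device": "dev-Z9", "ca_status": "failure"},
    {"user": "alice@contoso.example", "time": "2026-06-10T02:20:00", "interactive": True,
     "mfa_method": "sms", "device": "dev-Z9", "ca_status": "success"},
    # bob: routine token refresh from his known device; nothing should fire.
    {"user": "bob@contoso.example", "time": "2026-06-01T09:00:00", "interactive": True,
     "mfa_method": "fido2", "device": "dev-B1", "ca_status": "success"},
    {"user": "bob@contoso.example", "time": "2026-06-10T09:00:00", "interactive": False,
     "mfa_method": "", "device": "dev-B1", "ca_status": "success"},
]

BASELINE_END = datetime(2026, 6, 5)  # assumed: everything before this is "known good"


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(signins, baseline_end):
    """Per user, the MFA methods and device IDs seen before the baseline cut-off."""
    base = defaultdict(lambda: {"methods": set(), "devices": set()})
    for s in signins:
        if parse(s["time"]) < baseline_end:
            base[s["user"]]["devices"].add(s["device"])
            if s["mfa_method"]:
                base[s["user"]]["methods"].add(s["mfa_method"])
    return base


def hunt(signins, baseline_end=BASELINE_END, ca_fail_threshold=3,
         ca_window=timedelta(minutes=15)):
    """Return (user, time, signal, detail) tuples for anomalous token reuse."""
    base = build_baseline(signins, baseline_end)
    findings = []
    flagged_devices = set()             # (user, device) already reported once
    recent_fails = defaultdict(list)    # (user, device) -> CA failure timestamps
    for s in sorted(signins, key=lambda r: r["time"]):
        t = parse(s["time"])
        if t < baseline_end:
            continue
        user, dev, b = s["user"], s["device"], base[s["user"]]
        # Signal 1: token-only (non-interactive) sign-in from a device never seen for this user.
        if not s["interactive"] and dev not in b["devices"] and (user, dev) not in flagged_devices:
            flagged_devices.add((user, dev))
            findings.append((user, s["time"], "token_reuse_new_device", dev))
        # Signal 2: MFA satisfied with a method this user has never used before.
        if s["interactive"] and s["mfa_method"] and s["mfa_method"] not in b["methods"]:
            findings.append((user, s["time"], "new_mfa_method", s["mfa_method"]))
        # Signal 3: a burst of Conditional Access failures from one device inside the window.
        if s["ca_status"] == "failure":
            fails = [x for x in recent_fails[(user, dev)] if t - x <= ca_window] + [t]
            recent_fails[(user, dev)] = fails
            if len(fails) == ca_fail_threshold:
                findings.append((user, s["time"], "ca_failure_burst", f"{len(fails)} failures"))
    return findings


if __name__ == "__main__":
    for f in hunt(SIGNINS):
        print(f)
```

The baseline is deliberately built only from pre-cut-off records, so a device or MFA method the attacker introduces during the hunt window never becomes "known". In production the baseline would come from weeks of history and the thresholds would be tuned per tenant; the structure, per-user baseline plus windowed counters, is what carries over.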

Cloud credential enumeration of dev tools

What it is: This hunt evaluates process and command line activity across endpoints for multi-platform cloud credential enumeration patterns initiated by developer tooling. It detects commands that read, list, or print credentials for GitHub, AWS, Azure, Google Cloud, SSH, and Kubernetes, then buckets the results into fixed time windows per device and user. Seeing one provider's credentials read during a work day is normal; seeing several providers' credential stores swept within seconds is the signature of the automated enumeration tied to supply chain attack groups like TeamPCP.

Why it matters: Cloud credential enumeration initiated through dev tooling is a common early-stage supply chain technique that can fly under the radar in environments where that tooling runs frequently. Our threat hunters can now proactively test for this activity across your environment, instead of just reacting to it after an alert fires.

 

Resilience recommendations in incident context

What it is: You can now update the status of a resilience recommendation directly from an Incident in Expel Workbench™, without switching to the standalone resilience page. Reviewing, accepting, or updating a recommendation happens in the same place you’re already working, with full visibility into the incident it relates to.

Why it matters: Context switching is friction, and friction means things get deferred. When a recommendation is surfaced inside the incident it’s tied to, you can evaluate it against what you’re already looking at and act on it without losing your place. The interaction data this generates also helps our SOC surface more relevant, better-targeted recommendations for your environment over time.

Notification filtering by security device

What it is: You can now configure Workbench notifications to trigger based on the specific security device an event originated from. In the Notifications tab, select the new Security Device condition and choose one or more of your organization’s onboarded security vendor devices. Multi-select is supported, so you can route alerts from multiple sources with a single rule.

Why it matters: Not all alerts from all tools deserve the same routing. This condition lets you build notification rules that reflect how your environment is actually organized by directing alerts from specific tools to the right people or channels, without creating a separate rule for each source.

 

Integration updates

Enhanced CrowdStrike Falcon detection coverage

We’ve updated our CrowdStrike Falcon integration to ingest CrowdStrike’s Automated Leads, ensuring continued detection coverage as CrowdStrike evolves its detection APIs. Suspicious activity surfaced by Falcon continues to flow into Expel for triage and investigation by our SOC, with no action required on your part.

Why it matters: Detection API changes can quietly create gaps in coverage if integrations aren't kept current. This update closes that gap before it opens, so Falcon signals keep reaching our SOC without interruption and without any configuration change on your end.