

Threat hunting

Find stealthy new threats that slip past your security tech

Proactively hunt for unexpected activity

(a.k.a. spotting the camouflage)

When you’re looking for attackers and the alarms didn’t go off, it can be difficult to know where to start. In addition to your MDR, you need a multi-layered security approach. With Expel Hunting, we pull data from your security tech, detect attacker activity, fill in your blind spots and tell you how to close them.

What you get:

  • Threat hunts performed by experienced analysts
  • Hunt techniques aligned to your unique risks
  • Clear guidance on what to improve
  • Hunting with the tools you’ve already invested in

What we do


We pick the hunt technique best suited to your unique risks, your security tech and activity we’ve observed in your environment.


Our bots do the tedious work of collecting and enriching data, while our analysts use human judgement to dig into outliers and investigate.


We provide details of each hunting technique along with the data we collect, analyst insights and the final results of the hunt.

How it works

Every month, we pull data we’ve been collecting from your tech and create a hypothesis to determine the hunt. Bots then take on actions that can be automated (think data gathering and clustering) so our analysts can focus on things only a human can track.

Our analysts apply their expertise to investigate things that flew under the radar. We tell you when we find a threat and also share notable activity that looks “abnormal” (like actions a piece of software performed that you and your team didn’t know about … not bad, but strange). And we provide a step-by-step guide on how to investigate.

What we look for

(The hunt is on)

Our techniques map to the MITRE ATT&CK framework; each hunt looks for the tactics and techniques attackers use during specific stages of the attack lifecycle. We create a hypothesis and then look for the activity that should have generated alerts but didn’t. The results also help fill gaps in your detection strategy.

  • Unwanted users blending in
  • API calls that are truly
  • IP address activity to help spot abnormalities
  • Misconfigured tools that could be costing you
  • User activity to help highlight best practices
  • Odd configurations within your
Hunting techniques tailored to your tech

We’re constantly adding to our library of hunting techniques based on the most recent threat activity we see among our clients. Here’s a list of techniques to give you a sense of the things we look for.

Hunting techniques, by attack surface (MDR for on-prem, MDR for SaaS apps, MDR for cloud infrastructure):

  • Anomalous process relations (productivity, database, web server apps)
  • Successive reconnaissance commands
  • Scripted web downloader
  • Execution from user directories
  • Historical script interpreter activity
  • HTTP beaconing
  • Connections to sinkholed domains
  • IOC hunt
  • App consent grants
  • Data center login
  • Suspicious Duo push
  • Login geo-infeasibility
  • Suspicious inbox rules
  • Unused unsupported cloud regions
  • EC2 modifications
  • New cloud user (AWS)
  • RDS modifications
  • Successful bruteforce


What is (cyber) threat hunting and where do you start?

We want to demystify what hunting is and what it’s not. So here goes nothin’ …


How to find anomalous process relationships in threat hunting

Finding anomalous process relationships — commands that don’t belong together — might indicate a problem within your environment. Here’s how to spot ‘em.
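As an added example (not Expel’s code, and not the method described in the linked post), here is a minimal version of the “anomalous process relations” hunt from the technique list above, run over a constructed set of process-creation events of the kind you would pull from EDR telemetry or Sysmon Event ID 1. It follows the shape the page describes: a hypothesis (productivity, database and web server applications should not spawn shells or script interpreters), an automated pass that counts parent/child pairs across the fleet, and an outlier tier for an analyst to eyeball. The process names, tiers and sample hosts are assumptions for illustration.

```python
"""Hunt for anomalous parent/child process relations (added example).

Input events are (host, parent_image, image, command_line) tuples, the
fields you get from EDR process-creation telemetry or Sysmon Event ID 1.
"""
from collections import defaultdict

# Hypothesis: these application classes should not spawn shells or script
# interpreters. When they do it is typically a malicious document, command
# execution driven through the database, or a web shell.
APP_PARENTS = {
    "productivity app": {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"},
    "database server": {"sqlservr.exe", "mysqld.exe", "postgres.exe", "oracle.exe"},
    "web server": {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"},
}
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def _category(parent):
    """Return the application class of a parent image, or None."""
    for name, images in APP_PARENTS.items():
        if parent in images:
            return name
    return None


def hunt_process_relations(events, rare_hosts=1):
    """Return findings, one per (host, parent, child), most urgent first.

    Tier "investigate": an application-class parent spawned an interpreter.
    Tier "review": a parent/child pair seen on at most `rare_hosts` hosts,
    i.e. an outlier for an analyst; often odd-but-benign software behaviour.
    """
    # Automated pass: how widespread is each parent/child relation?
    hosts_per_pair = defaultdict(set)
    for host, parent, child, _ in events:
        hosts_per_pair[(parent.lower(), child.lower())].add(host)

    findings, seen = [], set()
    for host, parent, child, cmdline in events:
        pair = (parent.lower(), child.lower())
        if (host, pair) in seen:
            continue
        seen.add((host, pair))
        spread = len(hosts_per_pair[pair])
        cat = _category(pair[0])
        if cat and pair[1] in INTERPRETERS:
            tier, why = "investigate", f"{cat} spawned an interpreter"
        elif spread <= rare_hosts:
            tier, why = "review", f"relation seen on only {spread} host(s)"
        else:
            continue
        findings.append({"tier": tier, "host": host, "parent": pair[0], "child": pair[1],
                         "hosts_seen": spread, "why": why, "command_line": cmdline})
    findings.sort(key=lambda f: (f["tier"] != "investigate", f["parent"], f["child"]))
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe", "WINWORD.EXE /n Q3-report.docx"),
    ("ws01", "winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ("ws02", "explorer.exe", "winword.exe", "WINWORD.EXE"),
    ("ws02", "explorer.exe", "outlook.exe", "OUTLOOK.EXE"),
    ("srv01", "services.exe", "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    ("srv01", "sqlservr.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("web01", "svchost.exe", "w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ("web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "dir c:\\inetpub\\wwwroot"'),
    ("ws03", "svchost.exe", "backupagent.exe", "backupagent.exe /schedule"),
    ("ws03", "backupagent.exe", "7z.exe", "7z.exe a nightly.7z C:\\Users"),
]
# The bulk of normal activity: a browser launched from the desktop on many hosts.
SAMPLE_EVENTS += [(f"ws{n:02}", "explorer.exe", "chrome.exe", "chrome.exe") for n in range(4, 24)]


if __name__ == "__main__":
    for f in hunt_process_relations(SAMPLE_EVENTS):
        print(f"[{f['tier']:<11}] {f['host']:<6} {f['parent']} -> {f['child']}  ({f['why']})")
```

On the sample data the three application-to-interpreter relations (Word to PowerShell, SQL Server to cmd, IIS worker to cmd) land in the investigate tier, the fleet-wide explorer-to-chrome relation is suppressed, and single-host oddities such as the backup agent spawning 7-Zip land in the review tier as “not bad, but strange”. On a real dataset `rare_hosts` should be set relative to fleet size, and the review tier is where the analyst’s judgement, not the bot, decides.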


3 must-dos when you’re starting a threat hunting program

So you decided you want to build a threat hunting program … but where do you start? Here are our three must-dos when you’re planning your hunt.


© 2022 Expel, Inc. All Rights Reserved
