{"id":47237,"date":"2026-04-06T11:18:42","date_gmt":"2026-04-06T16:18:42","guid":{"rendered":"https:\/\/rud.is\/b\/?p=47237"},"modified":"2026-04-06T11:18:42","modified_gmt":"2026-04-06T16:18:42","slug":"unprompted-spring-2026-threat-hunting-in-the-matrix","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/","title":{"rendered":"[un]prompted Spring 2026: Threat Hunting In The Matrix"},"content":{"rendered":"<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"510\" height=\"287\" src=\"https:\/\/www.youtube.com\/embed\/k19CmI_Ni3M?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span><\/p>\n<p>At our previous employer, the global deception and detection infrastructure generates tons of events that eventually make their way into an ever-growing data lake with (as of February 2026) 22 TB of PCAPs and 32 TB of session protocol data. When trying to find novel and truly dangerous attacker behavior, the bottleneck isn&#8217;t the data \u2014 it&#8217;s the analyst trying to hold it all in their head while toggling between <a href=\"https:\/\/arkime.com\/\">Arkime<\/a>, <a href=\"https:\/\/censys.com\/\">Censys<\/a>, <a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a>, and five other tabs.<\/p>\n<p><a href=\"https:\/\/www.cyberuk.uk\/2026\/speaker\/2134961\/glenn-thorpe-iii\">Glenn Thorpe<\/a> and I built Orbie to attack that problem. 
It&#8217;s a prompt-engineered analytical system running in Claude Code that coordinates 16 data source integrations, 8 investigation skills, and 2 background enrichment agents across structured, reproducible workflows \u2014 with one rule we never bent on: never assume, always query, show your work.<\/p>\n<p>The full architecture, the failure modes, and where it&#8217;s going are in the talk we gave at the February 2026 installment of <a href=\"https:\/\/unpromptedcon.org\/\">[un]prompted<\/a>, above, and you can get some more info and freebies at <a href=\"https:\/\/github.com\/GreyNoise-Intelligence\/2026-labs-unprompted\">https:\/\/github.com\/GreyNoise-Intelligence\/2026-labs-unprompted<\/a>.<\/p>\n<p>There&#8217;s going to be another [un]prompted likely later this year and I highly recommend attending and \u2014 if you have some of your own accomplishments to share \u2014\u00a0presenting. It was an incredible experience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At our previous employer, the global deception and detection infrastructure generates tons of events that eventually make their way into an ever-growing data lake with (as of February 2026) 22 TB of PCAPs and 32 TB of session protocol data. 
When trying to find novel and truly dangerous attacker behavior, the bottleneck isn&#8217;t the data [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"federated","footnotes":""},"categories":[891,681,677,709,754],"tags":[],"class_list":["post-47237","post","type-post","status-publish","format-standard","hentry","category-ai","category-cybersecurity","category-data-analysis-2","category-data-driven-security","category-data-science"],
"yoast_head_json":{"title":"[un]prompted Spring 2026: Threat Hunting In The Matrix - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/","og_locale":"en_US","og_type":"article","og_title":"[un]prompted Spring 2026: Threat Hunting In The Matrix - rud.is","og_description":"At our previous employer, the global deception and detection infrastructure generates tons of events that eventually make their way into an ever-growing data lake with (as of February 2026) 22 TB of PCAPs and 32 TB of session protocol data. When trying to find novel and truly dangerous attacker behavior, the bottleneck isn&#8217;t the data [&hellip;]","og_url":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/","og_site_name":"rud.is","article_published_time":"2026-04-06T16:18:42+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"[un]prompted Spring 2026: Threat Hunting In The Matrix","datePublished":"2026-04-06T16:18:42+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/"},"wordCount":216,"commentCount":0,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"articleSection":["AI","Cybersecurity","Data Analysis","data driven security","data 
science"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/","url":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/","name":"[un]prompted Spring 2026: Threat Hunting In The Matrix - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2026-04-06T16:18:42+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2026\/04\/06\/unprompted-spring-2026-threat-hunting-in-the-matrix\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"[un]prompted Spring 2026: Threat Hunting In The Matrix"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. 
All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. 
#rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-chT","jetpack_likes_enabled":true,"jetpack-related-posts":[],"jetpack_sharing_enabled":true}