<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Threat Foundry Research &amp; Insights</title><link>https://threat-foundry.com/blog.html</link><description>Practical guidance for review-first threat operations.</description><language>en-us</language><lastBuildDate>Tue, 14 Jul 2026 00:00:00 GMT</lastBuildDate><item><title>AI-assisted threat hunting should be review-first, not autopilot.</title><link>https://threat-foundry.com/blog/ai-assisted-threat-hunting-review-first.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/ai-assisted-threat-hunting-review-first.html</guid><description>How AI can accelerate hunt generation, CTI summarization, Sigma drafting, and YARA drafting while keeping analysts in control.</description><category>AI and Hunting</category></item><item><title>Community Sigma and YARA Detection Exchange</title><link>https://threat-foundry.com/blog/community-sigma-yara-detection-exchange.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/community-sigma-yara-detection-exchange.html</guid><description>How Threat Foundry approaches opt-in community sharing for Sigma and YARA detections while keeping customer rules private by default.</description><category>Detection Engineering</category></item><item><title>Tune CTI prioritization with CTI Modeling and Metric Weights</title><link>https://threat-foundry.com/blog/cti-modeling-metric-weights-threat-foundry.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/cti-modeling-metric-weights-threat-foundry.html</guid><description>How to use Threat Foundry CTI Modeling, reporting, Auto Triage, and Metric Weights to tune CTI prioritization without creating noisy queues.</description><category>Threat Intelligence</category></item><item><title>Detecting lateral movement with Threat Foundry.</title><link>https://threat-foundry.com/blog/detecting-lateral-movement-threat-foundry.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/detecting-lateral-movement-threat-foundry.html</guid><description>How Threat Foundry helps teams hunt and detect lateral movement across identity, endpoint, network, cloud, and asset context.</description><category>Threat Hunting</category></item><item><title>The DFIR feedback loop: turn incidents into better detections.</title><link>https://threat-foundry.com/blog/dfir-feedback-loop-detection-engineering.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/dfir-feedback-loop-detection-engineering.html</guid><description>Why incident response should produce reusable intelligence, Sigma/YARA candidates, playbooks, and telemetry improvements.</description><category>Incident Response</category></item><item><title>Enterprise detection engineering needs governance as much as content.</title><link>https://threat-foundry.com/blog/enterprise-detection-engineering-at-scale.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/enterprise-detection-engineering-at-scale.html</guid><description>Why large security programs need repeatable detection lifecycle management, field normalization, evidence review, and reporting around Sigma, YARA, and hunt workflows.</description><category>Enterprise Security</category></item><item><title>KEV is vulnerability intelligence, not just a patch list</title><link>https://threat-foundry.com/blog/kev-catalog-vulnerability-intelligence.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/kev-catalog-vulnerability-intelligence.html</guid><description>How CISA KEV can help security teams prioritize exploited vulnerabilities, scope exposure, trigger hunts, and drive detection work.</description><category>Vulnerability Intelligence</category></item><item><title>A practical detection program for midsize businesses.</title><link>https://threat-foundry.com/blog/midsize-business-detection-program.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/midsize-business-detection-program.html</guid><description>How midsize organizations can build useful threat hunting and detection workflows without needing enterprise-scale tooling or staff.</description><category>Midsize Business</category></item><item><title>How MSPs can offer threat hunting without adding a full hunt team.</title><link>https://threat-foundry.com/blog/msp-threat-hunting-without-adding-headcount.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/msp-threat-hunting-without-adding-headcount.html</guid><description>A practical model for MSPs and MSSPs to package CTI-led hunting, detection review, and customer reporting with repeatable workflows.</description><category>MSP Strategy</category></item><item><title>Practical YARA for incident response teams.</title><link>https://threat-foundry.com/blog/practical-yara-for-incident-response.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/practical-yara-for-incident-response.html</guid><description>How IR teams can use YARA to turn malware traits, strings, and file artifacts into reviewable detection content.</description><category>YARA and DFIR</category></item><item><title>From CTI to triage: making SOC analyst workflows less noisy.</title><link>https://threat-foundry.com/blog/soc-analyst-workflow-from-cti-to-triage.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/soc-analyst-workflow-from-cti-to-triage.html</guid><description>How SOC teams can move from raw intelligence to reviewed hunts, detections, triage, and cases without turning every feed item into work.</description><category>SOC Operations</category></item><item><title>Hunting living off the land attacks with Threat Foundry.</title><link>https://threat-foundry.com/blog/threat-foundry-living-off-the-land-hunting.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-foundry-living-off-the-land-hunting.html</guid><description>How to use Threat Foundry to hunt living off the land attacks by turning legitimate-tool abuse into reviewed ATT&amp;CK-driven hunts, Sigma candidates, and evidence.</description><category>Threat Hunting</category></item><item><title>Threat Hunting in the Cloud, Part 1: From Logs to Behavior</title><link>https://threat-foundry.com/blog/threat-hunting-in-the-cloud.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-hunting-in-the-cloud.html</guid><description>A provider-neutral model for cloud threat hunting built around identity, control-plane activity, data movement, workload runtime, and the MITRE ATT&amp;CK Cloud matrix.</description><category>Cloud Hunting</category></item><item><title>Threat Hunting in the Cloud, Part 2: AWS</title><link>https://threat-foundry.com/blog/threat-hunting-aws-cloudtrail-guardduty-security-lake.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-hunting-aws-cloudtrail-guardduty-security-lake.html</guid><description>How to build AWS threat hunts around CloudTrail, GuardDuty, Security Lake, IAM, S3, EKS, runtime telemetry, and the MITRE ATT&amp;CK Cloud matrix.</description><category>Cloud Hunting</category></item><item><title>Threat Hunting in the Cloud, Part 3: Microsoft Azure</title><link>https://threat-foundry.com/blog/threat-hunting-microsoft-azure-entra-sentinel-defender.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-hunting-microsoft-azure-entra-sentinel-defender.html</guid><description>How to build Azure cloud hunts around Entra ID, Activity Logs, Defender XDR advanced hunting, Microsoft Sentinel, hybrid identity, and the ATT&amp;CK Cloud matrix.</description><category>Cloud Hunting</category></item><item><title>Threat Hunting in the Cloud, Part 4: Google Cloud</title><link>https://threat-foundry.com/blog/threat-hunting-google-cloud-security-command-center-secops.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-hunting-google-cloud-security-command-center-secops.html</guid><description>How to build Google Cloud hunts around Security Command Center, Google Security Operations, IAM, service accounts, BigQuery, GKE, Cloud Run, and the ATT&amp;CK Cloud matrix.</description><category>Cloud Hunting</category></item><item><title>Start with a threat hunting charter before buying more tools.</title><link>https://threat-foundry.com/blog/threat-hunting-charter-before-tools.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-hunting-charter-before-tools.html</guid><description>How mature hunt programs define mission, scope, PIRs, authority, cadence, and handoffs before scaling technology.</description><category>Threat Hunting Program</category></item><item><title>The power of information sharing in threat intelligence</title><link>https://threat-foundry.com/blog/threat-intelligence-sharing-collective-defense.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/threat-intelligence-sharing-collective-defense.html</guid><description>Why threat intelligence sharing is a force multiplier when it is timely, trusted, contextual, and tied to hunt and detection workflows.</description><category>Threat Intelligence</category></item><item><title>Why TTP-driven hunting beats IOC chasing.</title><link>https://threat-foundry.com/blog/ttp-driven-hunting-beats-ioc-chasing.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/ttp-driven-hunting-beats-ioc-chasing.html</guid><description>Why durable threat hunting starts with adversary behavior, not just disposable indicators.</description><category>Threat Hunting</category></item><item><title>Getting the most from Threat Blueprints</title><link>https://threat-foundry.com/blog/getting-the-most-from-threat-blueprints.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/getting-the-most-from-threat-blueprints.html</guid><description>A practical guide to turning architecture context, data flows, attack paths, findings, and remediations into an operating security workflow.</description><category>Threat Blueprints</category></item><item><title>How to leverage CTI across the Threat Foundry platform</title><link>https://threat-foundry.com/blog/leveraging-cti-across-threat-foundry.html</link><guid isPermaLink="true">https://threat-foundry.com/blog/leveraging-cti-across-threat-foundry.html</guid><description>Move selected intelligence through normalization, review, prioritization, hunting, detection, investigation, and reporting without losing provenance.</description><category>Threat Intelligence</category></item></channel></rss>
