Chapter 4: Disruption

When the SUW alert appeared on the wall display, the mood in the Security Operations Center shifted.

SOC analysts were trained to monitor, detect, and contain. Their work was methodical, structured, and reactive by necessity. But when the Security Unconventional Warfare team activated, the atmosphere changed in a subtler way.

They did not simply respond to attacks.

They hunted them.

At the far side of the room, the SUW workstations came alive almost instantly. Three operators leaned over their terminals while a fourth stood quietly behind them, studying the telemetry flowing across the screens.

Keren didn’t raise her voice.

She didn’t need to.

“Let’s slow them down,” she said.

Her accent carried the faint edge of somewhere else, sharpened by years spent speaking English inside operational environments. No one in the SOC had ever asked her directly what she used to do before joining the company. The rumors varied, but they all ended in the same place.

Someone who had done this before. With Ari.

One of the operators brought up the vendor gateway telemetry on a larger display.

“Credential attempts are still probing the perimeter,” he said. “Pattern suggests automated reconnaissance.”

Keren nodded.

“Good. That means they’re impatient.” She stepped closer to the console and tapped a section of the network map. “Wake up the dormant segments.”

One of the analysts smiled slightly.

“Thought you might say that.”

Within seconds, a portion of the company’s internal infrastructure that normally remained invisible began to light up inside the monitoring system. Hidden systems and network devices appeared. Additional network routes quietly came online. Several storage systems that had been intentionally left inactive began broadcasting subtle signals across the internal routing tables.

To an external observer probing the network, it would look like systems that were reachable. Valuable systems.

“Decoy environments and honeypots active,” the analyst reported.

Ari watched the map expand.

“Bait,” he said quietly.

Keren glanced toward him briefly. “Information,” she corrected.

On the screen, one of the probing connections immediately shifted direction.

Instead of continuing toward the vendor gateway authentication portal, it redirected toward one of the newly visible internal nodes.

The attacker had noticed the change.

One of the SUW operators leaned forward.

“There we go.”

Packets began to stream across the telemetry feed. The system recorded every move, every request, every malformed handshake attempt as the probing software attempted to interact with the decoy environment.

“Not human,” the operator said after a few seconds. “Behavioral timing too consistent.”

Another analyst nodded.

“Bot.”

The traffic pattern intensified. The bot scanned directories, tested authentication prompts, and attempted to enumerate services running on the decoy environment.

Keren watched quietly for nearly a minute. “Let it explore,” she said.

Ari folded his arms. “What are we learning?”

“TTPs,” the analyst replied without looking away from the screen. “Tool signatures, behavior patterns, scanning logic. We use a bot of our own to learn in real time.”

Another operator zoomed into the outbound traffic pattern.

“Wait.”

Keren stepped closer.

“What is it?”

The operator pointed to a sequence of outbound packets buried inside the stream.

“It’s trying to report back. It’s injecting the request inside what appears to be a request for OS updates.”

“Command and control?”

“Looks like it.”

The team immediately began isolating the packet pattern.

The bot wasn’t just scanning. It was attempting to communicate with an external system, sending compressed telemetry packets toward a remote IP address.

Ari leaned slightly closer. “Can we intercept it?”

The operator tilted his head.

“Maybe.”

Keren’s voice remained calm.

“Reverse engineer the signal if you can.”

That process took some time, but their internal LLM, hooked into several agents deployed in the decoy environment, helped.

The bot’s outbound communication used a simple but slightly obfuscated protocol designed to disguise command traffic as normal network activity. One of the SUW engineers began reconstructing the packet structure after the AI dropped it, while another worked to identify the remote endpoint.

Several minutes passed before one of them spoke again.

“Got it.”

He rotated the monitor so Keren could see.

“Command structure. We can mimic the server response.”

Keren nodded once. “Do it.”

The team began crafting a spoofed response packet, carefully replicating the formatting and timing they believed the bot’s command protocol expected.

A moment later the outbound connection attempt triggered again. This time the SUW system intercepted it. The bot believed it had reached its command server. Instead, it had reached them.

The operator leaned back slightly.

“Well,” he said quietly, “that’s interesting.”

“What?” Ari asked.

“It’s accepting commands.”

Keren allowed herself the faintest smile.

“Good.”

“What do we tell it to do?” the analyst asked.

“Nothing,” she said.

They looked at her.

“For now,” she clarified. “We feed it noise.”

The operator nodded and began injecting harmless responses back through the spoofed channel.

False directory structures. Fake system identifiers. Simulated responses that made the decoy environment look even more valuable than it really was.

The bot accepted everything.

Meanwhile, Ari stepped away from the console. He found Daniel Park at the main SOC station.

“I need a situation report,” Ari said.

Daniel nodded immediately.

“For the board?”

“For the CEO, COO, and Elena.”

Daniel pulled up a reporting interface.

“What level of detail?”

“Clear enough that they understand the risk,” Ari said calmly. “Simple enough that they don’t misunderstand the response.”

Ari opened his own tablet and began organizing the information.

Vendor compromise. External probing. SUW disruption operations active. Containment measures holding.

He wrote the report with the same deliberate clarity he used in every crisis communication. No drama. No speculation. Just facts and controlled assessment.

Ten minutes later he reviewed the document once more.

Then he sent it.

Across the room, one of the SUW analysts suddenly leaned forward.

“Keren.”

She stepped beside him. “What is it?”

He expanded a second telemetry window.

“This traffic isn’t coming from the vendor connection.”

Keren studied the display.

“Where?”

The analyst zoomed in further. Another inbound connection had appeared on the internal network. Not through the vendor gateway; from somewhere else entirely.

Keren’s voice remained quiet.

“Hmmmm,” she said, “that’s unexpected.”

Across the room, Ari’s tablet vibrated again.
