Chapter 5: The Second Door

Ari read the alert once. Then he walked back toward the SUW console.

“Where did it come from?” he asked.

The analyst highlighted the connection path. “Internal entry point. Different vector,” he said.

Ari looked at Daniel.

“How did we miss that?”

The question wasn’t accusatory. It didn’t need to be.

Daniel frowned and began typing commands into his terminal.

“Give me a minute.”

The SOC screens shifted as he began replaying historical telemetry from earlier in the morning. Packet captures scrolled across the display while Daniel traced the path of the connection backward through the network.

Another analyst joined him, scanning authentication logs.

“Found it,” Daniel said after a moment.

He zoomed the screen. The connection had entered through a service endpoint used by a vendor support application installed months earlier.

Keren watched silently.

Ari spoke again. “Why didn’t it trigger detection?”

Daniel hesitated.

“Because… it wasn’t supposed to…”

Ari waited.

Daniel sighed quietly and leaned back in his chair.

“Remember the changes we had to make last quarter for the internal audit review?”

Ari nodded slowly.

“Compliance required adjustments to several monitoring pipelines,” Daniel continued. “Logging thresholds. Alert tuning. Some service channels were temporarily excluded because the audit systems kept flagging them as noise.”

He gestured toward the screen.

“This endpoint was one of them.”

Ari said nothing for several seconds. Then he nodded once.

“So we blinded ourselves.”

Daniel didn’t argue.

“Unintentionally,” he said.

Across the room, the SUW team had already begun analyzing the second connection.

Keren spoke without looking up from the display.

“This one isn’t automated.”

Ari turned toward her. “How can you tell?” he asked.

“Timing.”

She pointed to the telemetry.

“The bot from the vendor network probes continuously. This connection pauses, adjusts, then resumes.”

Ari understood immediately.

“A human operator.”

“Yes.”

One of the SUW analysts rotated his chair toward Ari.

“They might have used the bot as a distraction.”

Keren nodded slightly. “Possible.”

The decoy environment still glowed brightly on the network map while the bot continued interacting with the spoofed command channel. Meanwhile, the second connection moved carefully across a different part of the network.

Slower. More deliberate.

Keren turned toward Ari.

“You wanted a demonstration earlier,” she said.

Ari watched the second connection path form across the display.

“Yes,” he replied.

“Well,” she said calmly, “now you have two.”

One of the SUW operators pushed an empty chair toward Ari.

“Want to help?”

Ari sat down without hesitation.

“Show me what you’re seeing, and put me to work.”

The operator brought up the command interface.

“Attacker is enumerating service accounts and system interfaces. Looking for escalation paths.”

Ari’s fingers moved across the keyboard.

“Let’s give him something to think about.”

Across the room, the SOC and SUW teams worked side by side now.

Detection.

Deception.

Containment.

The network map shifted slowly as the intruder continued moving through the environment, unaware that every step was being watched.

Ari studied the telemetry calmly.

Then he began typing.
