DIY Guide — Volume 1
How to Detect Threats Manually
A practical guide for the Exabot Detect-free SOC. Estimated time: 4–6 hours per detection. Exabot Detect's time: 11ms. But who's counting.
Open 47 browser tabs.
You'll need your SIEM, your firewall logs, your EDR console, your cloud logs, a threat intel feed, two Stack Overflow tabs, and something playing lo-fi hip-hop. This is non-negotiable.
Pick a timeframe. Any timeframe.
Last 24 hours is traditional. Last 7 days is ambitious. Last 15 minutes is what Exabot Detect would have already processed three times over. Aim for 24 hours and see how that goes.
Stare at the logs until something looks weird.
You're looking for anomalies: unusual login times, lateral movement, unexpected outbound connections, authentication from IP addresses in countries you don't operate in. These are all things that are obvious in retrospect.
Google "is this an IOC."
Copy the IP, hash, or domain into your search bar. Add "malicious" after it. If the first three results are threat intel platforms, it is probably an IOC. If the first result is a Reddit thread from 2019 asking the same question, it is definitely an IOC.
It probably is.
Whatever you're looking at — the weird 3am login, the base64-encoded PowerShell, the 40GB leaving through port 443 at 2am — it probably is what you think it is. Trust the feeling. Exabot Detect would have flagged this 11 milliseconds after ingestion.
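The heuristics named above (off-hours logins, authentication from countries you don't operate in, encoded PowerShell, bulk egress over 443), run over a few constructed log events, as an added example that is neither Exabot Detect's code nor part of the original guide; the event fields, thresholds and country set are assumptions:

```python
import re
from datetime import datetime

# Constructed sample events (not real data), one dict per normalised log line.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T03:02:11", "type": "auth", "user": "jdoe", "src_country": "US", "result": "success"},
    {"ts": "2024-05-01T14:10:00", "type": "auth", "user": "asmith", "src_country": "BR", "result": "success"},
    {"ts": "2024-05-01T02:15:40", "type": "netflow", "host": "ws-17", "dst_port": 443, "bytes_out": 40 * 1024**3},
    # Constructed blob: UTF-16LE "AAAAAAAAAAAAAAAA", base64-encoded.
    {"ts": "2024-05-01T11:00:05", "type": "process", "host": "ws-22",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBBQQBBQQBBQQBBQQBBQQBBQQBBQQBBQQBBQQBBQQA="},
    {"ts": "2024-05-01T10:30:00", "type": "auth", "user": "jdoe", "src_country": "US", "result": "success"},
]

OPERATING_COUNTRIES = {"US", "CA"}        # assumed: where the org actually has users
BUSINESS_HOURS = range(7, 20)             # assumed: 07:00-19:59 local is "normal"
BULK_EGRESS_BYTES = 10 * 1024**3          # assumed: 10 GiB on one flow is worth a look
# PowerShell's -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

def triage(events):
    """Return (event_index, reason) pairs for events matching the manual heuristics."""
    findings = []
    for i, ev in enumerate(events):
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["type"] == "auth" and ev.get("result") == "success":
            if hour not in BUSINESS_HOURS:
                findings.append((i, f"off-hours login by {ev['user']} at {hour:02d}:00"))
            if ev["src_country"] not in OPERATING_COUNTRIES:
                findings.append((i, f"login by {ev['user']} from {ev['src_country']}"))
        elif ev["type"] == "netflow" and ev["dst_port"] == 443 and ev["bytes_out"] >= BULK_EGRESS_BYTES:
            findings.append((i, f"{ev['bytes_out'] >> 30} GiB egress from {ev['host']} over 443"))
        elif ev["type"] == "process" and ENCODED_PS.search(ev["cmdline"]):
            findings.append((i, f"encoded PowerShell launched on {ev['host']}"))
    return findings

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Each rule is a single threshold or pattern, which is exactly why the manual version needs a human to decide whether the 3am login was the on-call engineer or not.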
Close all 47 tabs.
Your computer is slowing down and you've lost track of which tab had the relevant log. Close everything. Take a breath. Make a note in Notepad.
Reopen the tabs. Repeat.
The breach is still happening. The tabs are necessary. You knew this.
Alternatively, you could just... not do this manually.