hack3rs.ca network-security
/learning/tools/suricata :: tool-guide-4

defender@hack3rs:~/learning/tools$ open suricata

Suricata

IDS / IPS / detection

Suricata IDS IPS is a high-performance network detection engine that blue teams deploy for signature-based alerting, protocol-aware inspection, and traffic metadata generation. Getting value from it requires tuning discipline, not just rule volume.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

  • $Name the specific question this tool answers — and one question it cannot answer alone.
  • $Run the simplest command in a lab against a host you control; read every field in the output before moving on.
  • $Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
  • $Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
  • $Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

  • $Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
  • $State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
  • $Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
  • $Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
  • $Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

  • $Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
  • $Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
  • $Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
  • $Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
  • $Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

official-links

open docs Official Suricata documentation rules docs Suricata rule syntax and rule management suricata updates Suricata news and release announcements

ethical-use-and-defense-scope

Run Suricata only in networks you are authorized to defend. IDS/IPS tooling inspects traffic content and, in IPS mode, actively affects traffic flow — both require governance and change control from day one.

Align alerting and inspection rules with documented security objectives and privacy constraints. Do not use Suricata to surveil beyond your approved scope or to collect more traffic detail than the security purpose requires.

Test rule changes against lab traffic before pushing to production. A poorly tested IPS rule can take down a service; a poorly tested IDS rule can generate enough alert noise to hide the real detections.

tool-history-origin-and-purpose

  • $When created: Developed under OISF in the late 2000s; project launched around 2009 with first stable Suricata 1.0 released in 2010.
  • $Why it was created: Defenders needed an open engine that could handle IDS, IPS, and network security monitoring use cases with stronger multi-threaded performance and protocol-aware inspection for modern traffic.

The Open Information Security Foundation (OISF) was organized to build a next-generation open-source IDS/IPS engine with community and industry support, including a focus on performance and modern protocol handling.

why-defenders-still-use-it

People use Suricata because it combines detection, protocol parsing, and traffic inspection in one engine for IDS/IPS/NSM workflows. It is widely used for real-time monitoring, PCAP replay analysis, and signature-driven detection with operational telemetry.

How the tool evolved
  • +Started as a community-backed effort to advance open-source IDS/IPS capabilities.
  • +Expanded into a mature detection and network telemetry engine used in sensors, appliances, and platforms.
  • +Continues to evolve with protocol support, performance improvements, and detection ecosystem tooling.

when-this-tool-is-a-good-fit

  • +Frontline network intrusion detection on internet-facing paths and internal chokepoints.
  • +Protocol-aware alerting for suspicious HTTP requests, DNS patterns, and known malware C2 behavior.
  • +Selective IPS enforcement on specific traffic segments after tuning achieves acceptable false positive rates.
  • +eve.json metadata output for SIEM enrichment, alert correlation, and analyst triage workflows.

when-to-use-another-tool-or-source

  • !When you need host process/user context, pair with endpoint or OS logs.
  • !When you need ownership and business impact, pair with CMDB/ticketing/asset context.
  • !When the tool output is ambiguous, validate using a second evidence source before concluding.
  • !When production risk is high, test in a lab first and use change coordination.

1. What Suricata Does in a Defensive Stack

Suricata inspects network traffic and generates alerts based on signatures, protocol logic, and detection rules. Depending on deployment mode, it operates as a passive IDS, an active IPS, or a traffic metadata producer — and in practice, many teams use all three roles in different network segments.

For blue teams, Suricata is often the frontline detection engine on critical network paths. A well-tuned deployment catches known exploit patterns, command-and-control traffic, policy violations, and protocol anomalies without requiring every one to be a packet analyst.

The value is not just in the alerts. Suricata writes rich metadata to eve.json — flow records, HTTP transactions, DNS queries, TLS details, and file hashes alongside alert context. That metadata supports SIEM correlation and triage even for events that did not fire a signature.

2. IDS vs IPS: Operational Tradeoffs

In IDS mode, Suricata observes and alerts without touching traffic. This is the right starting point — it lets teams measure alert quality, tune rules, and understand performance impact before making the engine a traffic enforcer.

In IPS mode, Suricata drops or rejects traffic based on detection logic. False positives now have operational consequences: a wrong rule blocks a legitimate service. Rule quality, change control, and rollback planning matter much more in IPS mode.

Most mature teams start in IDS mode, tune until they trust a specific ruleset, and move selective traffic flows to IPS only where they have high confidence. Jumping to IPS on day one is a common way to cause an outage.

3. Rule Quality, Tuning, and Alert Hygiene

Enabling every rule in a large ruleset without tuning produces alert fatigue fast. The right approach is to align rules with the protocols and services that actually run in your environment, then tune aggressively for the first few weeks until the noise floor is manageable.

Tuning is not a one-time task. Review the top-firing signatures regularly. Understand why each fires, then decide whether to suppress with a narrow condition, scope to specific assets, enrich with context, or disable with a documented rationale. Blanket suppression without understanding is how you hide real detections.

Alert quality improves when Suricata output is correlated with asset inventory and role context. The same signature firing on a lab host during a scheduled test window is a different conversation than that signature firing on a production identity service at 2 a.m.

4. Protocol Awareness and Inspection Context

Suricata is more than string matching on raw packets. Its protocol parsers understand HTTP methods, DNS record types, TLS handshake structure, SMB commands, and other application-layer semantics. Rules that use protocol keywords are more precise and less noisy than content matches on raw bytes.

Learn which protocols Suricata parses in your environment and what fields it extracts. When an alert fires, that knowledge lets you explain what the rule detected — not just its name — and whether the detection makes sense for the traffic context.

Encrypted traffic limits payload visibility, but Suricata still reports TLS handshake metadata, flow behavior, and protocol-level anomalies. Those signals support detections even when you cannot see what is inside the encrypted session.

5. Performance, Placement, and Reliability

A Suricata sensor on a congested mirror port or an under-provisioned host drops packets silently. Packet loss means missed detections with no error messages to tell you it happened. Monitor sensor statistics — packets dropped, capture percentage, threads — as a normal operational task.

Choose deployment points based on what traffic matters most: internet edge, data center boundaries, VPN aggregation, or critical internal segments. Not every segment needs the same inspection depth, but critical paths need deliberate coverage decisions — not gaps that exist because nobody planned for them.

Baseline CPU, memory, and throughput before major ruleset changes. Rule updates that double the number of active signatures can change performance significantly, especially on high-traffic sensors.

6. Suricata in Analyst Workflows

Treat a Suricata alert as the start of an investigation, not the end. Validate with eve.json metadata, Zeek logs if available, firewall records, and endpoint telemetry before assigning severity or containment actions. Signature name alone is not enough.

Build a triage workflow with explicit steps: alert review, context enrichment, evidence collection, disposition decision, and tuning feedback. Without the feedback loop, noisy alerts accumulate and real detections get lost.

Write playbooks for your most common alert families — web attacks, DNS anomalies, C2 patterns, scanner traffic, policy violations. Analysts who know the expected steps for each family work faster and make fewer errors under pressure.

7. Learning and Maintaining Suricata Skills

Start by learning to read eve.json before you write any rules. Understand the event_type field, connect alert events to flow events using the flow_id, and read the protocol-specific metadata alongside each alert.

Study rule syntax with a focus on the keywords that actually matter: content, flow, protocol, detection_filter, and thresholding. Writing a rule is much easier once you can explain in plain language what behavior the rule is supposed to detect.

Build a change process: test rules against lab traffic, document what changed and why, review top alerts weekly, and revisit tuning decisions after incidents. Sustainable Suricata operations come from repeatable process, not from loading every rule available.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. Frontline network intrusion detection on internet-facing paths and internal chokepoints.

Suggested starting block: Config Validation And Service Checks

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

2. Protocol-aware alerting for suspicious HTTP requests, DNS patterns, and known malware C2 behavior.

Suggested starting block: PCAP Replay And Alert Review

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

3. Selective IPS enforcement on specific traffic segments after tuning achieves acceptable false positive rates.

Suggested starting block: Rule / Output Hygiene

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

4. eve.json metadata output for SIEM enrichment, alert correlation, and analyst triage workflows.

Suggested starting block: Config Validation And Service Checks

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Config Validation And Service Checks

Beginner
Command
sudo suricata -T -c /etc/suricata/suricata.yaml
Example Output
Info: Configuration provided was successfully loaded.
Info: rule files processed successfully.

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

PCAP Replay And Alert Review

Intermediate
Command
sudo suricata -r sample.pcap -c /etc/suricata/suricata.yaml -l ./suricata-out
Example Output
17/3/2026 -- 10:00:00 - <Notice> - This is Suricata version 7.0.3 RELEASE running in USER mode
17/3/2026 -- 10:00:00 - <Notice> - reading pcap file sample.pcap
17/3/2026 -- 10:00:01 - <Notice> - pcap file read complete
Alerts logged: 3  (see /var/log/suricata/fast.log)

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Rule / Output Hygiene

Advanced
Command
grep -R "sid:" /etc/suricata/rules | wc -l
Example Output
/etc/suricata/rules/emerging-scan.rules:alert tcp any any -> any 22 (msg:"ET SCAN Potential SSH Scan"; sid:2001219; rev:5;)
/etc/suricata/rules/emerging-web.rules:alert http any any -> any any (msg:"ET WEB_SERVER SQL Injection Attempt"; sid:2006445; rev:8;)

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Config Validation And Service Checks

Beginner
Command
sudo suricata -T -c /etc/suricata/suricata.yaml
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: suricata -T -c /etc/suricata/suricata.yaml
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
Info: Configuration provided was successfully loaded.
Info: rule files processed successfully.

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Config Validation And Service Checks

Beginner
Command
sudo systemctl status suricata
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: systemctl status suricata
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Medium-High: may affect services/platform state depending on command and environment.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
● suricata.service - LSB: Next Generation IDS/IPS
   Loaded: loaded (/etc/init.d/suricata)
   Active: active (running) since Mon 2026-03-17 10:00:00 UTC; 1h ago
  Process: 1234 ExecStart=/etc/init.d/suricata start
 Main PID: 1235 (Suricata-Main)
   Status: "Running as IDS mode"

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Config Validation And Service Checks

Beginner
Command
sudo journalctl -u suricata -n 100 --no-pager
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: journalctl -u suricata -n 100
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
Mar 17 10:00:01 lab-host Suricata[1235]: <Notice> - This is Suricata version 7.0.3
Mar 17 10:00:02 lab-host Suricata[1235]: <Notice> - all 4 packet processing threads, 4 management threads initialized
Mar 17 10:00:03 lab-host Suricata[1235]: <Notice> - Signal Received. Stopping Suricata...

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

PCAP Replay And Alert Review

Intermediate
Command
sudo suricata -r sample.pcap -c /etc/suricata/suricata.yaml -l ./suricata-out
Command Anatomy
  • $Base command: sudo
  • $Primary arguments/options: suricata -r sample.pcap -c /etc/suricata/suricata.yaml
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Low in lab replay mode; use sample PCAPs where possible.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
17/3/2026 -- 10:00:00 - <Notice> - This is Suricata version 7.0.3 RELEASE running in USER mode
17/3/2026 -- 10:00:00 - <Notice> - reading pcap file sample.pcap
17/3/2026 -- 10:00:01 - <Notice> - pcap file read complete
Alerts logged: 3  (see /var/log/suricata/fast.log)

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

PCAP Replay And Alert Review

Intermediate
Command
jq '.event_type' suricata-out/eve.json | sort | uniq -c
Command Anatomy
  • $Base command: jq
  • $Primary arguments/options: '.event_type' suricata-out/eve.json | sort |
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
     12 "alert"
      8 "dns"
      6 "flow"
      3 "http"
      1 "stats"

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

PCAP Replay And Alert Review

Intermediate
Command
jq '. | select(.event_type=="alert") | {timestamp, src_ip, dest_ip, alert: .alert.signature}' suricata-out/eve.json
Command Anatomy
  • $Base command: jq
  • $Primary arguments/options: '. | select(.event_type=="alert") | {timestamp,
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
     12 "alert"
      8 "dns"
      6 "flow"
      3 "http"
      1 "stats"

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule / Output Hygiene

Advanced
Command
grep -R "sid:" /etc/suricata/rules | wc -l
Command Anatomy
  • $Base command: grep
  • $Primary arguments/options: -R "sid:" /etc/suricata/rules | wc
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes 
/etc/suricata/rules/emerging-scan.rules:alert tcp any any -> any 22 (msg:"ET SCAN Potential SSH Scan"; sid:2001219; rev:5;)
/etc/suricata/rules/emerging-web.rules:alert http any any -> any any (msg:"ET WEB_SERVER SQL Injection Attempt"; sid:2006445; rev:8;)

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule / Output Hygiene

Advanced
Command
grep -R "classtype" /etc/suricata/rules | head
Command Anatomy
  • $Base command: grep
  • $Primary arguments/options: -R "classtype" /etc/suricata/rules | head
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes 
/etc/suricata/rules/emerging-scan.rules:alert tcp any any -> any any (classtype:attempted-recon; sid:2001219; rev:5;)
/etc/suricata/rules/emerging-exploit.rules:alert tcp any any -> any any (classtype:attempted-admin; sid:2009700; rev:6;)

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rule / Output Hygiene

Advanced
Command
jq '. | select(.event_type=="stats")' /var/log/suricata/eve.json | tail -1
Command Anatomy
  • $Base command: jq
  • $Primary arguments/options: '. | select(.event_type=="stats")' /var/log/suricata/eve.json |
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Validate detection engine config or inspect traffic/alerts.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes 
     12 "alert"
      8 "dns"
      6 "flow"
      3 "http"
      1 "stats"

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Config Validation And Service Checks

sudo suricata -T -c /etc/suricata/suricata.yaml
sudo systemctl status suricata
sudo journalctl -u suricata -n 100 --no-pager

PCAP Replay And Alert Review

sudo suricata -r sample.pcap -c /etc/suricata/suricata.yaml -l ./suricata-out
jq '.event_type' suricata-out/eve.json | sort | uniq -c
jq '. | select(.event_type=="alert") | {timestamp, src_ip, dest_ip, alert: .alert.signature}' suricata-out/eve.json

Rule / Output Hygiene

grep -R "sid:" /etc/suricata/rules | wc -l
grep -R "classtype" /etc/suricata/rules | head
jq '. | select(.event_type=="stats")' /var/log/suricata/eve.json | tail -1

defensive-use-cases

  • $Frontline network intrusion detection on internet-facing paths and internal chokepoints.
  • $Protocol-aware alerting for suspicious HTTP requests, DNS patterns, and known malware C2 behavior.
  • $Selective IPS enforcement on specific traffic segments after tuning achieves acceptable false positive rates.
  • $eve.json metadata output for SIEM enrichment, alert correlation, and analyst triage workflows.

common-mistakes

  • $Enabling large rulesets without tuning and generating alert volume that buries real detections.
  • $Deploying IPS mode before building tuning maturity and change control processes.
  • $Ignoring dropped packet statistics until an incident reveals that coverage was missing.
  • $Treating high alert count as a sign of security value instead of a sign of poor tuning.

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

  • $Pick the least disruptive command that can still answer the question — then run that one first.
  • $Before you look at output, write one sentence stating what you expect to see.
  • $Mark each output field as 'observed' or 'inferred by tool' before acting on it.
  • $Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
  • $During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
  • $When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

  • ?What question is this tool best suited to answer first?
  • ?What permissions or scope approvals are needed before using it?
  • ?Which second evidence source should you pair with it for higher confidence?
  • ?What does normal output look like for your environment?

teaching-answer-guide

Show teaching hints
  • #Start from the tool’s role and the scenario you are investigating.
  • #Never rely on one tool alone for high-confidence incident decisions.
  • #Document normal output patterns during calm periods so anomalies are easier to spot.
  • #Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Validate a Suricata config, then review the full structure of one eve.json alert event.
# Replay a pcap with known exploit traffic and trace the alert back through flow context and packet evidence.
# Identify the three noisiest rules in a lab deployment and tune each with a documented rationale.
# Write a one-page alert triage workflow your team could run consistently during an incident.

related-learning-modules

Study the core concepts and workflows behind this tool so your usage stays evidence-driven and repeatable.

open /learning/network-security-monitoring-zeek-suricata Network Security Monitoring with Zeek and Suricata open /learning/alert-triage-false-positives-detection-tuning Alert Triage, False Positives, and Detection Tuning

related-threat-workflows

See where this tool fits into threat-specific detection, triage, and remediation workflows.

open /threats/lateral-movement-after-initial-access Lateral movement after initial access open /threats/vulnerability-exploitation-and-misconfiguration-abuse Vulnerability exploitation and misconfiguration abuse

related-tools-in-this-path

Continue within the same guided track. These tools are commonly studied next in the path(s) this page belongs to.

<- previous tool Zeek -> next tool Security Onion