Ask-a-Thrunt3r: April 2026 — Signal vs Myth 🐏

Ask-a-Thrunt3r: April 2026 — Signal vs Myth 🐏

📝 Episode Summary Mythos pulled us out of sabbatical. After a few months heads-down on conferences, work, and shipping, the THOR Collective is back with a special episode dedicated to cutting through the Mythos hype cycle. Lauren and Sydney are joined by Trent Lo (aka Surbo), Principal Security Researcher at Marsh and longtime adversary-in-chief from the CenturyLink days. Trent lives on both sides of the fence — offense and defense — which makes him exactly the right person to help us answer the question the whole industry has been screaming about since Anthropic’s announcement: is this real, or is this marketing? The crew walks through what Mythos and Glasswing actually were (versus the cyber-nuclear-war headlines), where AI genuinely changes the game for attackers, and where defenders still hold the line. The throughline: behaviors still win. AI changes tempo, not fundamentals. There is still a human pointing the tool, and that intent — not the model — is what matters. Trent’s take is measured, grounded, and refreshingly free of doom: nation-states already have this capability and have for a while, the have-and-have-nots gap is going to widen, and the smartest move right now is to get your patching program in order before the wave of AI-found vulnerabilities crests. Sydney walks through three new HEARTH features — What Can I Hunt, the Coverage Map, and the Context Graph — and recaps ATHF for anyone who missed her SANS AI Summit talk. Lauren teases her Vercel/Context.ai infostealer-to-SaaS hunt guide. Then the conversation pivots to defense at machine scale: how the well-resourced orgs should be thinking, what the under-resourced shops can actually do with Gemma 4 running locally and Copilot bundled in their E5 license, and why vulnerability programs are about to become the most important muscle on the team. We close with a Myth or Signal rapid round (AI SOC replacing analysts? threat hunting copilots? baselining? autonomous pentest? AI-generated malware?) and conference plans for the rest of the year. ⏱️ Episode Breakdown * 00:23 – Intro and welcome back from sabbatical * 02:06 – Guest intro: Trent Lo (Surbo), Principal Security Researcher at Marsh * 04:24 – THOR updates: new HEARTH features and ATHF recap * 07:41 – April Dispatch posts: Vercel infostealer-to-SaaS hunt + Mythos Won’t Kill Threat Hunting * 10:17 – What Mythos and Glasswing actually were vs. the marketing hype * 15:37 – Where humans still win: judgment, intent, and what “agentic” really means * 21:43 – What actually worries us about Mythos (hint: it’s the keyboard, not the model) * 25:14 – Defense in the open and the widening have-and-have-nots gap * 27:52 – Closed source vs. open source post-Mythos, and the CVE explosion problem * 34:25 – How defenders can actually use AI: imposter syndrome, IR, and machine-scale hunting * 39:56 – Defense at machine scale: resourced vs. under-resourced playbooks * 46:46 – What a two-person team should prioritize (spoiler: patch your shit) * 51:13 – ⚡ Myth or Signal rapid round * 53:41 – Plugs, conferences, and Allbirds becoming an AI company * 56:32 – Happy thrunting 🎤 Hosts & Guest Lauren Proehl (Host) — Manager of the group, cautious optimist, and the person who still has receipts on Trent from CenturyLink days. Sydney Marrone (Host) — Now officially a manager (welcome to the dark side). Built ATHF, shipped three new HEARTH features this cycle, and is the reason 90% of you have a starting point for agentic threat hunting. Trent Lo / Surbo (Guest) — Principal Security Researcher at Marsh. Self-described professional hand grenade thrower who also jumps on the grenades. * LinkedIn: trentlo [https://www.linkedin.com/in/trentlo/] * X: @surbo [https://x.com/surbo] 🔗 Resources & Mentions April Dispatch Posts * Mythos Won’t Kill Threat Hunting. It’ll Prove We Were Right. [https://dispatch.thorcollective.com/p/mythos-wont-kill-threat-hunting] by Lauren Proehl & Sydney Marrone — the editorial thesis driving this episode * Hunting the Infostealer-to-SaaS Pipeline [https://dispatch.thorcollective.com/p/hunting-the-infostealer-to-saas-pipeline] by Lauren Proehl — practitioner hunt guide on OAuth abuse and lateral movement via over-permissioned SaaS apps, using the Vercel/Context.ai breach as a case study Mythos & Glasswing — Primary Sources * Claude Mythos Preview [https://red.anthropic.com/2026/mythos-preview/] — Anthropic’s technical writeup of the model’s vulnerability discovery capabilities * Project Glasswing [https://www.anthropic.com/project/glasswing] — the coordinated disclosure consortium (AWS, Cisco, Google, and others) * Bruce Schneier: On Mythos Preview and Project Glasswing [https://www.schneier.com/blog/archives/2026/04/on-anthropics-mythos-preview-and-project-glasswing.html] — a healthy counterweight to the breathless coverage THOR Collective Tools & Frameworks * HEARTH [https://hearth.thorcollective.com/] — the community hypothesis library. Three new features: What Can I Hunt (pick your data sources, get matched hypotheses), Coverage Map (HEARTH hypotheses linked to MITRE ATT&CK), and Context Graph (adds threat actors and campaigns to the coverage map to surface gaps). Source on GitHub [https://github.com/THORCollective/HEARTH]. * ATHF (Agentic Threat Hunting Framework) [https://github.com/Nebulock-Inc/agentic-threat-hunting-framework] — Sydney’s open-source framework. Maturity model from manual to multi-agent, LOCK pattern, MCP server, AI assistant. Drop it into Cursor or Claude Code. Watch Sydney’s SANS AI Summit talk [https://www.sans.org/cyber-security-training-events/ai-summit-2026]“Designing AI-Assisted Threat Hunting That Remembers” [https://www.sans.org/cyber-security-training-events/ai-summit-2026] for the walkthrough. Other Mentions * AISLE [https://aisle.com/] — the autonomous vulnerability research team that found 12 of 12 OpenSSL CVEs [https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities] in January (covered in our January episode), and 5 of 7 in the April release [https://aisle.com/blog/aisle-uncovered-5-of-7-openssl-vulnerabilities-in-the-april-2026-release]. Their post-Mythos analysis, AI Cybersecurity After Mythos: The Jagged Frontier [https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier], is directly relevant to Trent’s point about another company quietly doing this work for less money. Give credit for what AISLE actually did without conflating it with Mythos. * Gemma 4 [https://deepmind.google/models/gemma/gemma-4/] — Google’s most capable open model, released April 2 under Apache 2.0 [https://blog.google/innovation-and-ai/technology/developers-tools/gemma-4/]. Lauren is running it locally. Trent’s tip: jumpstart prompts here before burning real API tokens. * Allbirds → NewBird AI [https://techcrunch.com/2026/04/15/after-sale-of-its-shoe-business-allbirds-pivots-to-ai/] — yes, the shoe company. Sold its footwear assets for $39M and pivoted to GPU-as-a-Service. We’re as confused as you are. 📢 Call to Action * Read the April Mythos post — and pass it to anyone in your org panicking about cyber-nuclear war * Check out the new HEARTH features at hearth.thorcollective.com [https://hearth.thorcollective.com/] — start with What Can I Hunt * Fork ATHF on GitHub [https://github.com/Nebulock-Inc/agentic-threat-hunting-framework] — start at Level 1 (one hunt in LOCK format) and grow from there * Fix your patching program — the most boring, most important investment you’ll make this year * Run Gemma 4 locally [https://deepmind.google/models/gemma/gemma-4/] — get your reps in before you burn real API tokens * Catch us on the conference circuit: * Lauren at the CrowdTour in New York * Trent at NCFTA Pittsburgh and Zenith * Antisyphon Threat Hunting Summit [https://www.antisyphontraining.com/event/threat-hunting-summit/] — virtual and free, June 17, 2026 * Sydney: Avoiding Hunt Amnesia: Building a Memory Your AI Can Use [https://www.antisyphontraining.com/event/threat-hunting-summit-talk-avoiding-hunt-amnesia-building-a-memory-your-ai-can-use/] — 12:00 PM ET * Lauren: Fast-track Reports into Ready-Made Hypotheses with AI [https://www.antisyphontraining.com/event/threat-hunting-summit-talk-fast-track-reports-into-ready-made-hypotheses-with-ai/] — 3:00 PM ET * Everyone at Black Hat and DEF CON * Write for THOR Collective — first-time publishers, up-and-coming voices, builders with something to share: come find us 📬 Connect with THOR Collective 🗣️ Social Media * Twitter/X: @THOR_Collective [https://x.com/THOR_Collective] * LinkedIn: THOR Collective [https://www.linkedin.com/company/thorcollective] * BlueSky: @thorcollective [https://bsky.app/profile/thorcollective.bsky.social] 📧 Contact Reach out through any social channel for guest post opportunities, collaborations, or to tell us what you’re building. Get full access to THOR Collective Dispatch at dispatch.thorcollective.com/subscribe [https://dispatch.thorcollective.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Ask-a-Thrunt3r: January 2026 - Season 2 Premiere 🐏

Ask-a-Thrunt3r: January 2026 - Season 2 Premiere 🐏 📝 Episode Summary New year, same crew — and we’re building. The THOR Collective kicks off 2026 (Season 2!) with a deep dive into why this is the year security practitioners stop waiting on vendors and start building their own solutions. Lauren, Sydney, and John walk through the trio of Dispatch posts that kicked off the year — a manifesto series on building in security — and why the “I’m not technical enough” excuse doesn’t hold up anymore in the age of AI-assisted development. From there, the hosts get into the real talk: what’s actually trending in security right now (spoiler: social engineering isn’t going anywhere, and the agentic attack surface is the new frontier), what’s overhyped (looking at you, “AI SOC that replaces all your analysts”), and what each of them is personally investing in this year. Sydney’s going deep on LLM evaluations and automated baselining. Lauren’s leveling up her rapid development and project scaffolding skills. John’s bouncing adversarial emulation ideas off AI — when it’ll let him. The episode wraps with a lightning round covering certs vs. hands-on work, writing detections vs. hunting, specializing vs. staying broad, and prompt engineering vs. YOLOing it. Plus: conference announcements (CactusCon, WiCYS, BSides SF, RSA, DEF CON), puzzle swaps, PAI voice scaring partners, and Lauren’s Odyssey-inspired take on AI as Athena; a helper on your journey, not a replacement for the hero. ⏱️ Episode Breakdown * 00:01 – Intro and welcome to Season 2 * 03:20 – January Dispatch Highlights: “2026, The Year Builders Show Up” by Lauren & Sydney * 09:22 – “Why You Should Build” by Lauren – breaking the psychological barrier * 13:00 – “Why You Don’t Need a Desk to Build” by Sydney – shipping code from anywhere * 16:32 – What are we trying to solve? The mission behind the builder series * 18:40 – Staying current on AI: AI Daily Brief, Prompt GTFO, and community resources * 20:45 – What’s trending: social engineering, browser extensions, OpenClaw/MoltBot, agentic attack surfaces * 24:57 – AI finding vulnerabilities: OpenSSL discoveries and the CVE explosion * 27:45 – What’s overhyped: the “AI SOC” replacing analysts narrative * 30:00 – Risk tolerance and the human-in-the-loop debate * 34:25 – What we’re investing in: LLM evaluations, automated baselining, rapid development, adversarial emulation * 39:20 – What we’re ignoring: personal balance, saying no, giving up on red teaming * 41:27 – Hot take: ignoring prompt engineering (and the Wispr Flow revolution) * 43:00 – PAI voice scares * 46:04 – Lightning Round: Certs vs. hands-on, detections vs. hunting, specialize vs. stay broad, prompt engineering vs. YOLO * 53:00 – Conference circuit and closing: CactusCon, WiCYS, BSides SF, RSA, DEF CON, SecKC 🎤 Hosts Lauren Proehl (Host) – Manager of the group, chronic overcommitter, manifesto writer, and self-described “cautious optimist.” Sydney Marrone (Host) – Threat hunter turned builder. Shipping code from her phone, couch, bed, and probably CactusCon’s after party. Investing in LLM evaluations and automated baselining this year. John Grageda (Host) – Red teamer who uses AI for adversarial emulation and engagement planning, but notes the models still refuse to build offensive tooling (”nice try, buddy”). 🔗 Resources & Mentions January 2026 Dispatch Posts * 2026: The Year Builders Show Up [https://dispatch.thorcollective.com/p/2026-the-year-builders-show-up] by Lauren Proehl & Sydney Marrone * Why You Should Build [https://dispatch.thorcollective.com/p/why-you-should-build] by Lauren Proehl * You Don’t Need a Desk to Build [https://dispatch.thorcollective.com/p/you-dont-need-a-desk-to-build] by Sydney Marrone Tools & Resources Mentioned * Claude Code – AI coding assistant used by the hosts for building security tools and personal projects * PAI (Personal AI) [https://danielmiessler.com/] by Daniel Miessler – personal AI assistant with voice capabilities * Wispr Flow [https://wisprflow.ai/] – voice-to-text tool for talking at your AI instead of prompt engineering * Detect FYI [https://detect.fyi/] – article by Alex Teixeira on automated baseline detections (30-day baseline + hourly deviation checks) * AI Daily Brief [https://aidailybrief.ai/] – recommended podcast for staying current on AI news * Prompt GTFO [https://www.youtube.com/@PromptorGTFO] – community resource on cybersecurity and AI * OpenClaw [https://github.com/openclaw/openclaw] / ClawBot / MoltBot – AI agents and social networks that had the hosts questioning reality Vulnerability Research & Bug Bounty * AISLE Discovers 12 OpenSSL Vulnerabilities (Jan 2026) [https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities] – AI-powered autonomous analyzer found all 12 CVEs in the January 2026 coordinated release, some dating back to 1998 * The End of the curl Bug-Bounty (Daniel Stenberg) [https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/] – curl ended its HackerOne bug bounty program January 31, 2026 due to flood of AI-generated slop reports * Google: Building AI Agents for Cybersecurity and Defense [https://cloud.google.com/transform/how-google-does-it-building-ai-agents-cybersecurity-defense/] – Google’s approach to agentic defense and building security agents * Slack Engineering: Streamlining Security Investigations with Agents [https://slack.engineering/streamlining-security-investigations-with-agents/] – Slack’s approach to agentic SOC defense using AI agent personas (Director, domain experts, Critic) that break investigations into phases Key Concepts Discussed * AI as Augmentation, Not Replacement – Lauren’s Athena analogy from The Odyssey: AI is a helper on your odyssey, not a replacement for the hero * The Builder Mindset – scripts, queries, playbooks all count as building; you don’t need permission from the developer gods * Return of Generalism – AI raising the floor for lower-level analysts, enabling dynamic workforce reallocation * Agent Manager Future – the theory that everyone becomes a manager of teams of AI agents * Trust but Verify – applies to both AI and humans; both make mistakes * The Boot Camp Loop – AI helps break the cycle of training without applying * Automated Baselining – 30-day baseline detection + hourly checks against deviations (Detect FYI approach) * Agentic Attack Surface – the unknown frontier of securing AI agents and agentic workflows Trends Discussed * Social engineering and phishing – still trending, now AI-enhanced * Browser extensions – emerging attack vector * OpenClaw/MoltBot ecosystem – AI agents with their own social networks * AI vulnerability discovery – 12 OpenSSL vulnerabilities found by AI, some allegedly decades old * CVE reports up ~39-40% last year * Google’s agentic defense approach – breaking prompts into investigation phases * Prompt injection – social engineering AI agents and models * Curl leaving HackerOne due to AI-generated bug bounty report influx 📢 Call to Action * Read the January builder series on Dispatch – and start your own building journey; even a script that saves you a few minutes counts * Try building something you’ll actually use – throw it on GitHub, start small, keep building * Check out the AI Daily Brief podcast and Prompt GTFO – for staying current on AI and security * Get Wispr Flow – if you struggle with prompt engineering, just talk at your AI * Explore automated baselining – use the Detect FYI approach (30-day baseline + hourly deviation checks) * Come find us at CactusCon – February 2026, THOR Collective is sponsoring the after party; swag will be available * Write for THOR Collective – always looking for new voices, up-and-coming voices, and first-time publishers; reach out on socials 📬 Connect with THOR Collective 🗣️ Social Media: * Twitter/X: @THOR_Collective [https://x.com/THOR_Collective] * LinkedIn: THOR Collective [https://www.linkedin.com/company/thorcollective] * BlueSky: @thorcollective [https://bsky.app/profile/thorcollective.bsky.social] 📧 Contact: Reach out through any social channel for guest post opportunities, collaborations, or to share what you’re building in 2026 Get full access to THOR Collective Dispatch at dispatch.thorcollective.com/subscribe [https://dispatch.thorcollective.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Ask-a-Thrunt3r: December 2025 - DEcember 🐏

Ask-a-Thrunt3r: December 2025 - DEcember 🐏 📝 Episode Summary Welcome back from the holiday break! The THOR Collective returns with a cozy end-of-year reflection meets practitioner reality check, featuring special guest Alex Hurtado, content creator extraordinaire and voice behind Detection Engineering Dispatch. This December edition tackles the often-overlooked but crucial relationship between threat hunting and detection engineering – what Alex calls “the real people that actually just keep shit working.” Alex brings unique insights from her journey from SIEM analyst at ABC during the Rachel Bachelorette era (yes, monitoring for commercial interruptions during primetime TV) to becoming one of the voices in detection engineering content. The conversation dives deep into why detection engineering finally emerged as a distinct discipline, how vendor black-boxing forces teams to rebuild EDR rules in their SIEM, and why treating detections like production code with proper CICD pipelines is non-negotiable. From debating whether to ship detections in “warn mode” to discussing the nuclear option of deleting 50% of your detections tomorrow, this episode delivers unfiltered insights on building sustainable detection programs. Plus, Alex shares her Chicago neighborhood-to-SIEM comparison framework, the team debates worst detections as holiday decorations, and everyone agrees: quarterly detection reviews are a must, but alert volume as a KPI needs to go. ⏱️ Episode Breakdown * 01:32 – Introductions * 03:00 – Alex’s journey: From ABC SIEM analyst to Detection Engineering thought leader * 06:02 – The gatekeeping problem in detection engineering * 10:26 – Icebreaker: Worst detection as a holiday decoration * 13:36 – Deep dive: What is detection engineering really? * 16:15 – Detection engineers beyond the SIEM * 18:01 – The problem with black-box EDR vendors * 20:35 – Hunting to Detection Engineering handoffs * 24:30 – Chaining behaviors vs. static indicators * 36:44 – Detection Engineering as Development (CICD, versioning, documentation) * 42:40 – Metrics that matter: Confusion matrices vs. alert volume * 47:30 – The nuclear option: Cutting 50% of detections * 49:30 – AI’s impact on detection engineering * 52:15 – Ship it or Scrap it rapid-fire * 55:06 – Must-reads and resources * 57:21 – 2025 wrap-up and 2026 preview 🎤 Hosts & Guest Lauren Proehl (Host) – Manager of the group whose worst detection is a creepy 85-year-old nutcracker from grandma that should’ve been recycled (like Log4J scanning alerts still firing). Sydney Marrone (Host) – Head of thrunting and threat hunting whose worst detection is a snow globe - stable until you make one edit and everything goes crazy with alerts. John Grageda (Host) – Red teamer who compares his worst detection to a Christmas tree with all lights constantly rotating in chaos, reminiscent of untuned Sourcefire IDS. Alex Hurtado [https://www.linkedin.com/in/hurtadoalexandra/] (Special Guest) – Content creator, host of Detection Engineering Dispatch, and voice behind the State of Detection Engineering report. Former ABC SIEM analyst who monitored primetime TV for commercial interruptions. THOR Collective Dispatch is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. 🔗 Resources & Mentions Key Concepts Discussed * Detection Engineering Definition – “The real people that actually just keep shit working” * Detection as Code – Treating detections like production code with CICD pipelines * Versioning & Documentation – The critical importance of change logs and detection diaries * Chaining Behaviors – Moving beyond static indicators to correlated attack chains * Black-box Vendor Problem – Why teams rebuild EDR rules in SIEMs with FDR data * Critical Asset Prioritization – Starting with crown jewels when cutting detection noise * Confusion Matrices – True positive/false positive rates as quality metrics Resources * 2026 SANS Focus on Detection Engineering Survey [https://survey.sans.org/jfe/form/SV_9WXVJlAG80mDxoa] * Alex Teixeira / Detect.FYI [https://detect.fyi/] https://detect.fyi/ * Detection Engineering Weekly [https://www.detectionengineering.net/] * Detections.ai [https://detections.ai/] * MITRE TTP Detections [https://www.linkedin.com/feed/update/urn:li:activity:7404142801954750465/] * Detection Engineering Dispatch [https://www.anvilogic.com/workshop] 📢 Call to Action * Follow Alex Hurtado on LinkedIn – For infographics and detection engineering insights * Subscribe to Detection Engineering Dispatch – Available on Apple Podcasts and Spotify * Participate in the State of DE Survey – Data collection phase is ongoing * Implement quarterly detection reviews – If you’re not doing this, start now * Document your detections – Leave them better than you found them * Write for THOR Collective – Always looking for new voices in thrunting, DE, SOC, and IR 📬 Connect with THOR Collective 🗣️ Social Media: * Twitter/X: @THOR_Collective [https://x.com/THOR_Collective] * LinkedIn: THOR Collective [https://www.linkedin.com/company/thorcollective] * BlueSky: @thorcollective [https://bsky.app/profile/thorcollective.bsky.social] 📧 Contact: Reach out through any social channel to contribute content, be a guest on the podcast, or share your detection engineering war stories Get full access to THOR Collective Dispatch at dispatch.thorcollective.com/subscribe [https://dispatch.thorcollective.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Ask-a-Thrunt3r: October 2025 Logtoberfest Edition 🍺🐏

Ask-a-Thrunt3r: October 2025 - Logtoberfest Edition 🍺 📝 Episode Summary Welcome to Logtoberfest! The THOR Collective raises their glasses (and their log levels) for the most anticipated episode of the year, featuring special guest Damien Lewke, founder and CEO of Nebulock. This October edition tackles the burning question on every hunter’s mind: what does the future of threat hunting actually look like beyond the marketing hype and slick promo videos? Damien drops the mic with Nebulock’s mission to “democratize threat hunting”, making proactive security a right, not a privilege reserved for the few. The conversation dives deep into how agentic AI has already transformed the adversary landscape, blurring lines between nation-state actors and script kiddies while automating tailored access at scale. The crew explores the reality that while bad actors have gone fully agentic (as Anthropic’s August threat report confirmed), defenders are still stuck with yesterday’s tools. From debating whether AI agents are the future or just expensive autopilots, to discussing quantum computing’s threat timeline and the practicality of SOCs in virtual reality, this episode separates genuine innovation from vendor vaporware. Plus, Sydney drops knowledge on collaborative hunting platforms while John shares red team perspectives on AI-powered attack path mapping. Whether you’re a seasoned hunter or a SOC analyst looking to level up, this episode delivers the unfiltered truth about what’s coming in the next 12-24 months. THOR Collective Dispatch is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. ⏱️ Episode Breakdown * 01:10 – Welcome to Logtoberfest * 01:24 – Special guest introduction: Damien Lewke [https://www.linkedin.com/in/damienlewke/] from Nebulock [https://nebulock.io/] * 06:17 – Icebreaker: If your favorite log source were a beer, what style would it be? * 09:05 – Thrunt3r Spotlight * 10:58 – October Dispatch Highlights & community milestones * 28:00 - The future of threat hunting * 52:19 – Hype or Bust rapid-fire round * 57:46 – Giveaway announcement * 58:35 – Closing cheers to verbose logs and loud communities 🎤 Hosts & Guest Lauren Proehl (Host) – Manager of the group and self-proclaimed cautious AI optimist who’s evolved from “AI hater” to seeing genuine opportunity with mindful implementation. Sydney Marrone (Host) – Chief thrunter, recently joining Nebulock. Champion of removing gatekeeping from threat hunting and making it accessible to all skill levels. John Grageda (Host) – Red teamer bringing the adversarial perspective. Expert at hiding from endpoint detection (allegedly) and advocate for AI-powered attack path mapping. Damien Lewke (Special Guest) – Founder & CEO of Nebulock, middle child, and longtime listener turned guest. Building the agentic threat hunting platform to bridge the gap between elite hunters and aspiring analysts. 🔗 Resources & Mentions October Dispatch Posts * Agentic Threat Hunting, Part 2: Starting a Hunt Repo [https://dispatch.thorcollective.com/p/agentic-threat-hunting-part-2] by Sydney Marrone * Hunting Beyond Indicators [https://dispatch.thorcollective.com/p/hunting-beyond-indicators] by Sam Hanson * Aligning Risk Management and Threat-Informed Defense Practices (Part 1 [https://dispatch.thorcollective.com/p/aligning-risk-management-and-threat]) by Micah VanFossen Tools & Platforms Mentioned * Nebulock [https://nebulock.io/] – Agentic threat hunting platform * Maltego * GPT-4 and Claude for detection engineering * Traditional SIEM platforms vs. next-gen alternatives Community Resources * Detection Engineering Weekly [https://www.detectionengineering.net/] * Anthropic’s August 2025 threat report [https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf] 📢 Call to Action * Message THOR Collective on Discord – First responder after the episode wins Logtoberfest swag! * Share your log-to-beer pairing – Include your favorite log type and beer style for bonus points * Test drive AI hunting tools – Explore how agents can augment your current workflows * Document your baselines – Stable baselines are essential before implementing AI detection * Share your 2026 predictions – What do you think threat hunting will look like next year? * Join the AI debate – Are you team “cautious optimist” or team “show me the code”? * Upskill your SOC analysts – Consider platforms that lower the barrier to threat hunting 📬 Connect with THOR Collective 🗣️ Social Media: * Twitter/X: @THOR_Collective [https://x.com/THOR_Collective] * LinkedIn: THOR Collective [https://www.linkedin.com/company/thorcollective] * BlueSky: @thorcollective [https://bsky.app/profile/thorcollective.bsky.social] 📧 Contact: Reach out through any social channel for guest opportunities, hunt collaborations, or to share your thoughts on the future of threat hunting Get full access to THOR Collective Dispatch at dispatch.thorcollective.com/subscribe [https://dispatch.thorcollective.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

Ask-a-Thrunt3r: September 2025 Recap 🐏

📝 Episode Summary Back to school, Thrunter style! The THOR Collective celebrates a massive milestone with 2,000 Dispatch subscribers while diving deep into the art and science of baselining. This September edition of Ask a Thrunt3r is all about getting back to basics – because you can’t find weird if you don’t know normal, as Sydney reminds us in her must-read post that kicked off the month’s baseline bonanza. The crew unpacks Sydney’s foundational work on baselining and Lauren’s epic 21-minute marathon post featuring 10 baseline hunts that’ll have you questioning everything you thought was “normal” in your environment. From mind-bending 3D visualization techniques for finding compromised workstations with math (yes, math!) to a browser extension exposé, this month’s content proves that sometimes the biggest threats hide in plain sight – or in that innocent-looking Chrome extension your users just installed. Looking ahead, the team tackles the future of hunt collaboration, debating the merits of Git repos, Jupyter notebooks, and AI assistants for threat hunting. Whether you’re team “data” or team “data” (spoiler: it sparked quite the debate), this episode delivers practical insights for hunters at every level. Plus, John is hiring a senior pen tester if you’re looking to cross over to the dark side! ⏱️ Episode Breakdown 01:10 – Welcome back to school02:09 – Job opportunity: Senior pen tester at Lumen (full remote, US-based)03:08 – Milestone celebration: 2,000 Dispatch subscribers! 🎉04:36 – Icebreaker07:09 – Thrunt3r Spotlights09:02 – September Dispatch Highlights28:10 – Future of Hunt Collaboration Discussion42:01 – Lightning Round: Would You Rather edition44:03 – Wheel of Spins45:56 – October preview: Logtoberfest & Future of Threat Hunting47:44 – Closing & happy thrunting 🎤 Hosts Lauren Proehl (Host) – A director type who admits to wildcarding but is improving. Self-proclaimed energy drink enthusiast who turns inspiration into dissertations. Sydney Marrone (Host) – Principal threat hunter and the “thrunter of the group.” Baseline evangelist who kicked off September’s theme. Firm believer in the power of Git skills over Jira tickets. John Grageda (Host) – Red teamer celebrating 10 years at Lumen. Currently hiring a senior pen tester. Plans to retire wrapped in fiber cables and carried to the great cloud in the sky. 🔗 Resources & Mentions September Dispatch Posts 📚 You Can’t Find Weird If You Don’t Know Normal [https://thorcollective.substack.com/p/you-cant-find-weird-if-you-dont-know-normal] by Sydney Marrone📊 Baseline Bonanza: 10 Baseline Hunts [https://thorcollective.substack.com/p/baseline-bonanza-ten-baseline-hunts] by Lauren Proehl🎯 Can’t Hide in 3D [https://thorcollective.substack.com/p/cant-hide-in-3d] by Certis Foster🔒 Even if many plugins are fine, the bad ones are bad [https://thorcollective.substack.com/p/even-if-many-plugins-are-fine-the] by John Tuckner💼 Beyond Hackers and Hoodies: A Project Manager’s Move into Cybersecurity [https://thorcollective.substack.com/p/beyond-hackers-in-hoodies] by Courtney Shar♀️ Why We Need Women in Cybersecurity [https://thorcollective.substack.com/p/why-we-need-more-women-and-intersectional-diversity-in-cyber] by Sydney Marrone & Cassandra Murphy Tools & Technologies Mentioned * Jupyter Notebooks * GitHub/Git for collaboration and version control * GitKraken for local Git management * Threat Hunter Playbook [https://threathunterplaybook.com/intro.html] (s/o @Cyb3rWard0g [https://twitter.com/Cyb3rWard0g] and @Cyb3rPandaH [https://twitter.com/Cyb3rPandaH]) * RBA (Risk-Based Alerting) techniques * BOTs [https://github.com/splunk/botsv3] dataset for testing Community Resources 🔥 HEARTH Repository [https://hearth.thorcollective.com/]📬 The Dispatch Newsletter [https://dispatch.thorcollective.com/]💬 THOR Collective Discord (paid subscribers) 📢 Call to Action 🎯 Submit your baseline hunt ideas to HEARTH📝 Share what Dispatch posts resonated with your current challenges🔮 Join us for Logtoberfest & the Future of Threat Hunting discussion💼 Interested in pen testing? Contact John about the Lumen opportunity🪙 Check your DMs if you’ve won a coin – Sydney’s waiting!📊 Try out the 15 baseline examples from Sydney & Lauren’s posts🎓 Add HEARTH contributions to your LinkedIn projects section 📬 Connect with THOR Collective 🗣️ Social Media:Twitter/X: @THOR_Collective [https://x.com/THOR_Collective]LinkedIn: THOR Collective [https://www.linkedin.com/company/thorcollective]BlueSky: @thorcollective [https://bsky.app/profile/thorcollective.bsky.social] 📧 Contact: Reach out through any social channel for guest post opportunities or hunt collaboration ideas Next Episode: October’s Logtoberfest - Deep dive into the future of threat hunting, AI integration, and strategic planning for 2026. Essential listening for decision-makers and team leads! Get full access to THOR Collective Dispatch at dispatch.thorcollective.com/subscribe [https://dispatch.thorcollective.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]