Introducing Defensive Analysis: AI-Driven Detection Briefs from Offensive Tradecraft
Most cybersecurity feeds show you the attack and leave the defense as an exercise for the reader. Your team reads a Kerberoasting walkthrough, then spends an hour mapping it to detection logic, telemetry requirements, and mitigations. Multiply that by every post, every day, across every operator blog worth following.
We built Defensive Analysis to compress that cycle from hours to seconds.
What is Defensive Analysis?
Every post curated into Tradecraft Signal is automatically analyzed by AI to produce a structured defensive brief. When you open a curated post about offensive tradecraft, the Defensive Analysis appears right alongside it — a starting point that covers detection logic, telemetry requirements, and mitigations for the technique you just read about.
The goal is not to replace your team’s analysis — it is to accelerate it. Defensive Analysis gives your analysts a structured first draft to work from instead of a blank page. Every brief should be reviewed, validated against your environment, and adapted before being operationalized. AI-generated output can contain inaccuracies, hallucinated artifacts, or recommendations that don’t apply to your specific infrastructure.
ATT&CK-aware from the start
Before a Defensive Analysis is generated, every curated post is automatically tagged with specific MITRE ATT&CK technique IDs. The analysis is not generic — it knows which techniques are in play and cross-references them against the MITRE Cyber Analytics Repository (CAR) for existing detection logic. This means the briefs reference real technique IDs, real analytics, and real detection gaps specific to the tradecraft described in the post.
Posts that are purely defensive — detection guides, blue team tutorials, hardening documentation — are automatically identified and skipped. Defensive Analysis only runs on offensive tradecraft content, so every brief you see is relevant.
What’s inside every brief
Each Defensive Analysis covers:
- Detection opportunities — Specific logs, telemetry sources, and event IDs (Windows Security, Sysmon, PowerShell, ETW, Linux auditd, cloud audit logs) that reveal the described activity
- ATT&CK analytics references — MITRE CAR analytics mapped to the tagged techniques, so you can see what existing detection logic already covers the attack
- Detection gap assessment — Can you catch this with default logging? What telemetry upgrades are needed? Where are the blind spots in your current stack?
- Sigma and YARA rule categories — Applicable detection rule patterns to deploy or validate against your existing rule library
- Mitigations — MITRE mitigation IDs and concrete hardening steps to prevent or limit the technique
- Data source requirements — Exact event IDs, audit policies, and logging prerequisites your environment must have enabled
Inferred IOCs: beyond what the article says
The most powerful section of every Defensive Analysis is Inferred Indicators of Compromise. Traditional IOC feeds scrape hashes and domains from blog posts — the artifacts the author chose to include. Defensive Analysis goes deeper.
For every named tool or demonstrated technique, the AI reasons about what actually happens when the attack executes in production — default configurations, file-system footprints, memory artifacts, network signatures, authentication anomalies — and generates IOCs that may not appear in the original post at all.
Every inferred IOC includes:
- Tier — Primary (demonstrated in the content) or Related (referenced but not the focus), so you immediately know the depth of analysis behind each indicator
- Artifact type — Precise labels like process_command_line, named_pipe, windows_event_id, ja3_fingerprint, behavioral_pattern, and 30+ other categories
- Detection visibility — The exact log source, event ID, and field names where the IOC surfaces, plus any non-default logging prerequisites
- Confidence level — HIGH, MEDIUM, or LOW with explicit reasoning, so your team can prioritize validation effort accordingly
Everything is organized by the Pyramid of Pain — from volatile hash values up to durable behavioral patterns — so your detection engineering team can prioritize the indicators adversaries cannot easily change.
Not just what they published
A Kerberoasting blog post might show you a Rubeus command line. Defensive Analysis will also surface the expected Kerberos event 4769 with TicketEncryptionType = 0x17, the anomalous TGS-REQ patterns, the process tree from the execution chain, the named pipes if lateral movement followed, and the specific Advanced Audit Policy settings your domain controllers need enabled to see any of it.
That is the difference between copying a blog post and understanding an attack.
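To make the Kerberoasting brief concrete, here is an added illustration of the two detection ideas named above: RC4-HMAC service tickets (TicketEncryptionType 0x17) issued for user-style SPNs, and one account pulling tickets for many distinct services in a short window. This is example code written for this post, not Defensive Analysis output and not code from any tool a brief might reference. The log lines are constructed; their field names mirror the event 4769 schema, but the compact key=value layout is an assumption for the example, not Windows' own event format. Event 4769 only exists on your domain controllers if the Advanced Audit Policy subcategory "Audit Kerberos Service Ticket Operations" is enabled, which is exactly the kind of prerequisite the brief's data source section calls out.

```python
"""
Constructed detection sketch for Kerberoasting telemetry in Windows Security
event 4769. Two checks:
  1. RC4-HMAC (TicketEncryptionType 0x17) service tickets for user-style SPNs
  2. one account requesting many distinct service tickets within a short window
Everything below is built for this example; nothing is taken from a real host.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC (0x12 is AES256)


@dataclass
class Event4769:
    time: int        # seconds since an arbitrary epoch (constructed timestamps)
    account: str     # TargetUserName: the account that requested the ticket
    service: str     # ServiceName: the account owning the SPN the ticket is for
    enc_type: int    # TicketEncryptionType
    status: int      # Status (failure code); 0x0 means the ticket was issued


# Constructed sample telemetry (assumed key=value layout, not Windows' format).
SAMPLE_LOG = """\
EventID=4769 Time=0   TargetUserName=alice ServiceName=WS01$      TicketEncryptionType=0x12 Status=0x0
EventID=4769 Time=5   TargetUserName=alice ServiceName=svc_sql    TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=6   TargetUserName=alice ServiceName=svc_web    TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=7   TargetUserName=alice ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=30  TargetUserName=bob   ServiceName=krbtgt     TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=100 TargetUserName=bob   ServiceName=FS02$      TicketEncryptionType=0x17 Status=0x0
EventID=4769 Time=101 TargetUserName=bob   ServiceName=svc_print  TicketEncryptionType=0x17 Status=0x7
EventID=4768 Time=102 TargetUserName=bob   ServiceName=krbtgt     TicketEncryptionType=0x12 Status=0x0
"""


def parse_4769(text: str) -> List[Event4769]:
    """Parse the constructed key=value lines, keeping only event 4769 records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        if fields.get("EventID") != "4769":
            continue  # 4768 (TGT requests) and anything else is out of scope here
        events.append(Event4769(
            time=int(fields["Time"]),
            account=fields["TargetUserName"],
            service=fields["ServiceName"],
            enc_type=int(fields["TicketEncryptionType"], 16),
            status=int(fields["Status"], 16),
        ))
    return events


def rc4_service_tickets(events: List[Event4769]) -> List[Event4769]:
    """Issued RC4 service tickets for user-style SPNs, the classic Kerberoasting signal.

    krbtgt and machine accounts (names ending in $) are excluded: machine accounts
    carry long random passwords, so RC4 tickets for them are noise for this check.
    Failed requests (Status != 0) are skipped because no crackable ticket was issued.
    """
    return [
        e for e in events
        if e.enc_type == RC4_HMAC
        and e.status == 0
        and e.service.lower() != "krbtgt"
        and not e.service.endswith("$")
    ]


def burst_requesters(events: List[Event4769], window_s: int = 60,
                     threshold: int = 3) -> Dict[str, int]:
    """Accounts that requested tickets for >= threshold distinct services within
    any window_s-second span. Returns {account: most distinct services in a window}.
    This is the 'anomalous TGS-REQ pattern' check: one user rarely needs tickets
    for many different service accounts within a minute."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        by_account[e.account].append(e)
    flagged: Dict[str, int] = {}
    for account, evs in by_account.items():
        best = 0
        for i, start in enumerate(evs):
            # all of this account's requests inside the window opened by request i
            services = {e.service for e in evs[i:] if e.time - start.time <= window_s}
            best = max(best, len(services))
        if best >= threshold:
            flagged[account] = best
    return flagged


def analyze(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run both checks over a log and return the findings."""
    events = parse_4769(text)
    return {
        "rc4_user_spn_tickets": [(e.account, e.service) for e in rc4_service_tickets(events)],
        "burst_requesters": burst_requesters(events),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

On the sample, alice trips both checks (three RC4 tickets for service accounts, four distinct services inside one minute), while bob trips neither: his RC4 tickets are for krbtgt and a machine account, his svc_print request failed, and his requests are spread out. The thresholds and exclusions are starting points to tune against your own baseline, which is the same validation step the brief asks for.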
Who is this for?
Detection engineers and SOC analysts — Use the briefs as a starting point for new detection rules. The telemetry mappings, event IDs, and Sigma/YARA categories give you a structured foundation to build from instead of researching each technique from scratch.
Threat hunters — The inferred IOCs and behavioral patterns provide hunt hypotheses grounded in how tools and techniques actually behave at runtime, not just what the blog author chose to mention.
Purple teamers — Validate whether your defensive stack catches what the brief describes. The detection gap assessments tell you exactly which logging prerequisites and audit policies need to be in place.
Red teamers — Defensive Analysis shows you how the techniques you use look from the other side. Every brief maps out the telemetry sources, event IDs, and behavioral patterns that defenders rely on to catch the tradecraft you just read about. That is directly actionable OPSEC intelligence: understand which artifacts your tooling leaves behind, which log sources expose your activity, and where detection coverage is strongest — so you can adapt your tradecraft, test your evasion assumptions, and build more realistic adversary simulations.
Built into every curated post
Defensive Analysis is not a separate product or an add-on. It is generated automatically for every piece of offensive tradecraft our curators publish to the feed. Open any curated post, expand the Defensive Analysis panel, and the brief is already there — structured, searchable, and ready to accelerate your next detection rule or hunt hypothesis.
Every Defensive Analysis brief is fully indexed. You can search across all briefs for a specific event ID, technique, tool name, or artifact type and find every curated post where it surfaces — turning the feed into a queryable knowledge base for your detection engineering or red team operations.
A starting point, not the final word
Defensive Analysis is entirely AI-generated. It is designed to give your team a significant head start — not to be copy-pasted into production detections without review. Treat every brief as a draft that needs human validation: verify IOCs against your telemetry, confirm event IDs match your logging configuration, and test detection logic in your environment before deploying. The confidence labels and tiering are there to help you triage, but your analysts remain the final authority.
Stay ahead of the tradecraft. We will keep curating the offense. Defensive Analysis accelerates the defense.