I have spent the last fifteen years on the offensive side of security. Red team engagements, tooling, phishing infrastructure, thick-client and cloud attacks, and a lot of time watching detection either catch me or, far more often, miss me completely. Somewhere along the way a pattern of my own emerged: the teams that caught me were never the ones with the biggest IOC feed. They were the ones who understood what an attack actually looks like as it happens, and who had automated that understanding so a human did not have to be staring at the right log at the right second.
NereusPulse is my attempt to bottle that. It is a detection platform that takes everything I have learned about how attackers move and turns it into automation that runs continuously against your environment. Not a signature dump, not another threat-intel subscription. A tool that hunts the way an experienced operator would hunt, in real time, on your telemetry. This post is the story of the idea, the technical shape of the solution, and an honest ask at the end: I am looking for a small number of teams to run it free of charge while I fine tune it.
The idea: stop chasing yesterday's attacker
Most detection programs are built around indicators of compromise. A hash, an IP, a domain, a named actor's TTP list. IOCs are useful, but they share a fatal property: they describe an attack that has already happened to somebody else. By the time an indicator reaches your feed, it has been burned. The infrastructure is rotated, the payload is recompiled, the domain is three DGA-generations old. You are perpetually defending against last week's campaign while this week's walks past.
When I attack, I do not reuse the thing that got caught. What I cannot easily change is the shape of what I am doing. A token request against an unusual client context, a process spawning a child it has no business spawning, an authentication that succeeds from a place that should never authenticate, a burst of directory reads right before an app registration. Those behavioural shapes persist across tools, across payloads, across actors, because they are dictated by the objective, not the implementation. NereusPulse hunts those shapes.
What NereusPulse actually is
Under the hood, NereusPulse is a streaming detection engine with connectors on one side and a pattern library on the other. Telemetry flows in continuously from your existing security stack. The engine normalises it into a common event model, correlates related events across sources and across time, and evaluates them against a library of behavioural patterns I have encoded from years of doing the offensive version of each technique. When a sequence of events lines up with a known attack shape, it raises an alert with the full context that produced it, not just a single orphaned line.
The screenshot below is the live console. Everything you see is driven by real telemetry: an alert overview with severity breakdown, a fourteen-day activity trend, a rolling twelve-hour view of ingested telemetry and login events, and the top talkers by domain and IP. It is deliberately built for a SOC analyst's day, not for a demo.
The connectors: EDR and Azure Entra ID
A detection engine is only as good as what it can see, so NereusPulse meets your environment where it already lives. Two connectors matter most right now.
- EDR connector. This is the endpoint firehose: process creation and lineage, module loads, ETW telemetry, script activity, and the parent-child relationships that give away living-off-the-land behaviour. NereusPulse consumes that stream and runs the process-and-behaviour patterns against it. This is where a benign-looking binary spawning an unexpected child, or a signed process being used as a proxy, stops being invisible.
- Azure Entra ID connector. Identity is where modern intrusions actually happen, and it is the area I have spent a lot of my recent offensive research on. This connector pulls sign-in and audit activity so NereusPulse can watch for the identity patterns that precede a cloud compromise: token requests against unusual first-party client contexts, application registrations by accounts that should never register apps, directory enumeration bursts, impossible-travel sign-ins, and consent grants that do not fit the user. If you read my writeup on Entra ID default permissions, this is the defensive other half of it.
Both connectors normalise into the same event model, which is the point. A cloud sign-in anomaly and an endpoint process anomaly that belong to the same intrusion get correlated into one story instead of sitting in two different tools that never talk to each other.
Fusing the signals: one engine, many sources
No single log tells the whole story. A process-creation event on its own is noise. A login on its own is routine. Evil shows up in the relationship between them, which is why NereusPulse never leans on one feed. Its custom-built alerting engine ingests and correlates signal from every source that matters on a Windows estate:
- ETW (Event Tracing for Windows) - the low-level kernel and provider telemetry: process and thread activity, image loads, network, and the in-memory behaviour that never lands in a classic log file.
- Sysmon - high-fidelity, tamper-resistant records of process creation with full command lines and hashes, parent-child lineage, network connections, and file and registry changes.
- Windows event logs - the Security, System, and PowerShell operational channels: authentication (4624 / 4625), privilege use, service installs, scheduled tasks, and the rest of the audit trail.
- Identity and login telemetry - sign-in and authentication events from both the host and Azure Entra ID, so a cloud login and an on-host session become part of the same picture.
The engine normalises all of it into one timeline per identity and per host, then runs the behavioural patterns across the fused stream. Because the sources are correlated rather than siloed, a single detection can span all of them: an Entra sign-in from an unusual location, followed seconds later by a Sysmon process-creation with a suspicious command line under that same user, followed by an ETW image-load that screams process injection. Any one of those events might slip past a per-source rule. Stitched together on one timeline, they are unmistakable.
Login correlation is where this pays off most. When an authentication succeeds, the engine does not simply record it. It ties that login to everything the identity does next, across every source. A successful sign-in immediately followed by credential-access behaviour, a service install, or lateral movement to another host is exactly the shape the engine is built to surface. It hunts for evil in the seam between "who logged in" and "what happened after" - the precise seam a single-source tool can never see across.
Why real time is the whole point
Batch detection tells you that you were breached. Real-time pattern detection gives you the chance to still be in the fight. NereusPulse evaluates patterns as the telemetry arrives, so the window between "the attacker did the thing" and "an analyst is looking at the thing" is measured in seconds, not in the hours it takes a scheduled hunt to run. When a pattern fires, the alert carries the correlated chain of events that triggered it, which is what lets a human make a fast, confident decision instead of pivoting across five consoles to reconstruct what happened.
This is threat hunting turned into a background service. The expensive, senior-analyst work of knowing what to look for is encoded once, in the patterns, and then runs against everyone's telemetry all the time. You do not need a fifteen-year operator on shift at 3am for the engine to notice the 3am token request that does not belong.
The honest part: it needs fine tuning, and I need you
Here is where I am going to be straight with you. NereusPulse works, and I believe in it deeply, but a pattern engine is only as good as its calibration against real, messy, diverse environments. Every network is different. What is anomalous in one tenant is Tuesday in another. To make the patterns sharp enough to be trusted, and quiet enough that analysts do not tune them out, I need to fine tune them against environments that are not mine.
So I am opening a free early-access program. I am looking for a small number of SOC and security teams who are willing to run NereusPulse in their environment at no cost, connect their EDR and/or Entra ID, and work with me directly to fine tune the detections. You get an extra set of eyes built from fifteen years of offensive experience watching your environment in real time. I get the ground truth I need to make the engine excellent. It is the most honest kind of purple teaming: the person who knows how the attack is built, helping you catch it, using your real data to sharpen the tool.
This is genuinely free while I fine tune. No sales motion, no trial clock counting down to a credit card prompt. If you have telemetry and a willingness to give feedback, you are exactly the team I want to talk to.
Come try it
If any of this resonates, whether you want to improve your detection, you are tired of chasing burned indicators, or you just want to see what fifteen years of offense looks like turned into defense, I would love to show you. Email me at contact@truecyber.world for a demo and more information. Tell me a little about your environment and what you are running for EDR and identity, and I will get you set up with a walkthrough and early access.
Detection does not have to be a step behind the attacker. Let me show you what it looks like when it is not.