NereusPulse Detection Threat Hunting Blue Team

NereusPulse: Turning 15 Years of Offense Into Real-Time Detection

Mr.Un1k0d3r

I have spent the last fifteen years on the offensive side of security. Red team engagements, tooling, phishing infrastructure, thick-client and cloud attacks, and a lot of time watching detection either catch me or, far more often, miss me completely. Somewhere along the way a pattern of my own emerged: the teams that caught me were never the ones with the biggest IOC feed. They were the ones who understood what an attack actually looks like as it happens, and who had automated that understanding so a human did not have to be staring at the right log at the right second.

NereusPulse is my attempt to bottle that. It is a detection platform that takes everything I have learned about how attackers move and turns it into automation that runs continuously against your environment. Not a signature dump, not another threat-intel subscription. A tool that hunts the way an experienced operator would hunt, in real time, on your telemetry. This post is the story of the idea, the technical shape of the solution, and an honest ask at the end: I am looking for a small number of teams to run it free of charge while I fine tune it.

The idea: stop chasing yesterday's attacker

Most detection programs are built around indicators of compromise. A hash, an IP, a domain, a named actor's TTP list. IOCs are useful, but they share a fatal property: they describe an attack that has already happened to somebody else. By the time an indicator reaches your feed, it has been burned. The infrastructure is rotated, the payload is recompiled, the domain is three DGA-generations old. You are perpetually defending against last week's campaign while this week's walks past.

When I attack, I do not reuse the thing that got caught. What I cannot easily change is the shape of what I am doing. A token request against an unusual client context, a process spawning a child it has no business spawning, an authentication that succeeds from a place that should never authenticate, a burst of directory reads right before an app registration. Those behavioural shapes persist across tools, across payloads, across actors, because they are dictated by the objective, not the implementation. NereusPulse hunts those shapes.

Contrast between IOC-based detection, which reacts to a specific burned indicator after the fact, and pattern-based detection, which matches the persistent behavioural shape of an attack in real time Two ways to look for an attacker Chasing IOCs match one specific, already-burned value hash = 9f2a...c1 ip = 185.12.44.9 domain = evil-cdn[.]top Attacker recompiles → miss Describes an attack that already happened to someone else. Matching patterns match the persistent shape of the behaviour token request → rare client context dir reads → app registration burst login OK → impossible location Attacker recompiles → still matches The objective dictates the shape, so the shape survives the rewrite.
IOCs describe one burned artefact from a past incident. Patterns describe the behaviour an attacker cannot avoid producing, so they keep matching after the tooling changes.

What NereusPulse actually is

Under the hood, NereusPulse is a streaming detection engine with connectors on one side and a pattern library on the other. Telemetry flows in continuously from your existing security stack. The engine normalises it into a common event model, correlates related events across sources and across time, and evaluates them against a library of behavioural patterns I have encoded from years of doing the offensive version of each technique. When a sequence of events lines up with a known attack shape, it raises an alert with the full context that produced it, not just a single orphaned line.

The screenshot below is the live console. Everything you see is driven by real telemetry: an alert overview with severity breakdown, a fourteen-day activity trend, a rolling twelve-hour view of ingested telemetry and login events, and the top talkers by domain and IP. It is deliberately built for a SOC analyst's day, not for a demo.

The NereusPulse threat intelligence dashboard: a dark cyan-themed console showing the Alerts view with an alert overview (32 showing, 29 critical, 3 medium), a 14-day alert activity chart by severity, a 12-hour events chart of ETW telemetry and login events, and a top domains and IPs panel, with a left navigation for Search, Network Search, Alerts, Monitoring, Deployment, Integrations, Team and Billing, Resources, Organisation and Profile
The NereusPulse console. Real-time alert overview, severity trend, telemetry and login-event streams, and top network talkers, all built around how a detection analyst actually works.

The connectors: EDR and Azure Entra ID

A detection engine is only as good as what it can see, so NereusPulse meets your environment where it already lives. Two connectors matter most right now.

Both connectors normalise into the same event model, which is the point. A cloud sign-in anomaly and an endpoint process anomaly that belong to the same intrusion get correlated into one story instead of sitting in two different tools that never talk to each other.

NereusPulse pipeline: EDR and Azure Entra ID connectors feed a normalisation and correlation layer, which evaluates events against a real-time behavioural pattern engine and raises contextual alerts to the SOC How an event becomes an alert EDR connector process, ETW, lineage Entra ID connector sign-ins, audit, consent Normalise + Correlate one event model across source + time Pattern engine real-time match behavioural shapes from 15y of offense Contextual alert to the SOC the full event chain that fired it, not one orphan log line
Connectors feed a shared event model, correlation stitches the story together, and the pattern engine matches attack shapes in real time before handing the analyst a fully contextual alert.

Fusing the signals: one engine, many sources

No single log tells the whole story. A process-creation event on its own is noise. A login on its own is routine. Evil shows up in the relationship between them, which is why NereusPulse never leans on one feed. Its custom-built alerting engine ingests and correlates signal from every source that matters on a Windows estate:

The engine normalises all of it into one timeline per identity and per host, then runs the behavioural patterns across the fused stream. Because the sources are correlated rather than siloed, a single detection can span all of them: an Entra sign-in from an unusual location, followed seconds later by a Sysmon process-creation with a suspicious command line under that same user, followed by an ETW image-load that screams process injection. Any one of those events might slip past a per-source rule. Stitched together on one timeline, they are unmistakable.

Login correlation is where this pays off most. When an authentication succeeds, the engine does not simply record it. It ties that login to everything the identity does next, across every source. A successful sign-in immediately followed by credential-access behaviour, a service install, or lateral movement to another host is exactly the shape the engine is built to surface. It hunts for evil in the seam between "who logged in" and "what happened after" - the precise seam a single-source tool can never see across.

Login-correlation timeline: an Entra ID sign-in, a Windows 4624 logon, a Sysmon process creation, and an ETW image-load under the same identity are correlated by the custom alerting engine into a single high-confidence detection, while unrelated benign events on the same lanes are left alone One identity, four sources, one detection The alerting engine correlates across feeds. The evil chain lights up. The noise does not. Entra ID / login Windows event log Sysmon ETW benign, uncorrelated events - left alone sign-in, rare location 4624 logon proc-create + odd cmdline image-load / inject ALERT: correlated attack pattern
The same identity across four feeds. The engine correlates the sign-in, logon, process-creation, and image-load into one high-confidence alert, while the unrelated events on those same lanes never fire.

Why real time is the whole point

Batch detection tells you that you were breached. Real-time pattern detection gives you the chance to still be in the fight. NereusPulse evaluates patterns as the telemetry arrives, so the window between "the attacker did the thing" and "an analyst is looking at the thing" is measured in seconds, not in the hours it takes a scheduled hunt to run. When a pattern fires, the alert carries the correlated chain of events that triggered it, which is what lets a human make a fast, confident decision instead of pivoting across five consoles to reconstruct what happened.

This is threat hunting turned into a background service. The expensive, senior-analyst work of knowing what to look for is encoded once, in the patterns, and then runs against everyone's telemetry all the time. You do not need a fifteen-year operator on shift at 3am for the engine to notice the 3am token request that does not belong.

The honest part: it needs fine tuning, and I need you

Here is where I am going to be straight with you. NereusPulse works, and I believe in it deeply, but a pattern engine is only as good as its calibration against real, messy, diverse environments. Every network is different. What is anomalous in one tenant is Tuesday in another. To make the patterns sharp enough to be trusted, and quiet enough that analysts do not tune them out, I need to fine tune them against environments that are not mine.

So I am opening a free early-access program. I am looking for a small number of SOC and security teams who are willing to run NereusPulse in their environment at no cost, connect their EDR and/or Entra ID, and work with me directly to fine tune the detections. You get an extra set of eyes built from fifteen years of offensive experience watching your environment in real time. I get the ground truth I need to make the engine excellent. It is the most honest kind of purple teaming: the person who knows how the attack is built, helping you catch it, using your real data to sharpen the tool.

This is genuinely free while I fine tune. No sales motion, no trial clock counting down to a credit card prompt. If you have telemetry and a willingness to give feedback, you are exactly the team I want to talk to.

Come try it

If any of this resonates, whether you want to improve your detection, you are tired of chasing burned indicators, or you just want to see what fifteen years of offense looks like turned into defense, I would love to show you. Email me at contact@truecyber.world for a demo and more information. Tell me a little about your environment and what you are running for EDR and identity, and I will get you set up with a walkthrough and early access.

Detection does not have to be a step behind the attacker. Let me show you what it looks like when it is not.

← Back to Blog