The Threshold Your Detection Can Never Reach

Your EC2 enumeration detection buckets events into 5-minute windows, counts the distinct instances...

mercoledì 10 giugno 2026 New tab

825 words~4 min read

Your EC2 enumeration detection buckets events into 5-minute windows, counts the distinct instances each actor touched, and alerts when that count passes 10. Reasonable on paper. A burst of instance enumeration is recon, and recon is worth catching early.

It has never fired.

Not because nobody is enumerating your environment. Because the math forbids it from ever firing, at any attacker pace you'll actually see, and it shows up green on your dashboard the entire time.

The detection that looks tuned

index=aws sourcetype=aws:cloudtrail eventName=DescribeInstances

Other newsrooms on this story

· 1 sources

Full timeline →

thehackernews.com·Jun 15, 2026 · 2 g fa
Why Runtime Scanning Is Too Late for Your CI/CD Supply Chain Security

The Threshold Your Detection Can Never Reach

Other newsrooms on this story

The Threshold Your Detection Can Never Reach

Other newsrooms on this story

Related reading

How I Detected Merlin QUIC C2 Traffic Using Entropy and Z-Scores (490K Packets,…

The Next Generation Platform Won't Track Configurations. It'll Track Why They…

Running a Full Multi-Stage Intrusion Simulation. Every Detection Fired.

Building a Cloud SIEM from Scratch with AWS Lambda and EventBridge

Application Metrics — Trace-Connected and High-Cardinality

What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack…

Related reading

How I Detected Merlin QUIC C2 Traffic Using Entropy and Z-Scores (490K Packets,…

The Next Generation Platform Won't Track Configurations. It'll Track Why They…

Running a Full Multi-Stage Intrusion Simulation. Every Detection Fired.

Building a Cloud SIEM from Scratch with AWS Lambda and EventBridge

Application Metrics — Trace-Connected and High-Cardinality

What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack…