DKTrace Research Lab.

Technical deep-dives, detection engineering guides, deployment runbooks, and threat research — written by the engineers who built DKTrace. Every article includes real detection code, MITRE mappings, and production metrics.

★ FEATURED · Deep Dive · 14 min read · March 2026 · MITRE T1071 · T1486 · T1059

Inside the DKTrace Detection Engine: How We Catch APTs in Under 2 Seconds

A full technical walkthrough of DKTrace's correlation engine — entity graphs, kill-chain reconstruction, MITRE ATT&CK tactic chaining, and why sub-second detection matters for ransomware containment. We trace a real Cobalt Strike beacon from first packet to P1 incident creation in 847 milliseconds.

Entity graph construction using Redis adjacency lists
Kill-chain state machine: 7 stages, 23 transition rules
Why ClickHouse columnar storage enables real-time correlation
How NATS JetStream guarantees zero-event-loss at 100K eps
ITDR 8 min

Detecting DCSync Attacks with DKTrace ITDR

How DKTrace correlates Windows Event ID 4662 with LDAP query patterns to detect DCSync in under 2 seconds — with zero Sigma rule tuning required.

- `1131f6aa` — DS-Replication-Get-Changes
February 2026
ITDR 11 min

Golden Ticket Detection — Why KRBTGT Hash Rotation Alone Is Not Enough

Kerberos Golden Tickets bypass normal authentication entirely. DKTrace detects them through ticket lifetime anomalies, PAC validation failures, and cross-referencing DC Kerberos logs — even for tickets forged offline.

A Kerberos Golden Ticket is a forged TGT (Ticket Granting Ticket) created using the NTLM hash of the
January 2026
UEBA 9 min

Impossible Travel Detection: Building a Geospatial UEBA Model

How DKTrace's ml-engine calculates whether a login sequence is physically possible using Haversine distance, timestamps, and realistic travel speeds — including VPN, CDN, and NAT gateway edge cases.

- Corporate VPN exit nodes (a London user appears as New York)
December 2025
NTA 10 min

Beaconing Detection Using FFT — Technical Deep Dive

How DKTrace's NTA engine uses Fast Fourier Transforms on inter-packet timing sequences to detect C2 beaconing in encrypted traffic — with no payload inspection. Works on TLS 1.3, QUIC, and DNS-over-HTTPS.

C2 implants communicate with their operators on a schedule. Even when traffic is fully encrypted via
November 2025
NTA 8 min

Detecting DNS Tunnelling Without Deep Packet Inspection

DNS tunnelling encodes arbitrary data into DNS query names. DKTrace detects it through query entropy analysis, subdomain length distribution, and request-per-domain rate — all from metadata alone.

Tools like DNScat2, Iodine, and custom APT tooling encode C2 traffic or exfiltrated data into DNS qu
October 2025
Compliance 12 min

PCI-DSS 4.0 Compliance Automation — A Complete Guide

Walk through all 12 PCI-DSS 4.0 requirements and how DKTrace maps security events to each control — automatically collecting, timestamping, and signing evidence with chain-of-custody for QSA auditors.

| 6.4.1 | Web application protection | detection-engine | ✅ WAF event logs |
September 2025
Compliance 11 min

DORA Compliance for Financial Institutions — What Changes in 2026

The Digital Operational Resilience Act tightens in 2026. Article 17 mandates incident classification in 4 hours. Article 19 requires major incident reporting to regulators in 24 hours. Here's how DKTrace automates both.

| Data integrity impact | event-store anomaly detection | ✅ |
August 2025
Deployment 15 min

Air-Gap Deployment Guide — DKTrace in Classified Networks

Step-by-step guide for deploying DKTrace in air-gapped, classified network environments — including offline TI updates, internal PKI, and the data diode architecture for one-way log ingestion.

- Container image pulls → offline registry
July 2025
Deployment 13 min

DKTrace High-Availability Architecture — Zero-Downtime SOC

How to deploy DKTrace in active-active HA across two data centres with automated failover under 30 seconds. Covers NATS JetStream clustering, ClickHouse replication, PostgreSQL Patroni, and Redis Sentinel.

At 100K events/sec: a single node failure causes **zero event loss**. Consumers rebalance within 5 s
June 2025
UEBA 9 min

UEBA Baseline Building — The 30-Day Model Explained

How DKTrace's ml-engine builds statistical behavioural baselines for every user and entity — and exactly what triggers a deviation alert, including the composite risk score formula.

- Weekly work patterns (Monday behaviour vs. Friday behaviour)
May 2025
Telco 7 min

SS7 Protocol Fraud Detection for Telecom SOC Teams

How DKTrace's telco-monitor detects SIM swap fraud, location tracking, and call interception by analysing MAP messages for anomalous operation sequences — with no lawful intercept required.

- UpdateLocation requests from unexpected SCCP point codes (not in carrier whitelist)
April 2025
Threat Intel 10 min

Threat Intelligence Lifecycle in DKTrace — From IOC Ingest to Alert

How DKTrace's threat-intel-manager ingests IOCs from 15+ feeds, applies confidence scoring with age decay, deduplicates across sources, and makes 1.2M+ indicators available for sub-millisecond lookup.

Raw TI is noise. An IP address that was malicious 18 months ago is probably a recycled residential I
March 2025
CSPM 10 min

Cloud Misconfiguration to Breach — An S3 Case Study

Tracing a real S3 bucket ACL misconfiguration through DKTrace CSPM detection to exfiltration detection and automated remediation — total containment time: 4 minutes 12 seconds.

In a production banking deployment, DKTrace detected an S3 bucket misconfiguration-to-breach chain a
February 2025
OT/ICS 13 min

OT/ICS Security with DKTrace — Purdue Model Monitoring Without Disruption

How DKTrace monitors Modbus, DNP3, and IEC 61850 industrial protocols without sending a single packet to a PLC — with hardcoded safety rules that prevent automated isolation of life-critical assets.

- `life_critical = true`
January 2025
- 14 technical articles, with real code & metrics
- 47 MITRE techniques covered across all articles
- 100K+ events/sec in production, for all detections described
- < 2 s detection time, average across all scenarios
MITRE ATT&CK techniques covered:

- T1003.006 DCSync
- T1558.001 Golden Ticket
- T1558.003 Kerberoasting
- T1078 Valid Accounts
- T1071 C2 Channels
- T1071.004 DNS Tunnel
- T1530 Cloud Data
- T1190 Exploit Public App
- T1486 Data Encrypted
- T1021.002 SMB Lateral
- T1003.001 LSASS Dump
- T1550.002 Pass-the-Hash

Every Detection Described Here Runs in Production.

These aren't theoretical detections. Every technique, every timeline, every metric in these articles comes from live DKTrace deployments at banks, ports, hospitals, and government agencies. Book a demo and we'll show you your own network.