Patience brings prey: lessons learned from a year of threat hunting in the cloud

Greg Foss, Anthony Randazzo

fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal

Greg Foss and Anthony Randazzo from Datadog's product detection engineering team presented a year-in-review of their cloud threat hunting program, sharing operational methodology, two detailed case studies, and aggregate findings from investigating threats across thousands of customer environments. The talk bridged the gap between traditional hypothesis-driven threat hunting and the signal-driven, large-scale approach that a security vendor with massive telemetry can execute. Key findings included a **MIMO/Mimolet** threat actor employing rootkits and nine-day dwell times on compromised workloads, widespread **LLM/Bedrock abuse** via stolen access keys, and the unsurprising-but-quantified confirmation that **compromised long-term access keys** remain the dominant cloud breach vector.

AI review

Datadog's threat hunting team shares operational findings from a year of cloud-scale hunting across thousands of environments. The MIMO case study with a nine-day dwell time, Diamorphine rootkit, and proxy jacking on Magento is genuinely interesting. The LLM abuse hunting methodology shows solid pivoting tradecraft. The talk is held back by the 20-minute format, which forces breadth over depth on the most compelling findings.