Resources • Videos
Security operations

Red Canary Office Hours: Episode 44 – Naughty or nice: decoding normal vs. anomalous behavior

Air Date: December 9, 2025

Decoding normal vs. anomalous behavior

Keith is joined by Brittany Sattler and Tyler Winchester, threat hunters at Red Canary, as they break down why context matters when trying to decode between normal and anomalous behavior. A big part of this comes from having a baseline of how a user typically behaves, by identifying network spikes or abuse of normal protocols.

The two outline how Red Canary plans, executes, and reports on hunts, and give tips on how teams can better operationalize their own through tools like Surveyor.

Episode 43: Naughty or nice

Resources mentioned in this episode

Red Canary blog

Creating user baseline reports to identify malicious logins

Open source tool

Surveyor is a Python utility that queries Endpoint Detection and Response (EDR) products and summarizes the results. Security and IT teams can use Surveyor to baseline their environments and identify abnormal activity.

Related Resources

Red Canary Office Hours: Episode 51 – Signal to story: A threat hunt deconstructed

Videos| Security operations

Red Canary Office Hours: Episode 51 – Signal to story: A threat hunt deconstructed

Red Canary Office Hours: Episode 50 – Build vs. buy for AI in the SOC

Videos| Security operations

Red Canary Office Hours: Episode 50 – Build vs. buy for AI in the SOC

Red Canary Office Hours: Episode 49 – Measuring impact: The true ROI of AI in the SOC

Videos| Security operations

Red Canary Office Hours: Episode 49 – Measuring impact: The true ROI of AI in the SOC

Red Canary Office Hours: Episode 48 – How SOCs defend against AI-powered attacks

Videos| Security operations

Red Canary Office Hours: Episode 48 – How SOCs defend against AI-powered attacks

Security gaps? We got you.

Sign up for our monthly email newsletter for expert insights on MDR, threat intel, and security ops—straight to your inbox.

Back to Top