Skip Navigation
Get a Demo
 
Share
 
 
 
 
 
 
 
 
Resources Videos
Security operations

Red Canary Office Hours: Episode 44 – Naughty or nice: decoding normal vs. anomalous behavior

Air Date: December 9, 2025

Decoding normal vs. anomalous behavior

Keith is joined by Brittany Sattler and Tyler Winchester, threat hunters at Red Canary, as they break down why context matters when trying to decode between normal and anomalous behavior. A big part of this comes from having a baseline of how a user typically behaves, by identifying network spikes or abuse of normal protocols.

The two outline how Red Canary plans, executes, and reports on hunts, and give tips on how teams can better operationalize their own through tools like Surveyor.

View the video
Episode 44: Naughty or nice
Resources mentioned in this episode
Red Canary blog
Creating user baseline reports to identify malicious logins
Open source tool
Surveyor is a Python utility that queries Endpoint Detection and Response (EDR) products and summarizes the results. Security and IT teams can use Surveyor to baseline their environments and identify abnormal activity.
Related Resources
 

See Red Canary in action

Watch the 10-minute demo now.
Watch the demo

Security gaps? We got you.

Sign up for our monthly email newsletter for expert insights on MDR, threat intel, and security ops—straight to your inbox.

 
 
 
 
Back to Top