Live Scenario — Scattered Spider Variant — Multi-Vector Campaign
Incoming Events — 5 Teams, 72 Hours
CTI — Threat Intel
FBI Advisory: Scattered Spider variant targeting financial sector
New social engineering playbook: the actor contacts the helpdesk by phone and SMS, requests an MFA reset, then uses the fresh factor to pivot into the Okta admin console.
Mon 09:14 AM — Severity: High — Status: Isolated
SOC — Operations
VPN anomaly: auth from unrecognized device
VPN login on the jchen account from a residential IP in Phoenix, AZ, from a device not enrolled in MDM. The user denies making the login; an owner-denied login is an indicator of credential misuse, not grounds to close as a false positive.
Mon 02:47 PM — Severity: Medium — Status: Isolated
Email Sec — Email Security
Spear-phish to 3 helpdesk staff
Sender spoofed IT leadership; links led to a look-alike Okta SSO page. 1 of the 3 recipients clicked. No credential submission was detected, which rules out only what the monitoring could observe.
Tue 10:22 AM — Severity: Medium — Status: Isolated
IAM — Identity
MFA reset request via helpdesk ticket
User "jchen" submitted a ticket claiming a new phone. Helpdesk reset MFA without voice (call-back) verification. Same user as the VPN anomaly.
Tue 03:15 PM — Severity: Low — Status: Isolated
Endpoint — EDR
PowerShell execution from jchen workstation
Base64-encoded PowerShell command downloading a remote toolkit. Matches a known Scattered Spider stage-2 loader pattern.
Wed 01:08 AM — Severity: High — Status: Isolated
Before KTLYST — Siloed View
5 events. 5 teams.
0 connections.
Each team triages independently.
The attacker's campaign stays invisible.
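The five cards above, correlated by shared entity instead of by team, as an added illustration written for this page (it is not KTLYST's code). Each event carries tags for the user, host, target system, actor and TTP it touches; two events link when they share a tag within a time window, and the connected groups are candidate campaigns. The events, their tags and the base date are constructed from the scenario, and the tag vocabulary, the 72-hour default window and the union-find grouping are assumptions of the example:

```python
# Added example: entity-based correlation of the five alerts above.
# Illustrative code written for this page, not KTLYST's implementation.
# Events, entity tags and the base date are constructed from the scenario
# cards; the tag names and the 72-hour window are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    id: str
    team: str
    title: str
    ts: datetime
    entities: frozenset  # tags such as "user:jchen", "system:okta"


# Assumed Monday 00:00 as the scenario's day 0; only relative times matter.
DAY0 = datetime(2024, 1, 1)

# Constructed from the five cards on this page (not real telemetry).
EVENTS = [
    Event("cti-1", "CTI", "FBI advisory: Scattered Spider variant",
          DAY0 + timedelta(hours=9, minutes=14),
          frozenset({"actor:scattered_spider", "target:helpdesk",
                     "ttp:mfa_reset", "system:okta"})),
    Event("soc-1", "SOC", "VPN auth from unrecognized device",
          DAY0 + timedelta(hours=14, minutes=47),
          frozenset({"user:jchen", "ttp:unenrolled_device"})),
    Event("email-1", "Email Sec", "Spear-phish to 3 helpdesk staff",
          DAY0 + timedelta(days=1, hours=10, minutes=22),
          frozenset({"target:helpdesk", "system:okta", "ttp:credential_phish"})),
    Event("iam-1", "IAM", "MFA reset via helpdesk ticket",
          DAY0 + timedelta(days=1, hours=15, minutes=15),
          frozenset({"user:jchen", "target:helpdesk", "ttp:mfa_reset"})),
    Event("edr-1", "Endpoint", "Encoded PowerShell on jchen workstation",
          DAY0 + timedelta(days=2, hours=1, minutes=8),
          frozenset({"user:jchen", "host:jchen-ws", "actor:scattered_spider"})),
]


def link_events(events, window_hours=72.0):
    """Link events that share an entity tag within the time window.

    Returns (edges, components): edges are (id_a, id_b, shared_entity)
    triples; components are sorted lists of event ids built by union-find.
    """
    window = timedelta(hours=window_hours)
    by_entity = defaultdict(list)          # entity tag -> events carrying it
    for ev in events:
        for ent in ev.entities:
            by_entity[ent].append(ev)

    parent = {ev.id: ev.id for ev in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    edges = []
    for ent, evs in by_entity.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if abs(a.ts - b.ts) <= window:
                    edges.append((a.id, b.id, ent))
                    parent[find(a.id)] = find(b.id)

    groups = defaultdict(list)
    for ev in events:
        groups[find(ev.id)].append(ev.id)
    return edges, sorted(sorted(g) for g in groups.values())


def siloed_view(events):
    """Per-team triage: each team correlates only its own events."""
    by_team = defaultdict(list)
    for ev in events:
        by_team[ev.team].append(ev)
    return {team: {"events": len(evs), "links": len(link_events(evs)[0])}
            for team, evs in by_team.items()}


def campaign_summary(events, window_hours=72.0):
    """Describe the largest connected component as a candidate campaign."""
    edges, comps = link_events(events, window_hours)
    largest = max(comps, key=len)
    members = [ev for ev in events if ev.id in largest]
    pivots = {ent for a, b, ent in edges if a in largest and b in largest}
    span = max(ev.ts for ev in members) - min(ev.ts for ev in members)
    return {
        "events_linked": len(largest),
        "teams": sorted({ev.team for ev in members}),
        "pivot_entities": sorted(pivots),
        "span_hours": round(span.total_seconds() / 3600, 1),
    }


if __name__ == "__main__":
    print("siloed:", siloed_view(EVENTS))
    print("linked:", campaign_summary(EVENTS))
```

Run per team, `siloed_view` reports one event and zero links for every team, which is the state the cards describe; run across teams, the five events collapse into a single component pivoting on user:jchen, target:helpdesk and the advisory's actor and TTP tags. The window matters: at 24 hours the advisory and the VPN anomaly drop out and only the phish, the MFA reset and the PowerShell execution stay linked, so a window that is too short reproduces the siloed failure with better tooling.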
5 Events Linked — 92% Campaign Confidence — 7 Artifacts Generated — 3 min Time to Close Loop
1. Siloed
2. Connected
3. Governed
KTLYST Output — 0 Sources — 0 Gates Passed — 0 Artifacts
Current State
No Cross-Team Intelligence
Each team sees only its own event.
No system connects the dots.
The campaign continues.
What Each Team Knows
CTI
"We forwarded the advisory. Not sure if anyone read it."
SOC
"VPN anomaly — closed as false positive. User said it wasn't them."
Email Sec
"Blocked the phishing domain. Filed the ticket."
IAM
"MFA reset completed per SLA. No anomaly flagged."
Endpoint
"PowerShell alert. Escalated to IR. Waiting on triage."