Finding Patient Zero With Security Analytics
Most detection stacks confirm compromise after the fact. Learn how prevalence analysis and correlation surface the earliest foothold before feeds catch up.

The Patient Zero Problem
SIEM economics force security teams to drop the very telemetry that would reveal patient zero. Ingestion is priced by volume, so every additional source is a budget decision, and the low-volume, high-fidelity signals that betray early-stage compromise are usually the first cut. Attackers exploit exactly the gaps that economics create. Patient zero is not hidden by attackers. It is hidden by architecture.
That earliest foothold is the first compromised identity, endpoint, workload, or application session in your environment. It is where defenders have the least context and the most opportunity to contain a breach. When Scattered Spider compromised MGM Resorts in 2023, the entry point was a single help-desk social engineering call that pivoted into identity-based lateral movement across the gaming and hotel environment within hours. The same arc recurs across publicly disclosed incidents: one undetected session, then credential access, then exfiltration. Contain at patient zero and you investigate one event. Miss it and you give the attack time to develop.
Common Bottlenecks and Challenges
The structural problem is not tooling: it is the economics of ingesting and processing security data.
Data ingestion costs
SIEM pricing scales with volume, which forces a recurring tradeoff. A single high-volume source, such as network flow data or DNS telemetry, can cost multiples of endpoint log ingestion, making it easy to justify cutting. Security teams reduce coverage to control costs, and the low-volume behavioral signals most likely to reveal early-stage compromise are usually the first to go. The coverage gaps are predictable. Attackers plan for them.
Processing limits
Deep analysis requires enrichment against threat intelligence feeds, external reputation APIs, and cross-environment baseline data. At scale, that enrichment pipeline is expensive to run on every event, so security teams sample, strip, or defer it. The result is findings that arrive without the context needed to make a fast triage decision. Analysts spend investigation time reconstructing context that should have been attached to the finding at detection time.
Detection maintenance
Security teams using detection-as-code write rules in one query language and then translate them to run in each additional platform: Sigma to KQL for Microsoft Sentinel, to SPL for Splunk, to YARA-L for Chronicle. Each translation introduces drift. When a vendor updates log schemas, rules that passed CI/CD workflows (the build and deploy automation that ships rule changes to production) silently stop matching. Engineering time that should go toward building new detections goes toward keeping existing ones from breaking.
Threat Detection Outside the SIEM
Even with unlimited budget, feed-based detection cannot solve patient zero. Each campaign stands up new infrastructure (fresh domains, IP space, TLS fingerprints) deployed days or hours before use. Threat intelligence cannot match indicators that have never existed before, so signature-based detection is inherently reactive. The first defender to see a new attacker domain is on their own. What identifies it as suspicious is not what it is. It is the fact that no one else has ever resolved it.
Cross-tenant prevalence is the primary mechanism AlphaSOC uses to find patient zero. By measuring how rare a destination, identity, or pattern is across the full population of customer environments, the platform flags the first appearance of attacker infrastructure before any feed has cataloged it. The other five scoring dimensions filter, confirm, and contextualize that signal, but rarity is what makes a previously unknown indicator visible at all.
AlphaSOC operates outside the SIEM as a dedicated detection layer. It ingests telemetry from cloud, application, network, and endpoint sources, processes all of it without volume-based pricing, and runs it through a patented scoring stack before producing OCSF (the Open Cybersecurity Schema Framework, a common event schema that lets detections work consistently across tools) detection findings for triage.
The practical effect is that detection runs with full visibility. No source is excluded because ingestion is too expensive. Enrichment runs against threat intelligence from 70+ sources, including threat feeds, commercial partners, and AlphaSOC's own network scanning infrastructure, maintaining 1M+ live, curated indicators. Only OCSF findings that have triggered prevalence scoring and behavioral analysis are sent to downstream systems.
Collect
Load your cloud, application, network, and endpoint logs.
Normalize
We map all data fields to OCSF for consistent analysis.
Enrich
We add threat intelligence and prevalence data.
Detect
Harness custom Sigma and managed AlphaSOC rules.
Alert
Escalate OCSF detection findings to your team.
The Detect stage combines custom Sigma rules (an open detection rule format that runs across analytics platforms without vendor-specific translation) with managed AlphaSOC detections aligned to MITRE ATT&CK (the open catalog of attacker tactics, techniques, and procedures observed in the wild).
Reveal Unknown Threats
A teenager working from a hotel room in England breached Uber, Okta, Microsoft, and NVIDIA over the course of 2022. No zero-days. No novel exploits. Every campaign started with credentials acquired elsewhere, and at Uber LAPSUS$ bombarded a contractor with MFA prompts until one was accepted out of fatigue. The session pivoted into the internal Slack workspace, secrets vault, and cloud control plane within hours. One compromised identity was the entire foothold.
Patient zero rarely announces itself. The earliest compromise is usually indistinguishable from normal activity until enough evidence accumulates. These are the patterns AlphaSOC surfaces before that threshold is reached.
Spear phishing infrastructure
Threat actors register lookalike domains to support social engineering campaigns. AlphaSOC monitors Certificate Transparency logs (public records of every TLS certificate issued, useful for catching lookalike domains as soon as they are stood up) and network telemetry to identify lookalike domains and malicious traffic patterns at the point of first contact, before a user clicks.
Malicious user behavior
Armed with a valid identity or session, an adversary can exfiltrate data from applications including Slack, GitHub, Salesforce, and 1Password. The 2024 Shiny Hunters campaign against Snowflake customer tenants followed exactly this pattern: valid credentials acquired elsewhere, unusual application-layer access, and bulk extraction that no malware signature would catch. AlphaSOC processes application logs to surface unusual data access across both external attackers and insider threats.
Lateral movement
Once inside, threat actors seek to access credentials, bypass EDR tools, map internal networks, and install RMM tools. Community Sigma rules for Windows, macOS, and Linux surface these tactics within endpoint telemetry without requiring rule translation.
Covert network activity
Attackers evade signature-based detection using DNS tunneling (encoding payloads in DNS queries to exfiltrate data over a port that almost no firewall blocks), ICMP tunneling (smuggling data inside ping packets), RMM tools, DNS-over-HTTPS (DNS resolution wrapped in encrypted HTTPS so it bypasses DNS-layer inspection), and anonymizing protocols. AlphaSOC identifies unusual traffic patterns to low-prevalence destinations to uncover compromised endpoints and cloud workloads.
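One way to surface the DNS tunneling pattern described above from raw query logs, as an added example that is not AlphaSOC's code: it assumes a two-column log of client and queried name (constructed inline) and flags registered domains that receive many distinct, long, high-entropy leftmost labels, which is the footprint of payload chunks being encoded into query names.

```python
import math
from collections import defaultdict

# Constructed DNS query log (client, queried name); not real traffic.
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.9 4f3a9c1e7b2d8e0f.tun.example.net
10.0.0.9 9b8e7d6c5a4f3e2d.tun.example.net
10.0.0.9 a1c2e3b4d5f60718.tun.example.net
10.0.0.9 0f1e2d3c4b5a6978.tun.example.net
10.0.0.9 7e6d5c4b3a291807.tun.example.net
10.0.0.9 2b3c4d5e6f708192.tun.example.net
"""

def registered_domain(qname):
    # Naive: last two labels. A production pipeline would use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def shannon_entropy(label):
    # Bits per character; encoded payload chunks score higher than words like "mail"
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def tunnel_candidates(log_text, min_unique=5, min_label_len=12, min_entropy=3.0):
    # Flag registered domains whose leftmost labels look like data rather than hostnames:
    # many distinct names, each long and high-entropy (thresholds are assumptions)
    names_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        _client, qname = line.split()
        names_by_domain[registered_domain(qname)].add(qname)
    flagged = {}
    for domain, names in names_by_domain.items():
        labels = [n.split(".")[0] for n in names]
        payload_like = [l for l in labels
                        if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(payload_like) >= min_unique:
            flagged[domain] = len(payload_like)
    return flagged
```

On the constructed log, example.com stays clean while example.net is flagged with six payload-like labels; the same per-domain counts feed naturally into the low-prevalence scoring the page describes next.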
Six Dimensions of Scoring
Prevalence becomes a high-confidence signal at scale. If a domain, IP, or traffic pattern appears in one customer environment and nowhere else across AlphaSOC's customer base, it is not just unusual. It is likely attacker-controlled infrastructure. A single observation isolated across thousands of environments warrants immediate scrutiny, regardless of whether that indicator has any threat intelligence match.
AlphaSOC evaluates every event across six scoring dimensions.
No single signal is conclusive on its own. The scoring stack combines them. A destination with zero cross-tenant prevalence, a periodic beaconing pattern (a compromised host calling back to attacker infrastructure on a regular interval), and fingerprinting results consistent with C2 behavior (command-and-control traffic from the attacker-operated infrastructure that issues instructions to compromised hosts) produces a high-confidence OCSF detection finding before any threat intelligence feed has caught up.
That is the concrete mechanism: an endpoint resolves a domain no other environment has touched, the connection fires at regular intervals, and active probing confirms the destination is behaving like C2 infrastructure. Three weak signals become one actionable finding.
A natural objection is that low cross-tenant prevalence will flag every internal custom tool, every new vendor, and every legitimate rare destination. It would, if rarity were the only input. A new internal application shows low prevalence but no active fingerprinting match for C2, no periodic beaconing, and clean reputation. A first-touch business application scores rare but resolves cleanly under the other five scoring dimensions. The stack produces an OCSF detection finding only when multiple dimensions agree, which is what filters benign rarity out of the analyst queue.
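The correlation logic described in the last three paragraphs, as an added example that is not AlphaSOC's implementation: three of the dimensions (cross-tenant prevalence, periodic beaconing, and a C2 fingerprint match) are computed over constructed telemetry from three tenants, and a finding is emitted only when at least two dimensions agree, so the rare-but-irregular internal tool drops out while the rare, beaconing, C2-like destination does not. The tenant names, destinations, fingerprint set, and thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry, not real data: (tenant, host, destination, seconds).
EVENTS = [
    # ws-17 in tenant "acme" calls a domain no other tenant resolves, every ~60 s
    ("acme", "ws-17", "cdn-update-sync.example", 0),
    ("acme", "ws-17", "cdn-update-sync.example", 61),
    ("acme", "ws-17", "cdn-update-sync.example", 120),
    ("acme", "ws-17", "cdn-update-sync.example", 181),
    # ws-03 uses a new internal tool: just as rare, but irregular, human-driven access
    ("acme", "ws-03", "inventory.internal.example", 15),
    ("acme", "ws-03", "inventory.internal.example", 700),
    ("acme", "ws-03", "inventory.internal.example", 4100),
    ("acme", "ws-03", "inventory.internal.example", 9000),
    # a SaaS destination seen in more than one tenant
    ("acme", "ws-03", "saas.example", 10),
    ("globex", "pc-1", "saas.example", 20),
]
FINGERPRINT_C2 = {"cdn-update-sync.example"}  # constructed stand-in for active probing results

def tenant_prevalence(events):
    # Number of distinct tenants that touched each destination
    seen = defaultdict(set)
    for tenant, _, dest, _ in events:
        seen[dest].add(tenant)
    return {dest: len(tenants) for dest, tenants in seen.items()}

def is_beaconing(timestamps, min_samples=4, max_cv=0.1):
    # Periodic callback: inter-arrival gaps have a low coefficient of variation
    ts = sorted(timestamps)
    if len(ts) < min_samples:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv

def score(events, fingerprint_c2, min_agreeing=2):
    # Emit a finding only when at least min_agreeing dimensions agree on one (host, destination)
    prevalence = tenant_prevalence(events)
    by_pair = defaultdict(list)
    for tenant, host, dest, ts in events:
        by_pair[(tenant, host, dest)].append(ts)
    findings = {}
    for (tenant, host, dest), ts in by_pair.items():
        signals = {"rare": prevalence[dest] == 1, "beacon": is_beaconing(ts),
                   "c2_fingerprint": dest in fingerprint_c2}
        agreeing = [name for name, hit in signals.items() if hit]
        if len(agreeing) >= min_agreeing:
            findings[(tenant, host, dest)] = agreeing
    return findings
```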
Security teams using Sigma for detection-as-code can deploy custom rules directly against this pipeline without translating them to other query languages. The Sigma community repository contains thousands of rules for Windows, macOS, Linux, cloud platforms, and applications, all deployable via standard version control and CI/CD workflows.
Coverage, Speed, and Confidence
Shifting detection outside the SIEM changes three operational outcomes.
Full telemetry coverage
Sources previously excluded from the SIEM because of cost are now part of the detection surface. Cloud application logs, high-volume network telemetry, and identity events are processed and scored rather than left unanalyzed. Compromised identities, suspicious egress patterns, and anomalous application behavior become visible.
Speed to detection
Analysts see findings at first contact rather than after the attacker has had time to establish persistence. Cross-tenant prevalence flags infrastructure the moment it touches an environment, even when no prior intelligence exists.
Investigation confidence
High-confidence findings reduce investigation load. When an OCSF detection finding arrives enriched with prevalence data, behavioral signals, and threat intelligence correlation, the analyst has the context to reach a decision faster. Fewer findings require extended investigation to reach a verdict.
Conclusion
Patient zero is rarely identified with certainty in real time. What analytics surfaces is a likely patient zero: the earliest event in a session or campaign that carries enough behavioral and contextual signals to warrant immediate investigation. That is not the same as confirmed ground truth, but it is operationally sufficient. Acting on a likely patient zero early enough prevents the events that would have eventually confirmed it.
The question is not whether your detection stack identifies known threats. That is the baseline. The harder question is whether it identifies the first step of an attack that no one has seen before, at the moment it happens, before the attacker has time to move.
Prevalence analysis and behavioral correlation are the mechanism. The architecture has to enable them.
Ready to detect patient zero? Book a demo or start a free, unrestricted 30-day evaluation.