
Introducing Run to Ground: Welcome to Post-scarcity Detection Engineering

Security teams often find themselves in a reactive mode, responding to alerts and hoping their tools have caught everything. But what if we could move beyond hope and reaction? What if you could have an intelligence, hunt, and forensic assessment to back up every alert that your existing defenses generate? What if we could uncover the entire narrative of an attack, capturing the artifacts of activity that even the most advanced tools could easily miss?

The Problem: Evasive Malware and the Limits of Point-in-Time Security

Traditional security products, even the most advanced Endpoint Detection and Response (EDR) platforms, operate on a point-in-time basis. They identify and respond to threats based on the data available at the moment. While effective to an extent, this approach leaves gaps. Malicious actors bypass these defenses, creating variants and using techniques that slip through the cracks. The result? Security teams often end up with an incomplete picture, reacting to alerts without understanding the full scope of an intrusion.

Introducing RTG: Run To Ground

Run To Ground (RTG) is Stairwell’s newest capability designed to address these gaps. RTG leverages our comprehensive tech stack, including Recursive Variant Discovery (RVD) and File Timeline Technology, to provide a holistic view of potential threats.

Recursive Variant Discovery

Recursive Variant Discovery (RVD) analyzes every variant of a given file, including variants of variants, recursively. This means RTG doesn’t just stop at direct variants; it digs deeper, uncovering related variants in our extensive malware corpus, spanning several years and nearly a billion files. By tracing these connections, RVD builds a comprehensive list of all related files, providing a high degree of certainty in identifying threats.

File Timeline Technology

Our File Timeline Technology maintains a comprehensive inventory of what files were seen where and when. This operationalized data at scale allows us to definitively prove the presence or absence of files within an environment over time. By knowing the exact timeline and location of file occurrences, security teams can gain a forensic-quality understanding of the impact a threat or alert poses.

How RTG Works

RTG operates by running the hash of a file of concern through Recursive Variant Discovery, analyzing the file’s content and structure and tracing its lineage. This process, combined with File Timeline Technology, provides security teams with a uniquely comprehensive view and impact assessment. Once all variants of concern (VOC) are identified, RTG checks the customer’s environment for any instance of a VOC or of the original file. It then performs a prevalence-based file timeline analysis, creating a forensic-quality record that highlights low-prevalence files seen around the time the VOC appeared. This reduces noise by filtering out common files and accelerates analysis of activity that occurred days, months, or even years in the past.
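To make the three steps concrete, here is an added toy model of that workflow in Python. It is not Stairwell’s code or algorithm: the string-overlap similarity measure stands in for RVD’s content analysis, and every file, hash, host and timestamp is constructed. The inventory is shaped like the chain described in the real-world example below (a script, a dropper and a payload on two hosts, with different builds on each), and it includes a third dropper build that is only reachable as a variant of a variant.

```python
"""Toy model of the RTG workflow: recursive variant discovery over a corpus,
then a prevalence-filtered file timeline around each sighting of a variant.
Constructed data throughout; token-overlap similarity is an assumed stand-in
for RVD's content and structure analysis."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Sighting:
    host: str
    path: str
    sha256: str
    first_seen: datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed corpus: each "file" is a bag of strings, as a strings(1) pass would
# extract. dropper_c is close to dropper_b but not to dropper_a, so it can only
# be found as a variant of a variant.
CORPUS = {
    "svchost":   b"MZ svchost ServiceMain StartServiceCtrlDispatcherW",
    "updater":   b"MZ updater CheckForUpdates BITS vendor_sig",
    "stage_a":   b"echo off stage_template start d.exe",
    "stage_b":   b"echo off stage_template start d2.exe",
    "dropper_a": b"MZ LoadLibraryA GetProcAddress VirtualAlloc stub_alpha xorkey_11 evasion_A",
    "dropper_b": b"MZ LoadLibraryA GetProcAddress VirtualAlloc stub_alpha xorkey_11 evasion_B",
    "dropper_c": b"MZ VirtualAlloc stub_alpha xorkey_11 evasion_B packer_z sect_0 sect_1",
    "payload_a": b"MZ WinHttpOpen beacon_loop sleep_jitter cfg_1",
    "payload_b": b"MZ WinHttpOpen beacon_loop sleep_jitter cfg_2",
}
HASHES = {name: sha256(data) for name, data in CORPUS.items()}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the two files' string sets (assumed similarity measure)."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0


def recursive_variants(seed_hash: str, corpus: dict, threshold: float = 0.5) -> set:
    """Breadth-first closure: files similar to the seed, then files similar to
    those, until nothing new clears the threshold. Returns a set of hashes."""
    by_hash = {sha256(d): d for d in corpus.values()}
    found, queue = {seed_hash}, deque([seed_hash])
    while queue:
        current = by_hash[queue.popleft()]
        for h, data in by_hash.items():
            if h not in found and similarity(current, data) >= threshold:
                found.add(h)
                queue.append(h)
    return found


def prevalence(inventory: list) -> dict:
    """Hash -> number of distinct hosts the file has ever been seen on."""
    hosts = {}
    for s in inventory:
        hosts.setdefault(s.sha256, set()).add(s.host)
    return {h: len(v) for h, v in hosts.items()}


def run_to_ground(seed_hash, corpus, inventory, window_s=60, max_prevalence=1):
    """Step 1: VOC set. Step 2: sightings of any VOC in the environment.
    Step 3: per affected host, low-prevalence files seen within the window."""
    vocs = recursive_variants(seed_hash, corpus)
    hits = [s for s in inventory if s.sha256 in vocs]
    prev = prevalence(inventory)
    window = timedelta(seconds=window_s)
    timeline = {}
    for hit in hits:
        nearby = {s for s in inventory
                  if s.host == hit.host
                  and abs(s.first_seen - hit.first_seen) <= window
                  and prev[s.sha256] <= max_prevalence}
        timeline.setdefault(hit.host, set()).update(nearby)
    timeline = {h: sorted(v, key=lambda s: s.first_seen) for h, v in timeline.items()}
    return {"vocs": vocs, "hits": hits, "timeline": timeline}


# Constructed inventory: three workstations, two of them carrying the chain.
T0 = datetime(2024, 5, 1, 9, 0, 0)
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"


def _s(host, path, name, offset_s):
    return Sighting(host, path, HASHES[name], T0 + timedelta(seconds=offset_s))


INVENTORY = [
    _s("WS-01", "C:\\Windows\\System32\\svchost.exe", "svchost", -86400),
    _s("WS-02", "C:\\Windows\\System32\\svchost.exe", "svchost", -86400),
    _s("WS-03", "C:\\Windows\\System32\\svchost.exe", "svchost", -86400),
    _s("WS-01", "C:\\Program Files\\Vendor\\updater.exe", "updater", 5),
    _s("WS-02", "C:\\Program Files\\Vendor\\updater.exe", "updater", 603),
    _s("WS-03", "C:\\Program Files\\Vendor\\updater.exe", "updater", 5),
    _s("WS-01", TMP + "stage.cmd", "stage_a", -3),     # script, no alert
    _s("WS-01", TMP + "d.exe", "dropper_a", 0),        # the file the EDR flagged
    _s("WS-01", TMP + "payload.exe", "payload_a", 1),  # one second later
    _s("WS-02", TMP + "stage2.cmd", "stage_b", 597),   # second host, no alert
    _s("WS-02", TMP + "d2.exe", "dropper_b", 600),
    _s("WS-02", TMP + "payload.exe", "payload_b", 601),
]

if __name__ == "__main__":
    result = run_to_ground(HASHES["dropper_a"], CORPUS, INVENTORY)
    print("variants of concern:", len(result["vocs"]))
    for host, rows in result["timeline"].items():
        print(host)
        for s in rows:
            print(f"  {s.first_seen:%H:%M:%S}  {s.path}  {s.sha256[:12]}")
```

Seeding with the hash the EDR flagged pulls in both other dropper builds, the environment check surfaces the second workstation that never alerted, and the prevalence filter keeps the vendor updater (seen on every host in the same window) out of the timeline while the one-off script and payload on each host stay in it.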


A Real-World Example: EDR + Stairwell at Work

Consider a recent case with one of our customers. They received an alert from their top-tier EDR platform. EDR identified a malicious file on a user’s computer. Typically, this would be the end of the process: the alert would be sent to a Security Orchestration, Automation, and Response (SOAR) system for remediation. But this customer was an early beta tester of Stairwell’s RTG.

Instead of stopping there, they took the hash of the detected file and ran it through RTG.

RTG revealed that the identified malicious file was just the tip of the iceberg. Almost immediately after this file appeared on the system, a variant also appeared—a variant that the EDR had missed. Our Recursive Variant Discovery and File Timeline Technology had caught this follow-on threat, appearing just one second after the initial file.

But the story didn’t end there. By preserving all executable files, RTG showed that before the EDR-detected file was on the machine, a batch script had been executed. This script was responsible for downloading and executing the malicious file. Once again, the EDR had failed to flag this script as malicious.

In seconds, the security team had reconstructed the entire timeline of the intrusion: from the initial download to the execution of the dropper and finally to the long-term payload. And this was all based on first-hand data, not just observed behavior.

RTG didn’t stop at identifying the immediate threats. It also highlighted another asset implicated in the attack—an asset that had received no alerts from the EDR. On this second asset, the same pattern emerged: a CMD script, a dropper, and a payload, all with different hashes but similar content and filenames. This validation underscored the importance of variant discovery over simple hash matching, allowing the security team to reconstruct events with unparalleled accuracy.

The reason the EDR missed this second machine’s infection was that the attackers had distributed different builds of their malware, each with distinct evasion techniques. While one build was caught, the other successfully evaded detection. However, Stairwell saw both because you can’t hide what you actually are.

The Unprecedented Value of RTG

Typically, this level of incident response and analysis would require high-cost consultants, with engagements running into hundreds of thousands, if not millions, of dollars. Such comprehensive analysis is often reserved for rare and catastrophic incidents. But at Stairwell, we believe in the value of this approach for every security event, no matter how small.

We bring this level of analysis to every security professional, from the IT guy wearing multiple hats to the dedicated full-time threat hunter. With just a click, they can apply this rigorous analysis to every alert in their SIEM, gaining full visibility of the entire history of a threat in their environment within seconds. Hundreds, even thousands of times per day.

Welcome to post-scarcity detection engineering.

The Questions You Didn’t Think to Ask

Many security teams don’t ask themselves critical questions: “When did my tools gain the ability to catch this threat? Was the threat present before this? If so, for how long?” These questions often remain unasked because the answers seem unknowable or economically infeasible to obtain. However, these questions are vital for understanding the full impact of a threat and ensuring comprehensive protection.

We want security professionals to start asking these questions: “At what point was I protected? Was I affected before that point? Did it find everything?” With RTG, we answer these questions with certainty, providing not an absence of evidence, but evidence of absence.

Conclusion

With RTG, we’re not just reacting to threats—we’re anticipating and dismantling them, piece by piece. This level of visibility and insight is unprecedented, turning what used to be a complex, costly, and time-consuming incident response engagement into a seamless, efficient process that can be applied to every alert, every day. Click. Done. That’s threat hunting, alert triage, and forensics with RTG.
