Patience brings prey: lessons learned from a year of threat hunting in the cloud

No ratings

Presented at fwd:cloudsec North America 2025 by

Greg Foss

Anthony Randazzo

Although AWS has been around for over 15 years, cloud threat hunting remains a relatively nascent discipline. While opportunistic threats like cryptocurrency mining are well-known, large-scale, cascading attacks targeting cloud-native infrastructure are less frequently discussed. Over the past 18 months, we’ve significantly expanded our cloud threat hunting operations using vendor-agnostic strategies to better understand these emerging threats. This talk will outline our unique approach, which combines hypothesis-driven investigations, TTP-based hunts, and anomaly detection to proactively uncover threats at scale. We’ll also highlight our experiments with broader, cross-functional hunt operations that extend beyond our core team. Attendees will gain insights from our large-scale cloud attack surface analysis and walk away with a deeper understanding of the evolving cloud-native threat landscape.