Cyber Threat Hunting · a WELAN service

The threat always
leaves a trace.

HUNTRY actively hunts indicators of compromise directly on your systems — instead of waiting for an alert to fire.

// active search · monitored perimeter · 24/7

  • live markers — continuously enriched & pruned
  • 24/7 active search across the monitored perimeter
  • 4 in-house indicator sources
  • aligned with ANSSI frameworks
Threat Hunting

Hunt for compromise,
don't wait for it.

Traditional mechanisms (EDR, SOC, IDS) react to alerts generated by static rules. Threat hunting takes a dynamic, targeted approach: searching for the traces — the artifacts — left behind by attackers.

// Classic monitoring                        » HUNTRY · Active hunting
Waiting for the signal                       Verifying on the system itself
Dependent on known signatures                Proactive, continuous and targeted search
High alert volume & false positives          Novel in-house indicators & correlated OSINT
Blind to threats without an existing rule    Reveals what static rules miss
The problem

The SOC model
no longer suffices.

Overwhelmed by alerts generated by static rules, operations centres miss what matters. HUNTRY doesn't replace the SOC — it closes its blind spot.

Key figures (sector ballpark — to be confirmed):
  • security alerts received on average per day in a SOC
  • share of alerts never investigated, for lack of time
  • average time (days) before a compromise is detected

Traditional model · SOC (passive detection · alert-driven)
  alerts received · not investigated · threats drowned out
  // The signal is lost in the noise: static rules, false positives, analyst fatigue.

VS

HUNTRY · Active hunting (active search · verified on the system)
  hosts verified · markers confirmed · 0 false positives
  » Every detection is factual: a marker present, on an identified machine.
Architecture

A gateway
deployed at your site.

HUNTRY deploys a gateway inside your perimeter: it searches for markers directly on your systems, then talks to the HUNTRY platform over an encrypted VPN tunnel. Your systems are never exposed — an architecture aligned with ANSSI frameworks.

  • 01 · Client side — the gateway lives in your network, as close as possible to your systems.
  • 02 · Encrypted VPN tunnel — the only link to the HUNTRY platform, controlled and one-way.
  • 03 · HUNTRY side — detection engine and IoC database, isolated from your systems.

[Diagram: client side, at your site: your systems ← active search on your systems ← gateway · encrypted VPN · HUNTRY side: detection engine, IoC database]
The indicator factory

From collection to the hunt,
continuously.

Every marker follows the same path: collected from multiple sources, sorted then pruned, consolidated in our database, and checked in real time against your monitored systems.

[Diagram: Collection → Processing → IoC database → Internal monitoring. Collection: honeypots (decoys, TTPs), attack surface (scans, vulnerabilities), OSINT (dark web, feeds), threat intelligence (intelligence, incidents). Processing: triage & filtering (purge, deduplication). IoC database: ≈ 2.1 M live, scalable. Internal monitoring: client A, active search; client B, active search.]

Live counters: new markers (24 h) · markers pruned (24 h) · active searches (session) · confirmed alerts
Indicator feed · MISP format · live: type → value → source → IDS
Indicators of compromise

A marker
never lies.

A technical trace left by an intrusion. HUNTRY verifies its presence where it counts — directly on the machine.

sample · IoC database · MISP format

 #   type                 value                                              category
 01  sha256               275a021bbfb6489e…aabf651fd0f                       Payload delivery
 02  sha256               ed01ebfbc9eb5bbe…babe8e080e41aa                    Payload delivery
 03  domain               iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com    Network activity
 04  url                  hxxp://www[.]eicar[.]org/download/eicar.com        Payload delivery
 05  regkey               HKLM\SOFTWARE\WanaCrypt0r\wd                       Persistence
 06  mutex                Global\MsWinZonesCacheCounterMutexA0               Artifacts dropped
 07  filename             @WanaDecryptor@.exe                                Payload delivery
 08  ja3-fingerprint-md5  e7d705a3286e19ea42f587b344ee6865                   Network activity
 09  yara                 Ransom_WannaCry                                    External analysis
 10  user-agent           Mozilla/5.0 (Windows NT 10.0; Win64; x64)          Network activity
 11  vulnerability        CVE-2017-0144                                      External analysis
 12  vulnerability        CVE-2024-3400                                      External analysis
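As an added illustration (not HUNTRY's or WELAN's code), the Python below parses a constructed feed in the column order the page shows (type → value → source → IDS), refangs defanged values, honours the IDS flag so that context-only entries such as a CVE never raise an alert, and verifies sha256 and filename markers directly on a staged directory. The feed lines, the payload bytes and the temporary directory are all constructed for the demo.

```python
import hashlib
import os
import tempfile

PAYLOAD = b"constructed-demo-bytes-not-malware"  # constructed; the sha256 IoC is derived from it
# Constructed feed in the page's column order (type, value, source, IDS flag), tab-separated,
# with values defanged the way MISP exports commonly are (hxxp, [.]).
SAMPLE_FEED = (
    "sha256\t" + hashlib.sha256(PAYLOAD).hexdigest() + "\tin-house sandbox\t1\n"
    "filename\t@WanaDecryptor@.exe\tin-house sandbox\t1\n"
    "url\thxxp://www[.]eicar[.]org/download/eicar.com\tOSINT\t1\n"
    "vulnerability\tCVE-2017-0144\texternal analysis\t0\n"
)

def refang(value):
    """Turn a defanged value back into its operational form for matching."""
    return value.replace("hxxp://", "http://").replace("[.]", ".")

def parse_feed(text):
    """Parse 'type<TAB>value<TAB>source<TAB>ids' lines into indicator dicts."""
    iocs = []
    for line in text.splitlines():
        ioc_type, value, source, ids = line.split("\t")
        iocs.append({"type": ioc_type, "value": refang(value),
                     "source": source, "to_ids": ids == "1"})
    return iocs

def hunt_files(iocs, root):
    """Verify sha256 and filename indicators directly against files under root."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[path] = hashlib.sha256(fh.read()).hexdigest()
    hits = []
    for ioc in iocs:
        if not ioc["to_ids"]:
            continue  # IDS flag off: context only (e.g. a CVE), never an alert on its own
        for path, digest in hashes.items():
            if (ioc["type"] == "sha256" and digest == ioc["value"]) or \
               (ioc["type"] == "filename" and os.path.basename(path) == ioc["value"]):
                hits.append((ioc["type"], ioc["value"], path))
    return hits

def run_demo():
    # Stage a constructed host directory holding the marker file, then hunt it.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "@WanaDecryptor@.exe"), "wb") as fh:
            fh.write(PAYLOAD)
        return hunt_files(parse_feed(SAMPLE_FEED), root)
```

Network-type markers (url, domain, ja3) in the same feed would be checked against proxy or flow data rather than the file system; the IDS flag is what decides whether a match is alertable.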
Innovation

Detection that complements
mainstream tools.

HUNTRY's innovation rests on four pillars — from approach to architecture.

[Diagram: verified IoCs → HUNTRY → verified markers → EDR · SIEM · SOC]

Standalone, or integrated into your existing stack.

A · The approach: Active & continuous search

Monitoring built on searching directly for markers on systems — the ability to verify a presence, rather than infer it from a log stream.

B · The tools: Open source & reusable

HUNTRY relies on open-source tools not exclusively dedicated to hunting. A choice in favour of transparency, trust and reusability.

C · The method: Indicators produced in-house

Beyond external sources: honeypots, malware analysis in a sandbox, vulnerability intelligence and lessons from WELAN's incident-response engagements.

D · The architecture: An isolated enclave at your site

Designed to ANSSI frameworks, the architecture deploys an "enclave" on the client side — guaranteeing isolation, even if an incident hits HUNTRY's own infrastructure.

WELAN expertise

Detection proven
in the field.

HUNTRY draws on WELAN's expertise in threat detection, built over real-world engagements.

01 · SOC audits — assessing detection capabilities under real conditions.
02 · SIEM integration in-house, and industrialising collection.
03 · Detection strategies tailored to the monitored environments.

[ANSSI seal — Agence nationale de la sécurité des systèmes d'information]
ANSSI-qualified PDIS assessor (PDIS: Security Incident Detection Provider)

David Weber, president of WELAN, is a PDIS assessor qualified by ANSSI. This expertise — at the heart of the French state's detection frameworks — feeds directly into HUNTRY's methodology.

Ready to hunt?

Close the blind spot
in your detection.

See how HUNTRY continuously checks your perimeter against a living database of markers — and reveals what static rules let through.