Threat Hunting (Planned)
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This feature is planned for future release. If you are interested, please contact your account manager or support.
Takumi Runner plans to offer a threat hunting feature that proactively detects threats in CI/CD pipelines based on collected trace data.
What Is Threat Hunting
Threat hunting is an approach that proactively searches for potential threats by analyzing accumulated trace data, without relying on known signatures or rules.
Currently, users need to manually review trace data in the console to find suspicious behavior. With threat hunting, Takumi Runner will automatically and continuously analyze accumulated trace data to detect potential threats and notify users.
Expected Use Cases
Threat hunting is designed for scenarios such as:
- Detecting unknown supply chain attacks: Automatically detect network connections or process executions that deviate from the baseline of normal builds
- Early discovery of compromises: Capture signs of credential theft or unauthorized code injection via CI/CD pipelines at a granularity that is difficult to spot in standard build logs
- Continuous security monitoring: Run background analysis on all job executions and only alert on events that require action
Benefits
Threat hunting provides the following benefits:
- No specialized expertise required: Threats can be automatically detected without security engineers manually reviewing trace data
- Accuracy through baseline comparison: By learning normal behavior from past build history, false positives are reduced compared to simple rule-based detection
- No additional deployment cost: Since it leverages trace data already collected by Takumi Runner, no new agents or tools need to be installed
Caveats
The following caveats should be noted:
- Detection is not definitive: Threat hunting results are reports of "suspicious behavior"; the final judgment must be made by the user
- Baseline construction takes time: A sufficient period of build history accumulation is needed to accurately distinguish between normal and anomalous behavior
- Not all attacks can be detected: Sophisticated attacks that are indistinguishable from normal build processes may not be detected
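The baseline comparison described under Expected Use Cases and Benefits, together with the "baseline construction takes time" caveat, can be illustrated with a small added example. This is not Takumi Runner's code: the trace record format, the warm-up threshold and the "rare" fraction are all assumptions, and the sample traces are constructed.

```python
from collections import defaultdict

MIN_BASELINE_JOBS = 3   # assumed warm-up: fewer past jobs than this gives no verdicts
RARE_FRACTION = 0.5     # assumed: seen in under half of past jobs counts as "rare"

# Constructed sample trace records as (job_id, kind, value); the format is
# hypothetical and not Takumi Runner's own. "net" = outbound destination,
# "proc" = executed program.
PAST_TRACES = [
    ("build-1", "net", "registry.npmjs.org:443"), ("build-1", "net", "github.com:443"),
    ("build-1", "proc", "node"), ("build-1", "proc", "npm"),
    ("build-2", "net", "registry.npmjs.org:443"), ("build-2", "net", "github.com:443"),
    ("build-2", "net", "codecov.io:443"), ("build-2", "proc", "node"), ("build-2", "proc", "npm"),
    ("build-3", "net", "registry.npmjs.org:443"), ("build-3", "net", "github.com:443"),
    ("build-3", "proc", "node"), ("build-3", "proc", "npm"),
    ("build-4", "net", "registry.npmjs.org:443"), ("build-4", "net", "github.com:443"),
    ("build-4", "proc", "node"), ("build-4", "proc", "npm"),
]
# A later job whose trace holds one rare event and two never-seen events.
NEW_TRACE = [
    ("build-5", "net", "registry.npmjs.org:443"), ("build-5", "net", "github.com:443"),
    ("build-5", "net", "codecov.io:443"), ("build-5", "net", "203.0.113.5:4444"),
    ("build-5", "proc", "node"), ("build-5", "proc", "npm"), ("build-5", "proc", "curl"),
]

def build_baseline(traces):
    """Return ({(kind, value): number of distinct jobs it appeared in}, job count)."""
    jobs_per_event = defaultdict(set)
    for job, kind, value in traces:
        jobs_per_event[(kind, value)].add(job)
    n_jobs = len({job for job, _, _ in traces})
    return {event: len(jobs) for event, jobs in jobs_per_event.items()}, n_jobs

def hunt(baseline, n_jobs, trace, min_jobs=MIN_BASELINE_JOBS, rare=RARE_FRACTION):
    """Score a new job's events against the baseline; None while the baseline is immature."""
    if n_jobs < min_jobs:
        return None  # too little history: report nothing rather than flood the user
    findings = []
    for job, kind, value in trace:
        support = baseline.get((kind, value), 0)
        if support == 0:
            findings.append((job, kind, value, "high", "never seen in baseline"))
        elif support / n_jobs < rare:
            findings.append((job, kind, value, "medium", f"seen in {support}/{n_jobs} past jobs"))
    return findings

if __name__ == "__main__":
    base, n = build_baseline(PAST_TRACES)
    for finding in hunt(base, n, NEW_TRACE):
        print(finding)
```

Every finding is still only "suspicious behavior": the rare codecov.io connection is legitimate here, so a user review step stays in the loop.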