Command Zero
Threat Hunting

Turn every analyst into an effective hunter.

Guided hypothesis workflows put senior-hunter logic in front of the whole team, so junior analysts run hunts that hold up to review.

The Problem

Hunting is locked behind query fluency and Tier-3 talent.

Proactive threat hunting is the most effective way to catch dormant threats before they execute. But the need for fluency in complex query languages, combined with a critical shortage of senior talent, means junior and mid-level analysts are excluded, hunting becomes a bottleneck, and the enterprise defaults to a reactive posture.

$140K+ average salary for a senior threat hunter

<2 yrs median tenure due to burnout

~30% of SOCs maintain effective hunting functions

How It Works

Guided hypothesis workflows for the entire team.

Shared investigation workspaces that mirror how senior hunters reason. The platform prompts the next question at each step, so the path of a hunt is visible to the whole team.

Step 01

Directed Hunting Question

Deploy a hunting hypothesis using natural language. No query syntax required.

Step 02

Federated Query Execution

The platform translates and executes queries across every connected data source simultaneously.

Step 03

Correlated Results

Results are mapped and correlated across the environment into a unified view.

Step 04

Guided Follow-Up

The platform prompts the next questions a senior architect would ask. Every hunt becomes a learning experience.

Step 05

Reusable Asset

Save the hunt as a repeatable asset. Anyone in the SOC can run it instantly.

Key Benefits

Senior-grade hunts, run by the rest of the team.

01

Instant Upskilling

Turn Tier-1 and Tier-2 staff into effective threat hunters. Guided workflows provide the follow-up questions a senior architect would ask.

02

Reusable Hunting Logic

Once a complex hunt is built, save and deploy it as a repeatable asset. Anyone in the SOC can run it instantly.

03

Force Multiplier

Free senior architects from writing queries for junior staff. Their expertise is encoded into the platform and scales across the entire team.

04

Proactive Security

Catch dormant or lingering threats before they execute, without waiting for an alert to trigger.

Spotlight Scenario

Zero-day response.

Before

A critical vulnerability is disclosed. Senior threat hunters spend hours crafting complex queries across Splunk, CrowdStrike, and AWS CloudTrail, each requiring unique syntax. Junior analysts sit idle.

Full assessment takes 48 hours.

After

A Tier-2 analyst deploys a directed hunting question in Command Zero. The platform executes federated queries across every connected data source, returns correlated results, and prompts: "Do any of these servers have outbound connections to known C2 infrastructure?"

Enterprise-wide hunt completed in minutes.

Hunt Coverage

Go beyond standard SIEM search bars.

Living off the Land

Hunt for unauthorized use of native administrative tools, like marketing users executing encoded PowerShell scripts.

Supply Chain Compromise

Query the environment for anomalous outbound connections from approved third-party vendor applications.

SaaS Application Misuse

Search for indicators like auto-forwarding rules to external domains to identify inbox compromise.

Legacy Auth Bypass

Monitor for BAV2ROPC user agents and other legacy authentication bypasses with saved, reusable hunts.

Guided investigative logic: Reusable hunting assets that encode senior expertise for the whole team, not just another SIEM search bar.
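Two of the hunts listed above reduce to concrete log indicators: inbox rules that forward mail to an external domain, and sign-ins carrying the BAV2ROPC user agent. The following is an added example, not Command Zero's code, that runs both checks over constructed sample events shaped like flattened Microsoft 365 unified audit log records; the field layout and the internal domain list are assumptions.

```python
"""Added example: the auto-forwarding and legacy-auth hunts from Hunt Coverage,
run over constructed sample events (not Command Zero code, not real tenant data)."""
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
# Exchange cmdlet parameters that redirect mail, and the operations that carry them.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")

# Constructed sample events in the shape of unified audit log records, with the
# sign-in user agent flattened to a top-level field for brevity (an assumption).
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "drop@attacker-mail.test"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "To assistant"},
                               {"Name": "ForwardTo", "Value": "bob@example.com"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "svc-scan@example.com",
                "ClientIP": "203.0.113.7", "UserAgent": "BAV2ROPC"}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.3", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"}),
]


def _params(event):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def external_forwarding_rules(lines, internal_domains=INTERNAL_DOMAINS):
    """Return (user, parameter, address) for each rule forwarding mail outside the tenant."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Operation") not in RULE_OPERATIONS:
            continue
        for name, value in _params(ev).items():
            if name not in FORWARDING_PARAMS:
                continue
            for addr in EMAIL_RE.findall(value):
                # Same-tenant forwarding (e.g. to an assistant) is not flagged.
                if addr.lower().rsplit("@", 1)[1] not in internal_domains:
                    hits.append((ev["UserId"], name, addr.lower()))
    return hits


def legacy_auth_signins(lines, marker="BAV2ROPC"):
    """Return (user, ip, user_agent) for sign-ins whose user agent carries the legacy-auth marker."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        ua = ev.get("UserAgent", "")
        if marker.lower() in ua.lower():  # case-insensitive match
            hits.append((ev["UserId"], ev.get("ClientIP", ""), ua))
    return hits


if __name__ == "__main__":
    for hit in external_forwarding_rules(SAMPLE_EVENTS):
        print("external forwarding rule:", hit)
    for hit in legacy_auth_signins(SAMPLE_EVENTS):
        print("legacy auth sign-in:", hit)
```

Against real tenant data the same two functions would be fed the exported audit records and the organisation's actual accepted domains.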

Encoded Expertise

Questions are the unit of expertise.

Every investigation starts with a question. Command Zero ships with thousands. All built from real SOC workflows, mapped to your tools.

What site access requests were approved in Microsoft 365 SharePoint or OneDrive?
Understand and monitor approved SharePoint site access requests for identifying security risks and ensuring compliance with organizational policies.
SharePoint
What secure sharing links were created in Microsoft 365 SharePoint or OneDrive by this user?
The creation of secure sharing links by a specific user in Microsoft 365 SharePoint or OneDrive, to assess security risks and detect anomalies.
SharePoint
What files were copied by this user in Microsoft 365 SharePoint or OneDrive?
Investigate and identify files copied by a user in Microsoft 365 SharePoint or OneDrive for detecting unusual behavior or security breaches.
SharePoint
What users had full access delegate permissions for their mailbox removed in Microsoft 365 Exchange?
Understand the security implications of removing full access delegate permissions and identify the users affected by such changes.
M365 Exchange
What users had full access delegate permissions for their mailbox added in Microsoft 365 Exchange?
Which users had Full Access delegate permissions added to their mailboxes in Microsoft 365 Exchange, to determine if these additions were legitimate or indicative of a security issue.
M365 Exchange
What files were accessed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files accessed by a user in Microsoft 365 SharePoint or OneDrive to assess potential security risks and understand the user's or attacker's actions.
SharePoint
What secure sharing links were deleted in Microsoft 365 SharePoint or OneDrive by this user?
Which secure sharing links have been deleted by a specific user in Microsoft 365's SharePoint or OneDrive, to identify potential security breaches or unusual behavior.
SharePoint
What IP addresses accessed this Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific Microsoft 365 Exchange mailbox.
M365 Exchange
What Microsoft 365 SharePoint sites were visited by this user?
Investigate the SharePoint sites visited by a specific user to detect any unusual or unauthorized activity.
SharePoint
What resource access requests were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made by a user to access requests in SharePoint or OneDrive, which could reveal unauthorized or suspicious activities.
SharePoint
What groups were added in Microsoft Entra ID?
Gather information about newly added groups in Microsoft Entra ID to assess for any unusual or unauthorized changes.
Microsoft Entra ID
What groups were created by this user in Microsoft Entra ID?
The groups created by a specific user in Microsoft Entra ID to identify any potential security incidents.
Microsoft Entra ID
What files were downloaded from Microsoft 365 SharePoint or OneDrive by this user?
Understand the activity of a potentially compromised account by analyzing the files it downloaded.
SharePoint
What sign-in activity originated from this user in Microsoft Entra ID?
The sign-in activity associated with a specific user in Microsoft Entra ID for security analysis purposes.
Microsoft Entra ID
What transport forwarding rules were created or enabled in Microsoft 365 Exchange?
Investigate transport forwarding rules to uncover potential unauthorized activity and security breaches.
M365 Exchange
What transport forwarding rules were created or enabled by this user in Microsoft 365 Exchange?
The creation or enabling of transport forwarding rules by a user, which could indicate potential security issues.
M365 Exchange
What secure links were used to access this resource in Microsoft 365 SharePoint or OneDrive?
The usage of secure links for accessing resources in Microsoft 365 SharePoint or OneDrive for security investigation purposes.
SharePoint
What email forwarding rules were created for mailboxes in Microsoft 365 Exchange?
Guide analysts on how to investigate and determine the legitimacy of email forwarding rules that could be part of a BEC attack.
M365 Exchange
What anonymous sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to anonymous sharing links by a specific user in Microsoft 365 SharePoint or OneDrive.
SharePoint
What secure sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
The updates made to secure sharing links in SharePoint or OneDrive by a specific user, which can indicate suspicious activities.
SharePoint
What files were moved in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has moved within Microsoft 365's SharePoint or OneDrive, which is critical for a cybersecurity investigation.
SharePoint
What IP addresses accessed this user's Microsoft 365 Exchange mailbox?
The IP addresses that have accessed a specific user's Microsoft 365 Exchange mailbox.
M365 Exchange
What folders were moved to the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific folders a user has moved to the recycle bin in Microsoft 365 SharePoint or OneDrive, to assess whether these actions were authorized or potentially malicious.
SharePoint
What files were renamed in Microsoft 365 SharePoint or OneDrive by this user?
The specific files that a user has renamed in Microsoft 365 SharePoint or OneDrive to assess potential security risks.
SharePoint
What transport forwarding rules were deleted or disabled in Microsoft 365 Exchange?
Understand the significance of deleted or disabled transport forwarding rules in Microsoft 365 Exchange and the steps required to investigate such events.
M365 Exchange
What transport forwarding rules were deleted or disabled by this user in Microsoft 365 Exchange?
Which transport forwarding rules were deleted or disabled by a specific user in Microsoft 365 Exchange.
M365 Exchange
What search queries were performed against Microsoft 365 SharePoint or OneDrive by this user?
The search queries performed by a specific user in Microsoft 365 SharePoint or OneDrive to identify any unusual or potentially malicious activity.
SharePoint
What groups were updated in Microsoft Entra ID?
Which groups have been updated in Microsoft Entra ID during a specific investigation timeframe.
Microsoft Entra ID
What properties of this group were updated in Microsoft Entra ID?
The specific properties of a user group that were updated in Microsoft Entra ID to assess the security implications of those changes.
Microsoft Entra ID
What previously deleted users were restored in Microsoft Entra ID?
Which user accounts that had been previously deleted have been restored in Microsoft Entra ID, in order to identify potential security issues.
Microsoft Entra ID
What resource access requests were denied in Microsoft 365 SharePoint or OneDrive?
Identify denied access requests to SharePoint or OneDrive resources to uncover potential security risks and user behavior anomalies.
SharePoint
What users were added in Microsoft Entra ID?
The new users added to Microsoft Entra ID to identify any unusual or potentially malicious activity.
Microsoft Entra ID
What users were created by this user in Microsoft Entra ID?
The user accounts created by a specific user in Microsoft Entra ID, to investigate potential security issues.
Microsoft Entra ID
What users were removed from a group in Microsoft Entra ID?
Which users have been removed from a group in Microsoft Entra ID, which could signal a security breach.
Microsoft Entra ID
What members were removed from this group in Microsoft Entra ID?
The members who were recently removed from a specific Microsoft Entra group.
Microsoft Entra ID
What groups was this user removed from in Microsoft Entra ID?
The specific Microsoft Entra groups from which a user has been removed, which could indicate malicious activity.
Microsoft Entra ID
What files were emptied from the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
The specific files a user has deleted from the recycle bin in Microsoft 365 SharePoint or OneDrive.
SharePoint
What emails were sent by a delegate from this user's Microsoft 365 Exchange mailbox?
The process of identifying emails sent by a delegate from a user's Microsoft 365 Exchange mailbox to assess potential security risks.
M365 Exchange
What service principals were added in Microsoft Entra ID?
Detect potential security breaches and understand the context of new service principal additions in Microsoft Entra.
Microsoft Entra ID
What files were uploaded to Microsoft 365 SharePoint or OneDrive by this user?
The details of files uploaded by a specific user to SharePoint or OneDrive in the context of a cybersecurity investigation.
SharePoint
See It In Action

Watch a two-minute interactive demo of guided threat hunting.

See how junior analysts run enterprise-wide hunts in minutes.
