Nebulock

What is it?

Nebulock is an autonomous threat hunting platform that uses AI agents to continuously test for malicious activity hiding in your environment. It pulls raw telemetry via API from EDR and identity platforms, runs behavioral hunts across that data, surfaces findings to human analysts, and can translate successful hunts into detections for your CI/CD pipeline.

The platform focuses on post-exploitation and actions-on-objectives behavior, the stuff that sits below alert thresholds or doesn’t trigger detections at all.

Why did they build it?

EDR was built around anti-malware and exploit prevention. To avoid alert fatigue, vendors set thresholds that filter out low and informational findings. But there’s enormous value in that data: statistical anomalies, unusual applications, suspicious protocol usage. Real APTs masquerade in existing telemetry, throwing only low or no alerts until exfiltration.

Most organizations want threat hunting but lack headcount for dedicated hunters. The actual need is clarity and repeatability: understanding what’s happening in the environment without relying solely on brittle detections or vendor promises. Nebulock provides continuous hunting capability for a fraction of an FTE cost.

How does the hunting actually work?

Hunts focus on behavior, not IOCs. The platform uses statistical analysis to identify anomalies, then AI agents gather context and enrichment to determine if anomalies represent actual threats. External threat intelligence feeds new hunt hypotheses alongside organic hypotheses developed from running hunts across customer data.

Users can take a threat intelligence report, click a button, and generate a hunt hypothesis plus detection rule in plain English. Select the OS (Windows, Mac, Linux coming), run a retroactive hunt, get a validated detection ready to push to production.

What has it found in real deployments?

One design partner believed they had blocked Tor via policy. Nebulock found Tor was misconfigured in the policy: Tor browsers were running, and employees had downloaded risky remote access tools through Tor. One employee was violating the company’s code of ethics. This was on a CrowdStrike dataset.

Another customer suspected remote sharing tool issues. Nebulock mapped the full footprint across thousands of endpoints: standard collaboration apps, admin remote control utilities, and several exceptionally risky tools. The customer expanded their deployment by several thousand endpoints after seeing the results.

What’s Core Sigma for macOS?

macOS has been a second-class citizen in endpoint security despite growing enterprise adoption. Sigma detection rules have good Windows coverage, some Linux, but an 85% gap across MITRE ATT&CK tactics for macOS. The problem: no consistent signal mapping from macOS events to Sigma’s detection language.

Nebulock built Core Sigma, a framework that maps macOS telemetry to Sigma rules. They’ve released 50 production-ready detections including: unsigned kernel extension loads, SIGKILL sent to security tools, and other fundamentals that weren’t previously available. The framework is open-source on GitHub; they want every organization to have the same macOS visibility, not keep it proprietary.
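As an added illustration of what "mapping macOS telemetry to Sigma rules" means in practice, here is a minimal Sigma-style rule for the "SIGKILL sent to security tools" case, evaluated over constructed macOS process-creation events. This is not Nebulock's code and not one of the Core Sigma rules; the rule, the field names (Image, CommandLine) and the sample events are assumptions that follow Sigma's process_creation conventions, and the condition parser handles only "a and b and not c" forms.

```python
"""Evaluate a Sigma-style macOS process-creation rule over JSON-lines telemetry.

Added illustration (assumption-based): not Nebulock's Core Sigma code. The
rule below is modelled on Sigma's process_creation log source; the agent
process names in selection_target are placeholders, not a vetted list.
"""
import json

# Hypothetical rule in Sigma's shape (illustrative, not a Core Sigma release).
RULE = {
    "title": "SIGKILL Sent To Security Tool (illustrative)",
    "logsource": {"product": "macos", "category": "process_creation"},
    "detection": {
        "selection_kill": {
            "Image|endswith": ["/kill", "/pkill", "/killall"],
            "CommandLine|contains": ["-9", "-KILL", "-SIGKILL"],
        },
        "selection_target": {
            # Placeholder daemon names; an operator would fill in their own agents.
            "CommandLine|contains": ["falcon", "sentinel", "osqueryd", "santad"],
        },
        "condition": "selection_kill and selection_target",
    },
    "level": "high",
}

# Constructed sample telemetry (not real customer data): one event per line.
SAMPLE_TELEMETRY = """
{"ts": "2024-05-01T10:00:01Z", "host": "mac-042", "User": "alice", "Image": "/usr/bin/pkill", "CommandLine": "pkill -9 falcond"}
{"ts": "2024-05-01T10:00:05Z", "host": "mac-042", "User": "alice", "Image": "/bin/kill", "CommandLine": "kill -9 4242"}
{"ts": "2024-05-01T10:01:12Z", "host": "mac-017", "User": "bob", "Image": "/usr/bin/killall", "CommandLine": "killall -KILL santad"}
{"ts": "2024-05-01T10:02:00Z", "host": "mac-017", "User": "bob", "Image": "/bin/ls", "CommandLine": "ls -la /Library"}
{"ts": "2024-05-01T10:03:30Z", "host": "mac-009", "User": "carol", "Image": "/usr/bin/pkill", "CommandLine": "pkill -HUP osqueryd"}
""".strip().splitlines()


def _field_matches(event, key, expected):
    """Apply one `Field|modifier: value(s)` entry of a selection.

    A list of values is an OR; matching is case-insensitive, as in Sigma.
    """
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        v = str(value).lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event, selection):
    # All field entries inside one selection are ANDed together.
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Return True when the event satisfies the rule's condition.

    Supports only 'a and b and not c' style conditions (assumption: enough
    for this illustration; it is not a full Sigma condition parser).
    """
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _selection_matches(event, detection[name])
        if hit == negate:
            return False
    return True


def run_rule(rule, raw_lines):
    """Parse JSON-lines telemetry and return the events that fire the rule."""
    events = (json.loads(line) for line in raw_lines if line.strip())
    return [e for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_TELEMETRY):
        print(RULE["title"], "->", hit["host"], hit["User"], hit["CommandLine"])
```

Two of the five constructed events fire: the `pkill -9 falcond` and `killall -KILL santad` lines. The `kill -9 4242` line does not, because a kill by PID carries no target name in the command line; the collector has to resolve the PID to a process name before a Sigma rule can see it, which is exactly the kind of signal-mapping gap the passage describes.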

Who’s buying it?

The sweet spot is enterprises with 500-5,000 employees: late-stage VC-backed tech companies, early public companies, banking and financial services, retail, and expanding into healthcare. Teams need at least 5-6 security people to get value. If you have two people, this isn’t the right fit. The target buyer can’t afford JP Morgan’s 24x7 threat hunting team but faces the same adversaries.

Onboarding is fast: 3,000 endpoints in five minutes is their current record.

Disclosure: Patrick Gray is an advisor to Nebulock and holds share options in the company.