A catalogue of five recurring patterns this kind of agent surfaces from connection metadata alone — no DPI, no proxy, no content inspection. Each pattern is named with its diagnostic shape, where you would see it in DataStun, and what it usually means when it shows up.
This is a pattern catalogue, not a quarterly threat report. We are pre-commercial; we don’t have CrowdStrike-scale fleet data to publish cross-customer statistics from. What we have, credibly, is the diagnostic shape of each finding and the four decades of network-forensics experience behind interpreting it. As the customer base grows, this page gains a quarterly pattern report with real numbers. Until then: the patterns are the value.
An internal service that should never answer the public internet does answer the public internet, usually because of an emergency change, a misconfigured cloud security group, or a developer bypass that outlived its window.
A workstation on Acme Corp’s engineering subnet, WIN-DEV-04, opens an outbound TCP connection to a public IP on port tcp/27017 — MongoDB. Catalog match: critical. The flow attribution shows the process is a database client tool an engineer ran from a debugging session.
The fast path: tenant admin alert at flow-open, one-click block propagates to every agent in 60 seconds, the engineer’s session refuses cleanly. The slow path: the same flow gets caught on the next perimeter scan, 24 hours later; by then the exposed service has already been found and used by an attacker who port-scanned the same destination in the meantime.
The investigation usually finds: a developer setting up a sandbox forgot to scope the security group to the VPN range, then fell through the cracks when the project moved to maintenance mode.
A binary calling out to a destination at suspiciously regular intervals with small, similar payload sizes. The classic command-and-control signature: low-bandwidth, high-regularity, often to a destination graded D or worse.
A binary at %TEMP%\update_helper.exe on a corporate laptop opens an HTTPS connection to a destination every 240 ± 4 seconds. Each session uploads ~480 bytes and downloads ~16 bytes. The destination resolves to a hosting provider known for low-reputation tenants; rep grades it D. The binary’s SHA-256 has no SIG signature, no NSRL match, no MBZ catalog presence, and appears on three other machines in the same fleet within 48 hours.
The fast path: rep flips the destination to grade F after the third agent reports it, the global blocklist absorbs the IP, every agent on every tenant blocks the destination on the next 60-second poll.
The diagnostic shape that names this: regular timing + unsigned binary + low-rep destination + cross-machine spread. Any one of those four is interesting; all four together is the pattern.
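The four-signal shape above, as an added example rather than DataStun’s own code: a Python scorer over constructed session records (hosts, process names, grades and documentation-range IPs are all made up) that evaluates each (process, destination) pair for regular timing with small uploads, an unsigned binary, a low-reputation destination and cross-machine spread, and reports which of the four signals are present.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample sessions, not real DataStun output. One row per outbound
# session: host, process, code-signed?, destination, rep grade, start time (s),
# bytes uploaded, bytes downloaded. IPs are from documentation ranges.
FLOWS = [
    ("LT-01", "update_helper.exe", False, "203.0.113.9", "D", 0, 480, 16),
    ("LT-01", "update_helper.exe", False, "203.0.113.9", "D", 242, 478, 16),
    ("LT-01", "update_helper.exe", False, "203.0.113.9", "D", 481, 482, 16),
    ("LT-01", "update_helper.exe", False, "203.0.113.9", "D", 719, 480, 15),
    ("LT-02", "update_helper.exe", False, "203.0.113.9", "D", 30, 481, 16),
    ("LT-02", "update_helper.exe", False, "203.0.113.9", "D", 268, 479, 16),
    ("LT-03", "update_helper.exe", False, "203.0.113.9", "D", 12, 480, 16),
    ("LT-01", "chrome.exe", True, "198.51.100.7", "A", 0, 9000, 120000),
    ("LT-01", "chrome.exe", True, "198.51.100.7", "A", 37, 1200, 3000),
    ("LT-01", "chrome.exe", True, "198.51.100.7", "A", 400, 55000, 900000),
]

LOW_REP = {"D", "E", "F"}  # grades treated as low reputation (assumed scale)


def beacon_signals(flows, max_cv=0.10, max_upload=2048, min_hosts=2):
    """Score every (process, destination) pair against the four beaconing
    signals and return {(process, dest): set of signal names present}."""
    by_pair = defaultdict(list)
    for host, proc, signed, dest, rep, t, up, down in flows:
        by_pair[(proc, dest)].append((host, signed, rep, t, up))
    out = {}
    for pair, rows in by_pair.items():
        signals = set()
        hosts = {r[0] for r in rows}
        # Regular timing: on at least one host the gaps between sessions barely
        # vary (low coefficient of variation) and every upload stays small.
        small = all(r[4] <= max_upload for r in rows)
        for host in hosts:
            ts = sorted(r[3] for r in rows if r[0] == host)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if (len(gaps) >= 2 and mean(gaps) > 0 and small
                    and pstdev(gaps) / mean(gaps) <= max_cv):
                signals.add("regular_timing")
        if not any(r[1] for r in rows):
            signals.add("unsigned_binary")
        if any(r[2] in LOW_REP for r in rows):
            signals.add("low_rep_destination")
        if len(hosts) >= min_hosts:
            signals.add("cross_machine_spread")
        out[pair] = signals
    return out
```

A pair with all four signals is the pattern; `beacon_signals(FLOWS)` flags `update_helper.exe` on all four and the browser traffic on none.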
An employee’s personal AI account — ChatGPT consumer, Claude personal, Cursor on a personal license — running on a corporate-managed device, with corporate data going up the upload path under personal terms of service rather than the enterprise agreement legal signed.
The AI Governance dashboard shows that a single sales-team laptop is uploading ~14 GB / month to OpenAI. The corporate ChatGPT Enterprise contract handles the rest of the sales team at <1 GB / month per machine. The 14× outlier traces to chrome.exe on a single machine, on a personal-account browser profile.
The fast path: HR + legal conversation, not an automated block — the data’s already gone for the past month, but going forward the user is moved to the corporate ChatGPT Enterprise account where the data lands under the contract that legal signed.
The detection shape: per-user / per-machine outliers in upload volume to known AI vendor IP ranges. The dashboard does the rollup; the escalation is human.
An EU-tagged agent (or a regulated-subnet-tagged agent, or a HIPAA-clinical-tagged agent) sending bytes to a destination in a country the architecture diagram swore never receives them. Usually because of a SaaS migration, a vendor consolidation, or a CDN regional fail-over the architecture documentation didn’t catch.
The data-sovereignty rollup, filtered to tag=EU AND dest_country NOT IN (EU, EEA), surfaces a finance-team workstation in Germany sending 4.1 GB / month to a Singapore destination. The destination resolves to a vendor’s regional API endpoint — the vendor migrated EU customers onto an APAC cluster six months ago and didn’t notify the customer.
The fast path: the rollup is the evidence on the GDPR Art. 44 transfer-impact assessment. The conversation with the vendor about region migration moves from “we believe” to “we measured 4.1 GB to Singapore last month.”
The detection shape: destination country × agent tag, time-series. Anomalies are findings.
A binary that’s present and signed by Acme Inc on 95% of the fleet is suddenly running unsigned on 5% of the machines, or signed by a different publisher, or with a different SHA-256. That is the fingerprint of something having replaced the binary on a subset of machines — could be a bad patch, could be a malicious overwrite.
The org-wide executable analysis (Enterprise) shows helper.exe with two distinct SHA-256s on the fleet: 419 machines running the Acme-signed v3.2.1 build, 4 machines running an unsigned hash that doesn’t match any known Acme release. The unsigned variant first appeared 11 hours ago. All four affected machines share a software-deployment ring; rollback to the signed version takes one push.
The fast path: rollback by IT operations. The slow path: the four affected machines stay drifting until the next compliance audit catches it (months) or the unsigned binary does something detectable on the network surface (could be never).
The detection shape: cross-machine consensus on a hash that suddenly diverges on a subset. The fleet itself is the baseline.
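The fleet-as-baseline consensus check above, as an added example that is not DataStun’s org-wide executable analysis: a Python routine over a constructed inventory (host names, rings and placeholder hashes are all made up, mirroring the 419-versus-4 split in the scenario) that takes the majority hash per executable as the baseline and reports every divergent hash with its hosts, signers and deployment rings.

```python
from collections import Counter, defaultdict

# Constructed fleet inventory, not real DataStun output: one row per host with
# the executable it runs, its hash, its signing publisher (None when unsigned)
# and its deployment ring. Hashes are placeholders, not real digests.
SIGNED = "sha256:PLACEHOLDER-acme-v3.2.1"
UNKNOWN = "sha256:PLACEHOLDER-unknown-build"
INVENTORY = [("ws-%03d" % i, "helper.exe", SIGNED, "Acme Inc", "ring-%d" % (i % 4))
             for i in range(419)]
INVENTORY += [("ws-%03d" % i, "helper.exe", UNKNOWN, None, "ring-2")
              for i in range(419, 423)]
# A second binary that is consistent fleet-wide and must produce no finding.
INVENTORY += [("ws-%03d" % i, "agent.exe", "sha256:PLACEHOLDER-agent", "Acme Inc",
               "ring-%d" % (i % 4)) for i in range(423)]


def drift_findings(inventory, min_consensus=0.8):
    """Use the fleet as its own baseline: for each executable name the most
    common hash is the consensus, and every other hash is reported as drift
    together with the hosts, signers and deployment rings it appears on."""
    by_name = defaultdict(list)
    for host, name, digest, signer, ring in inventory:
        by_name[name].append((host, digest, signer, ring))
    findings = []
    for name, rows in by_name.items():
        counts = Counter(r[1] for r in rows)
        baseline, n_base = counts.most_common(1)[0]
        if n_base / len(rows) < min_consensus:
            continue  # no clear majority, so the fleet cannot serve as baseline
        for digest, n in counts.items():
            if digest == baseline:
                continue
            drifted = [r for r in rows if r[1] == digest]
            findings.append({
                "binary": name,
                "baseline_hash": baseline,
                "drift_hash": digest,
                "hosts": sorted(r[0] for r in drifted),
                "signers": sorted({r[2] or "UNSIGNED" for r in drifted}),
                "rings": sorted({r[3] for r in drifted}),
                "fleet_share": round(n / len(rows), 4),
            })
    return findings
```

The `rings` field is what turns a finding into a one-push rollback: when every drifted host shares a deployment ring, the ring is the remediation unit.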
Every one of the five patterns above shares a structural property: the data behind the discovery was already in the network — agent observability is what makes it visible to a human in time to act. None of these are mysterious; what’s mysterious is that they’re routinely missed by tools that were built to answer different questions.
The discoveries above are what closing that gap looks like in normal operation. The exposed database is in your firewall logs already — just not in a form anyone reads. The beaconing executable is in your DNS logs — just not correlated with process attribution. The sovereignty leak is in your billing receipts — just not aggregated by tag and country. The drift binary is in your patch-management logs — just not cross-checked against the fleet baseline.
The agent doesn’t conjure new data. It puts the data that already exists in the form a working engineer can act on.
As the customer base grows past the threshold where cross-fleet statistics are statistically meaningful (and ethically defensible — we won’t publish numbers from three customers), this page gains a quarterly “Discoveries Q<N>” section with real fleet numbers: how many exposed databases were found per 1,000 agents, the median time from beaconing detection to global-blocklist propagation, the AI-vendor adoption curve across the fleet, sovereignty-leak destination country distributions, and drift-binary frequency.
The catalogue above — the patterns and the diagnostic shapes — will remain the spine of the page. The numbers layer on top as data permits, and never replace the diagnostic interpretation behind them.
Sign up free, enroll one agent, and the surfaces above light up on day one. The exposed-services catch is on every tier; the beaconing detector and AI Governance live on Business+; sovereignty rollup and org-wide executable analysis are Enterprise.