← All use cases

Ransomware & Adversary Techniques

Ransomware operators spend weeks in reconnaissance before detonation, and that dwell time is the defender's window. LimaCharlie is built to use it: wide deployment for early detection, and real-time fleet response if detonation happens anyway.

How it runs on LimaCharlie
01

Instrument widely

Usage-based pricing makes it economical to put sensors everywhere rather than only on crown-jewel systems, which is where reconnaissance activity actually shows up.

02

Detect reconnaissance

All telemetry is normalized to JSON and run through the detection engine, so lateral movement and staging behavior can be correlated across endpoints, network, and cloud rather than spotted on one host at a time.

03

Respond at detonation

Indicators like FILE_TYPE_ACCESSED events catch mass encryption as it starts. Response rules isolate affected machines across the entire fleet in real time while the LimaCharlie channel stays open for command and control.

04

Investigate and remediate

Analysts get every affected machine plus a year of telemetry to establish the intrusion timeline, run remediation scripts, and kill remaining process trees.

EDRSleeper modeIncident response
DOCSStateful detection rulesDOCSDetection logic operatorsBLOGWhen Claude Code Hunts Cobalt Strike

Deploy your first sensor on the free community tier, or walk through it with a solutions engineer.

Start freeBook a demo