This joint Vectra AI and Bastion Security threat briefing, From Valid Credentials to Full Control: The Post-Login Kill Chain, is designed for SOC teams responsible for detecting and responding to active threats in real-world environments. The session breaks down the post-login tactics, techniques, and procedures (TTPs) used by groups such as Scattered Spider and Salt Typhoon, highlighting where visibility commonly degrades across identity, network, and cloud control planes.

‍

We’ll cover:

• Real-world post-auth kill chain behaviors: identity discovery, privilege escalation, lateral movement, token/OAuth persistence, and data staging
• Common blind spots: SSO/session telemetry gaps, SaaS audit log limitations, token visibility, and cross-domain correlation
• What “good” looks like: behavioral baselines, anomaly thresholds, and high-fidelity post-login detections
• MTTD/MTTR improvements: alert consolidation, playbooks, session revocation, MFA method hygiene, and rapid scoping
• Case-based lessons on how dwell time drives operational disruption and extended recovery (e.g., Jaguar Land Rover)

‍