How Todyl's Detection & Analysis Engine Catches What Traditional Detection Misses

In the previous post, we introduced the Todyl Detection & Analysis Engine: a multi-tier, AI-powered threat detection and investigation system designed to surface, enrich, classify, triage, and escalate the advanced attacks that evade traditional MDR.

This post takes the next step. Instead of walking through the engine's capabilities in the abstract, we are mapping them to the specific attack types they are built to catch: business email compromise (BEC), SSL-VPN compromises, ransomware, and fileless malware on hosts.

Detection & Analysis Engine Use Cases: BEC, SSL-VPN, Ransomware, and Fileless Malware

Traditional MDR struggles to catch these modern attack types, which were made to avoid their detection. The Detection & Analysis Engine, however, was purpose-built to root them out.

Business Email Compromise (BEC)

Though they initially affect emails, BEC attacks are an identity problem first and foremost. They typically involve a compromised or impersonated user, which appears as unusual access patterns and a chain of activity across email, file access, and collaboration tools. Individually, each event may seem benign, more alert fatigue than true positive. It’s only when you see all of it together that the real issue begins to show.

The Detection & Analysis Engine intentionally captures and correlates these activities to quickly identify and stop BEC:

• AI-Powered, Multi-Tier Detection automatically surfaces and triages wide-reaching, identity-related alerts that indicate BEC, which often slip past tools watching only one surface.
• Noise Reduction establishes intelligent "normal activity" baselines per user, including email activity, file access, and Microsoft Teams actions. Low-fidelity alerts like impossible travel get hunted against those baselines so genuine BEC indicators rise above the noise instead of getting lost in it.
• Pivot-Driven Investigation treats a suspicious identity event as the anchor for a full threat hunt across user, host, and cloud, rather than a single alert in isolation.

What makes this work in practice is the breadth of identity and SaaS coverage feeding the Engine. Microsoft 365 is the highest-volume SaaS source in most customer environments, and it gets dedicated focus alongside coverage of other major identity providers and collaboration platforms. That means a BEC investigation has access to authentication context, mailbox-level behaviors, sharing and delegation activity, and the surrounding endpoint and network signals at the same time. Instead of treating a single anomalous login as the whole story, the Engine evaluates it against the user's typical patterns and the activity that follows it across every connected surface.

SSL-VPN Compromises

SSL-VPN compromises are on the rise, affecting multiple major vendors in the space. Like BEC, these involve credential abuse leading to unusual access patterns and follow-on activity that spans identity, network, and endpoint surfaces. And, just like BEC, they often slip past traditional signature-based defenses.

SSL-VPN compromises are a primary target of the Detection & Analysis Engine:

• AI-Powered, Multi-Tier Detection automatically surfaces, enriches, classifies, and triages SSL-VPN compromises specifically, alongside other advanced identity and endpoint attacks.
• Full Context Aggregation pulls relevant event data across identity, endpoint, network, and more, so an SSL-VPN compromise is investigated with the full surrounding picture rather than a single network event.
• Continuous Signal Detection identifies low-level indicators that a typical SOC would overlook, performing rapid threat hunts before damage is done.

The hard part of detecting an SSL-VPN compromise is that the access event itself often looks legitimate: valid credentials, valid endpoint, valid path. The compromise reveals itself in the surrounding context: where the session originated, how it deviates from the user's normal behavior, and what happens after the session is established. The Engine draws on integrated network telemetry from leading firewall, proxy, and gateway sources alongside identity and endpoint signals, so the investigation does not stop at the access event. It follows the chain forward, looking for the lateral movement, internal discovery, or unusual outbound communication that turns a successful login into a confirmed compromise.

Ransomware

Ransomware rarely arrives as a single detectable event. It can instantiate from varied sources, stages, moves, and then can use legitimate admin tooling along the way to obscure its presence. By the time an obvious indicator triggers an alert, the impact is often already in motion.

The Detection & Analysis uses a constantly evolving approach to suss out and stop ransomware:

• AI-Powered, Multi-Tier Detection is built specifically to surface ransomware staging on hosts, including activity that slips past traditional tools.
• Pivot-Driven Investigation surfaces novel TTPs and related compromises even when no single rule covers each step. This matters for ransomware because the chain rarely lines up with a single detection rule.
• 24x7 MXDR Escalation immediately routes confirmed threats to Todyl's expert team for rapid response and containment, which is the difference between catching a staging activity and responding to an encryption event.

Ransomware coverage spans the full attack lifecycle rather than the impact phase alone. The engine draws on a broad catalog of detections covering credential abuse, privilege escalation, defense evasion, persistence, lateral movement, and command-and-control behavior. Each of those stages is an opportunity to interrupt the chain before encryption occurs. Pairing that breadth with Endpoint Security data and network-side telemetry from SASE and other integrated firewalls/gateways means a staging activity does not have to clear every hurdle to surface.

Fileless Malware on Hosts

Fileless malware is another constantly evolving attack vector that is purpose-built to evade detection. It’s so hard to uncover because it leverages legitimate tools and runs in memory, so it leaves a significantly smaller forensic footprint than traditional malware.

These limitations, however, are no barrier for the Detection & Analysis Engine, which catches fileless attacks via:

• AI-Powered, Multi-Tier Detection is designed specifically to catch fileless malware on hosts that slips past traditional tools.
• Noise Reduction establishes baselines for typical process execution and admin tooling per host, so deviations stand out instead of disappearing into normal activity.
• Continuous Signal Detection evaluates low-level indicators that a typical SOC would overlook, which is exactly where fileless malware tends to live.

Detecting fileless malware is fundamentally a behavioral problem. File-based signatures are not enough when the attack does not rely on a file. The Engine pairs file- and event-based detections with behavioral and memory-based analysis designed to catch threats that evade static analysis. That includes attention to suspicious sequences of system-process behavior, the parent-child relationships between processes, and the command-line context surrounding execution. Combined with per-host baselines for normal admin tooling and process execution, this is what allows the engine to surface the kind of low-and-slow activity that fileless malware depends on to stay hidden.

The common thread

Across all four attack types, the Engine relies on the same six core capabilities working together:

• AI-Powered, Multi-Tier Detection
• Continuous Signal Detection
• Pivot-Driven Investigation
• Full Context Aggregation
• 24x7 MXDR Escalation
• Noise Reduction through behavioral baselines

This architectural design makes the Engine so effective, regardless of attack type. With a multi-tiered approach, the Detection & Analysis Engine is not a stack of separate detectors bolted together. Rather, it is a coordinated pipeline that handles identity, endpoint, network, and cloud signals in the same investigation context, regardless of which attack type triggered the initial hunt.

As a Todyl partner or their client, the resulting business outcomes ensure significant impact:

• Fewer missed threats with higher detection accuracy
• Faster response and containment when it matters most
• Operational transparency to demonstrate clear value to end clients

Simply put, the Detection & Analysis Engine helps you detect, respond to, and understand threats faster than ever before, backed by the power of our expert MXDR team.

Digging into the Playing Field

In the final post in this series, we will look at how Todyl's approach to detection and analysis differs from other MDR offerings in the market, and where competing platforms fall short.

Up next in the series: Not all detection is equal: how Todyl's approach compares.