Use Cases

Nine scenarios. One appliance.

Each use case is a buyer pain mapped to a Zero Hunt workflow. Three per pillar; scenario, pain, solution, outcome, time-to-value. Anchored — link a colleague straight to the one that matches their conversation.

Pillar 1 — Generative Pentest

Continuous offensive validation. AI-generated exploit code per target.

Replace the annual pentest with continuous validation

30-day ROI vs annual contractor cost
Scenario
You pay €50-150k/year to a pentest contractor and the report is obsolete within weeks of delivery.
Pain
Manual pentest gives a snapshot. By the time the PDF lands, the attack surface has changed: new IPs on the perimeter, new services, new credentials. The next regulator-facing event is six to twelve months away, and your evidence is already stale.
How Zero Hunt solves it
Schedule continuous campaigns on the appliance — daily, weekly, or change-triggered (new IP, new service, new credential). The 10-agent swarm runs autonomously; every finding is signed and timestamped. Senior pentesters still drive threat-led campaigns through the Interactive Red Team Chat for the judgement calls that humans do better.
Outcome
Replaces 1-2 FTE-equivalents of pentest contractor hours per month. Evidence is current at every regulator-facing event, not just at audit time. Time-to-validate a new asset drops from "next engagement" to "within the hour".

Validate exposure to a high-severity CVE within hours of disclosure

Hours, not quarters, per critical CVE
Scenario
A critical CVE drops at 22:00 (CISA KEV addition, vendor advisory, mass-exploitation report). Your stack is on the affected version. Now what?
Pain
The standard answer is "wait for the next scheduled pentest", which can be quarters away. Patching alone tells you the version changed but not whether the path was actually exploitable in your environment. Without proof, the board question "are we vulnerable?" has no defensible answer.
How Zero Hunt solves it
The appliance ingests CISA KEV, NVD and vendor advisories continuously (21 intel sources). When a relevant CVE drops, the 10-agent swarm generates an exploit specific to your environment, runs it in a sandbox against your inventory, and produces a signed proof-of-exploit (or proof-of-non-exploitability) artefact, often before the morning standup.
Outcome
Time from CVE disclosure to defensible exposure verdict drops from quarters to hours. The board question gets a yes/no with evidence attached, not a probability.

Run threat-led TLPT campaigns aligned with TIBER-EU for DORA Art. 26

Same-quarter TLPT cycle vs 3-year minimum
Scenario
You are a significant DORA entity (bank, insurer, payment institution) required to run threat-led pentests using documented methodology, with signed evidence from threat intelligence input through to closure.
Pain
External TLPT contractor engagements cost €150-400k each, scope is fixed at procurement time, and the methodology audit trail is assembled by hand. A second engagement same year is rare even when the threat landscape changes materially.
How Zero Hunt solves it
The appliance runs TIBER-EU-compatible TLPT campaigns informed by 21 live threat-intel feeds. Methodology phases (TI provisioning → red team test → purple team → closure) are tracked natively; every artefact is ECDSA-signed in sequence, producing a verifiable chain back to the threat-intel input. The RTS 2025 evidence requirement becomes a query, not a project.
Outcome
TLPT-grade evidence on demand, not once every 3 years. Cost per campaign collapses to compute time. The EBA/Banca d'Italia audit conversation moves from "where is the documentation?" to "which window?".

Pillar 2 — AI Traffic Analysis

Wire-speed detection of the activity that endpoint stacks miss.

Catch ransomware during encryption, not after

Seconds-to-detect vs hours-to-days
Scenario
You operate a hospital, a manufacturer, or any 24/7 environment, where the Q1 2026 median time-to-impact is under 48 hours and the encryption phase, once started, is over in 90 minutes.
Pain
Endpoint signals fire during the encryption phase but by then it is too late: files are locked, backups are racing the ransom note, and the next 6 hours are crisis communications. SIEM batch cadence (15-minute windows on 24h queries) misses the burst entirely.
How Zero Hunt solves it
Pillar 2 is a 4-head deep-learning model running on the appliance GPU at 2.7+ Gbit/s baseline. It detects the behavioural signature of in-progress encryption — rapid SMB/NFS write fan-out, predictable lateral patterns, the preceding privilege-escalation traffic — while the activity is happening. Output goes to your SOAR within seconds; the file-share connection can be cut before the encryption completes.
Outcome
Mean detection latency drops from hours-to-days to seconds-to-minutes for the encryption phase specifically. Recoverability window opens before encryption completes.

Detect mass data exfiltration while it is in progress

Detection during the burst, not the morning after
Scenario
You are facing the 2026 trend: ransomware affiliates skip encryption entirely and go straight to silent mass exfiltration, then extort on the threat of publication. The endpoint sees legitimate reads. The SOC sees nothing.
Pain
Volume-based DLP misses staged exfiltration (attacker stages inside the perimeter, then moves out spread across hours via legitimate CDN ranges). TLS inspection has retreated under HSTS preload + ESNI + QUIC. Your only durable signal is the network egress — and most defenders are weakest exactly there.
How Zero Hunt solves it
The deep-packet ML model classifies flow metadata (timing, fan-in/out, byte distribution, ASN destination, JA3/JA4 hashes) as packets traverse. A host that flips from net-importer to net-exporter, a sustained outbound burst to a never-seen ASN, an SD-WAN tunnel carrying 10× its usual volume — all light up during the burst, in time to cut the link.
Outcome
Discovery happens during the exfiltration window, not the morning after when the data is gone. Regulator countdowns (GDPR Art. 33, NIS2 Title 13) start at detection, not at "should have known".

Unmask covert C2 over TLS, DNS tunneling, and domain fronting

Minutes-to-detect on novel C2 protocols
Scenario
Your EDR is signature-based. Your NDR is rule-based. Both miss command-and-control traffic that mimics legitimate behaviour — HTTPS beacons, DNS-over-HTTPS tunnels, traffic fronted through your own CDN provider.
Pain
AI-augmented affiliates rewrite C2 protocols per campaign. Static signatures expire on first contact. Rule-based detection requires a known pattern. The actual signal — beaconing periodicity, jitter, fan-out, certificate fingerprint anomalies — is not seen by either layer.
How Zero Hunt solves it
One of the 4 inference heads is dedicated to attack-type identification, trained on billions of labelled PCAP sequences including covert C2 traffic patterns. The model classifies on flow metadata alone, so it works against encrypted payloads with no TLS inspection required. JA3/JA4 fingerprint scoring catches the "looks-legitimate-but-isn't" cases.
Outcome
C2 channels surface within minutes of activation, regardless of protocol family or fronting strategy. The threat-hunting team gets a high-confidence shortlist instead of a million alerts.
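The periodicity-and-jitter signal this use case describes, as an added example that is not Zero Hunt's code: it reads only endpoints and timestamps from constructed flow records, scores each source/destination pair by the coefficient of variation of its connection gaps, and flags the low-jitter pairs. The Flow type, the sample addresses and the thresholds are assumptions for the demo.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is all this check reads: endpoints and a timestamp, never the payload.
type Flow struct {
	Src, Dst string
	TS       float64 // seconds
}

// jitter returns the mean gap between sorted timestamps and the gaps' coefficient of variation.
func jitter(ts []float64) (mean, cv float64) {
	sort.Float64s(ts)
	gaps := make([]float64, len(ts)-1)
	for i := range gaps {
		gaps[i] = ts[i+1] - ts[i]
		mean += gaps[i] / float64(len(gaps))
	}
	var ss float64
	for _, g := range gaps {
		ss += (g - mean) * (g - mean) / float64(len(gaps))
	}
	return mean, math.Sqrt(ss) / mean // a fixed sleep with small jitter gives a low cv
}

// FindBeacons flags src->dst pairs with at least minConns (and at least 3) connections
// whose gap cv is below maxCV: periodicity shows in timing whatever the protocol or cipher.
func FindBeacons(flows []Flow, minConns int, maxCV float64) []string {
	byPair := map[string][]float64{}
	for _, f := range flows {
		byPair[f.Src+"->"+f.Dst] = append(byPair[f.Src+"->"+f.Dst], f.TS)
	}
	var hits []string
	for pair, ts := range byPair {
		if len(ts) < minConns || len(ts) < 3 {
			continue
		}
		if _, cv := jitter(ts); cv < maxCV {
			hits = append(hits, pair)
		}
	}
	sort.Strings(hits) // deterministic order for reporting
	return hits
}

func main() {
	var fl []Flow // constructed sample: a 60 s beacon with 1-2 s jitter beside irregular browsing
	for i := 0; i < 12; i++ {
		fl = append(fl, Flow{"10.0.0.5", "203.0.113.9", float64(i*60 + i%3 - 1)},
			Flow{"10.0.0.7", "198.51.100.4", float64(i*i*7 + i%5*13)})
	}
	fmt.Println(FindBeacons(fl, 8, 0.2)) // [10.0.0.5->203.0.113.9]
}
```

Real beacons add randomised sleep, so a production version would also score the distribution of gaps (for example, the spread of the inter-quartile range) rather than a single cv threshold.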

Pillar 3 — Automatic Compliance

Continuous, signed, regulator-ready evidence by construction.

Produce NIS2 Title 13 incident evidence as a byproduct of operations

From multi-day per-incident to single-query
Scenario
You are an essential or important entity under the Italian decreto legislativo 138/2024 transposition of NIS2. Every detected incident triggers a 24h early warning + 72h notification + 1-month final report. The clock starts at "should have known".
Pain
Assembling Title 13 evidence by hand is a multi-day exercise per incident: timeline reconstruction, control mapping, signed export, regulator-format conversion. The ACN auditor expects continuous evidence of effective measures, not annual snapshots.
How Zero Hunt solves it
Every action — scan, finding, traffic event, remediation — is ECDSA-signed at write time and auto-mapped against the Title 13 control set. The Trust Center exports a regulator-ready bundle in one click. The 24h / 72h / 1-month timeline becomes a query against signed records, not a fire drill.
Outcome
Notification timeline compliance becomes a queryable workflow. The auditor conversation moves from "show me the documentation" to "select a date range". Personal liability under decreto 138 has documentary defensibility by construction.

Map findings against 32 frameworks in a single pass

~70% reduction in cross-framework duplicate work
Scenario
You face concurrent audit regimes — NIS2 + DORA + GDPR + ISO 27001 + PCI-DSS + SOC 2 — that share underlying controls but require their own evidence formats.
Pain
GRC teams maintain parallel evidence chains, one per framework. The same finding gets manually re-mapped 3-6 times. Cross-framework deduplication is theoretical; in practice the work is multiplied by the number of regimes in scope.
How Zero Hunt solves it
The compliance engine auto-maps every finding against 32 frameworks with cross-framework control deduplication built in. Severity-weighted scoring per framework reflects each regulator's materiality model. Reports are generated per framework from the shared signed record store.
Outcome
Redundant audit work drops by up to 70%. One finding satisfies multiple frameworks without manual re-mapping. Multi-regime entities convert from "build evidence for each audit" to "publish slice of the record store per audit".

Auditor bundle export — signed, verifiable, repeatable

Single-click export vs multi-day assembly
Scenario
Audit cycle starts. Auditor asks for "all evidence related to control X.Y.Z for the period of Q1". You have 5 days to assemble it from logs across SIEM, SOAR, EDR, GRC, ticketing.
Pain
Manual evidence assembly is the single largest GRC time-sink. Authenticity is questioned (was the screenshot manipulated?). Chain-of-custody is narrative, not provable. Cross-tool reconciliation introduces errors that auditors then dig into.
How Zero Hunt solves it
The Trust Center exports a self-contained, ECDSA-signed bundle scoped to controls + period + framework. The bundle includes findings, evidence files, traffic events and remediation logs; every artefact carries its original write-time signature. The auditor can verify cryptographically without trusting our infrastructure.
Outcome
Audit preparation collapses from days to a single export action. Auditor questions on authenticity / chain-of-custody are answered by cryptographic verification rather than narrative.
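The write-time signing and in-sequence verification claimed for the TLPT methodology trail (Pillar 1) and for the auditor bundle above, as an added example that is not Zero Hunt's code: each record is ECDSA-signed over its content plus the SHA-256 of the previous record, and a verifier holding only the public key walks the chain. The Record fields, the phase labels and the payload strings are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is one signed artefact; PrevHash (raw SHA-256 bytes) ties it to its predecessor.
type Record struct {
	Phase, Payload, PrevHash string
	Sig                      []byte
}
func digest(r Record) []byte { // covers content plus back-link, never the signature itself
	h := sha256.Sum256([]byte(r.Phase + "|" + r.Payload + "|" + r.PrevHash))
	return h[:]
}
// Append signs a new record at write time over its content and the previous digest.
func Append(priv *ecdsa.PrivateKey, chain []Record, phase, payload string) ([]Record, error) {
	r := Record{Phase: phase, Payload: payload}
	if n := len(chain); n > 0 {
		r.PrevHash = string(digest(chain[n-1]))
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(r))
	if err != nil {
		return nil, err
	}
	r.Sig = sig
	return append(chain, r), nil
}
// Verify needs only the public key; a bad signature or back-link (edit, reorder) fails it.
func Verify(pub *ecdsa.PublicKey, chain []Record) bool {
	prev := ""
	for _, r := range chain {
		if r.PrevHash != prev || !ecdsa.VerifyASN1(pub, digest(r), r.Sig) {
			return false
		}
		prev = string(digest(r))
	}
	return true
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key
	chain, _ := Append(priv, nil, "ti", "KEV entry: CVE-PLACEHOLDER")
	chain, _ = Append(priv, chain, "closure", "sandbox verdict: not exploitable")
	fmt.Println("valid:", Verify(&priv.PublicKey, chain)) // true
	chain[0].Payload = "edited after the fact" // breaks record 0's signature and record 1's back-link
	fmt.Println("tampered:", Verify(&priv.PublicKey, chain)) // false
}
```

Dropping records from the tail of the chain is not detected by this check alone; the record count or the final digest has to be anchored separately, for example in a signed bundle manifest.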

See it against your environment

Pick the use case closest to your current pain and we will scope a 30-minute technical demo against a recorded slice of your stack.