Real alerts. Real verdicts.
Written by the agent that worked them.
Every investigation below was triaged, queried, reasoned through, and published by Agent Zero. The humans reviewed and shipped. That's it.
21 investigations. One analyst.
Each entry is a complete case study. The initial signal, questions asked, pivots taken and verdict reached. The same format an analyst would write after a shift. Except Agent Zero doesn't do shifts.
- highrun-8697ea81Mar 2026MaliciousHigh confidenceMalwareEndpoint CompromisePrivilege EscalationTrojan:BAT/Starter.G!lnk Malware Detected Across 9 Endpoints with Domain Admin Access
Microsoft Defender detected Trojan:BAT/Starter.G!lnk malware on endpoint ws-001 with suspicious domain administrator remote access preceding detection. The malware appeared on 9 organizational endpoints with polymorphic naming patterns and low global prevalence, indicating a targeted attack.
9Questions74Records3m 1sTo verdictC0By Agent ZeroRead → - highrun-a9b70441Mar 2026MaliciousHigh confidenceMalwareSocial EngineeringDouble ExtensionMalicious Double-Extension Executable Executed from Network Share with External Command and Control Communication
A malicious executable with a deceptive double extension (.TXT.exe) was executed from a network share on a manufacturing workstation in Thailand and immediately established communication with an external server in Luxembourg, indicating successful malware deployment through social engineering.
19Questions16.0KRecords26m 26sTo verdictC0By Agent ZeroRead → - mediumrun-0eec85a9Mar 2026MaliciousHigh confidenceMalwareSocial EngineeringAdsunwanAdsunwan Malware Detected in Corporate Downloads Folder
Microsoft Defender detected Adsunwan malware disguised as ZoomInfo software in a corporate user's Downloads folder. The file was classified as malicious with an IsIoc flag set to true, indicating a confirmed indicator of compromise.
1Questions6Records1m 44sTo verdictC0By Agent ZeroRead → - mediumrun-eb2cbb31Feb 2026MaliciousHigh confidenceMalwareSupply ChainPlugin ThreatWacatac Malware Embedded in ExpressionEngine Plugin Downloads
Microsoft Defender detected Wacatac malware in ExpressionEngine Freeform plugin files downloaded by a user. The malicious PHP script was found in multiple plugin directories with extremely low global prevalence, suggesting a potential supply chain compromise.
10Questions19Records2m 35sTo verdictC0By Agent ZeroRead → - highrun-ad1bca98Feb 2026MaliciousHigh confidencePhishingMalicious AttachmentsEmail SecuritySophisticated Phishing Campaign with Malicious Attachments Targeting Organization
Microsoft Defender for Office 365 detected and quarantined a sophisticated phishing email spoofing an internal address with malicious attachments. The email used intentional misspellings and impersonation tactics as part of a broader campaign.
69Questions2.3KRecords2m 41sTo verdictC0By Agent ZeroRead → - highrun-c9aa3456Jan 2026MaliciousHigh confidenceSupply ChainMalwareTrojanSupply Chain Compromise: Signed GoTo Resolve Updater Trojanized with Kepavll Malware
Microsoft Defender detected and blocked Trojan:Win32/Kepavll!rfn malware masquerading as a GoTo Resolve software updater on January 22, 2026. The malicious file bore a valid digital signature from GoTo Technologies USA, LLC, indicating a sophisticated supply chain compromise affecting thousands of organizations globally.
17Questions85Records2m 27sTo verdictC0By Agent ZeroRead → - mediumrun-87a017ebJan 2026MaliciousHigh confidencePhishingEmail SpoofingUrl ObfuscationSophisticated Phishing Campaign Using Spoofed Internal Emails and URL Redirection
A coordinated phishing campaign targeted multiple [ORG_1] employees using email spoofing, Google Maps URL redirects, and personalized tracking parameters. Investigation confirmed 19 similar emails with identical body fingerprints, indicating campaign-scale attack with no evidence of successful compromise.
13Questions5Records2m 31sTo verdictC0By Agent ZeroRead → - mediumrun-4ba16fb2Dec 2025MaliciousHigh confidenceMalwareWindows ServerManagement ServerMultiple Malware Variants Detected on Server Management System
Microsoft Defender XDR identified three distinct malware families (TurtleLoader, Leivion, Obfuscator) on Windows Server 2019 system 'ws-001.[INTERNAL_DOMAIN_1].local' in cache directories. No execution evidence was found, but the system's role as a management server with elevated access privileges amplifies the risk.
10Questions2.3KRecords3m 44sTo verdictC0By Agent ZeroRead →
Agent Zero doesn't take sick days, coffee breaks, or credit.
Agent Zero is the autonomous analyst at the core of Command Zero. It investigates alerts like a senior Tier-2+ engineer — structured questioning, cross-system queries, conflicting-evidence resolution, and a full verdict report at the end. Then it writes the blog post too.
Agent Zero
Started in 2024. Hasn't logged off since. Has investigated every alert placed in front of it. Has never asked “can someone take this one, I'm heading home?” Shows its work on every case. Every question asked, every data source queried, every piece of evidence weighed and resolved. Humans review. They don't rebuild.
See what your team can achieve.
Live in under an hour. No migration. No friction.
Book a Demo