80 Posts Later
What We Actually Shared This Year
Some of you already got this post. Congratulations. You were part of the pre-drop hype.
In 2025, THOR Collective Dispatch published 80 posts.
That is not a content goal. That is a signal.
It means we showed up consistently to talk about how infosec actually works. The messy parts. The decisions that do not fit cleanly into slides. The tradeoffs teams make every day when the logs are loud and the clock is running.
This year was not about chasing trends. It was about sharpening thinking, pressure-testing ideas, and building things that last.
If you read one post or all eighty, thank you. To close out the year, here are six pieces that best represent what Dispatch stood for in 2025.
Detection-in-Depth
Eliminating detection blind spots through layered visibility
Guest post by Day Johnson
This post put real structure behind a phrase that often gets waved around without substance.
Detection-in-depth reframed detection as a layered, living system instead of a collection of clever rules. It emphasized baselining before tuning, precision over perfection, and continuous validation instead of set-and-forget detections.
Most importantly, it addressed a hard truth. If you are not actively testing your detections, attackers are doing it for you.
This piece helped teams think more clearly about blind spots, redundancy, and why layered detection is the difference between catching an attacker early and discovering them after impact.
The Agentic Threat Hunter
We’re done playing whack-a-mole
By Sydney Marrone
This post drew a line in the sand.
Threat hunting methodology still works. Humans alone do not scale.
The Agentic Threat Hunter argued for a shift in how we hunt. Not AI as a chatbot. Not AI as a vendor checkbox. AI as a collaborator that can hypothesize, investigate, and correlate at machine speed while humans stay focused on strategy and judgment.
It reframed the hunter’s role from query executor to system designer and supervisor. Write hypotheses down. Treat hunts like code. Pair with AI intentionally. Automate repetition and protect creativity.
This post resonated because it named what many teams already feel. The future of hunting is not more dashboards. It is better partners.
From the Fire: Q1FY25
TTPs that sparked, spread, and still burn
By Lauren Proehl
This was threat intel done right.
Instead of chasing zero-day headlines, From the Fire focused on behaviors that kept showing up across incident response and adversary emulation. OAuth consent abuse. Malicious package ecosystems. RMM tooling repurposed for initial access.
Each section broke down what attackers were doing, what telemetry mattered, and what to hunt for right now. This was not theory. This was backlog fuel.
If other posts pushed the craft forward, this one kept it grounded in reality. These are the fires still burning.
Introducing HEARTH
A community-driven threat hunting repository
By Sydney Marrone, Lauren Proehl, and John Grageda
This post turned Dispatch from a publication into infrastructure.
HEARTH addressed a problem every hunter knows. Good hunt ideas live in isolation and disappear. HEARTH gave them a shared home with structure, review, and attribution.
Standard templates. Clear categorization. Community refinement. Real credit for contributors.
It reinforced a belief at the core of THOR Collective. Threat hunting improves when knowledge compounds. Not when it stays siloed.
This was not just an announcement. It was an investment in how the community builds together.
Hunting Beyond Indicators
Why behaviors beat artifacts
Guest post by Sam Hanson
This post tackled one of the most common traps in threat hunting.
Indicators help with known bad. They do not help you find the unknown.
Sam made the case for behavior-first hunting grounded in TTPs, with indicators used as enrichment instead of direction. Cast a wide net. Accept false positives. Automate triage. Let your data access define what you can realistically hunt.
This was not anti-IOC. It was pro-thinking.
It reminded us why threat hunting exists in the first place. To find what has not been named yet.
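To make the behavior-first point concrete, here is an added example (not code from Dispatch or from Sam's post) that runs a hunt over a handful of constructed process-creation events. The behavior checks, the sample events, the hash list and the known-good path are all made up for illustration; the structure is the point: behavior decides what is in scope, indicators only enrich, and an automated triage pass closes the expected false positives instead of narrowing the net up front.

```python
"""Behavior-first hunt with IOC enrichment, run over constructed events.

Added example for this post, not code from Dispatch or the original piece.
Event records, IOC values, paths and field names are constructed for
illustration; the behavior checks are simplified stand-ins for real hunt queries.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation telemetry (Sysmon-like fields). Not real data.
EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": "1111"},
    {"host": "ws02", "parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -File C:\\Scripts\\mailsync.ps1",
     "sha256": "2222"},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1", "sha256": "3333"},
    {"host": "srv01", "parent": "services.exe", "image": "updater.exe",
     "cmdline": "updater.exe --silent", "sha256": "dead"},
]

# IOCs enrich hits; they do not decide what gets looked at. (Constructed.)
IOC_HASHES = {"dead": "constructed-sample-loader"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PS_FLAGS = (" -enc", " -e ", " -w hidden", " -nop", " -noni")
# Paths triage has already vetted (constructed); hits here are auto-closed
# unless an indicator also matches.
KNOWN_GOOD_PATHS = ("c:\\scripts\\",)


@dataclass
class Hit:
    host: str
    behaviors: List[str]
    ioc: Optional[str]
    score: int
    disposition: str  # "review" or "auto_closed"


def behaviors_for(event):
    """Wide-net, TTP-shaped checks that do not depend on any hash or domain."""
    found = []
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in INTERPRETERS:
        found.append("office_app_spawns_interpreter")
    cl = event["cmdline"].lower()
    if "powershell" in cl and any(flag in cl for flag in SUSPICIOUS_PS_FLAGS):
        found.append("powershell_encoded_or_hidden")
    return found


def hunt(events, ioc_hashes=IOC_HASHES):
    """Behavior first, indicator enrichment second, automated triage third."""
    hits = []
    for e in events:
        behaviors = behaviors_for(e)
        ioc = ioc_hashes.get(e["sha256"])
        if not behaviors and not ioc:
            continue  # nothing behavioral and nothing known-bad: out of scope
        score = 10 * len(behaviors) + (30 if ioc else 0)
        known_good = any(p in e["cmdline"].lower() for p in KNOWN_GOOD_PATHS)
        disposition = "auto_closed" if known_good and not ioc else "review"
        hits.append(Hit(e["host"], behaviors, ioc, score, disposition))
    # Highest score first; stable sort keeps event order among ties.
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(h)
```

Run as-is it surfaces three of the four events: the Word-to-cmd chain with encoded PowerShell (two behaviors, for review), the Outlook-launched hidden script under the vetted path (two behaviors, auto-closed by triage), and the known-bad hash with no behavioral signal (still for review, because known bad is still known bad). The explorer-launched inventory script never enters scope at all. Swap the constructed checks for your real queries and the triage list for what your data access actually lets you vet.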
Red with Benefits: Purple Teaming with Sliver Beacons
Turning post-exploitation into detection signal
By John Grageda
This post showed what collaboration actually looks like.
Instead of using Sliver purely as a red team flex, John demonstrated how to turn beacon activity into shared detection engineering feedback. Map actions to ATT&CK. Pair them with expected telemetry. Capture gaps in VECTR. Fix what did not fire.
This was purple teaming without theater. No gotchas. No scorekeeping. Just learning.
If other posts defined strategy and mindset, this one showed how to pressure-test those ideas with real tooling.
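The loop John describes, and the "test your detections before the attacker does" point from the Detection-in-Depth piece, can be reduced to one small harness. The following is an added example for this post, not Dispatch's, Sliver's or VECTR's own code: each emulated beacon action is written down with its ATT&CK technique, the telemetry it should produce, and the detections expected to fire; the detections are constructed stand-ins spread across endpoint, network and identity layers; the report lists what did not fire and whether that is because no rule exists or because an existing rule missed. The ATT&CK mappings are standard technique IDs; everything else (rule logic, event fields, the deliberate case-sensitivity defect in the identity rule) is made up to show the gap types.

```python
"""Detection validation loop: emulated actions, expected telemetry, layered
rules, and a gap report for what did not fire.

Added example for this post, not code from Dispatch, Sliver or VECTR.
Rule logic, event fields and test cases are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    layer: str                       # visibility layer the detection lives in
    technique: str                   # ATT&CK technique it is meant to catch
    match: Callable[[Dict], bool]    # predicate over a single event


@dataclass
class TestCase:
    name: str
    technique: str
    events: List[Dict]    # constructed telemetry the emulated action produced
    expect: List[str]     # rule names that should fire


# Constructed rule set across three layers. Not production logic.
RULES: Dict[str, Rule] = {
    "EDR-FullAccessHandle": Rule("endpoint", "T1055",
        lambda e: e.get("type") == "process_access" and e.get("granted_access") == "0x1F0FFF"),
    "NET-LowJitterBeacon": Rule("network", "T1071.001",
        lambda e: e.get("type") == "http_conn" and e.get("requests", 0) >= 20 and e.get("jitter", 1.0) < 0.1),
    "ID-LocalAdminAdded": Rule("identity", "T1136.001",
        # Deliberate defect kept for the demo: compares the group name case-sensitively.
        lambda e: e.get("event_id") == 4732 and e.get("group") == "Administrators"),
}

# Constructed emulation results, one per beacon action.
CASES = [
    TestCase("inject into explorer", "T1055",
             [{"type": "process_access", "source": "beacon.exe", "target": "explorer.exe",
               "granted_access": "0x1F0FFF"}],
             ["EDR-FullAccessHandle"]),
    TestCase("https beacon, 5s sleep, 5% jitter", "T1071.001",
             [{"type": "http_conn", "dst": "203.0.113.10", "requests": 120, "jitter": 0.05}],
             ["NET-LowJitterBeacon"]),
    TestCase("net localgroup administrators add", "T1136.001",
             [{"event_id": 4732, "group": "administrators", "member": "svc_backup"}],
             ["ID-LocalAdminAdded"]),
    TestCase("lsass minidump via comsvcs", "T1003.001",
             [{"type": "process_create", "image": "rundll32.exe",
               "cmdline": "rundll32 comsvcs.dll MiniDump 652 C:\\Windows\\Temp\\l.dmp full"}],
             ["EDR-LsassMiniDump"]),   # expected rule does not exist yet
]


def fired_rules(events, rules=RULES):
    """Names of every rule that matched at least one event."""
    return sorted({name for name, r in rules.items() for e in events if r.match(e)})


def validate(cases=CASES, rules=RULES):
    """Run every emulated action through every rule; report misses and why."""
    report = {"passed": [], "gaps": []}
    for c in cases:
        fired = fired_rules(c.events, rules)
        missing = [r for r in c.expect if r not in fired]
        if not missing:
            report["passed"].append(c.name)
            continue
        for r in missing:
            reason = ("rule not defined" if r not in rules
                      else f"rule exists in {rules[r].layer} layer but did not match")
            report["gaps"].append({"case": c.name, "technique": c.technique,
                                   "expected": r, "fired": fired, "reason": reason})
    return report


def layer_coverage(cases=CASES, rules=RULES):
    """Layers that produced a firing rule per technique; an empty list is a blind spot."""
    return {c.technique: sorted({rules[n].layer for n in fired_rules(c.events, rules)})
            for c in cases}


if __name__ == "__main__":
    for gap in validate()["gaps"]:
        print(gap)
    print(layer_coverage())
```

The two gaps it reports are the two kinds worth tracking separately: the credential dump has no rule at all (a coverage gap), while the local-admin addition has a rule that simply did not match (a tuning bug, here the case comparison). The per-technique layer view is what detection-in-depth asks for: T1055 and T1071.001 are each seen by exactly one layer, so a single failure there still leaves you blind. Re-run the harness after every fix and after every rule change; that is the "continuous validation" part.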
And One More Thing We Loved This Year: Ask-a-Thrunt3r
This Logtoberfest Ask-a-Thrunt3r episode captured the question running through Dispatch all year: where is threat hunting actually headed?
With Damien Lewke joining the crew, we talked agentic AI, democratizing threat hunting, and why attackers are already moving faster than most defenders. No polished narratives. No easy answers. Just practitioners working through what’s real, what’s broken, and what still needs figuring out.
If you listened to one Ask-a-Thrunt3r episode this year, make it this one.
What This Year Reinforced
This year made a few things very clear:
Structure makes hunting stronger, not slower
Documentation is a force multiplier
Automation works best when it supports thinking
Detection improves through testing, not hope
And threat hunting gets better when we build together
We are proud of what shipped this year. We are even more excited about what comes next.
Thanks for reading.
Thanks for building with us.
And thanks for keeping the fire burning.
Here’s to the new year.
Happy thrunting!