BTB Security's

Designed to identify adversaries on endpoints, it is a series of behavioral indicator “traps” set along various phases of an attack.

By creating various behavior indicator patterns on endpoint operating systems, Minefield serves as a warning system for potential anomalies triggered by adversaries or compromised accounts by interacting with operating systems or software on the endpoints. Minefield not only incorporates current tactics and techniques from the MITRE ATT&CK framework, but it also focuses on core operating system and 3rd party software patterns to pinpoint potential malicious behavior patterns.

Minefield covers a wide variety of core operating system processes, including but not limited to popular built-in binaries, commonly referred to as LotL (Living off the Land) binaries and development tools leveraged in BYOL (Build Your Own Land) tactics. Minefield does not leverage traditional IOCs such as hash values and IP addresses, instead, it relies on behavior patterns of users and processes on the endpoints. This approach was selected because traditional IOCs are too easy to modify unlike tactics and techniques used by adversaries. Think how easy it is to change a hash value of a file by simply recompiling it but something like lateral movement always relies on predetermined processes and protocols that cannot be easily avoided or substituted. This approach has proven to be successful against modern adversaries and resulted in what is currently 500+ behavioral patterns for the endpoints. This number continues to grow as new attack vectors and operating system features are introduced and assessed.

How Minefield works

Many traditional monitoring techniques heavily rely on the identification and creation of Indicators of Compromise (IoCs) that the tool/solution/MSSP then "look for" within the data they collect and evaluate. These IoCs often include very specific data-elements that can be easily defeated (i.e., bad guys can evade detection) by slightly changing their contents. For example, the hash value of a malicious executable, or target URL. Minefield expands upon RADAR’s existent behavior-based detection techniques and considers over 500 unique endpoint behavior patterns that encompass tools, techniques, and procedures associated with the ATT&CK framework, Living off the Land (LOLBins and GTFOBins) projects, and 20 years of BTB Security red teaming and evasion experience.

IoCs have a place in security monitoring, including RADAR, but Minefield dramatically changes the how BTB Security detects threats, adding resolution and confidence to identified malicious behaviors. Minefield ensures we deliver better outcomes for RADAR clients.



BTB Security red teaming and evasion experience.



Frequently Asked Questions


How is Minefield different from what RADAR has been doing?

BTB Security's RADAR continually evolves to stay ahead of the adversaries. Having been designed, developed, and built by Information Security practitioners, RADAR has always considered HOW an adversary behaves. Minefield expands upon this approach to define key behavioral patterns on endpoints along the attack trajectory and notifies BTB Threat Operations to enable an effective response process.

What tool does Minefield use?

Minefield is proprietary to BTB Security, having been developed 100% in-house by our RIOT Labs group. It's data. It's experience. It's expertise. We hack, we defend, we learn.

How do I benefit from Minefield today?

As a BTB Security RADAR customer, you're already protected. There's nothing to do, nothing to configure, nothing to install.

IOC Focus vs Predictive Intelligence

IOC/Threat Intelligence

  • Mostly rely on easily modifiable values such as hashes, IP address and domains
  • Requires constant updates due to volatile nature of indicators
  • Volume of indicators can be substantial and not easy to manage
  • Quality of indicators varies, resulting at times in mixed results and false positives

Predictive Intelligence

  • Built into the RADAR platform and curated internally by BTB
  • Endpoint and network pattern identification via Minefield and Shield
  • Mostly static nature of patterns and data makes it easy to maintain
  • Patterns can be easily tailored to unique client environments
Chris, one of BTB's founders smiling


Our all-in-one service for managed detection and response helps keep your organization secure.

Request a Demo