The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

In the fragmented world of cybersecurity, tools often exist in isolation. We have distinct silos for threat intelligence, detection engineering, and external hunting. But sophisticated defense requires a unified ecosystem—a living organism where intelligence feeds engineering, and engineering empowers the hunt.

Today, we are proud to announce the unification of our platform under a single, cohesive mythological narrative. The ecosystem is no longer just a collection of scripts and apps; it is a triad of capabilities working in concert: HEFAISTOS, KEDALION, and the newly rechristened ORION.

1. HEFAISTOS: The Forge of Detection

The Creator

At the center of our ecosystem lies HEFAISTOS (Hephaestus), the smith god. In our architecture, this is the Enterprise Detection Engineering & Threat Intelligence Platform. Just as the god of the forge crafted armor for the Olympians, HEFAISTOS provides the workbench where raw intelligence is hammered into actionable detection logic.

HEFAISTOS is designed to manage the end-to-end workflow of a modern SOC:

  • The Workbench: A visual, graph-based environment where detection strategies are mapped to MITRE ATT&CK techniques.
  • AI-Augmentation: The platform integrates multi-provider AI (OpenAI, Gemini, Claude) to assist in generating Sigma and KQL rules, deconstructing logic, and identifying blind spots in detection coverage.
  • The Repository: It synchronizes bidirectionally with Git, ensuring that the logic “forged” in the platform is version-controlled and deployable.

HEFAISTOS is not just a repository; it is the engine where hypotheses are tested and validated before deployment.

2. KEDALION: The Guide and Predictor

The Intelligence

If HEFAISTOS is the hand that builds, KEDALION is the eye that sees what others miss. Previously discussed in our research on Integrating D3FEND into the ATT&CK Methodology, KEDALION represents the transition from reactive “heatmaps” to predictive defense.

KEDALION (formerly the internal module for prioritized defense) addresses the fundamental limits of legacy tools like DeTT&CT. With the advent of MITRE ATT&CK v18, the old binary mapping of “Data Sources” is no longer sufficient. KEDALION replaces static checklists with a dynamic, ontology-driven model utilizing three pillars:

  1. Technique Inference Engine (TIE): Utilizing Collaborative Filtering and Weighted Matrix Factorization (WMF), KEDALION analyzes over 6,200 CTI reports to predict the “next move” of an adversary. If an attacker uses Technique A, KEDALION knows they are statistically likely to use Technique B, even if it hasn’t been seen yet.
  2. MITRE D3FEND Ontology: Instead of mapping tools, KEDALION maps Digital Artifacts. It creates a semantic bridge where an offensive requirement (e.g., Access LSASS) is translated into a defensive capability (e.g., Process Code Segment Verification).
  3. Defensive Coverage Score (DCS): A new metric that prioritizes defense based on the probability of a technique occurring versus the business impact of the assets involved.
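To make the first and third pillars concrete, here is a small added example (not KEDALION's own code, whose corpus of 6,200 reports and WMF model are not reproduced) that runs item-based collaborative filtering over a constructed corpus of six "reports", each reduced to the set of ATT&CK technique IDs it describes, and then ranks the predicted techniques by an assumed DCS form of normalised prediction score multiplied by a constructed business-impact weight. Cosine similarity on co-occurrence is used in place of Weighted Matrix Factorization; the technique IDs are real ATT&CK IDs, the reports and impact weights are invented for illustration.

```python
"""Toy Technique Inference and Defensive Coverage Score.

Added example, not code from KEDALION. The report corpus, the observed
techniques and the asset-impact weights are constructed; the similarity
model is item-based collaborative filtering (cosine on co-occurrence),
a simpler stand-in for the Weighted Matrix Factorization the text names.
"""
from collections import Counter, defaultdict
from itertools import combinations
from math import sqrt

# Constructed CTI "reports": the set of ATT&CK technique IDs each one describes.
REPORTS = [
    {"T1566", "T1059", "T1003", "T1021"},  # phishing -> scripting -> cred dump -> lateral
    {"T1566", "T1059", "T1003", "T1071"},
    {"T1059", "T1003", "T1021", "T1071"},
    {"T1566", "T1059", "T1105"},
    {"T1078", "T1021", "T1003"},
    {"T1566", "T1105", "T1071"},
]

# Constructed business impact of the assets a technique would touch (0..1).
ASSET_IMPACT = {"T1003": 0.9, "T1071": 0.4, "T1105": 0.5, "T1021": 1.0}


def build_similarity(reports):
    """Cosine similarity between techniques from their co-occurrence in reports."""
    freq = Counter()
    cooc = Counter()
    for techs in reports:
        freq.update(techs)
        for a, b in combinations(sorted(techs), 2):
            cooc[(a, b)] += 1
            cooc[(b, a)] += 1
    sim = defaultdict(dict)
    for (a, b), n in cooc.items():
        sim[a][b] = n / sqrt(freq[a] * freq[b])
    return sim


def infer_next_techniques(observed, reports=REPORTS):
    """Score techniques not yet observed by summed similarity to the observed ones.

    Returns [(technique, score), ...] sorted best-first; techniques with no
    co-occurrence link to anything observed are omitted (score 0).
    """
    sim = build_similarity(reports)
    scores = defaultdict(float)
    for seen in observed:
        for candidate, s in sim.get(seen, {}).items():
            if candidate not in observed:
                scores[candidate] += s
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def defensive_coverage_scores(predictions, asset_impact=ASSET_IMPACT):
    """Assumed DCS: prediction score normalised to a probability, times asset impact."""
    total = sum(s for _, s in predictions) or 1.0
    ranked = [(tech, round((s / total) * asset_impact.get(tech, 1.0), 3))
              for tech, s in predictions]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    observed = {"T1566", "T1059"}          # what telemetry has shown so far
    preds = infer_next_techniques(observed)
    print("predicted next techniques:", preds)
    print("DCS prioritisation:", defensive_coverage_scores(preds))
```

Note how the two rankings differ: T1071 is the second most likely next technique, but once the (constructed) asset impact is applied, T1021 moves ahead of it, which is exactly the "probability versus business impact" trade-off the DCS is meant to surface.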

KEDALION acts as the “Guide,” informing the Forge (HEFAISTOS) where to focus its efforts next.

3. ORION: The Hunter

The External Eye

Finally, we arrive at the third pillar. In our previous post, “Dendrite: Bridging the Synaptic Gap,” we introduced a tool designed for Adversary External Threat Hunting. This application queries external datasets like hunt.io and VALIDIN to uncover adversary infrastructure and pivot points before they touch our perimeter.

However, to align with our vision, “Dendrite” has been renamed ORION.

The choice of name is not merely aesthetic; it is deeply functional. In Greek mythology, there is a profound relationship between the giant hunter Orion and the guide Kedalion.

“Given the existing ecosystem of HEFAISTOS (the forge/builder) and KEDALION (the guide/predictor), the most thematically consistent name for your external threat hunting tool is ORION.

The Perfect Narrative Fit: ORION

Orion is the strongest candidate because it completes the specific mythological triad you have already started with Kedalion.

  • The Myth: In mythology, Kedalion was the guide who stood on the shoulders of the giant hunter Orion (who had been blinded) to guide him toward the east to restore his sight.
  • The Logic:
    • HEFAISTOS: The creator/forge (Your Detection Engineering Platform).
    • KEDALION: The intelligence/guide (Your Prediction ML).
    • ORION: The Hunter (Your External Threat Hunting App).
  • Why it works: Your tool is literally a “hunter” (Threat Hunting). Just as Kedalion guided Orion to “see” again, your ML/CTI tool (Kedalion) can guide this hunting tool (Orion) to uncover hidden infrastructure and pivot points.”

The Unified Architecture: How the Triad Works

The true power of this ecosystem lies in the data flow between these three entities.

  1. KEDALION (The Guide) analyzes internal telemetry and global CTI. It identifies a high-probability threat (e.g., a specific C2 framework expected to target our sector) using the Technique Inference Engine.
  2. KEDALION climbs onto the shoulders of ORION. It passes these technical indicators to ORION, guiding the external hunt.
  3. ORION (The Hunter) queries external reservoirs to find the physical infrastructure—the IPs, domains, and pivots—associated with that predicted threat.
  4. HEFAISTOS (The Forge) takes the specific IoCs found by ORION and the behavioral logic predicted by KEDALION. The detection engineers use the workbench to forge resilient Sigma rules that are pushed to the SIEM/EDR.
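The last step of the flow, forging detection logic from hunt-derived IoCs and validating it before it reaches the SIEM, is shown below as an added example; it is not HEFAISTOS code and makes no use of ORION's real data sources. The IoC domains and the DNS-query events are constructed (reserved `.invalid` names), the rule is built in Sigma's field/modifier shape for the `dns_query` log source, and a minimal evaluator applies the rule's selection to the sample events so the rule can be checked for hits and misses offline.

```python
"""Forge step: IoCs from an external hunt -> Sigma-style rule -> offline validation.

Added example, not HEFAISTOS or ORION code. The IoCs, rule title and sample
events are constructed; the evaluator only handles a single 'selection' map
with Sigma's string modifiers (endswith/startswith/contains/exact).
"""
import uuid

# Constructed hunt output: domains predicted to host adversary infrastructure.
HUNT_DOMAINS = ["c2-update.example.invalid", "cdn-sync.example.invalid"]

# Constructed DNS-query telemetry (Sysmon Event ID 22 shape) to validate against.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "C2-Update.example.invalid"},            # IoC, mixed case
    {"EventID": 22, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "www.example.com"},                       # benign
    {"EventID": 22, "Image": "C:\\Users\\Public\\sync.exe",
     "QueryName": "api.cdn-sync.example.invalid"},          # subdomain of IoC
    {"EventID": 3, "Image": "C:\\Users\\Public\\sync.exe",
     "DestinationIp": "203.0.113.17"},                      # no QueryName field
]


def forge_dns_rule(domains, title="Predicted C2 domain resolution"):
    """Build a Sigma rule (as a dict) that fires on DNS queries to the IoC domains."""
    return {
        "title": title,
        "id": str(uuid.uuid5(uuid.NAMESPACE_DNS, title)),  # stable id per title
        "status": "experimental",
        "logsource": {"category": "dns_query", "product": "windows"},
        "detection": {
            "selection": {"QueryName|endswith": sorted(domains)},
            "condition": "selection",
        },
        "level": "high",
        "tags": ["attack.command_and_control", "attack.t1071"],
    }


def to_sigma_yaml(obj, indent=0):
    """Render the rule dict as YAML text (subset: dicts, lists, scalars)."""
    pad = "  " * indent
    lines = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_sigma_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    elif isinstance(obj, list):
        lines.extend(f"{pad}- {_scalar(v)}" for v in obj)
    return "\n".join(lines)


def _scalar(value):
    return f"'{value}'" if isinstance(value, str) else str(value)


def _matches(modifier, expected, actual):
    # Sigma string matching is case-insensitive by default.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def evaluate(rule, events):
    """Return the events matched by a rule whose condition is a single selection."""
    selection = rule["detection"]["selection"]
    hits = []
    for event in events:
        matched = True
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            values = expected if isinstance(expected, list) else [expected]
            if field not in event or not any(_matches(modifier, v, event[field]) for v in values):
                matched = False
                break
        if matched:
            hits.append(event)
    return hits


if __name__ == "__main__":
    rule = forge_dns_rule(HUNT_DOMAINS)
    print(to_sigma_yaml(rule))
    print("validation hits:", [e.get("QueryName") for e in evaluate(rule, SAMPLE_EVENTS)])
```

Running the rule over the sample events before deployment catches two things a plain string comparison would miss: the mixed-case query still matches, and so does a subdomain of the IoC because the selection uses `endswith`. That is the kind of check the text has in mind when it says hypotheses are validated in the Forge before the rule is pushed.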

By moving from distinct tools to a mythological triad, we are not just renaming our stack; we are defining a philosophy. We build (Hefaistos), we predict (Kedalion), and we hunt (Orion).

Welcome to the new era of Threat-Informed Defense.

Resources & Bibliography

Internal Documentation & Project Specifications

  • HEFAISTOS Platform Documentation: README-hefaistos.md (Internal Repository).
  • KEDALION Methodology: Methodology for Prioritizing Cyber Defense: Integrating MITRE ATT&CK v18, the Technique Inference Engine and D3FEND (Internal Research Paper; original Czech title: Metodika prioritizace kybernetické obrany: Integrace MITRE ATT&CK v18, Technique Inference Engine a D3FEND).
  • ORION (formerly Dendrite) Announcement: Deceiver.io: Dendrite – Bridging the Synaptic Gap between External Intelligence and Internal Defense.

MITRE Frameworks & Ontologies

  • MITRE ATT&CK® (v18): The global knowledge base of adversary tactics and techniques based on real-world observations.
  • MITRE D3FEND™: A knowledge graph of cybersecurity countermeasures and technical artifacts.
  • MITRE Engage™: A framework for planning and discussing adversary engagement operations (Deception & Denial).

Research & Community Contributions

  • MITRE Engenuity / Center for Threat-Informed Defense:
    • Technique Inference Engine (TIE): Research into using Recommender Systems (Collaborative Filtering) to predict adversary behavior.
    • Summiting the Pyramid: Methodologies for creating robust, durable detections that target the apex of the Pyramid of Pain.
  • SpecterOps & Jared Atkinson:
    • On Detection: Foundational research on “Capability Abstraction” and the “Funnel of Fidelity,” which heavily influences modern detection engineering forges.
    • Detection Engineering Methodology: Principles regarding the separation of logic, data, and testing that align with the HEFAISTOS workflow.
