Night mountain valley with illuminated infrastructure labels over distant lights.

Command & Control Intelligence

Explorator

Explorator continuously observes C2 infrastructure so analysts can identify patterns before they appear in commodity feeds.

10.4kCommand & Control servers tracked
244.4kServices identified in C2 tech stacks
170Groups, APTs, or threat actors mapped to C2s
4.2BnIP addresses scanned every week

Explorator carries forward Dendrite's current C2 proof points: active fingerprinting, software stack identification, actor mapping, and internet-scale scanning.

10.4k Command & Control servers tracked

Validates Explorator's active C2 coverage across discovered infrastructure, preserving enriched records for analyst review and correlation.

244.4k services identified in C2 tech stacks

Shows the depth of software and service fingerprinting used to understand how suspected C2 infrastructure is configured.

4.2Bn IP addresses scanned every week

Demonstrates the internet-scale observation loop needed to find new infrastructure and monitor changes before they appear in commodity feeds.

What it is

Command & Control Intelligence

Explorator creates enriched records for discovered C2 servers and continuously observes infrastructure behavior over time.

Data coverage

What data it covers

Workflow

How it works

  1. Scan internet-scale infrastructure
  2. Fingerprint malicious configurations
  3. Match infrastructure to analogous patterns
  4. Monitor changes in services and behavior

Analyst use

How teams use it

Audience

Built for Explorator users.

C2 infrastructure intelligence for enumerating, fingerprinting, and monitoring adversary infrastructure.

Threat hunters

Use C2 fingerprints, service behavior, and infrastructure pivots to surface suspicious systems before they become widely reported indicators.

Malware researchers

Connect malware infrastructure to software stacks, hosting patterns, and historical service behavior for deeper technical analysis.

SOC analysts

Enrich alerts and suspicious connections with C2 infrastructure context, service fingerprints, and related historical observations.

Cyber threat intelligence teams

Track adversary infrastructure patterns, actor mappings, and infrastructure changes that support finished intelligence and proactive reporting.

Features

What the capability supports.

Internet-scale infrastructure scanning

Continuously observe broad network space to identify infrastructure that matches suspicious C2 patterns or warrants deeper fingerprinting.

C2 software stack fingerprinting

Capture service, framework, certificate, and configuration details that help distinguish C2 infrastructure from ordinary internet noise.

Threat actor and group mapping

Associate infrastructure patterns with known groups, tools, campaigns, or analogous activity where supporting evidence is available.

Continuous historical infrastructure observation

Preserve how infrastructure changes over time, including hosting moves, service updates, configuration shifts, and recurring patterns.

Use cases

Operational paths for Explorator.

Identify suspected C2s before they appear in commodity feeds

Surface infrastructure with suspicious fingerprints or behavioral overlap before it is confirmed and distributed through traditional CTI channels.

Track infrastructure as it shifts hosting or configuration

Monitor C2 records over time so analysts can follow migrations, service changes, and reappearing infrastructure patterns.

Connect infrastructure to groups, tools, and TTPs

Use fingerprints, historical behavior, and correlation context to connect infrastructure observations to likely actor or tool patterns.

Data flow

Infrastructure observation to C2 intelligence

Explorator scans, fingerprints, groups, and monitors infrastructure behavior over time.

Explorator scans, fingerprints, groups, and monitors infrastructure behavior over time.

Input

Source data

  • C2 server fingerprints
  • Software stack identifiers
  • Infrastructure groupings
  • Behavioral time series

Processing

Correlation path

  • Scan
  • Fingerprint
  • Group
  • Monitor
  • Attribute

Output

Analyst workflow

  • Identify suspected C2s before they appear in commodity feeds
  • Track infrastructure as it shifts hosting or configuration
  • Connect infrastructure to groups, tools, and TTPs

Delivery

Available where the workflow needs it.

Delivery options for Explorator: API, CLI, Unified Web Platform, Dataset export.

API

API

  • Query C2 records, fingerprints, and infrastructure context programmatically
  • Enrich internal detections, cases, and threat intel workflows
  • Automate pivots across services, hosts, certificates, and related records

CLI

CLI

  • Run targeted C2 lookups from analyst workstations
  • Pull fingerprint and infrastructure context into repeatable workflows
  • Support fast pivots during active hunting or incident response

Platform

Unified Web Platform

  • Explore C2 infrastructure relationships in graph workflows
  • Review software stacks, related services, and historical changes
  • Coordinate findings across hunters, SOC teams, and CTI analysts

Dataset export

Dataset export

  • Receive scoped C2 infrastructure datasets for offline analysis
  • Support model training, detection research, and bulk enrichment
  • Preserve historical observations inside customer-controlled environments

Related

Connected capabilities

Operationalize

Put Explorator into the workflow.

Talk with Dendrite about access, delivery options, and the right starting point for your team.