Last updated: April 26, 2026
SIGINT (Signals Intelligence) for defenders means analysing communication signals — DNS queries, TLS metadata, network flows — to identify threats. While traditional SIGINT is a nation-state intelligence discipline, defensive SIGINT applies the same techniques to your own network telemetry. This article covers practical SIGINT for SOC teams in 2026.
What defensive SIGINT actually is
Network metadata analysis at scale to identify:
- Compromised internal hosts (beaconing to C2)
- Data exfiltration patterns
- Pre-compromise reconnaissance against your perimeter
- Insider activity (anomalous outbound)
The data sources
| Source | Insight |
|---|---|
| DNS query logs | What hosts/users contacted what domains; DGA detection; tunneling |
| NetFlow / sFlow / IPFIX | Flow-level traffic — source/dest, bytes, duration |
| Zeek logs (full protocol) | Detailed application-layer metadata |
| TLS metadata (JA3/JA4) | Client/server fingerprints; identify tools |
| Cloud VPC flow logs | Same in cloud environments |
The practical analyses
1. DNS DGA detection
```
# DGA domains have high entropy (random-looking subdomains)
# Splunk; eval_entropy() is a placeholder for a custom entropy function
# (e.g. a lookup such as URL Toolbox's ut_shannon), not a built-in SPL command
index=dns
| eval entropy=eval_entropy(query)
| where entropy > 4.0 AND len(query) > 15
| stats count by query, src_ip
| where count > 5
```
2. DNS tunneling
```sql
-- DNS tunneling has unusually long queries / responses
SELECT src_ip, query, length(query), query_type
FROM dns_logs
WHERE length(query) > 100
   OR (query_type = 'TXT' AND length(response) > 200)
ORDER BY length(query) DESC;
```
3. Beacon detection (RITA-style)
```sql
-- Identify connections with low standard deviation in inter-arrival time
SELECT src_ip, dst_ip, COUNT(*) AS connections,
       AVG(time_between) AS avg_interval,
       STDDEV(time_between) AS stdev
FROM (
    SELECT src_ip, dst_ip,
           EXTRACT(EPOCH FROM (timestamp - LAG(timestamp) OVER (PARTITION BY src_ip, dst_ip ORDER BY timestamp))) AS time_between
    FROM netflow
) t
WHERE time_between IS NOT NULL
GROUP BY src_ip, dst_ip
-- HAVING cannot reference the SELECT aliases, so the aggregates are repeated here
HAVING COUNT(*) > 30 AND STDDEV(time_between) < AVG(time_between) * 0.2;
```
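As an added example that is not part of the original article, the same RITA-style rule in plain Python, for running over rows exported from Zeek conn.log or NetFlow (timestamps in seconds); the flow records below are constructed, and the function also handles the single-connection and zero-interval cases the SQL leaves implicit.

```python
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(flows, min_conns=30, max_cv=0.2):
    """Return {(src, dst): (count, avg_interval, stdev)} for host pairs whose
    inter-arrival times are suspiciously regular (same rule as the SQL:
    more than min_conns connections and stdev below max_cv * mean).
    flows: iterable of (timestamp_seconds, src_ip, dst_ip) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < 2:
            continue  # a single connection has no interval to measure
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg, sd = mean(gaps), pstdev(gaps)
        # avg > 0 guards against duplicate timestamps collapsing the mean to 0
        if len(times) > min_conns and avg > 0 and sd < avg * max_cv:
            hits[pair] = (len(times), avg, sd)
    return hits


# Constructed sample flows: host .5 beacons every ~60s with a few seconds of
# deterministic jitter; host .8 browses with irregular gaps of 5-204s.
BEACON = [(60 * i + (i % 7), "10.0.0.5", "203.0.113.9") for i in range(40)]
NORMAL = [(sum((k * 37) % 200 + 5 for k in range(i)), "10.0.0.8", "198.51.100.2")
          for i in range(40)]
SAMPLE_FLOWS = BEACON + NORMAL

if __name__ == "__main__":
    for (src, dst), (n, avg, sd) in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {n} connections, mean {avg:.1f}s, stdev {sd:.1f}s")
```

Tune `min_conns` and `max_cv` to the observation window; long-sleep implants with heavy jitter will need a wider coefficient of variation than the 20% used here.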
4. Data exfiltration sizing
```sql
-- Outbound asymmetry: bytes out far exceeding bytes in over 24h suggests exfil
SELECT src_ip, dst_ip,
       SUM(bytes_out) AS total_out,
       SUM(bytes_in) AS total_in,
       (SUM(bytes_out)::float / NULLIF(SUM(bytes_in), 0)) AS ratio
FROM netflow
WHERE timestamp > NOW() - INTERVAL '24 hours'
GROUP BY src_ip, dst_ip
-- HAVING cannot reference the ratio alias, so the expression is repeated
HAVING SUM(bytes_out) > 100*1024*1024 -- 100MB
   AND SUM(bytes_out)::float / NULLIF(SUM(bytes_in), 0) > 10;
```
5. Newly-registered domain queries
```
# Cross-reference DNS queries with WHOIS data
# Domains registered < 30 days ago + queried by your org = suspicious
# Use DomainTools or Whoisxml API for registration-date enrichment
```
The toolchain
- Zeek — comprehensive protocol logs from network mirror
- RITA — beacon and DNS tunnel detection on Zeek logs
- Suricata — IDS/IPS with rule-based detection
- Arkime / Moloch — full packet capture with searchable metadata
- Cloud VPC Flow Logs — analysed via Athena / BigQuery / equivalent
- Splunk / Elastic / Sentinel — SIEM correlation across sources
The threat-intel overlay
Pure metadata analysis is internal-only. Adding threat-intel feeds turns “anomaly” into “anomaly + IoC match”:
- AlienVault OTX, abuse.ch, ThreatFox — free feeds of known-bad domains/IPs
- Mandiant, Recorded Future, CrowdStrike — commercial high-quality feeds
- Sectoral CERTs — RBI-FinCERT, NPCI, SEBI advisories with IoCs
The takeaway
Defensive SIGINT turns network metadata into threat detection. The combination of Zeek + RITA + threat-intel feeds + SIEM correlation catches roughly 80% of post-compromise activity within 24 hours. The investment is in sustained operations — collecting, correlating, and triaging — not in any one tool.
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.