the same attack
before and after mate.
Here is what the Axios attack looks like in a SOC without Mate, and what happens when Mate is in the SOC.
manual hunting
CTI alert lands
Analyst reads the feed. "We should check this."
Manual hunt begins
Splunk, GitHub, Datadog long hunt, no context graph to query.
First hit found
Axios install in CI. Dev team paused to look, no context, no graph to ask.
Incident declared
Dev team confirms it touched prod. War room opens. Scrambling.
Containment shipped
Yank the package, rotate creds. No clean read on blast radius.
Detection authored
Manually written, eventually. No prevention work โ everyone's exhausted.
Survived, but barely. No durable improvement. The next variant catches the same SOC the same way.
full CD/CR Loop over context graph, federated search
CTI lands ยท shields up
Posture tightens against Axios TTPs automatically. No analyst needed
Hunt agent finds it
Referenced search across Splunk, GitHub, Snowflake. Datadog at source.
Blast radius mapped
Agent: 3 services touched, 1 crown jewel downstream, identity exposed.
Gamebook executes
Verdict confirmed: compromise on staging. Prod isolated automatically.
Auto-response taken
Package blocked at registry. Identity rotated. Egress paused on affected hosts.
Incident Commander
Briefly suspends on timeline + blast radius. DFIR reviewing preserves evidence.
New Detection Created
Detection rule ships into supervised tuning.
Posture improved
Lessons learned in the graph. SOC 2 control updated as side effect.
Contained in hours. Detection shipped. Attack class on track to retire. Next Axios-style attack catches a hardened SOC.