Attack campaigns begin weeks or months before an alert fires. By the time a detection tool has something to work with, a threat actor has already registered domains, provisioned servers, configured DNS records, and tested infrastructure. That groundwork is the preparation phase, and it sits almost entirely outside the coverage of conventional threat intelligence tooling.
What Is the Preparation Phase?
The preparation phase is the period during which a threat actor builds and stages the infrastructure they intend to use in an attack. It covers domain registration, server provisioning, DNS configuration, certificate issuance, and pre-deployment testing. It ends when the campaign goes live.
Because no malicious events have occurred yet during this phase, the infrastructure being assembled appears indistinguishable from legitimate activity. There’s no endpoint behavior to flag, no connection to a known-bad indicator, and no log entry to correlate. Conventional detection tools have no signal to act on. Traditional threat data, as a result, captures roughly the final 5% of the offensive lifecycle, the point at which infrastructure is already operational and a malicious campaign is already running.
Where the IOC Timeline Actually Starts
When an Indicator of Compromise (IOC) surfaces in your stack, the threat actor behind it has often been working for weeks, and in many campaigns months, before that point. Domains were registered and often deliberately left dormant to age past new-registration scrutiny. Servers were provisioned, configured, and tested well before the campaign launched.
Security platforms built around SIEMs, EDR, and blocklists were designed around event-driven logic: something needs to happen at the endpoint, in the logs, or against a known-bad indicator before a rule can fire. That design reflects a deliberate architectural choice about where in the attack lifecycle those tools were intended to operate. The preparation phase sits upstream of all of it, which is why those tools don’t see it, and why expecting them to is asking them to do something they were never designed for.
What Happens During the Preparation Phase
The preparation phase follows a recognizable operational pattern across campaigns, even as specific assets rotate.

Some preparation-phase activities are generic, with infrastructure being built before a target is even selected. Other campaigns involve highly tailored staging, with domains that spoof a specific organization, or certificates that mimic their services. In either case, the behavioral patterns identified by the Silent Push Context Graph remain consistent.
Why Standard Threat Intelligence Arrives Late
SIEMs, EDR platforms, blocklists, and standard threat intelligence feeds share a common dependency: something has to have happened before they can act. A blocklist entry requires an indicator that has already been used maliciously. An EDR alert requires observable endpoint behavior. A SIEM correlation rule requires log data from an event that has already occurred. Threat intelligence feeds document what has been observed, meaning campaigns that have run, infrastructure that has been weaponized, and victims who have already been hit.
The data collection cycle works like this: an incident occurs, it generates data, which is processed into indicators, and those indicators eventually reach your stack. By the time that cycle completes, the preparation phase for the follow-on campaign may already be done. Traditional security tools are processing accurately and at pace, but they’re focused on activity that has already happened.
Where Defenders Have the Most Leverage
During the preparation phase, staged infrastructure can still be blocked before any breach occurs, and campaigns that have not yet launched can be disrupted without incident. Once a campaign goes operational, defensive options narrow significantly because the attacker is already acting and defenders are responding after the fact.
Silent Push Preemptive Cyber Defense was built to operate during the preparation phase. The platform continuously maps internet infrastructure across DNS, WHOIS, certificate data, and host configurations, analyzing both known-bad assets and the behavioral patterns that appear when infrastructure is being built and managed in ways consistent with adversarial Tactics, Techniques, and Procedures (TTPs). When those patterns match the operational signatures of how campaigns are staged, our proactive technology generates Indicators of Future Attack® (IOFA): verified signals of staging environments that exist before they have been used against anyone.
The average early-detection lead time from that process is 104 days ahead of a traditional SIEM alert. For Advanced Persistent Threat (APT) campaigns, the lead time has exceeded 300 days.

What This Looks Like for Each Team
- SOC managers working from IOC-based feeds are responding to activity that is already running. The infrastructure has been live for weeks, the campaign is operational, and alert volume is climbing. Integrating IOFA from the Context Graph into your existing stack gives your team lead time to push verified indicators into blocklists and validate staging infrastructure before that volume spike happens. Your analysts are working from current adversary data rather than reacting to events already in motion.
- IR leads arriving at an active breach begin with a single known indicator. What that indicator rarely provides is a complete picture of what the attacker has staged and is ready to use. Adversaries build infrastructure with redundancy, so if your remediation only covers the assets identified during the active investigation, there is a real chance the attacker has left themselves a route back in. Silent Push tracks infrastructure relationships, DNS history, and WHOIS lineage so that a single starting indicator can be expanded into the full cluster of adversary-controlled assets, including fallback infrastructure the attacker intended to rely on if their primary domains or IPs were discovered.
- CTI analysts delivering post-breach briefs are documenting what has already happened, which limits what a SOC can do with the output. Delivering IOFA for infrastructure that is now being staged, before it becomes an IOC anywhere, changes the operational value of that brief considerably. The Context Graph pre-correlates across 200+ behavioral parameters so that when you run queries in SPQL, the clustering is already complete, and the pivot work starts from a much earlier position.
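The expansion described for IR leads above, from one known indicator to the wider cluster of related infrastructure via shared hosting and WHOIS lineage, is easy to show in miniature. The following is an added illustration written for this page, not Silent Push code, and it does not use the Context Graph or SPQL; it runs over a constructed, hypothetical set of passive-DNS rows and registrant records. The one design point worth noting is the fan-out cap: a pivot value shared by a large number of domains (a popular nameserver, a CDN address) is commodity infrastructure, and following it would pull unrelated sites into the cluster, so the pivot is recorded and skipped rather than expanded. The threshold of 3 is an assumption chosen to fit the sample data.

```python
from collections import defaultdict, deque

# Constructed sample data for this example only (not from Silent Push, the
# Context Graph, or any real campaign). Hypothetical passive-DNS rows:
# (domain, record type, value, first-seen date).
PASSIVE_DNS = [
    ("login-corp-portal.example", "A",  "203.0.113.10",         "2024-01-05"),
    ("login-corp-portal.example", "NS", "ns1.bulk-dns.example", "2024-01-05"),
    ("corp-portal-sso.example",   "A",  "203.0.113.10",         "2024-01-06"),
    ("corp-portal-sso.example",   "NS", "ns1.bulk-dns.example", "2024-01-06"),
    ("backup-auth-corp.example",  "A",  "203.0.113.11",         "2024-01-07"),
    ("backup-auth-corp.example",  "NS", "ns1.bulk-dns.example", "2024-01-07"),
    ("legit-shop.example",        "A",  "198.51.100.20",        "2023-06-01"),
    ("legit-shop.example",        "NS", "ns1.bulk-dns.example", "2023-06-01"),
    ("another-site.example",      "A",  "198.51.100.21",        "2023-03-11"),
    ("another-site.example",      "NS", "ns1.bulk-dns.example", "2023-03-11"),
]

# Hypothetical WHOIS registrant contact per domain.
WHOIS_REGISTRANT = {
    "login-corp-portal.example": "ops-8812@mail.example",
    "corp-portal-sso.example":   "ops-8812@mail.example",
    "backup-auth-corp.example":  "ops-8812@mail.example",
    "legit-shop.example":        "admin@legit-shop.example",
    "another-site.example":      "webmaster@another-site.example",
}

# Assumed threshold: a pivot value shared by more than this many domains is
# treated as shared commodity infrastructure and is not followed.
MAX_FANOUT = 3


def build_index(pdns, whois):
    """Map each pivot key (attribute, value) to the set of domains carrying it."""
    index = defaultdict(set)
    for domain, rtype, value, _first_seen in pdns:
        index[(rtype, value)].add(domain)
    for domain, registrant in whois.items():
        index[("REGISTRANT", registrant)].add(domain)
    return index


def expand_cluster(seed, index, max_fanout=MAX_FANOUT):
    """Breadth-first pivot from one seed domain to every domain reachable
    through low-fan-out shared attributes.

    Returns (cluster, edges, skipped): the discovered domains, the
    (from, pivot_key, to) link that surfaced each one, and the hot pivots
    that were deliberately not followed."""
    # Reverse index: domain -> its pivot keys.
    keys_by_domain = defaultdict(set)
    for key, domains in index.items():
        for d in domains:
            keys_by_domain[d].add(key)

    cluster = {seed}
    edges = []
    skipped = set()
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for key in sorted(keys_by_domain[current]):
            related = index[key]
            if len(related) > max_fanout:
                skipped.add(key)          # commodity pivot: record, don't expand
                continue
            for other in sorted(related):
                if other not in cluster:
                    cluster.add(other)
                    edges.append((current, key, other))
                    queue.append(other)
    return cluster, edges, sorted(skipped)


if __name__ == "__main__":
    idx = build_index(PASSIVE_DNS, WHOIS_REGISTRANT)
    members, links, hot = expand_cluster("login-corp-portal.example", idx)
    print("cluster:", sorted(members))
    for src, key, dst in links:
        print(f"  {src} --{key[0]}={key[1]}--> {dst}")
    print("hot pivots skipped:", hot)
```

Starting from the one indicator an investigation surfaced, the shared A record finds the second staging domain, and the shared registrant contact finds the third, which sits on a different address and shares nothing else with the seed: exactly the kind of fallback asset the text warns a remediation scoped to the active investigation would miss. The two legitimate sites on the same bulk nameserver stay out because that nameserver exceeds the fan-out cap.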
See the Preparation Phase Before It Becomes an Incident
Silent Push IOFA are built on pre-breach infrastructure data. Our platform gives security teams visibility into adversary staging environments before weaponization and before alerts begin.
- Block staging grounds before campaigns deploy. Silent Push delivers IOFA into your existing blocklists and SIEM, so your team can act on current adversary infrastructure rather than last month’s IOC feed.
- Ingest earlier, more accurate indicators via automated feed exports. IOFA feeds are updated continuously with the latest research from our analyst team.
- Track APT campaigns from the infrastructure up. Pre-built IOFA feeds give your team visibility into the staging patterns of APTs, an average of 104 days before those indicators appear elsewhere.
Getting Started
Request a demo to see how Silent Push surfaces the preparation phase in your environment.