

Testing TAT as a forensic triage engine on MedSec-25 ranking incident windows and IP chains
I tested TAT on the MedSec-25 network-flow dataset.
The dataset had 554,534 flow records labelled as benign, reconnaissance, initial access, lateral movement, and exfiltration.
Instead of only scoring single rows, I ran it in two layers:
- Dataset-wide drift detection
TAT compressed the full dataset into 118 five-minute review windows and ranked where the whole system shifted into a coherent incident state.
The strongest repeated incident window was:
17 Apr 2025, 15:38–15:54 — Initial Access
It also surfaced broader staged activity:
15 Apr — Reconnaissance
17 Apr — Initial Access
24 Apr — Lateral Movement
- Endpoint chain detection
Inside the strongest drift windows, TAT ranked the IP-to-IP paths most worth reviewing.
The top endpoint chain was:
192.168.1.101 → 192.168.1.108
17 Apr 15:38 — Initial Access
1,849 rows | 1,617 destination ports
The same endpoint pair appeared again at 15:40, with 1,176 rows and 1,061 destination ports.
TAT scoring combines:
threat possibility, forensic usability, chain coherence − noise penalty
The score is converted into a Priority Index, where 100 = strongest review target in the run.
What I found useful is that TAT connected:
when the dataset shifted
what incident stage dominated
which IP pairs were active inside that window
Would this kind of time-window + endpoint-chain ranking be useful as a DFIR / network-forensics triage layer?