Cobalt Strike remains one of the most prevalent attack frameworks used by threat actors and has even grown in popularity. Regardless of the attacker’s motive, it continues to play a recurring role in intrusions due to its wide availability, flexibility, and ability to remain undetected on most victim networks. In this talk, Callum and James discuss proven and effective strategies for detecting Cobalt Strike. This talk is built from insights gained over years of threat detection research, incident response cases, and managed detection and response investigations. They break down recent real-world incidents, identifying and explaining the key detection opportunities in each, and revealing the detection logic and strategies that have continually allowed them to stay one step ahead. They also provide insight into how attackers are leveraging Cobalt Strike, and what can be learnt from their patterns of behavior, to help develop a robust detection capability.