The difference between a bored analyst and a dangerous one is not access to better data. It's the ability to see the data that's already there.
Marco Cremonini's work on data visualization in R and Python is not a data science textbook in the usual sense. It is a framework for making the invisible legible — a skill that matters more in 2026 than at any previous point, because the volume of data has outpaced the ability of any rule-based alert system to interpret it. The SIEM fires on signatures. The human who visualized the underlying distribution three weeks ago noticed the distribution was moving.
Traffic Timing Side-Channels
The rootkit that a standard monitor misses is not loud. It doesn't generate unusual network volume or trigger rate-limiting. It maintains a heartbeat — a regular, low-amplitude communication with its command and control infrastructure. The signature of that heartbeat is not in the packet content. It's in the timing.
Inter-arrival time analysis is how you find it.
```python
import matplotlib.pyplot as plt
import numpy as np


def plot_packet_timing(timestamps: list[float], label: str = "traffic") -> None:
    """
    Visualize inter-arrival times for a packet capture.
    Normal HTTP traffic: irregular, bursty, human-shaped.
    C2 beacon traffic: suspiciously regular intervals.
    The heartbeat is visible before you know what it's connected to.
    """
    intervals = np.diff(sorted(timestamps))
    fig, (ax1, ax2) = plt.subplots(1, 2, figsize=(12, 4))

    # Distribution of inter-arrival times
    ax1.hist(intervals, bins=50, color='#1a1a2e', edgecolor='#16213e')
    ax1.set_xlabel('Inter-arrival time (seconds)')
    ax1.set_ylabel('Count')
    ax1.set_title(f'{label} — Timing Distribution')

    # Autocorrelation — regularity shows up as peaks at beacon interval.
    # Each lag needs at least two overlapping samples, hence len(intervals) - 1.
    autocorr = [np.corrcoef(intervals[:-k], intervals[k:])[0, 1]
                for k in range(1, min(50, len(intervals) - 1))]
    ax2.plot(range(1, len(autocorr) + 1), autocorr, color='#e94560')
    ax2.axhline(y=0, color='gray', linestyle='--', alpha=0.5)
    ax2.set_xlabel('Lag')
    ax2.set_ylabel('Autocorrelation')
    ax2.set_title(f'{label} — Periodicity Check')

    plt.tight_layout()
    plt.savefig(f'{label}_timing.png', dpi=150, bbox_inches='tight')
    plt.close(fig)

# Human traffic: no autocorrelation peaks, irregular histogram
# C2 beacon at 300s: spike at lag corresponding to 300s interval
# That spike is the process the EDR logged as normal
```
The histogram tells you the shape of the traffic. The autocorrelation tells you whether it has rhythm. Rhythm in network traffic that shouldn't have rhythm is a question worth asking.
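The same question can be asked without a plot, so it can run over every flow in a capture. This is an added example, not code from the original post: it scores the regularity of the inter-arrival times (coefficient of variation) and runs the periodicity check on the binned event-count series, so the strongest lag maps directly to a beacon interval in seconds. The function names, thresholds, and the two sample flows are constructed for illustration.

```python
import numpy as np

def interval_regularity(timestamps):
    """Coefficient of variation (std / mean) of the inter-arrival times.
    A metronomic beacon scores near 0; bursty human traffic scores well above 1."""
    intervals = np.diff(np.sort(np.asarray(timestamps, dtype=float)))
    if len(intervals) < 2 or intervals.mean() == 0:
        return float("inf")
    return float(intervals.std() / intervals.mean())

def dominant_period(timestamps, bin_s=10.0, max_lag_s=900.0):
    """Bin timestamps into event counts per `bin_s` seconds and compute the
    autocorrelation of that count series. Returns (period_seconds, r) for the
    strongest lag, so a beacon every P seconds peaks at P; None if too little data."""
    ts = np.sort(np.asarray(timestamps, dtype=float))
    if len(ts) < 3:
        return None
    idx = ((ts - ts[0]) // bin_s).astype(int)
    counts = np.bincount(idx).astype(float)   # events per bin
    counts -= counts.mean()                   # centre so r lies in [-1, 1]
    denom = float(np.dot(counts, counts))
    max_lag = min(int(max_lag_s // bin_s), len(counts) // 2)
    if denom == 0 or max_lag < 1:
        return None
    best = None
    for k in range(1, max_lag + 1):
        r = float(np.dot(counts[:-k], counts[k:]) / denom)
        if best is None or r > best[1]:
            best = (k * bin_s, r)
    return best

def looks_like_beacon(timestamps, cv_max=0.2, r_min=0.6):
    """Flag a flow whose intervals are regular AND whose count series is periodic.
    Thresholds are illustrative assumptions; tune them on your own baseline."""
    period = dominant_period(timestamps)
    return (interval_regularity(timestamps) <= cv_max
            and period is not None and period[1] >= r_min)

# Constructed samples (not captured data): a 300 s beacon with sub-second jitter,
# and a bursty "human" flow of 5-request page loads at irregular offsets.
BEACON = [300.0 * n + 0.5 * abs(np.sin(n)) for n in range(20)]
HUMAN = [base + off for base in (0, 47, 131, 260, 412, 590, 603, 890)
         for off in (0.0, 0.3, 0.7, 1.2, 2.0)]

if __name__ == "__main__":
    for name, flow in (("beacon", BEACON), ("human", HUMAN)):
        print(name, round(interval_regularity(flow), 3),
              dominant_period(flow), looks_like_beacon(flow))
```

The beacon reports a period of 300 s with autocorrelation close to 1 and a near-zero coefficient of variation; the bursty flow has no lag above 0.5 and a coefficient of variation above 1.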
The Attacker's Geography
A coordinated state-sponsored campaign doesn't look like a single source. It looks like a dozen login attempts distributed across time zones, each individually below the alert threshold, collectively forming a pattern that only becomes visible when the log entries are plotted as geography and time simultaneously.
```python
import seaborn as sns
import pandas as pd
import matplotlib.pyplot as plt


def plot_login_heatmap(auth_logs: pd.DataFrame) -> None:
    """
    auth_logs columns: timestamp (datetime), country_code (str), success (bool)
    Visualize failed authentication attempts by hour-of-day and origin country.
    'Follow-the-Sun' campaigns appear as diagonal bands — handoffs between
    attacker teams in different time zones maintaining continuous pressure.
    Single-operator campaigns appear as a geographic cluster with gaps.
    """
    # Work on a copy so the caller's frame is not modified
    failed = auth_logs.loc[~auth_logs['success']].copy()
    failed['hour'] = failed['timestamp'].dt.hour
    pivot = failed.pivot_table(
        index='country_code',
        columns='hour',
        values='success',
        aggfunc='count',
        fill_value=0
    )

    plt.figure(figsize=(16, 8))
    sns.heatmap(
        pivot,
        cmap='Reds',
        linewidths=0.5,
        linecolor='#1a1a1a',
        cbar_kws={'label': 'Failed Attempts'}
    )
    plt.title('Authentication Failures by Origin and Hour (UTC)')
    plt.xlabel('Hour of Day (UTC)')
    plt.ylabel('Country')
    plt.tight_layout()
    plt.savefig('login_geography.png', dpi=150, bbox_inches='tight')
    plt.close()

# The diagonal band across three country rows is the handoff.
# The gap between 02:00 and 06:00 UTC is when the team sleeps.
# The spike at 09:00 UTC from a new country code is the morning shift.
# These are operational patterns. They are invisible in a log file.
# They are obvious in a heat map.
```
Visual Injection
The attack on the dashboard is not theoretical.
An attacker with write access to the telemetry pipeline — or with the ability to manipulate what the monitoring agent reports — can make an active exfiltration look like normal operation. Smooth the spike. Truncate the outlier. Shift the baseline. The analyst sees green. The database is leaving.
