Analyst field observations, infrastructure anomalies, methodology lessons, and threat hunting findings.