Run-to-Ground Overview

Run-to-Ground (RTG) is a pivotal workflow in Stairwell that turns a single suspicious hash into a full picture of related activity across your environment.

What is Run-to-Ground

Run-to-Ground takes a file hash and finds every object that entered your environment around the same time, then highlights what Stairwell considers interesting about those objects. Specifically, RTG:

  1. Finds all sightings of your reference object.
  2. Identifies variants of the reference object up to two levels deep.
  3. Discovers any other objects that entered your environment within 24 hours of any variant sighting.
  4. Filters results by prevalence, surfacing only uncommon objects that co-occurred with the suspicious file.

At most 200 objects are displayed per variant.
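To make the four steps concrete, the following is an added illustration of the RTG correlation logic over a small set of constructed sightings; it is not Stairwell's code. It assumes sightings are (hash, asset, first-seen) records, that variant relationships are available as links between hashes, and that "uncommon" means seen on no more than max_assets distinct assets (the page does not state Stairwell's prevalence threshold).

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sightings, not real Stairwell data: (hash, asset, first_seen).
SIGHTINGS = [
    ("ref000", "host-a", "2024-03-01T10:00:00"),  # reference object
    ("var111", "host-b", "2024-03-02T12:00:00"),  # variant, 1 hop from ref
    ("var222", "host-c", "2024-03-03T21:00:00"),  # variant, 2 hops from ref
    ("var333", "host-d", "2024-03-05T09:00:00"),  # 3 hops: beyond RTG depth
    ("tool22", "host-a", "2024-03-01T10:05:00"),  # rare, arrived with ref
    ("tool33", "host-b", "2024-03-02T20:00:00"),  # rare, arrived with var111
    ("tool44", "host-d", "2024-03-05T22:00:00"),  # rare, but only near var333
    ("sys444", "host-a", "2024-03-01T10:01:00"),  # widespread: filtered out
    ("sys444", "host-b", "2024-03-02T12:30:00"),
]
# Constructed variant links (e.g. similarity matches), reference -> variant.
VARIANT_LINKS = {"ref000": ["var111"], "var111": ["var222"], "var222": ["var333"]}

def find_variants(ref, links, depth=2):
    # Breadth-first walk, at most `depth` hops; returns {hash: hops}, ref at 0.
    hops = {ref: 0}
    queue = deque([ref])
    while queue:
        cur = queue.popleft()
        if hops[cur] == depth:
            continue
        for nxt in links.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def run_to_ground(ref, sightings, links, window_hours=24, max_assets=1, cap=200):
    # Per variant: uncommon objects first seen within the window of any of its sightings.
    # Prevalence = distinct assets; max_assets is an assumed cut-off (page states none).
    prevalence = Counter(h for h, _ in {(h, a) for h, a, _ in sightings})
    parsed = [(h, a, datetime.fromisoformat(t)) for h, a, t in sightings]
    window = timedelta(hours=window_hours)
    variants = find_variants(ref, links)
    results = {}
    for v in variants:
        v_times = [t for h, _, t in parsed if h == v]
        hits = defaultdict(set)
        for h, asset, t in parsed:
            if h in variants or prevalence[h] > max_assets:
                continue  # skip the variant set itself and widespread objects
            if any(abs(t - vt) <= window for vt in v_times):
                hits[h].add(asset)
        results[v] = dict(sorted(hits.items())[:cap])  # at most `cap` per variant
    return results
```

Running run_to_ground("ref000", SIGHTINGS, VARIANT_LINKS) attributes tool22 to the reference object and tool33 to var111, while sys444 (too widespread), tool44 (only near the out-of-depth var333) and var333 itself drop out.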

When to Use It

RTG is most valuable during the early stages of incident response and threat hunting:

  • Triage a new alert -- Start from a single hash flagged by a detection rule and quickly see what else arrived alongside it.
  • Scope an intrusion -- Determine whether a confirmed malicious file was part of a broader toolset or campaign.
  • Hunt proactively -- Feed hashes from external threat intelligence into RTG to check for related activity you may have missed.
  • Validate clean-up -- After remediation, confirm no related variants or co-deployed tools remain in your environment.

Access Run-to-Ground

From the Stairwell UI:

  1. Locate any file hash in Stairwell -- in a search result, object detail panel, threat report, or any other view.
  2. Right-click the hash to open the Stairwell context menu.
  3. Under Workflows, select Run to ground.

Bulk selection (up to 5 hashes):

  1. In any list view that supports multi-select (search results, threat reports, etc.), select the checkboxes next to up to 5 hashes.
  2. Right-click any of the selected hashes.
  3. Choose Run to ground from the context menu.

From the Chrome Extension:

  1. Install the Stairwell Chrome Extension.
  2. As you browse any webpage, recognized hashes are highlighted with an orange gradient.
  3. Right-click a highlighted hash and select Run to ground from the Stairwell context menu.
  4. Stairwell opens in a new tab and displays the RTG results.

Working with large RTG graphs

RTG can return up to 200 objects per variant, and with multiple variants across multiple sightings, the result set can become large quickly. A large graph is not a problem -- it means Stairwell found significant related activity -- but it does require a prioritization strategy.

Start with the reference object's sightings. Before analyzing co-occurring files, confirm how widely the original hash spread across your environment. A hash seen on 200 assets is a different investigation than one seen on a single endpoint.

Filter by Mal-Eval score first. Stairwell's Mal-Eval score reflects the automated probability of maliciousness. Prioritize objects with high Mal-Eval scores before investigating low-scoring or unscored objects.

Look for clusters, not individual files. Attackers rarely deploy a single file. In RTG results, look for groups of unfamiliar objects that arrived within the same narrow time window -- these clusters often represent toolsets or installer packages and are more diagnostic than any individual file.

Treat high-prevalence objects as noise. RTG already filters by prevalence, but if you're still seeing common system files or widespread legitimate software, apply an Opinion of TRUSTED to those objects and re-run RTG. The filtered result set will be cleaner.

Spawn separate investigations for unrelated threads. When RTG reveals a file that warrants its own investigation but is tangentially related to the original alert, open a new RTG from that hash rather than trying to hold both threads in the same graph. This keeps each investigation scoped and documentable.

When RTG reveals nothing significant: A clean RTG result is a meaningful finding. It means the suspicious file arrived alone, with no co-deployed toolset and no variants present elsewhere in your environment. Document this outcome -- it narrows the scope of a potential incident and reduces response effort.