Osquery is a lightweight host intrusion detection tool that organizations can use to monitor extremely large production environments as well as smaller corporate environments. In this talk, we will discuss how to get started with osquery and how the way that you manage osquery may change as your organization and objectives evolve. Starting small with an initial PoC, it’s important to exhibit a full detection pipeline as quickly and simply as possible. Over time, as you instrument more environments at your organization, the tools that are available for device configuration and communication will likely change. With many environments to monitor, we will be able to take advantage of more osquery features that allow us to succinctly and dynamically reason about attack surface based on system state. As we talk through this evolution, we will discuss proven strategies and common pitfalls.