Stairwell Run to Ground
Turns a single IOC or hash into a full malware campaign investigation view.

Stairwell Run to Ground Description
Stairwell Run to Ground is a threat investigation capability that converts a single alert, IOC, or file hash into a comprehensive campaign-level view of an attack. Starting from a single file hash or indicator, Run to Ground fans out across the user's private Stairwell vault and a global malware corpus to map the full scope of an attack. It identifies related files by structure and content (not just exact hash matches), discovers every host that possessed or executed a file, and connects associated artifacts such as domains, IPs, and C2 infrastructure. It also identifies droppers, loaders, and second-stage payloads by analyzing low-prevalence files appearing within 24 hours of each variant. The product is built around Variant Discovery, allowing analysts to expand from one malware sample to all repacked, re-signed, and modified variants. It tracks how each variant spread across hosts over time and surfaces connections to threat reports, YARA rules, and shared infrastructure. For host-level scope, Run to Ground identifies which devices possessed a file even if it never executed, shows on-disk file paths including user directories and staging locations, and detects lateral movement and file reuse patterns across systems. Manual pivots from EDR, SIEM, DNS, and threat feeds are automated and consolidated into a single investigation view. The platform runs YARA at scale and applies structured AI reasoning to artifact analysis. Run to Ground is designed to help security teams prove blast radius, trace infection paths, and close investigations with evidence.
Stairwell Run to Ground FAQ
Common questions about Stairwell Run to Ground including features, pricing, alternatives, and user reviews.
Stairwell Run to Ground turns a single IOC or hash into a full malware campaign investigation view. It is developed by Stairwell and is a Security Operations solution designed to help security teams with Threat Hunting, DFIR, and Malware Analysis.