Threat Foundry RC2

A threat operations platform built around evidence continuity.

Prioritize the right intelligence, create reviewable work, investigate the result, and carry what matters into detections, cases, remediations, and reporting.

01IngestCTI, exposure, architecture, telemetry
02ReviewQuality, marking, relevance, currentness
03BuildHunts, detections, paths, remediations
04ProveEntities, findings, cases, reports

Threat intelligence

A normalized intelligence library with review gates.

Bring selected MISP and OpenCTI content into a tenant-owned repository through bounded, read-only synchronization. Add STIX 2.x bundles by file when an upstream server is not available.

  • Source-scoped synchronization with explicit limits
  • Lifecycle, marking, confidence, and content-signature controls
  • Searchable entities and navigable relationship graphs
  • Analyst review before hunt or detection handoff
Threat Intelligence Dashboard
Threat Intelligence DashboardOperational CTI counts, entity distributions, and source progression.

Quality and provenance

Promotion is a decision, not a side effect of ingestion.

Currentness and eligibility are checked at every handoff. Revoked, expired, superseded, unreviewed, or distribution-blocked content cannot silently become a hunt or rule.

SourcePreserved
ReviewRequired
CurrentnessRechecked
CTI Quality Gate
CTI Quality GateA review surface for relevance, marking, evidence, and operational disposition.

Threat hunting

From approved context to a completed, defensible hunt.

Hunt Builder combines analyst direction, ATT&CK context, telemetry expectations, and query policy. Completed hunts preserve execution evidence and review state for reuse, handoff, and reporting.

  • Saved hunts, folders, reruns, and bulk operations
  • Query overrides shown only when relevant
  • Review Queue for candidate disposition
  • Provenance carried forward from CTI and Blueprint sources
Completed Hunt
Completed HuntQuery, execution, evidence, entities, and analyst disposition in one record.

Threat Blueprints

Model how systems can be attacked—and what to do about it.

Import bounded offline exports from AWS, Azure, or Google Cloud to seed components and zones. Map differentiated data flows, run a deterministic STRIDE baseline, and add supplemental AI attack-path analysis when configured.

  • Topology signatures prevent stale findings from moving forward
  • Owners, dispositions, remediations, and evidence are required for review
  • Findings route into CTI, hunts, Sigma candidates, and cases
  • AI supplements rather than replaces the transparent baseline
Threat Blueprint Canvas
Threat Blueprint CanvasSecurity zones, components, and color-coded data-flow relationships.

Detection engineering

Keep detection candidates tied to the evidence that justified them.

Threat Foundry drafts Sigma and YARA content from eligible source evidence. Deterministic feasibility checks reduce weak output, while review, validation, versioning, and sharing controls protect the promotion path.

  • Source-to-rule provenance and ATT&CK mapping
  • Review-first generation and validation workflow
  • Severity normalization across imported content
  • Controlled Detection Exchange participation
Coverage Heatmap
Coverage HeatmapATT&CK coverage with Sigma, YARA, and evidence drill-down.

Investigation and cases

Turn returned rows into an evidence story.

Entity Analyzer, timelines, command analysis, host pivots, and relationship graphs help analysts connect behavior. Cases preserve immutable operational events, ownership, signoff, blockers, and explicit override reasons.

  • Entity-aware timelines and graph exploration
  • Case event history separate from triage artifacts
  • Closure blockers and signoff requirements
  • Operational, investigation, and executive reporting
Entity Analyzer
Entity AnalyzerAccounts, assets, processes, and relationships sized for readable exploration.

Supporting workflows

Built to connect what happens around the hunt.

EX

External attack surface

Track assets, services, KEVs, non-KEV findings, watchlists, and retest lifecycle.

CA

Cases and handoffs

Move reviewed evidence into ownership, ticketing, signoff, and auditable closure.

RP

Reporting

Separate analyst, SOC lead, and executive information needs without losing lineage.

Connected views

Explore the relationships, findings, and exposure behind the work.

CTI Relationship Graph
CTI Relationship GraphExplore bounded entity and relationship context without losing readable labels.
Blueprint Remediations
Blueprint RemediationsReview current findings, ownership, recommended action, and disposition.
EASM Command Center
EASM Command CenterExposure inventory, KEVs, findings, owners, and retest state.
Case Workspace
Case WorkspaceEvidence history, ownership, signoff, blockers, and external handoff.

Start with the workflow

See your threat operations workflow as one system.

Bring your current CTI, telemetry, architecture, and analyst process. We will map the fastest path to a useful deployment.

Request a working session