Threat Foundry RC2
A threat operations platform built around evidence continuity.
Prioritize the right intelligence, create reviewable work, investigate the result, and carry what matters into detections, cases, remediations, and reporting.
Threat intelligence
A normalized intelligence library with review gates.
Bring selected MISP and OpenCTI content into a tenant-owned repository through bounded, read-only synchronization. Add STIX 2.x bundles by file when an upstream server is not available.
- Source-scoped synchronization with explicit limits
- Lifecycle, marking, confidence, and content-signature controls
- Searchable entities and navigable relationship graphs
- Analyst review before hunt or detection handoff
Quality and provenance
Promotion is a decision, not a side effect of ingestion.
Currentness and eligibility are checked at every handoff. Revoked, expired, superseded, unreviewed, or distribution-blocked content cannot silently become a hunt or rule.
Threat hunting
From approved context to a completed, defensible hunt.
Hunt Builder combines analyst direction, ATT&CK context, telemetry expectations, and query policy. Completed hunts preserve execution evidence and review state for reuse, handoff, and reporting.
- Saved hunts, folders, reruns, and bulk operations
- Query overrides shown only when relevant
- Review Queue for candidate disposition
- Provenance carried forward from CTI and Blueprint sources
Threat Blueprints
Model how systems can be attacked—and what to do about it.
Import bounded offline exports from AWS, Azure, or Google Cloud to seed components and zones. Map differentiated data flows, run a deterministic STRIDE baseline, and add supplemental AI attack-path analysis when configured.
- Topology signatures prevent stale findings from moving forward
- Owners, dispositions, remediations, and evidence are required for review
- Findings route into CTI, hunts, Sigma candidates, and cases
- AI supplements rather than replaces the transparent baseline
Detection engineering
Keep detection candidates tied to the evidence that justified them.
Threat Foundry drafts Sigma and YARA content from eligible source evidence. Deterministic feasibility checks reduce weak output, while review, validation, versioning, and sharing controls protect the promotion path.
- Source-to-rule provenance and ATT&CK mapping
- Review-first generation and validation workflow
- Severity normalization across imported content
- Controlled Detection Exchange participation
Investigation and cases
Turn returned rows into an evidence story.
Entity Analyzer, timelines, command analysis, host pivots, and relationship graphs help analysts connect behavior. Cases preserve immutable operational events, ownership, signoff, blockers, and explicit override reasons.
- Entity-aware timelines and graph exploration
- Case event history separate from triage artifacts
- Closure blockers and signoff requirements
- Operational, investigation, and executive reporting
Supporting workflows
Built to connect what happens around the hunt.
External attack surface
Track assets, services, KEVs, non-KEV findings, watchlists, and retest lifecycle.
Cases and handoffs
Move reviewed evidence into ownership, ticketing, signoff, and auditable closure.
Reporting
Separate analyst, SOC lead, and executive information needs without losing lineage.
Connected views
Explore the relationships, findings, and exposure behind the work.
Explore complete workflows
See the operating model from intake through evidence and reporting.
These full-page views show how modeling, hunting, investigations, identity exposure, and reports retain context across the analyst workflow. Select any image for the full-resolution capture.
Start with the workflow
See your threat operations workflow as one system.
Bring your current CTI, telemetry, architecture, and analyst process. We will map the fastest path to a useful deployment.