One operator console. End to end.
Search the indicator catalogue, run hunts against your own telemetry, manage detection portfolios as code, subscribe to advisories — all from a single console with single sign-on, role-based access, and an audit log on every action.
Built around four operational primitives: search, hunt, detect, brief. No bolt-on integrations, no second login, no learning a new query language.
Five sub-pages, deep documentation
Each area has its own detailed page with screenshots from the user guide, workflow walkthroughs, and field references.
Platform Architecture
End-to-end data flow across seven stages — sources, ingest, enrich, catalogue, Intelligence Cluster Analytics (ML), outputs, and your stack. Full diagram with every component named, every flow path labelled, and a written walkthrough of every stage.
Intelligence Overview
The day-one situational view. Headline counters, severity distribution, top actors, IOCs by day, IOCs by source, IOCs by geography — refreshed every page load.
Threat Actors
The canonical view of every named adversary observed across the platform. Searchable grid of actor cards with per-actor detail, indicators, target geography, time-series.
C2 Operations
Dedicated view of command-and-control infrastructure. C2 indicators behave differently — perishable, frequently reused, central to active campaigns — so they get a dedicated triage page.
Knowledge Graph
Three lenses on relationship structure. IOC Clusters groups actors by observable similarity. CIDR Clusters surfaces shared /24 infrastructure. Network View shows the C2 graph.
What the platform does
Built around four operational primitives: search, hunt, detect, brief.
Indicator search
Atom-level search across IPs, domains, URLs, hashes, emails, processes. Pivots via adversary, campaign, MITRE technique, geography, industry, CVE. Sub-second response on the full catalogue.
Hunt execution
Run hunt definitions against connected log sources — VPC Flow, CloudTrail, K8s audit, EDR. Results land in an analyst queue with triage workflow.
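Worked example, added here and not the platform's own code: a hunt definition in Python that reads VPC Flow Log records, matches each destination against a C2 indicator export, orders the hits for an analyst queue, and groups them by /24, the same cut the CIDR Clusters lens described above makes. The flow-log lines and the indicator table are constructed sample data (documentation and RFC 1918 address ranges, not real traffic); the record layout is the default version 2 VPC Flow Log format, while the indicator table shape, the actor names and the queue ordering are assumptions, since the page does not show the platform's own formats.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) VPC Flow Log field order, space separated.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]

# Constructed sample records (RFC 5737 / RFC 1918 addresses, not real traffic).
# Includes an ACCEPTed beacon, a REJECTed retry and a NODATA row to skip.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 49152 443 6 12 3840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49153 443 6 4 512 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 203.0.113.77 49154 8443 6 30 9000 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 203.0.113.10 49155 443 6 2 120 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000030 1700000090 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.1.40 192.0.2.5 49156 80 6 10 2000 1700000040 1700000100 ACCEPT OK
"""

# Hypothetical C2 indicator export: IP -> (actor, confidence). Shape is an assumption.
C2_INDICATORS = {
    "203.0.113.10": ("ACTOR-A", 90),
    "203.0.113.77": ("ACTOR-A", 70),
    "198.51.100.7": ("ACTOR-B", 60),
}


def parse_flow_log(text):
    """Yield one dict per usable record; skip NODATA/SKIPDATA rows and malformed lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue  # custom-format or truncated row; a real hunt would count these
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # address fields are '-' on NODATA/SKIPDATA rows
        yield rec


def hunt_c2(text, indicators):
    """Return one hit per flow whose destination is a known C2 indicator."""
    hits = []
    for rec in parse_flow_log(text):
        ioc = indicators.get(rec["dstaddr"])
        if ioc is None:
            continue
        actor, confidence = ioc
        hits.append({
            "src": rec["srcaddr"], "dst": rec["dstaddr"], "dstport": int(rec["dstport"]),
            "action": rec["action"], "bytes": int(rec["bytes"]),
            "actor": actor, "confidence": confidence,
        })
    return hits


def cluster_by_cidr(hits, prefixlen=24):
    """Group hits by the /24 containing the destination (the CIDR Clusters cut)."""
    clusters = defaultdict(list)
    for h in hits:
        net = ipaddress.ip_network(f"{h['dst']}/{prefixlen}", strict=False)
        clusters[str(net)].append(h)
    return dict(clusters)


def triage_queue(hits):
    """Order hits for the analyst queue: ACCEPTed flows first, then by confidence, then volume."""
    return sorted(hits, key=lambda h: (h["action"] != "ACCEPT", -h["confidence"], -h["bytes"]))


if __name__ == "__main__":
    found = hunt_c2(SAMPLE_FLOW_LOG, C2_INDICATORS)
    for net, members in cluster_by_cidr(found).items():
        print(net, [m["dst"] for m in members])
    for h in triage_queue(found):
        print(h["action"], h["confidence"], h["src"], "->", h["dst"], h["dstport"])
```

Against the Athena-backed query plane the same match is a single join between the flow-log table and the indicator table on dstaddr; the Python version above is what the hunt does, expressed so it runs offline over the embedded sample.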
Detection-as-code
Manage your detection portfolio in version control. Metrics, backtests, and review history per rule. Promote hunts to continuous detections via PR.
Briefing delivery
Weekly threat advisories delivered via email, webhook, or platform UI. Indicator delta packs ready for SIEM ingest.
Where the platform connects
SIEM ingest
Streaming export of indicator deltas — JSON, STIX 2.1, CSV. Cursor pagination, change feeds.
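Worked example, added here and not the platform's own code: a consumer for a cursor-paginated indicator change feed that applies add/revoke deltas to a local table, persists the cursor only after a page has been fully applied, and serialises the current set as STIX 2.1 indicator objects for SIEM ingest. The feed's page shape (items, next_cursor, an op per item), the endpoint name and the ID namespace are assumptions, simulated in memory so the code runs offline; the STIX 2.1 indicator fields and pattern syntax follow the STIX 2.1 specification.

```python
import uuid
from datetime import datetime, timezone

# Constructed pages of a hypothetical change feed (assumed shape: items + next_cursor,
# each item an "add" or "revoke" delta). An empty page means the feed is caught up.
FEED_PAGES = {
    None: {"items": [
        {"seq": 1, "op": "add", "type": "ipv4", "value": "203.0.113.10",
         "actor": "ACTOR-A", "confidence": 90},
        {"seq": 2, "op": "add", "type": "domain", "value": "c2.example",
         "actor": "ACTOR-A", "confidence": 75},
    ], "next_cursor": "after-2"},
    "after-2": {"items": [
        {"seq": 3, "op": "revoke", "type": "ipv4", "value": "203.0.113.10"},
        {"seq": 4, "op": "add", "type": "sha256",
         "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
         "actor": "ACTOR-B", "confidence": 60},
    ], "next_cursor": "after-4"},
    "after-4": {"items": [], "next_cursor": "after-4"},
}

# STIX 2.1 pattern templates for the indicator types carried by the feed.
STIX_PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Fixed namespace (assumption) so the same indicator gets the same STIX id on every export.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/indicators")


def fetch_page(cursor):
    """Stand-in for the HTTP call (hypothetical GET /indicators/changes?cursor=...)."""
    return FEED_PAGES[cursor]


def apply_delta(state, item):
    """Apply one delta idempotently: re-adding overwrites, revoking an absent key is a no-op."""
    key = (item["type"], item["value"])
    if item["op"] == "add":
        state[key] = {"actor": item["actor"], "confidence": item["confidence"],
                      "seq": item["seq"]}
    elif item["op"] == "revoke":
        state.pop(key, None)
    else:
        raise ValueError(f"unknown op {item['op']!r}")


def sync(state, cursor=None):
    """Walk the feed from `cursor`, applying every page; return the cursor to persist.

    The cursor advances only after a whole page is applied, so a crash mid-page
    replays that page in order (safe) and never skips one. Never resume from a
    cursor older than the persisted one: an earlier "add" would resurrect an
    indicator that a later page revoked.
    """
    while True:
        page = fetch_page(cursor)
        if not page["items"]:
            return cursor
        for item in page["items"]:
            apply_delta(state, item)
        cursor = page["next_cursor"]


def to_stix_bundle(state, now=None):
    """Serialise the current indicator set as a STIX 2.1 bundle of indicator objects."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for (itype, value), meta in sorted(state.items(), key=lambda kv: kv[1]["seq"]):
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(ID_NAMESPACE, f'{itype}:{value}')}",
            "created": ts,
            "modified": ts,
            "name": f"{meta['actor']} {itype} indicator",
            "indicator_types": ["malicious-activity"],
            "pattern": STIX_PATTERNS[itype].format(v=value),
            "pattern_type": "stix",
            "valid_from": ts,
            "confidence": meta["confidence"],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    import json
    current = {}
    persisted_cursor = sync(current)
    print(json.dumps(to_stix_bundle(current), indent=2))
    print("persist cursor:", persisted_cursor)
```

Store the returned cursor alongside the local table and pass it back on the next run; the feed then returns only deltas published since, which is what keeps SIEM-side indicator lists current without re-ingesting the whole catalogue.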
AWS log sinks
Attach S3-stored VPC Flow Logs, CloudTrail, and Kubernetes audit logs. Athena-backed query plane.
SOAR webhooks
Forward enrichment results into your SOAR. Lookup-on-demand or push-on-publish modes.
Detection-as-code
GitOps integration for rule lifecycle. Promote a hunt to a continuous detection via PR.