CTI and exposure signals become ranked, reviewable work.
Threat Foundry Platform
Security operations, rebuilt around intelligence.
Threat Foundry connects CTI, EASM, hunt automation, detection engineering, identity exposure, and case workflows into one analyst-controlled operating model.
Approved context becomes hunts, attack paths, Sigma, and YARA.
Queries, evidence, entities, and host checks stay analyst-reviewed.
Findings flow to cases, tickets, coverage, and reporting.
Platform Model
One operating graph from source intelligence to action.
Threat Foundry is not another queue of disconnected tools. It is a workflow fabric for deciding which signals matter, proving what happened, and creating durable detection and response outputs.
Workflow
From signal to reviewed action, without losing context.
Every workflow keeps the original source, analyst decision, generated artifact, execution result, and handoff trail close together. The point is not automation theater. The point is controlled acceleration.
EASM + Identity Exposure
External exposure belongs beside hunt operations.
EASM is not a detached scanner view. It feeds the same operational graph: exposed services, KEVs, DNS/email posture, watched identities, and exposure signals influence hunts, scoring, cases, and reporting.
- Approved scan plans with host caps, liveness checks, protocol modes, and cancel controls.
- Saved scans with folders, search, ownership, and clear lifecycle states.
- HEARTH Watchlist and Signals for VIP, privileged, and alias-mapped identity exposure.
Product Proof
Use screenshots where the story needs evidence.




Deployment Motion
Built for a clean tenant today, deeper wiring tomorrow.
Threat Foundry can start with approved CTI sources and analyst review, then add Splunk/Sentinel/Elastic/LogScale, EASM scope, field normalization, query overrides, ticketing, and professional services onboarding when the customer is ready.
Assets Needed
Drop these screenshots into TF_WEB2/assets/screens/.
The layout already references these filenames. Once you add them, the placeholders become real proof sections.
- cti-auto-triage.png: Auto Triage or CTI Operations dashboard with ranked items.
- hunt-builder.png: Hunt Builder with query platform and generated hunt context visible.
- easm-dashboard.png: EASM dashboard with Watchlist/Signals or findings visible.
- entity-analyzer.png: Entity Analyzer showing accounts/hosts/processes relationships.
- case-workspace.png: Case or triage workspace with handoff/ticket context.
- sigma-yara.png: Sigma or YARA review evidence, optional for the next pass.