Threat Foundry Platform

Security operations, rebuilt around intelligence.

Threat Foundry connects CTI, EASM, hunt automation, detection engineering, identity exposure, and case workflows into one analyst-controlled operating model.

01 Prioritize

CTI and exposure signals become ranked, reviewable work.

02 Generate

Approved context becomes hunts, attack paths, Sigma, and YARA.

03 Validate

Queries, evidence, entities, and host checks stay analyst-reviewed.

04 Operationalize

Findings flow to cases, tickets, coverage, and reporting.

Platform Model

One operating graph from source intelligence to action.

Threat Foundry is not another queue of disconnected tools. It is a workflow fabric for deciding which signals matter, proving what happened, and creating durable detection and response outputs.

CTI Operations: Source ingestion, review gates, Auto Triage, curation learning, and source-yield modeling.
Hunt Automation: ATT&CK-grounded hunt packages, query overrides, live execution, saved hunts, and reruns.
EASM: External assets, services, findings, DNS/email posture, saved scans, watchlists, and Signals.
Detection Engineering: Review-first Sigma and YARA workflows with evidence, ATT&CK mapping, and exchange controls.
Investigation: Entity Analyzer, command graph, timeline, host investigation, and distilled candidates.
Case & Reporting: Case workspaces, handoffs, external tickets, coverage heatmaps, program metrics, and executive views.

Workflow

From signal to reviewed action, without losing context.

Every workflow keeps the original source, analyst decision, generated artifact, execution result, and handoff trail close together. The point is not automation theater. The point is controlled acceleration.

Signal: CTI, EASM, identity exposure, CVEs, alerts
Review: Quality gate, priority, telemetry, relevance
Generate: Hunts, attack paths, Sigma, YARA
Validate: Run, enrich, entity analyze, host check
Handoff: Case, ticket, report, coverage update

EASM + Identity Exposure

External exposure belongs beside hunt operations.

EASM is not a detached scanner view. It feeds the same operational graph: exposed services, KEVs, DNS/email posture, watched identities, and exposure signals influence hunts, scoring, cases, and reporting.

  • Approved scan plans with host caps, liveness checks, protocol modes, and cancel controls.
  • Saved scans with folders, search, ownership, and clear lifecycle states.
  • HEARTH Watchlist and Signals for VIP, privileged, and alias-mapped identity exposure.
EASM dashboard screenshot placeholder
EASM dashboard: assets, findings, watchlist, Signals, detector coverage, saved scans.

Product Proof

Use screenshots where the story needs evidence.

CTI Auto Triage screenshot placeholder
CTI Auto Triage
Hunt Builder screenshot placeholder
Hunt Builder
Entity Analyzer screenshot placeholder
Entity Analyzer
Case Workspace screenshot placeholder
Case Workspace

Deployment Motion

Built for a clean tenant today, deeper wiring tomorrow.

Threat Foundry can start with approved CTI sources and analyst review, then add Splunk/Sentinel/Elastic/LogScale, EASM scope, field normalization, query overrides, ticketing, and professional services onboarding when the customer is ready.

Clean tenant: No customer secrets or integrations until approved.
Runtime settings: Tenant-aware AI, SIEM, CTI, and API Connect configuration.
Policy controls: Prompt sources, field mappings, query overrides, scan caps, and RBAC.
Services ready: Professional services can onboard sources, mappings, reports, and operating cadence.

Assets Needed

Drop these screenshots into TF_WEB2/assets/screens/.

The layout already references these filenames. Once you add them, the placeholders become real proof sections.

  1. cti-auto-triage.png - Auto Triage or CTI Operations dashboard with ranked items.
  2. hunt-builder.png - Hunt Builder with query platform and generated hunt context visible.
  3. easm-dashboard.png - EASM dashboard with Watchlist/Signals or findings visible.
  4. entity-analyzer.png - Entity Analyzer showing accounts/hosts/processes relationships.
  5. case-workspace.png - Case or triage workspace with handoff/ticket context.
  6. sigma-yara.png - Sigma or YARA review evidence, optional for the next pass.