Threat Foundry Platform

ML-Powered CTI, Threat Hunting at AI Velocity

Threat Foundry turns reviewed intelligence into SIEM-ready hunts, EASM findings, Sigma and YARA candidates, entity analysis, and case handoffs while keeping analysts in control.

01 Prioritize

CTI and exposure signals become ranked, reviewable work.

02 Generate

Approved context becomes hunts, attack paths, Sigma, and YARA.

03 Validate

Queries, evidence, entities, and host checks stay analyst-reviewed.

04 Operationalize

Findings flow to cases, tickets, coverage, and reporting.

Platform Model

One operating graph from source intelligence to action.

Threat Foundry is not another queue of disconnected tools. It is a workflow fabric for deciding which signals matter, proving what happened, and creating durable detection and response outputs.

CTI Operations: Source ingestion, review gates, Auto Triage, curation learning, and source-yield modeling.
Hunt Automation: ATT&CK-grounded hunt packages, query overrides, live execution, saved hunts, and reruns.
EASM: External assets, services, findings, DNS/email posture, saved scans, watchlists, and Signals.
Detection Engineering: Review-first Sigma and YARA workflows with evidence, ATT&CK mapping, and exchange controls.
Investigation: Entity Analyzer, command graph, timeline, host investigation, and distilled candidates.
Case & Reporting: Case workspaces, handoffs, external tickets, coverage heatmaps, program metrics, and executive views.

Workflow

From signal to reviewed action, without losing context.

Every workflow keeps the original source, analyst decision, generated artifact, execution result, and handoff trail close together. The point is not automation theater. The point is controlled acceleration.

Signal: CTI, EASM, identity exposure, CVEs, alerts
Review: Quality gate, priority, telemetry, relevance
Generate: Hunts, attack paths, Sigma, YARA
Validate: Run, enrich, entity analyze, host check
Handoff: Case, ticket, report, coverage update

EASM + Identity Exposure

External exposure belongs beside hunt operations.

EASM is not a detached scanner view. It feeds the same operational graph: exposed services, KEVs, DNS/email posture, watched identities, and exposure signals influence hunts, scoring, cases, and reporting.

  • Approved scan plans with host caps, liveness checks, protocol modes, and cancel controls.
  • Saved scans with folders, search, ownership, and clear lifecycle states.
  • HEARTH Watchlist and Signals for VIP, privileged, and alias-mapped identity exposure.
EASM dashboard: assets, findings, watchlist, Signals, detector coverage, saved scans.

Product Views

Real screens for the operating model.

The concept uses live platform screenshots as proof points: intelligence triage, hunt generation, entity analysis, case workflow, and detection engineering stay visually connected to the Three.js operations graph.

Entity Analyzer: Accounts, hosts, processes, and HEARTH context.
EASM Dashboard: External exposure, watchlist, Signals, and findings.
Case Workspace: Evidence, ownership, ticketing, and handoff state.
Sigma / YARA: Detection review with evidence and exchange controls.

Deployment Motion

Built for a clean tenant today, deeper wiring tomorrow.

Threat Foundry can start with approved CTI sources and analyst review, then add Splunk/Sentinel/Elastic/LogScale, EASM scope, field normalization, query overrides, ticketing, and professional services onboarding when the customer is ready.

Clean tenant: No customer secrets or integrations until approved.
Maturity Assessment: Baseline hunt, SOC, exposure, telemetry, and detection maturity before deeper rollout.
Professional Services: Guided onboarding, configuration, integrations, analyst enablement, and operating cadence.
Runtime settings: Tenant-aware AI, SIEM, CTI, and API Connect configuration.
Policy controls: Prompt sources, field mappings, query overrides, scan caps, and RBAC.
Services ready: Ongoing services can tune sources, mappings, reports, workflows, and program outcomes.