Attribute
From raw observables to a defensible assessment of who is behind them.
Attribution Engine
Select observed techniques and rank threat groups by naive-Bayes posterior over ATT&CK group–technique mappings — with confidence banners that push back against over-attribution.
APT Profiles
A dossier for every tracked group: aliases, tactic footprint, associated software, attributed campaigns, and its rarest — most diagnostic — techniques.
Compare Actors
Jaccard overlap analysis for 2–3 groups. See shared tradecraft versus the unique techniques that actually tell confusable actors apart.
Ingest
Live collection from public reporting, vulnerability data, and open indicator feeds — sources curated with the awesome-threat-intelligence list.
Intel Feed
30+ credible RSS sources (CISA, Talos, Unit 42, Mandiant, DFIR Report, Trend Micro, JPCERT…) auto-enriched with extracted TTPs and IOCs, filtered to your sector, flagged against your PIRs.
Vulnerability Radar
Live CVEs from NVD scored into a composite 0–100 risk using CVSS, CISA-KEV exploitation status, EPSS probability, and sector relevance.
IOC Feeds
Fetch open blocklists — IPsum, ThreatFox, URLhaus, Feodo Tracker, SSL Blacklist, OpenPhish, CINS, Emerging Threats — then look up any indicator or cross-check your whole case against them in one click.
Extract & Map
Turn unstructured reporting and raw scan output into structured ATT&CK data.
Report Extractor
Paste text, fetch a URL, or load a PDF. Four extraction layers — explicit IDs, technique names, ~55 analyst-phrasing patterns, TF-IDF semantics — with a sentence-level evidence map.
Scan → TTP
Import a Nessus export or paste CVEs; every CVE resolves to ATT&CK techniques via the cve2capec database and renders as a CVSS-weighted heatmap.
Hunt Plan
A data-component radar shows how your technique set maps to host collection, interrogation, network, and memory telemetry — and an optimizer picks the tactic mix closest to the ideal hunt profile.
Operate
The connective tissue that turns nine tabs into one workflow.
Active Case Spineworkflow
One live case collects everything you touch — TTPs, IOCs, CVEs, reports — from every tab, automatically. IOCs are first-class: typed, deduplicated, and exported as STIX indicators.
Guided Workflowsworkflow
Steppers that walk an investigation end-to-end — Report Triage, Scan → Hunt, Actor Assessment — switching tabs for you and carrying context between steps.
Send-to Busworkflow
Every artifact — technique, IOC, CVE, report, group — carries one consistent menu that routes it anywhere: Attribution, case, Hunt Plan, Profile Match, Compare, or straight to an export.
Match & Ship
Score hypotheses and hand results to the rest of the stack.
Profile Match
Build reusable threat profiles from APT footprints (or import .pir files) and score any selection or scan against them with precision, recall, and F1.
Detection Handoff
Generate candidate Sigma rules from any TTP set, with process-image and command-line heuristics per technique family — starting points to tune, not black boxes.
Standards Exports
STIX 2.1 bundles for MISP/OpenCTI, ATT&CK Navigator layers (including CVSS-weighted scan heatmaps), IOC lists, and shareable profiles.