ML-Powered CTI + KEV Hunter
Threat hunting and external KEV scanning at AI velocity
Making enterprise-grade threat hunting accessible to every organization. Threat Foundry learns from CTI intake, ranks high-value signals, scans approved external targets for CISA KEVs, maps evidence to ATT&CK, Sigma, YARA, and KEV context, and turns reviewed intelligence into SIEM-ready hunt and detection packages.
KEV Hunter
Built-in KEV scanning for internet-facing risk.
KEV Hunter is Threat Foundry's external scanning and vulnerability hunting workflow for known exploited vulnerabilities. Analysts define approved targets, run scoped KEV checks, review open ports and services, drill into finding evidence, track remediation status, and export the KEVs that matter most.
- Dashboard cards spotlight total external KEV findings, unique CVEs, affected public assets, overdue remediation, due-soon KEVs, ransomware-associated exposure, newly detected items, remediated items, and reopened findings.
- Finding and asset drilldowns preserve public IP, hostname, URL, port, protocol, confidence, scanner source, CISA metadata, remediation status, and raw evidence.
- One-click detector updates and scheduled daily refreshes keep the managed KEV check library current without asking customers to manage backend templates.
Auto Triage
The critical workflow starts with ranked CTI.
Auto Triage is the front door of Threat Foundry. It scores newly ingested intelligence, promotes the top configured items for the current day or latest source update, and places each item into a review queue before analysts spend hunt time. The quality gate separates Hunt Ready, Review First, Needs Triage, and Not Actionable work so CTI automation produces accountable analyst decisions.



Review Context
Use playbooks and reports to decide what deserves hunting.
Before a hunt exists, analysts can compare CTI against playbooks, program metrics, Sigma and YARA coverage, KEV scan findings, exposure, telemetry readiness, and recent operational history. This keeps automation accountable to the team's actual detection goals instead of turning every feed item into work.
Reporting and Coverage
Leadership views without losing analyst evidence.
Threat Foundry keeps report views close to operational data: hunt activity, workload, Sigma/YARA coverage, telemetry readiness, evidence packages, and baselines.


Build Attack Paths
Turn approved TTPs into ordered hunt logic.
Attack Path Builder lets analysts seed a path from a threat actor or assemble techniques manually, then generate SIEM-ready hunt logic from the exact sequence. It supports staged thinking instead of one-off query generation.
- Drag TTP cards into the investigation order analysts want to test.
- Generate review-only tool queries or generic cross-tool recommendations.
- Run combined searches only after explicit analyst approval.

Sigma and YARA Evidence
Create and review the right detection for the evidence.
Sigma captures behavior in logs; YARA captures file, script, document, and malware-content traits. Threat Foundry helps analysts choose the right lane from CTI, review generated rules before use, and keep detection evidence tied to the original intelligence.
- Highlighted Sigma evidence shows the log field or token that matched.
- YARA drafting uses deterministic feasibility checks before model tokens are spent.
- Rule metadata, references, ATT&CK context, and review status stay beside the detection.

YARA Rule Workflow
Turn file-focused CTI into reviewed YARA rules.
When intelligence includes hashes, filenames, script traits, payload markers, byte patterns, malware family strings, packer indicators, or document artifacts, Threat Foundry routes it toward YARA instead of forcing a log-only detection path.
- Feasibility checks decide whether the source has enough file or content evidence before AI drafting starts.
- Generated YARA stays review-first with validation status, metadata, references, severity, and IOC summaries.
- Rules can be kept private, manually shared, or auto-shared through the opt-in Detection Exchange workflow.
Saved Hunt Review
Review the hunt package before triage.
Saved hunts preserve source context, confidence, generated query references, rerun history, entity coverage, and enrichment actions. Triage happens after review, when a human has seen the evidence and decided it deserves follow-through.


Entity Analyzer
Move from SIEM rows to investigation shape.
Entity Analyzer turns returned hunt results into a practical investigation surface. Analysts can see which accounts, hosts, processes, commands, and related observables recur across the evidence, then pivot without losing the original hunt context.
- Returned fields are normalized into analyst-friendly entity groups.
- Entity pivots keep follow-on hunts grounded in reviewed evidence.
- Candidate ranking highlights the accounts, hosts, commands, and processes worth pursuing.
Host Investigation
Move from saved hunt evidence to Fleet-ready host checks.
Host Investigation turns reviewed Sigma, YARA, and hunt artifacts into read-only osquery checks, confirmed Fleet targets, and hash lookup pivots. Analysts can review the generated SQL, select the checks to run, and keep sandbox or reputation work tied to the saved hunt evidence.
- Reviewable osquery checks stay visible before Fleet execution.
- Hashes and file indicators extracted from Sigma, YARA, CTI, and returned hunt rows become lookup and sandbox pivots.
- Execution is gated by Fleet target matching, RBAC, and saved-hunt audit notes.





Govern the Workflow
Wire the platforms in without hardcoding the process.
Configuration covers query platforms, vendor integrations, field normalization, assets, baselines, API Connect, source refresh behavior, model settings, and audit trails. The product can start in the lab and grow into live SOC wiring.

More From Threat Foundry
Services, security, and field notes around the platform.
Platform Flow
Fresh intelligence becomes reviewed action.
Auto Triage
CTI feeds, emailed threats, reports, KEVs, EDR alerts, external KEV scan findings, and vulnerability context enter a ranked daily review queue.
Review context
Analysts check source detail, playbooks, reports, coverage, and evidence before spending hunt time.
Generate detections
Approved CTI becomes ATT&CK hunt packages, attack paths, Sigma candidates, YARA candidates, and saved evidence.
Investigate and route
Timelines, entity graphs, candidates, triage, cases, reporting, and tickets close the loop.
Deployment
Built for teams wiring real platforms into accountable hunt operations.
Threat Foundry can start with generic hunts and grow into live SIEM, CTI, EDR, KEV Hunter scanning, Sigma, YARA, SOAR, and ticketing integrations.