ML-Powered CTI

ML-Powered CTI, Threat Hunting at AI Velocity

Making enterprise-grade threat hunting accessible to every organization. Threat Foundry learns from CTI intake, ranks high-value signals, maps them to ATT&CK, Sigma, and YARA context, and turns reviewed intelligence into SIEM-ready hunt and detection packages.

Request a briefing See the workflow Professional services

ML CTIDaily intelligence learning, source context, relevance gates, and analyst review states.

DecidePlaybooks, coverage, and reporting context help choose what deserves a hunt.

DetectATT&CK packages, attack paths, Sigma candidates, YARA candidates, SIEM queries, and saved evidence.

InvestigateEntity analyzer, timeline, command graph, candidate ranking, triage, and cases.

Auto Triage

The critical workflow starts with ranked CTI.

Auto Triage is the front door of Threat Foundry. It scores newly ingested intelligence, promotes the top configured items for the current day or latest source update, and places each item into a review queue before analysts spend hunt time. The quality gate separates Hunt Ready, Review First, Needs Triage, and Not Actionable work so CTI automation produces accountable analyst decisions.

Threat Foundry ML capability view showing model-assisted CTI and hunt workflow context — ML capability: model-assisted CTI review and hunt workflow context.

Ranked Auto Triage CTI source items with source links and CTI intake actions — Ranked Auto Triage queue: current-day source items with context and intake actions.

Threat Foundry ransomware playbook with analyst goal and hunt steps — Playbooks translate threat themes into hunt goals, TTPs, and analyst steps.

Review Context

Use playbooks and reports to decide what deserves hunting.

Before a hunt exists, analysts can compare CTI against playbooks, program metrics, Sigma and YARA coverage, exposure, telemetry readiness, and recent operational history. This keeps automation accountable to the team's actual detection goals instead of turning every feed item into work.

Threat playbooksOperational steps for ransomware, credential access, lateral movement, and impact scenarios.

ReportsOperational, executive, investigation, and program metric views for review and leadership context.

CoverageSigma and YARA coverage reveal where detection depth already exists and where hunt work is needed.

Reporting and Coverage

Leadership views without losing analyst evidence.

Threat Foundry keeps report views close to operational data: hunt activity, workload, Sigma/YARA coverage, telemetry readiness, evidence packages, and baselines.

Threat Foundry operational reporting dashboard — Operational reporting summarizes hunt work and readiness.

Sigma coverage by ATT&CK tactic shows detection depth at a glance.

Build Attack Paths

Turn approved TTPs into ordered hunt logic.

Attack Path Builder lets analysts seed a path from a threat actor or assemble techniques manually, then generate SIEM-ready hunt logic from the exact sequence. It supports staged thinking instead of one-off query generation.

Drag TTP cards into the investigation order analysts want to test.
Generate review-only tool queries or generic cross-tool recommendations.
Run combined searches only after explicit analyst approval.

Built Attack Path Graph with ordered ATT&CK techniques — Built attack path with ordered TTP nodes, ready for review and generation.

Sigma and YARA Evidence

Create and review the right detection for the evidence.

Sigma captures behavior in logs; YARA captures file, script, document, and malware-content traits. Threat Foundry helps analysts choose the right lane from CTI, review generated rules before use, and keep detection evidence tied to the original intelligence.

Highlighted Sigma evidence shows the log field or token that matched.
YARA drafting uses deterministic feasibility checks before model tokens are spent.
Rule metadata, references, ATT&CK context, and review status stay beside the detection.

Triggered Sigma rule details showing highlighted SIEM log-row matches — Sigma evidence view: exact matched fields and evidence rows are readable before analysts decide next steps.

YARA Rule Workflow

Turn file-focused CTI into reviewed YARA rules.

When intelligence includes hashes, filenames, script traits, payload markers, byte patterns, malware family strings, packer indicators, or document artifacts, Threat Foundry routes it toward YARA instead of forcing a log-only detection path.

Feasibility checks decide whether the source has enough file or content evidence before AI drafting starts.
Generated YARA stays review-first with validation status, metadata, references, severity, and IOC summaries.
Rules can be kept private, manually shared, or auto-shared through the opt-in Detection Exchange workflow.

ImportCurated YARA rulesets refresh into a searchable library with source, metadata, tags, and validation state.

CreateAnalysts can draft from CTI, build custom rules, validate structure, and save only after review.

ShareOpted-in tenants can contribute sanitized autogenerated or custom YARA rules to the community exchange.

Saved Hunt Review

Review the hunt package before triage.

Saved hunts preserve source context, confidence, generated query references, rerun history, entity coverage, and enrichment actions. Triage happens after review, when a human has seen the evidence and decided it deserves follow-through.

PowerShell saved hunt review package with confidence, enrichment, export, and triage controls — Known-good PowerShell saved hunt: review first, then triage if warranted.

Entity Analyzer

Move from SIEM rows to investigation shape.

Entity Analyzer turns returned hunt results into a practical investigation surface. Analysts can see which accounts, hosts, processes, commands, and related observables recur across the evidence, then pivot without losing the original hunt context.

Returned fields are normalized into analyst-friendly entity groups.
Entity pivots keep follow-on hunts grounded in reviewed evidence.
Candidate ranking highlights the accounts, hosts, commands, and processes worth pursuing.

Host Investigation

Move from saved hunt evidence to Fleet-ready host checks.

Host Investigation turns reviewed Sigma, YARA, and hunt artifacts into read-only osquery checks, confirmed Fleet targets, and hash lookup pivots. Analysts can review the generated SQL, select the checks to run, and keep sandbox or reputation work tied to the saved hunt evidence.

Reviewable osquery checks stay visible before Fleet execution.
Hashes and file indicators extracted from Sigma, YARA, CTI, and returned hunt rows become lookup and sandbox pivots.
Execution is gated by Fleet target matching, RBAC, and saved-hunt audit notes.

Host Investigation Reviewable osquery Checks with generated read-only SQL — Reviewable osquery checks: generated SQL remains analyst-approved before Fleet execution.

Host Investigation Hash Lookup and Sandbox Pivots with extracted hashes — Hash lookup and sandbox pivots preserve IOC context from Sigma, YARA, and hunt evidence.

Command Analyzer graph showing PowerShell command relationships — Command Analyzer connects accounts, hosts, processes, and suspicious commands.

Distilled hunt candidates with ranked commands, processes, accounts, and hosts — Distilled Hunt Candidates rank commands, processes, accounts, and hosts for follow-up.

Threat Foundry triage queue for reviewed findings — Triage and case management capture reviewed findings, owners, tickets, and handoff history.

Govern the Workflow

Wire the platforms in without hardcoding the process.

Configuration covers query platforms, vendor integrations, field normalization, assets, baselines, API Connect, source refresh behavior, model settings, and audit trails. The product can start in the lab and grow into live SOC wiring.

IntegrationsSIEM, EDR, vulnerability scanners, CTI feeds, YARA rulesets, identity, SOAR, and ticketing handoff.

PolicyQuery limits, source controls, field mapping, data caps, and telemetry readiness.

AuditSOAR/API requests, AI usage, triage history, saved-hunt notes, and report outputs.

Threat Foundry configuration and integrations page — Governance and integration settings keep automation aligned to the SOC.

Services, security, and field notes around the platform.

Use CasesSee how SOCs, MSPs, CTI teams, IR teams, midsize businesses, and enterprises use Threat Foundry.Explore use cases

How It WorksFollow the CTI-to-action workflow from intake to review, triage, reporting, and optional sharing.View workflow

Professional ServicesOnboarding, configuration, integration, analyst enablement, and operational rollout.Plan onboarding

THaaSRecurring CTI-led threat hunting, evidence review, Sigma/YARA candidates, and reporting.Explore THaaS

Strategic ServicesAssessment-led cyber strategy for threat hunting, SOC maturity, detection engineering, AI security, compliance, and OT/ICS.View assessments

SecurityA SOC 2-style overview of secure SDLC, AWS security, RBAC, auditability, AI governance, and safe execution defaults.Review security

YARA WorkflowsTurn file and malware-focused CTI into reviewed YARA candidates with feasibility checks, rule validation, and optional community sharing.Explore YARA

BlogRead the first post on opt-in community Sigma and YARA sharing for reviewed detection engineering workflows.Read blog

Platform Flow

Fresh intelligence becomes reviewed action.

Auto Triage

CTI feeds, emailed threats, reports, KEVs, EDR alerts, and vulnerability context enter a ranked daily review queue.

Review context

Analysts check source detail, playbooks, reports, coverage, and evidence before spending hunt time.

Generate detections

Approved CTI becomes ATT&CK hunt packages, attack paths, Sigma candidates, YARA candidates, and saved evidence.

Investigate and route

Timelines, entity graphs, candidates, triage, cases, reporting, and tickets close the loop.

Deployment

Built for teams wiring real platforms into accountable hunt operations.

Threat Foundry can start with generic hunts and grow into live SIEM, CTI, EDR, vulnerability management, Sigma, YARA, SOAR, and ticketing integrations.

Talk through deployment