CTP247: Pre-launch

Coming soon.

CTP247 is cyber threat protection that never clocks out — autonomous agents watching your attack surface, brand, and the dark web 24/7. Leave your email and we'll let you know when it's live.

One email at launch. No newsletters, no marketing dripfeed.


Platform

Six pillars.
One Postgres.

CTP247 is a single application surface backed by one database — not a SOAR plus a TIP plus an ASM strung together. The fewer the boundaries, the fewer the places state can rot.

Modules

Six modules, each with a deep-dive.

Every module is a full subsystem with its own collectors, scoring, and agent — and they all write into the same alerts, cases, and evidence store.

Module 01: Attack Surface

Subdomain discovery, port and service scans, TLS posture, and CVE matching against what you actually run — continuously, from the outside in.
Module 02: Brand Protection

Certificate-transparency and WHOIS watch catch typosquats at registration time. 1,500+ TLD permutations, logo abuse by perceptual hash, takedowns drafted.
Module 03: Dark Web Monitoring

Crawlers inside Tor, I2P, Telegram, and Matrix. Ransomware leak sites, stealer markets, and phishing forums watched continuously for your name.
Module 04: Data Leakage & Fraud

Leaked card detection with Luhn validation and BIN matching, custom DLP policies, and breach-notification SLA tracking from first sighting to closure.
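The Luhn-plus-BIN check the blurb above names, shown as an added Python example that is not CTP247's own code: it pulls digit runs out of a constructed text sample, drops anything that fails the Luhn checksum, keeps only numbers whose issuer prefix is in a table of watched BINs, and masks the number before it is recorded so the evidence store never holds a full PAN. The watched-BIN table, the sample text, and the `CardHit` type are assumptions made for the example.

```python
"""
Added example (not CTP247's own code): leaked-card detection as
candidate extraction -> Luhn checksum -> watched-BIN prefix match -> masking.
The sample text, the BIN table and the card numbers are constructed; the
card numbers are public test numbers, not real accounts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed BIN table (assumption): prefixes of the issuer whose cards this
# organisation is responsible for. A real deployment loads its own BIN ranges.
WATCHED_BINS = {
    "411111": "acme-bank-visa-debit",
    "550000": "acme-bank-mastercard-credit",
}


@dataclass(frozen=True)
class CardHit:
    masked_pan: str   # first 6 + last 4 only; the full PAN is never stored
    bin_label: str    # which watched issuer range matched
    offset: int       # position in the scanned text, for the evidence record


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, subtract 9 if >9."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def matched_bin(pan: str) -> Optional[str]:
    """Return the watched-BIN label for this PAN (longest prefix wins), or None."""
    for prefix in sorted(WATCHED_BINS, key=len, reverse=True):
        if pan.startswith(prefix):
            return WATCHED_BINS[prefix]
    return None


def mask(pan: str) -> str:
    """Keep BIN and last four; star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_leaked_cards(text: str) -> list:
    """Scan text for PANs that pass Luhn and fall in a watched BIN range."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(pan):
            continue            # random digit runs: order ids, phone numbers
        label = matched_bin(pan)
        if label is None:
            continue            # valid card, but not an issuer we watch
        hits.append(CardHit(mask(pan), label, m.start()))
    return hits


# Constructed sample of scraped text: two watched cards, one Luhn failure,
# one valid card from an unwatched issuer, one phone number.
SAMPLE_TEXT = """\
payment 4111 1111 1111 1111 exp 12/27
order id 4111111111111112 ref
card 5500 0000 0000 0004 ok
4242424242424242 other issuer
phone 0044 1234 567890
"""

if __name__ == "__main__":
    for hit in find_leaked_cards(SAMPLE_TEXT):
        print(hit)
```

Only the masked form reaches the `CardHit`, which is what a DLP policy or breach-notification record should carry; the Luhn step filters out most incidental digit runs before the BIN lookup, and the BIN step keeps the detector from alerting on every valid card number that appears in a dump.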
Module 05: Email Security

DMARC, SPF, and DKIM aggregate reports parsed and scored. Spoofing analytics, phishing classification, and sender governance in one view.
Module 06: Threat Intelligence

27 live feeds normalized into one IOC store with enrichment, MITRE ATT&CK mapping, and a TAXII 2.1 server your other tools can read from.

Pipeline

From feed item to takedown.

One pipeline owns the journey. No hand-offs between products, no context lost at the seams.

01 Ingest: 27 feeds · CT logs · crawlers
02 Normalize: dedupe · IOC extraction
03 Triage: agent classifies vs your stack
04 Alert: severity · owner · SLA
05 Case: timeline · evidence · MITRE
06 Takedown: drafted, sent on approval

Ingest

27 default feeds — abuse.ch, dshield, OTX, MISP, CISA KEV, GreyNoise, urlhaus, phishtank, ransomware leak sites — plus a normalised STIX/TAXII pipeline for your commercial subscriptions. Feeds dedupe, expire, and enrich on the way in.

Triage

An LLM agent reads each new entry against your declared tech stack and brand. Hits become alerts with reasoning and recommended action; misses get dropped without burning analyst time.

Investigate

Every alert can be handed to an investigation agent that pivots through actor, asset, IOC and case history. Output is a final assessment, a tool-call trace, and findings ready to promote into a case.

Hunt

A weekly hypothesis-driven hunt picks an active threat-actor cluster, cross-checks their TTPs against your environment, and surfaces gaps. Ad-hoc hunts run from the dashboard.

Brand

Continuous typosquat detection, certificate-transparency stream watch, AI similarity scoring. When a hit is high-confidence, the agent drafts the takedown but stops at human approval.

Cases

Alerts and findings escalate into cases with a state machine, SLA tracking, an assignee, comments, and a copilot that updates the timeline as you work. Closing a case generates the report.

Stack

Boring tech, deliberately.

We didn't pick a vector DB just to have one. Postgres holds the indicators, the cases, the agent traces, the audit log. JSONB where shape is fluid, schemas where it isn't.

The whole platform is one Compose stack. Spin it up locally, in your VPC, or on bare metal. The same code paths run in dev as in your production.

Dashboard: Next.js 16, React 19, server actions
API: FastAPI, async SQLAlchemy, Pydantic v2
Worker: Python asyncio, every-N-second loops, supervisor-style health
Database: Postgres 16, JSONB for traces, pgvector + GIN
Object store: MinIO (S3-compatible) for evidence, screenshots, exports
Cache + queue: Redis 7 for rate limits, ephemeral state
Search: Postgres-native queries across alerts, cases, IOCs
LLM: Ollama (local), Anthropic, or any OpenAI-compatible endpoint

Integrations

Speaks the protocols you already use.

CTP247 is a polite citizen in a SOC. STIX/TAXII feeds in, STIX feeds out. IOCs to your detection stack, alerts to the channels your teams actually watch.

Standards

  • STIX 2.1
  • TAXII 2.1
  • MITRE ATT&CK
  • MISP
  • OpenCTI

Open feeds

  • abuse.ch
  • dshield
  • OTX
  • CISA KEV
  • GreyNoise
  • urlhaus

Detection

  • Wazuh
  • Suricata
  • GreyNoise
  • Shodan

Notify & page

  • Slack
  • Teams
  • PagerDuty
  • Opsgenie
  • SMS
  • webhooks

One stack. Your perimeter. Your call.
