Coming soon.

CISA KEV feed ingests new entry

The scheduled KEV pull picks up the new exploited-vulnerability row on its next cycle.

→ feed=cisa_kev · cve=CVE-2026-04812

AI triage classifies against your tech stack

The triage agent matches the CVE's affected products against your declared stack. If it hits, an alert is opened with severity and reasoning.

→ match=Adobe Acrobat 24.x · severity=critical

Investigation pulls the asset blast radius

The investigation agent queries your asset inventory for assets matching the affected software and links them to the alert.

→ 23 assets in scope

Critical alert lands with action

The alert names the CVE, the matched assets, and the recommended remediation playbook — prioritized by EPSS and KEV listing.

→ alert=ALERT-9817 · sla=4h

Ransomware leak feed catches the post

Tor-routed crawlers monitor leak sites continuously. New victim entries land in the feed within the polling window.

→ leak_site=ransomhub · victim=AcmeBank

Threat hunter pivots to the actor cluster

Hunter pulls the actor's known TTPs from the threat-actor catalogue and queues a hypothesis hunt against your environment.

→ actor=BlackBasta · ttps=12

TTPs cross-checked against your surface

The hunter looks for evidence of the actor's TTPs in your alerts, exposures, and IOC overlap. Findings are narrative, not just IDs.

→ T1133 · external remote services · 1 exposure

Hunt finding ready for SOC

A hunt finding lands in the dashboard naming the actor, the matching TTP, the affected asset, and the recommended fix.

→ finding=HUNT-119 · severity=high

CT log entry observed

With the streaming daemon enabled, CTP247 consumes the certificate-transparency WebSocket feed and scores new issuances against your domain similarity rules within its 30-second flush window.

→ cert=Let's Encrypt · domain=acmebank-secure.com

Similarity scored against your brand

The brand defender computes lexical, visual, and homoglyph similarity. The 0.93 score puts this above the takedown threshold.

→ similarity=0.93 · floor=0.80

Live probe confirms phishing

The agent fetches the new domain and runs the live-probe heuristic — page content, form targets, brand assets — attaching the verdict and screenshot to the suspect record.

→ verdict=phishing · ttp=T1566.002

Takedown drafted — analyst approves

The takedown letter is drafted to the registrar's abuse contact with all evidence attached. The analyst clicks Approve to send.

→ registrar=NameCheap · status=drafted

DMARC aggregate report ingested

The mailbox worker pulls the RUA report and parses every source that sent mail claiming to be your domain.

→ reporter=google.com · 412 messages

Failing source stands out

One source fails both SPF and DKIM alignment at volume — a pattern that doesn't match any of your legitimate senders.

→ source=185.101.94.215 · pass_rate=0%

Alignment failure root-caused

An alignment RCA run separates the misconfigured-legitimate-sender case from the hostile-spoof case, with reasoning attached.

→ verdict=spoof · not_in_spf=true

Policy step recommended

The dashboard shows the failing source, the affected recipients' providers, and the DMARC policy progression that blocks it — evidence attached for the change request.

→ recommend=p:quarantine → p:reject