Marketing reference. Each feature includes what it does, who it's for, and what business outcome it delivers. Pull from this for landing pages, datasheets, pitch decks, sales conversations, and competitive positioning.
ThreatScout is an enterprise federated threat hunting and response platform purpose-built for security operations centers (SOCs). It collapses the daily friction of working across a fragmented security tool stack: rather than learning five query languages, switching between five consoles, and manually correlating five sets of results, analysts use one platform to hunt, investigate, and respond across every connected source. AI handles the repetitive triage; the analyst focuses on the decisions that matter.
The platform is SaaS-delivered with per-tenant isolation (each customer gets their own deployment, database, encryption keys, and SSO configuration), Single Sign-On for the analyst experience, and over 25 native integrations to the security tools enterprises already run.
The core value of the platform. Write queries using a single language, then run them against your data sources. The platform translates the queries to their native languages on the backend.
Analysts write hunt queries in KQL (Kusto Query Language), the syntax popularized by Microsoft Defender and Azure Sentinel. ThreatScout's federated query engine translates that single query into each backend's native dialect at execution time. The analyst never has to context-switch between KQL, Lucene, SPL (Splunk), S1QL (SentinelOne), Falcon Query Language, or proprietary EDR APIs.
Business outcome: New analysts are productive on day one. Existing analysts who know one query language can hunt across the entire stack. Time-to-hunt for cross-tool investigations drops from hours to minutes.
A single KQL query reaches:
Business outcome: Procurement decisions about underlying tools become independent of analyst workflow. Customers can keep their existing SIEM and EDR investments while gaining a unified hunting layer.
The longer-term vision is multi-source joins in a single query (e.g., Defender.DeviceProcessEvents JOIN OpenSearch.firewall_logs ON src_ip). The query parser, parallel execution engine, and OCSF field resolver are in place; the join planner is the next major addition.
Business outcome (when shipped): Capabilities that today require manual export-and-pivot in Excel become single-query operations. Investigations that span a SIEM and an EDR collapse from a half-day to seconds.
Every incoming alert can be investigated automatically by an AI agent that thinks like a senior SOC analyst.
When an alert arrives, ThreatScout's AI agent (we call it Scout) takes over the first-pass investigation. Scout is built on Anthropic's Claude API and uses a tool-use loop with eight specialized tools:
Scout reasons iteratively: each finding informs the next query. A senior analyst's workflow ("let me check if this IP has been seen before, then look at adjacent processes, then check that user's normal behavior") is what Scout is trained to emulate.
Business outcome: Triage time on routine alerts drops from 15-30 minutes per alert to under 60 seconds. SOC capacity multiplies without adding headcount.
Scout doesn't just say "looks bad." Every investigation produces:
Business outcome: Analysts spend zero time formatting; they read a finished report. Auditors and compliance teams get full reasoning chains. Detection engineers get rule recommendations from real investigations.
Before any alert data is sent to Scout, ThreatScout's PII Sanitizer tokenizes every identifiable entity: usernames become [USER_1], IPs become [PUBLIC_IP_1] or [PRIVATE_IP_1], hostnames become [HOST_1], hashes become [HASH_1], etc. The AI reasons about the tokenized text and returns its analysis. ThreatScout then detokenizes the response server-side and presents the analyst with the real values, color-coded by entity type.
Real values never leave the customer's tenant. This is enforced at the data-mapping layer, audited by property-based testing, and validated against thousands of test alerts.
Business outcome: Customers in regulated industries (finance, healthcare, energy, government) can use AI investigation without violating data-residency or privacy contracts. CISOs can sign off on AI usage with confidence.
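The tokenize/detokenize round trip described above, as an added illustration rather than ThreatScout's own code. It assumes an OCSF-style alert dict and a constructed field-to-entity map (ENTITY_FIELDS); the reverse map is held server-side and is never part of what the model sees.

```python
import ipaddress

# Constructed field map: the page says tokenization is enforced at the
# data-mapping layer, so entity values come from known structured fields.
ENTITY_FIELDS = {
    "USER": ["actor.user.name"],
    "HOST": ["device.hostname"],
    "IP": ["src_endpoint.ip", "dst_endpoint.ip"],
    "HASH": ["file.hashes.sha256"],
}

def _get(obj, dotted_path):
    for part in dotted_path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

class PiiSanitizer:
    def __init__(self):
        self.token_for = {}  # real value -> token
        self.value_for = {}  # token -> real value (never sent to the model)
        self.counters = {}

    def _token(self, kind, value):
        if value not in self.token_for:
            if kind == "IP":  # split public/private as the page describes
                try:
                    kind = "PRIVATE_IP" if ipaddress.ip_address(value).is_private else "PUBLIC_IP"
                except ValueError:
                    pass  # malformed address: keep the generic IP label
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"[{kind}_{self.counters[kind]}]"
            self.token_for[value], self.value_for[token] = token, value
        return self.token_for[value]

    def tokenize(self, alert):
        # Pass 1: learn entity values from the structured fields.
        for kind, paths in ENTITY_FIELDS.items():
            for path in paths:
                value = _get(alert, path)
                if isinstance(value, str) and value:
                    self._token(kind, value)
        # Pass 2: mask every occurrence in every string, free text included.
        return self._walk(alert, self._mask)

    def _mask(self, text):
        # Longest values first so a hostname is not half-masked by a username it contains.
        for real, token in sorted(self.token_for.items(), key=lambda kv: -len(kv[0])):
            text = text.replace(real, token)
        return text

    def detokenize(self, text):
        # Only issued tokens are restored; a token the model invents (e.g. [USER_9]) stays literal.
        for token, real in self.value_for.items():
            text = text.replace(token, real)
        return text

    def _walk(self, obj, fn):
        if isinstance(obj, dict):
            return {k: self._walk(v, fn) for k, v in obj.items()}
        if isinstance(obj, list):
            return [self._walk(v, fn) for v in obj]
        return fn(obj) if isinstance(obj, str) else obj

# Constructed sample alert (not real customer data).
SAMPLE_ALERT = {
    "title": "Suspicious PowerShell by jsmith on ws-042.corp.example",
    "actor": {"user": {"name": "jsmith"}},
    "device": {"hostname": "ws-042.corp.example"},
    "src_endpoint": {"ip": "10.0.0.5"},
    "dst_endpoint": {"ip": "1.2.3.4"},
    "file": {"hashes": {"sha256": "a" * 64}},
}
```

Masking is by substring, so a username that happens to occur inside an unrelated longer string is masked too; that errs toward over-redaction, which is the safe direction for this boundary.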
When a chatty detection rule fires 50 times in a minute, traditional SOCs run 50 investigations. ThreatScout fingerprints each incoming alert by its source backend, normalized detection identity, and entity set. The second alert with the same fingerprint inside the dedup window (default 24 hours) is automatically parked against the first; the third, the fourth, all 50 inherit the canonical investigation's verdict at zero AI cost.
Business outcome: Storm scale becomes a status indicator (duplicate_count: 47) instead of a triage backlog. AI spend per burst is constant regardless of alert volume. The analyst sees one row to act on instead of 50 rows to dismiss.
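The fingerprint-and-park logic described above, written as an added example rather than the product's implementation. The alert shape, the SHA-256 fingerprint construction, and anchoring the 24-hour window at the canonical alert's first_seen are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW = timedelta(hours=24)  # the page's default dedup window

def normalize_detection(name):
    # Normalized detection identity: case and whitespace differences in a
    # rule name must not produce a new fingerprint.
    return " ".join(name.lower().split())

def fingerprint(alert):
    # Fingerprint = source backend + normalized detection identity + entity set.
    # The entity set is sorted so field order in the payload does not matter.
    entities = sorted((k, str(v).lower()) for k, v in alert["entities"].items())
    material = json.dumps([alert["backend"], normalize_detection(alert["rule"]), entities],
                          separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()

class Deduplicator:
    """Parks repeat alerts against the first (canonical) alert inside the window."""

    def __init__(self, window=DEFAULT_WINDOW):
        self.window = window
        self.canonical = {}  # fingerprint -> canonical record

    def ingest(self, alert, now):
        fp = fingerprint(alert)
        rec = self.canonical.get(fp)
        # Assumption (not stated on the page): the window is anchored at the
        # canonical alert's first_seen, so a storm cannot extend it indefinitely.
        if rec and now - rec["first_seen"] < self.window:
            rec["duplicate_count"] += 1
            return {"status": "duplicate", "canonical_id": rec["alert_id"],
                    "duplicate_count": rec["duplicate_count"]}
        self.canonical[fp] = {"alert_id": alert["id"], "first_seen": now, "duplicate_count": 0}
        return {"status": "canonical", "canonical_id": alert["id"], "duplicate_count": 0}

def make_alert(i, rule="Suspicious PowerShell Encoded Command", host="ws-042"):
    # Constructed alert shape for this example.
    return {"id": f"alert-{i}", "backend": "defender", "rule": rule,
            "entities": {"host": host, "user": "jsmith"}}

def storm_demo():
    # 50 alerts from one chatty rule inside a minute, a case/whitespace variant
    # of the rule name, a different host, and the same rule after the window.
    dedup = Deduplicator()
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    burst = [dedup.ingest(make_alert(i), t0 + timedelta(seconds=i)) for i in range(50)]
    variant = dedup.ingest(make_alert(50, rule="suspicious  POWERSHELL encoded command"),
                           t0 + timedelta(minutes=2))
    other_host = dedup.ingest(make_alert(51, host="ws-043"), t0 + timedelta(minutes=3))
    after_window = dedup.ingest(make_alert(52), t0 + timedelta(hours=25))
    return {
        "canonical_ids": sorted({r["canonical_id"] for r in burst}),
        "burst_duplicates": sum(r["status"] == "duplicate" for r in burst),
        "duplicate_count": burst[-1]["duplicate_count"],
        "variant_status": variant["status"],
        "other_host_status": other_host["status"],
        "after_window_status": after_window["status"],
    }
```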
When five different detection rules fire on the same host in the same hour, that's not five separate things to investigate; that's one incident with multiple symptoms. ThreatScout's clustering engine identifies alerts that share high-signal entities (host, user, file hash) inside a configurable time window and groups them under a canonical investigation. Cluster members inherit the canonical's verdict and link back to it; the analyst's queue shows one actionable item.
This is conceptually similar to Microsoft Defender's incident correlation, but operates across every connected backend simultaneously (not just within the Defender ecosystem).
Business outcome: Incident-level visibility for environments that span multiple security tools. Reduces the "five tabs open, same incident" pattern that wastes senior analyst time.
Scout can be configured to automatically close alerts it grades as high-confidence false positives, subject to operator-set guardrails (severity allowlist, category blocklist, minimum evidence-chain depth, minimum false-positive likelihood). Auto-closed alerts include full audit trails: who (Scout), when, what verdict, what evidence supported it, what the analyst can do to reopen.
Business outcome: Tier-1 false positives stop hitting the analyst queue at all. SOC capacity reallocates to the actual incidents.
When ThreatScout closes a deduplicated alert as benign, it also closes the alert in the customer's source EDR portal (Defender currently; SentinelOne, CrowdStrike, Sentinel sequenced) with a back-link comment pointing to the canonical investigation in ThreatScout. The analyst on the EDR side never sees a stale alert.
Business outcome: Eliminates the "I closed it in ThreatScout but it's still open in Defender" cleanup work. EDR-side dashboards stay accurate.
A second AI surface, distinct from Auto-Investigation. Scout Assistant is a conversational interface for hunting, querying, and analysis. Scout is also "page aware": it knows which page the user is on when a conversation starts. For example, from an Alert page a user can ask Scout to re-investigate that alert, dig deeper, and build out timelines and attack graphs, all within the conversational interface.
Analysts can ask Scout Assistant questions in plain English ("show me PowerShell encoded commands across all my devices in the last 24 hours"), and it constructs the KQL query, runs it against the right backend, and returns formatted results inside the chat interface.
Business outcome: Hunting is no longer gated on KQL fluency. Junior analysts and managers can run sophisticated queries; senior analysts use it as a faster keyboard.
Scout Assistant is aware of every connected backend's schema. When an analyst asks for data, it knows which backend has the relevant tables, what fields each table exposes, and how to translate the analyst's intent into a valid query.
Business outcome: No more "what's the field name for username in Defender vs. Wazuh." Schema discovery becomes conversational.
Results from any connected backend render inline in the chat as filterable tables, charts, or entity graphs. Analysts can pivot from a result row directly into an investigation, or follow up with refining questions ("filter this to only the last hour").
Business outcome: Investigation workflows happen in one window. The "copy this entity to that search bar" friction disappears.
Every Scout Assistant conversation is preserved. Analysts can revisit prior hunts, share them with colleagues, archive completed ones, and resume in-progress threads. The viewer mirrors the pattern of Claude.ai, ChatGPT, and Copilot.
Business outcome: Investigations become institutional knowledge instead of one-off chats. Cross-shift handoffs preserve context.
Operators set per-session and per-customer token budgets for AI usage. Analysts see live spend, get warned as they approach the limit, and starting a new chat resets the budget cleanly.
Business outcome: Predictable AI cost at the customer level. No surprise bills from a runaway investigation.
ThreatScout ingests alerts from the customer's full security tool stack via native APIs (Defender, SentinelOne, CrowdStrike, Sentinel, OpenSearch, Wazuh, and others) plus a generic webhook receiver for any source that can POST JSON. Alerts are normalized to OCSF on ingestion and stored with full source-trace metadata.
Business outcome: Every alert from every tool ends up in one place, with one schema, one queue, and one workflow.
Every alert ingested above the configured severity threshold is automatically routed through the AI Auto-Investigation pipeline. Verdicts appear in the analyst queue within seconds of arrival.
Business outcome: Mean-time-to-triage (MTTT) measured in seconds, not hours.
Analysts can rerun any investigation (e.g., after new threat intelligence arrives), override the AI's verdict with their own, or request a deeper investigation with an expanded token budget. Override decisions become training feedback for future AI behavior.
Business outcome: Analyst expertise improves the system over time. The AI doesn't make the same mistake twice on similar alerts.
Analysts can act on hundreds of alerts in one operation: close all duplicates of a verified false positive, escalate every alert tagged with a specific MITRE technique, assign a queue range to a tier-2 analyst.
Business outcome: Backlog cleanup operations that previously took hours take minutes.
Every alert and investigation is mapped to MITRE ATT&CK techniques pulled from the full local database (500+ techniques). The mapping appears in the investigation report, the alert queue, and the analyst dashboards.
Business outcome: Threat-actor and campaign attribution becomes a search-by-technique operation. Coverage gaps surface as missing technique IDs in the customer's detection portfolio.
Alerts that warrant follow-up are escalated into Incidents with tier-based ownership (Tier 1 → Tier 2 → Tier 3), assignment, status tracking, and resolution metadata. Every incident carries its full alert chain, investigation reports, evidence, MITRE mapping, and audit history.
Business outcome: Incident response becomes auditable and measurable. SLAs are tracked at the workflow layer, not in a separate ticketing tool.
For complex incidents that span days and multiple analysts, ThreatScout offers Hunt Workspaces: persistent investigation spaces with shared notes, query history, attached evidence, timeline tracking, and inline AI assistance. Workspaces are accessible across shifts and roles.
Business outcome: Multi-day investigations don't lose context at shift change. Senior analysts can hand off context-rich workspaces instead of writing handoff documents.
Each investigation report includes explicit escalation criteria (when this should move to Tier 2/Tier 3), containment steps, IOCs to block, hunt patterns for similar threats, and the rationale for each recommendation. These become semi-automated playbooks the customer can codify.
Business outcome: Tier-1 → Tier-2 handoffs carry actionable next steps, not just "this looks bad."
Analysts build, save, and share hunt queries. The library tracks who wrote what, when it last ran, what it found, and which incidents it produced. Customers build institutional knowledge as the SOC matures.
Business outcome: Detection content compounds. Hunt patterns that found something once are easy to schedule for ongoing monitoring.
Any saved query can be scheduled to run on a cron-like cadence (every 5 minutes, hourly, daily). Results that match trigger criteria become alerts that flow through the standard pipeline (AI analysis, queue, dedup, etc.).
Business outcome: Custom detection rules ship without requiring detection-engineering capacity in the underlying SIEM/EDR. Faster threat coverage updates.
A successful hunt query can be promoted to a detection rule with one click. The rule then runs on schedule and emits alerts when matching events appear. Rule performance (true-positive rate, false-positive rate, time-to-detection) is tracked over its lifetime.
Business outcome: Hunting and detection engineering become a single workflow. The bottleneck of "we found this manually but never automated detection for it" disappears.
Hunt queries are graded for cost, run time, and selectivity before execution. The analyzer suggests rewrites that produce the same results faster or cheaper.
Business outcome: Cost-aware hunting at enterprise scale. Avoids the "ran a $5,000 query by accident" failure mode that plagues cloud SIEMs.
ThreatScout ships with 25+ native integrations organized into five categories. All credentials are encrypted at rest using Fernet with PBKDF2-derived keys (independent of the application's master secret, so rotation never destroys data).
Business outcome: Customers don't replace their existing tooling. ThreatScout sits above the stack and amplifies the value of what they already pay for.
ThreatScout speaks STIX 2.1 and TAXII 2.1 natively. Customers can subscribe to community or commercial threat-intel feeds, ingest indicators, enrich alerts against the local TI store, and contribute back upstream.
Business outcome: Strategic threat intelligence becomes operational. Indicators that arrive Monday morning enrich investigations Monday afternoon.
Indicators from VirusTotal, AbuseIPDB, AlienVault OTX, GreyNoise, and proprietary feeds are aggregated, deduplicated, and scored by source confidence. Investigations automatically check every entity against every connected TI source in parallel.
Business outcome: Enrichment quality scales with the customer's TI subscriptions. Adding a feed adds value system-wide; no separate integration work per investigation type.
A dedicated dashboard surfaces emerging threats: indicator volume by source, indicator overlap across sources, recent IOCs that appeared in customer alerts, MITRE technique trends in the customer's traffic.
Business outcome: Strategic visibility for SOC managers and CISOs. Board reporting becomes a screenshot, not a week of preparation.
Real-time and historical metrics on the SOC's performance: alerts per hour, mean-time-to-triage, mean-time-to-resolution, true-positive rate, false-positive rate, AI auto-close rate, analyst load distribution, peak-hour patterns.
Business outcome: Data-driven SOC management. Coaching, staffing, and tooling decisions become defensible with numbers.
Every detection rule's lifetime performance is recorded: how often it fires, what fraction of its alerts are true positives, mean MTTT for its alerts, mean dwell time before detection. Underperforming rules surface as candidates for tuning or retirement.
Business outcome: Detection portfolio becomes a managed asset, not a forgotten dump of rules.
ThreatScout integrates with the customer's identity provider:
SSO configuration is per-tenant (set in the admin UI, stored in the customer's encrypted database; not shared across instances).
Business outcome: Day-one provisioning. Analysts use the same credentials they use everywhere else. No password resets at the SOC level.
Custom RBAC with fine-grained permissions across every feature surface: alerts (read/write), hunting (read/write/schedule), incidents (escalate/close), API management (read/issue/revoke), system admin (audit/config). Roles are tenant-customizable.
Business outcome: Tier-1 analysts can triage without seeing the audit log; tier-3 can do everything; SOC managers get reporting without write access. Least-privilege at scale.
Built-in MFA support:
Business outcome: Compliance-grade authentication on every account. Even an SSO compromise requires the second factor.
Programmatic access via per-customer API keys with full lifecycle management: issue, rotate, revoke, scope by permission set, rate-limit per key, audit every call. Keys are stored hashed (SHA-256) and compared timing-safe (hmac.compare_digest) to prevent timing attacks.
Business outcome: SOAR, automation scripts, and third-party tools integrate cleanly. Compromised keys can be revoked instantly without affecting other integrations.
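Hashed storage plus hmac.compare_digest as the page describes, shown as an added example that is not ThreatScout's code. The ts_ prefix, the key_id.secret layout, and the scope and rate-limit fields are assumptions; the plaintext key exists only in the return value of issue().

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "ts_"  # assumed prefix so secret scanners can recognise leaked keys

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

class ApiKeyStore:
    """Stores only SHA-256 digests; the plaintext key is shown once at issue time."""

    def __init__(self):
        self.records = {}  # key_id -> record
        self._dummy = _digest(secrets.token_urlsafe(32))  # used on the unknown-id path

    def issue(self, customer, scopes, rate_limit_per_min=600):
        key_id = secrets.token_hex(8)        # public identifier, safe to log
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.records[key_id] = {
            "customer": customer,
            "scopes": frozenset(scopes),
            "rate_limit_per_min": rate_limit_per_min,
            "digest": _digest(secret),
            "revoked": False,
        }
        return f"{KEY_PREFIX}{key_id}.{secret}"

    @staticmethod
    def _parse(presented):
        if not isinstance(presented, str) or not presented.startswith(KEY_PREFIX):
            return None, ""
        key_id, sep, secret = presented[len(KEY_PREFIX):].partition(".")
        return (key_id if sep else None), secret

    def verify(self, presented, required_scope):
        """Return the key record if valid, active and scoped; otherwise None."""
        key_id, secret = self._parse(presented)
        rec = self.records.get(key_id) if key_id else None
        # Always run the timing-safe comparison, even for an unknown key_id, so
        # response time does not reveal whether the id exists.
        expected = rec["digest"] if rec else self._dummy
        ok = hmac.compare_digest(_digest(secret), expected)
        if not ok or rec is None or rec["revoked"] or required_scope not in rec["scopes"]:
            return None
        return rec

    def revoke(self, key_id):
        # Revocation is by key_id, so an admin never needs the plaintext key.
        if key_id in self.records:
            self.records[key_id]["revoked"] = True
            return True
        return False

    def rotate(self, key_id):
        """Issue a replacement with the same customer/scopes, then revoke the old key."""
        old = self.records.get(key_id)
        if old is None or old["revoked"]:
            return None
        new_key = self.issue(old["customer"], old["scopes"], old["rate_limit_per_min"])
        self.revoke(key_id)
        return new_key
```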
Every privileged action is recorded: who did what, when, from where, with what device fingerprint, what threat intelligence the source IP matched, whether the action succeeded. Audit exports are available as CSV and JSON.
Business outcome: SOC 2, ISO 27001, FedRAMP, and HIPAA audits are screenshot-and-go. Insider threat detection has a credible data source.
Concurrent session limits per user, automatic timeout on inactivity, forced logout on permission changes, session-hijacking detection via device fingerprint changes.
Business outcome: Stolen-laptop and credential-theft scenarios are bounded by the platform, not by analyst diligence.
Failed-login attempts trigger configurable account lockouts with administrative unlock. Lockout events feed the audit log and can trigger automated alerts to the SOC manager.
Business outcome: Credential-stuffing attacks against ThreatScout itself are detected and stopped at the platform layer.
Each customer's ThreatScout instance runs in its own deployment: own database, own encryption keys, own SSO configuration, own integration credentials. No cross-tenant data exposure is architecturally possible.
Business outcome: Procurement, legal, and security review questions about multi-tenancy go away. Data residency questions have a one-line answer.
Three independent encryption layers:
Each key is independent. Rotation of one does not destroy data encrypted with another. Key rotation is a documented operational procedure with a dry-run mode.
Business outcome: Compromise of one secret does not cascade to total system compromise. Key rotation is a routine operational task, not an incident.
See AI-Powered Auto-Investigation. Critical to highlight in any AI / privacy / compliance conversation.
Even though Scout is prompted to produce clean output, ThreatScout never trusts it: every AI prose response is run through bleach.clean with a tag/attribute/protocol allowlist before reaching the analyst's browser.
Business outcome: A prompt-injection attack that gets Scout to echo <script> cannot escape into the analyst's session.
CSV exports of audit data and investigation history neutralize formula-injection prefixes (=, +, -, @) so an attacker who controls a logged field cannot execute formulas when an admin opens the export in Excel or Sheets.
Business outcome: Spreadsheet-based reporting is safe. CWE-1236 is closed at the export layer.
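An added example of the export-layer neutralization described above (not the product's code). It extends the page's =, +, -, @ list with tab and carriage return, which spreadsheets also treat as triggers, and runs over constructed audit rows in which the actor and detail fields echo event data an attacker could influence.

```python
import csv
import io

# The page names =, +, -, @; tab and carriage return are added here because
# spreadsheet importers also treat them as formula/field triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Prefix a cell with an apostrophe if a spreadsheet would evaluate it."""
    text = "" if value is None else str(value)
    # Check the raw first character and the first non-space character: some
    # importers trim leading whitespace before deciding a cell is a formula.
    if text[:1] in FORMULA_TRIGGERS or text.lstrip()[:1] in FORMULA_TRIGGERS[:4]:
        return "'" + text
    return text

def export_csv(rows, fieldnames):
    """Serialize audit rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()

# Constructed audit rows: 'actor' and 'detail' are attacker-influenceable
# because they echo values from logged events.
SAMPLE_ROWS = [
    {"ts": "2025-01-01T09:00:00Z", "actor": "jsmith", "action": "alert.close", "detail": "verified FP"},
    {"ts": "2025-01-01T09:01:00Z", "actor": "=SUM(1,2)", "action": "login.fail", "detail": "@SUM(1,2)"},
    {"ts": "2025-01-01T09:02:00Z", "actor": "+1+1", "action": "login.fail", "detail": "-5"},
    {"ts": "2025-01-01T09:03:00Z", "actor": " =SUM(1,2)", "action": "login.fail", "detail": 'He said "hi"'},
]
FIELDS = ["ts", "actor", "action", "detail"]
```

Negative numbers such as -5 get the apostrophe too; for genuinely numeric columns, validate the type on ingestion rather than routing free text through this path.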
Every redirect that consumes user-supplied input (HTTP_REFERER, return-to parameters) is validated against the customer's allowed hosts before execution.
Business outcome: Phishing chains that try to use ThreatScout as a redirect hop are blocked.
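Allowlist validation for return-to parameters and the Referer header, as an added example rather than ThreatScout's own code. The ALLOWED_HOSTS value and the input order in choose_redirect are assumptions; the validator rejects anything ambiguous instead of trying to repair it, because browsers normalize URLs differently from Python's parser.

```python
from urllib.parse import urlsplit

def safe_redirect_target(candidate, allowed_hosts, fallback="/"):
    """Return candidate only if it stays on an allowed host; otherwise fallback.

    Accepts an absolute http(s) URL whose hostname is allowlisted, or a
    same-origin absolute path. Everything else falls back to the default.
    """
    if not isinstance(candidate, str) or not candidate or candidate != candidate.strip():
        return fallback
    if any(ch in candidate for ch in "\r\n\t\x00"):
        return fallback  # header-injection and control-character tricks
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback  # e.g. malformed IPv6 literal
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return fallback  # javascript:, data:, file: and friends
        if not parts.netloc:
            return fallback  # "http:/host" is normalized to "http://host" by browsers
    if parts.netloc:
        # .hostname drops userinfo and the port and lowercases, so
        # "allowed@evil" and "host:port" are compared on the real host.
        host = parts.hostname or ""
        return candidate if host in {h.lower() for h in allowed_hosts} else fallback
    # Relative target: must be an absolute path and must not be scheme-relative
    # ("//evil", "///evil") or start with a backslash that browsers read as "/".
    if not candidate.startswith("/") or candidate.startswith("//") or candidate.startswith("/\\"):
        return fallback
    return candidate

# Constructed allowlist for the example; in the product this is the tenant's allowed hosts.
ALLOWED_HOSTS = ["soc.example.com"]

def choose_redirect(request_params, referer, allowed_hosts=ALLOWED_HOSTS):
    # Mirrors the page's two inputs: the return-to parameter first, then the Referer header.
    for source in (request_params.get("next"), referer):
        target = safe_redirect_target(source, allowed_hosts)
        if target != "/":
            return target
    return "/"
```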
CI pipelines run multiple independent SCA scanners (pip-audit, Safety) against the dependency tree, SAST scanners (Bandit, Semgrep) against the source, secret scanners (Gitleaks) against every commit, and container scanners (Trivy) against every built image. Findings block deployment. Docker images are pinned by SHA256 digest; runtime pip installs in CI are pinned by version and SHA256 digest to prevent compromised PyPI releases from running with deploy credentials.
Business outcome: Supply-chain attacks that hit upstream packages (Trivy, Axios incidents in 2025) cannot reach ThreatScout's production builds.
ThreatScout is fully OCSF-aligned. Investments in OCSF tooling (parsers, schemas, mapping libraries) work in ThreatScout. Findings exported from ThreatScout work in any OCSF-compatible downstream tool.
Business outcome: Vendor lock-in is structurally avoided. OCSF is the security industry's direction; ThreatScout invested early.
The full ATT&CK technique database (500+ techniques across enterprise, mobile, ICS) is mapped and searchable. Every investigation, detection rule, and threat-intel indicator references ATT&CK by technique ID.
Business outcome: Coverage gaps, threat-actor TTPs, and red-team reporting all share the same vocabulary as the analyst's daily work.
See Threat Intelligence section.
Every action is logged with full context. Exports are available in the formats auditors expect (CSV, JSON). Encryption-at-rest is verifiable. Access controls are RBAC-documentable.
Business outcome: SOC 2 Type II audits become a one-week engagement, not a one-quarter project.
Six background workers process scheduled hunts, alert fetches, AI investigations, health monitoring, and cleanup tasks in parallel. Tasks are retry-safe, idempotent, and survive worker restarts.
Business outcome: AI-investigated alert backlogs from a burst do not block real-time triage. Workers scale horizontally as customer load grows.
The alert ingestion → AI investigation → queue → fan-out path is real-time on the worker side; investigations complete within 30-180 seconds of arrival under typical load.
Business outcome: MTTT in seconds, not hours.
The platform self-monitors: database response time, cache response time, worker queue depth, AI API health, integration health. Health dashboards surface degradations before they become outages.
Business outcome: Predictable operational reliability. SLAs are observable and defensible.
Use these in competitive positioning conversations.
Most "AI SOC" products send raw alert data to the LLM provider. ThreatScout's PII Sanitizer tokenizes every identifying entity before any AI call. Privacy is enforced at the data-mapping layer, not at the prompt layer. We can prove (with property-based tests against thousands of alerts) that real entity values never leave the customer's tenant.
Competitors either lock you into one vendor's query language or expose a lowest-common-denominator subset that can't express real hunts. ThreatScout translates the full KQL surface into each backend's native dialect (Defender's KQL, OpenSearch's DSL, SentinelOne's S1QL, Splunk's SPL planned, Wazuh planned). Customers keep their hunt skills regardless of underlying tool changes.
Most platforms treat noise reduction as a per-rule tuning exercise (suppress alert X for hours Y). ThreatScout handles bursts and correlated incidents at the platform layer with fingerprint dedup and entity-overlap clustering. The analyst sees one item per incident regardless of how the underlying tools fire.
No shared multi-tenant database. Every customer's deployment is structurally isolated. Eliminates an entire category of compliance, procurement, and security-review friction.
Hunt queries become detection rules with one click. Detection rules feed alerts back into hunts. The same analyst can ask Scout Assistant "find me this pattern," promote the finding to a detection, and watch the dashboard for the detection's first alert — all in a single window.
Scout's evidence chain shows every tool call, every finding, every step of reasoning. No black-box "the AI said it's bad." Auditors, compliance teams, and senior analysts can follow the same path Scout took.
Tier-based pricing on a per-analyst basis. Use as a guide for sales conversations; final pricing is per-customer negotiation.
AI usage is bundled (not metered per token) at every tier; ThreatScout absorbs cost variance through cache architecture and dedup.
Reference data point: Recommended Wolf Midstream quote was $30K/year (Starter, 3 analysts).