Decision Assurance Infrastructure
Summit Cognitive
§ Platform / IntelGraph

Intelligence analysis with provenance attached

IntelGraph is a governed graph over live threat intelligence — every entity, relationship, and assessment carries its origin, so the analysis you ship can survive the question that always follows: how do you know?

§ 01

Live, mapped, and measured

The graph runs in production today — ingesting dozens of live feeds, resolving entities, and mapping observed activity onto the ATT&CK framework continuously.

36,000+ entities under analysis

700+ ATT&CK techniques mapped

7 export formats

TAXII 2.1 standards-native interchange

Dozens of live feeds — vulnerability databases, malware and C2 trackers, phishing and URL intelligence, multi-source IOC exchanges — are ingested, deduplicated, and resolved into a single governed graph. Nothing enters anonymously: every node knows which feed it came from and when.

§ 02

Ask in English, answer from the graph

Analysts should not need a query language to interrogate their own intelligence. IntelGraph translates natural-language questions into governed graph queries — and shows its work.

Analyze

Natural-language querying

Ask "which actors touched this infrastructure in the last quarter" and get a graph answer — the generated query is visible, reviewable, and repeatable.

Frame

ATT&CK-mapped activity

Observed techniques map onto the ATT&CK matrix as a living heat map — 700+ techniques tracked against the entities and campaigns in your graph.

Govern

Entity resolution

Duplicate observations across feeds resolve to single entities with merged lineage — the graph stays clean and the provenance stays complete.

§ 03

Standards in, standards out

Intelligence that cannot leave your platform is a liability. IntelGraph speaks the formats your tools — and your partners' tools — already understand.

Interchange

TAXII 2.1 server

A standards-compliant TAXII 2.1 endpoint serves STIX 2.1 bundles directly from the graph — point any compatible client at it and pull.

Interchange

Seven export formats

STIX 2.1, CSV, YARA, Snort/Suricata rules, OpenIOC, and MISP — export the slice of the graph you need in the format your downstream tooling expects.

Operationalize

SIEM integrations

Push indicators and context into Splunk, QRadar, Elastic, and Sentinel — so detections fire where your operations already live, with graph provenance intact.

Put your analysis on the record.

Open the platform and query the live graph, or connect a TAXII client to the public endpoint. When the assessment matters, the provenance is already attached.