Clickable statistics cards providing instant security posture visibility.

• Active Incidents: Critical + High severity count with trend %
• MITRE Techniques Detected: Unique technique count
• Correlated Events: Total correlated events with rate %
• Threats Blocked: Blocked count with block rate %
• Click any metric for detailed drill-down modal

Comprehensive threat classification with severity indicators.

• Malware Infections: Virus/malware detections (High)
• Intrusion Attempts: IPS blocked attacks (High)
• Web Threats: Malicious web activity (Medium)
• Suspicious Apps: Unauthorized applications (Medium)
• Data Exfiltration: Data leak detection (High)
• Lateral Movement: Internal scanning (Medium)
• C2 Communications: Command & Control traffic (High)
• Privilege Escalation: Elevation attempts (Medium)

Full MITRE framework integration with detection mapping.

• Reconnaissance, Resource Development
• Initial Access, Execution, Persistence
• Privilege Escalation, Defense Evasion
• Credential Access, Discovery
• Lateral Movement, Collection
• Command & Control, Exfiltration, Impact
• Detection count per tactic with active indicators
• Click tactic for related events drill-down

Real-time threat intelligence integration and IOC database.

• Total IoCs: 150,000+ indicators in database
• Active C2 Servers: 1,400+ known C2 IPs
• Malicious URLs: 5,000+ blocked URLs
• Active Campaigns: 20-50 tracked campaigns
• Automatic update timestamps
• Threat feed correlation with local events

Dynamic 14-column matrix with complete technique mapping.

• 14 tactic columns with color-coded headers
• 201 techniques reference (MITRE framework)
• Interactive technique items with hover effects
• Detection count per technique
• Click technique → Detailed modal with remediations
• Horizontal scrolling for full matrix view

Key MITRE coverage and detection metrics.

• Total Detections: MITRE-mapped alert count + trend %
• Unique Techniques: Distinct techniques detected (X of 201)
• Active Tactics: Tactics with detections (X of 14)
• Critical Alerts: Immediate action required count
• Click any card for detailed breakdown

Comprehensive technique details with threat intelligence.

• T1595: Active Scanning (Reconnaissance)
• T1566: Phishing (Initial Access)
• T1059: Command Interpreter (Execution)
• T1110: Brute Force (Credential Access)
• T1021: Remote Services (Lateral Movement)
• T1071: App Layer Protocol (C2)
• T1486: Data Encrypted for Impact
• + 20 more techniques with full mapping

Real-time AI contextual analysis with web search grounding.

• AI technique analysis button per technique
• Context: technique ID, tactic, detection count
• Web search grounding for latest intelligence
• Provider attribution (Claude, GPT)
• Severity highlighting (CRITICAL, HIGH)
• Formatted markdown response with citations

Drag-and-drop workflow designer with 25+ node types.

• Triggers (4): Alert, Schedule, Manual, Webhook
• Response Actions (5): Isolate, Block IP, Kill Process, Quarantine, Disable User
• EDR Actions (10+): Memory Dump, YARA Scan, Force Reboot, Lock Screen, etc.
• Enrichment (4): IOC Lookup, VirusTotal, WHOIS, Collect Artifacts
• Logic (4): Condition, Loop, Delay, Parallel
• Notifications (4): Slack, Teams, Email, Jira
• Mini-map navigation, Zoom controls, Fit View

Complete incident lifecycle tracking and bulk operations.

• Incident table: ID, Title, Severity, Status, Source, Assigned
• Severity: Critical/High/Medium/Low with badges
• Status workflow: Open → Investigating → Resolved → Closed
• Bulk operations: Status update, Assign, Run playbook
• Filter by Category, Status, Severity
• Select All checkbox with count display
• Recent incidents quick panel (last 5)

Multi-vendor security tool orchestration.

• Firewalls: FortiGate, Palo Alto, Sophos
• EDR: CrowdStrike, SentinelOne, Defender
• SIEM: Splunk, ELK, Datadog
• Ticketing: Jira, ServiceNow
• Integration stats: Total, Healthy, Read-Write, Actions Today
• Filter by category, Add integration, Test connection
• Import from existing devices (bulk)

Key SOAR performance indicators.

• Active Incidents: Count with trend indicator
• Pending Approvals: Workflow approvals queue
• Automation Rate: % automated vs manual
• Avg MTTR: Mean time to remediation
• Recent Executions panel with status
• Active Playbooks list

MITRE ATT&CK mapped threat hunts ready to execute.

• Brute Force (T1110): Multiple failed logins in 5 min
• Password Spray (T1110.003): Same password across accounts
• RDP Lateral (T1021.001): Internal RDP connections
• SMB Lateral (T1021.002): SMB file sharing between hosts
• C2 Beacon (T1071, T1573): Periodic outbound connections
• DNS Tunneling (T1071.004): Long DNS queries
• Large Data Transfer (T1041): Unusual outbound data
• Log Clearing (T1070.001): Security log clearing
• Scheduled Task (T1053): New scheduled tasks
• Phishing (T1566): Blocked phishing attempts

Search for Indicators of Compromise across all logs.

• Search by IP address (e.g., 192.168.1.100)
• Search by domain (e.g., malware.com)
• Search by file hash (MD5/SHA1/SHA256)
• Automatic IOC type detection
• Time range filtering: 1h, 24h, 7d, 30d
• Known threat alert when IOC matches database
• Full event context with timestamps

Full Elasticsearch query support for advanced hunting.

• Elasticsearch query syntax support
• Syntax highlighting (Fira Code font)
• Query templates with examples
• Execute immediately or save for later
• Full JSON result display
• Save custom hunts with metadata

Comprehensive hunt results with evidence preservation.

• Summary Stats: Total Hits, Unique Sources, Alerts, Time Span
• Timestamp tracking per event
• Source → Destination flow display
• Action indicators (deny/allow badges)
• Full JSON data for custom queries
• Device and hostname identification
• Message field (truncated to 200 chars)

Key user behavior and risk indicators.

• Active Users: Currently monitored user count
• ML Anomalies: Machine learning detections
• Failed Logins: Authentication failure count
• Impossible Travel: Geographic anomaly count
• Privilege Escalation: Elevation attempt count
• Insider Threat Score: Overall risk level

Multiple behavioral anomaly detection mechanisms.

• Brute Force: 5+ failed logins in 5 minutes
• After-Hours Activity: 10 PM – 6 AM access
• Sensitive Privilege Use: SeDebugPrivilege, etc.
• Impossible Travel: Mumbai → New York in 30 min
• Unusual Login Times: Out-of-pattern hours
• Severity levels: Critical/High/Medium/Low

Weighted risk calculation per entity.

• 0-100 numeric risk scale
• Critical: Score ≥ 80 (red gradient)
• High: Score ≥ 60 (orange gradient)
• Medium: Score ≥ 30 (amber gradient)
• Low: Score < 30 (green gradient)
• Score trends: Increasing/Decreasing/Stable
• 7-day rolling window calculation

Per-user behavioral baseline with peer group analysis.

• Typical login hours (0-23 array)
• Average daily login frequency
• Average privilege use frequency
• File access patterns
• Resource access baselines
• Minimum 10 data points required

Key endpoint detection metrics.

• Critical Events: Highest severity detections
• High Severity: High priority alerts
• Total Events (24h): All detections today
• Memory Threats: Memory-based attacks
• LOLBin Activity: Living-off-the-land binaries
• Total Endpoints: Managed endpoint count

Advanced memory-based attack detection.

• Process Injections: Code injection detection
• Shellcode Detection: Shellcode pattern matching
• Process Hollowing: Hollowed process detection
• RWX Regions: Read-Write-Execute memory
• Fleet-wide memory scan capability
• Memory threats list with scrolling

Living-off-the-land binary execution tracking.

• certutil: Certificate utility abuse
• mshta: HTML application execution
• regsvr32: COM object registration abuse
• rundll32: DLL execution
• wmic: WMI command execution
• bitsadmin: Background transfer abuse
• cscript: Script host execution
• powershell: PowerShell execution
• Clickable filters for investigation

Advanced ransomware detection and prevention.

• Protected Endpoints counter
• Active Canaries counter (canary files)
• Ransomware Alerts (24h)
• Blocked ransomware attempts
• VSS (Volume Shadow Copy) protection toggle
• Canary file deployment
• ML-based behavior analysis

Honeypots and honey tokens for threat detection.

• Honeypot servers (FAKE-DC01)
• Honey shares (\\SHARES\Finance)
• Honey credential files (admin_backup.kdbx)
• Honey service accounts (svc_backup)
• Trigger alert counter
• Quick deploy buttons
• Active/Inactive status badges

Endpoint-focused threat hunting capabilities.

• Hunt Templates (6): LOLBin, Credential, Persistence, Lateral, C2, Data Staging
• Hunt types: Process, Network, File, Registry, DNS, IOC
• Time range: 1h, 24h, 7d, 30d
• Target scope: All, Servers, Workstations, Critical
• Quick Hunts: Encoded PowerShell, Mimikatz, PsExec, Cobalt Strike
• Hunt results with match counting

Immediate threat response capabilities.

• Isolation: Network isolate (bulk/single)
• Scanning: Full fleet scan, Memory scan
• Collection: Forensics data collection
• Live Response: Command execution
• Export: IOC export functionality
• Prevention mode toggle (Detect vs Block)

Technique mapping for endpoint detections.

• T1059.001: PowerShell execution
• T1003.001: LSASS Memory dumping
• T1547.001: Registry persistence
• T1055: Process Injection
• 14 tactics × 200+ techniques mapped
• Technique badges in detection table

Vulnerability posture metrics.

• Total Vulnerabilities: All CVEs detected
• Critical: CVSS ≥ 9.0 (red badge)
• High: CVSS 7.0-8.9 (orange badge)
• Medium: CVSS 4.0-6.9 (yellow badge)
• Scanned Apps: Applications scanned

Industry-standard vulnerability severity scoring.

• Critical (8.6-10.0): Red gradient badge
• High (7.0-8.5): Orange gradient badge
• Medium (4.0-6.9): Amber gradient badge
• Low (0.1-3.9): Green gradient badge
• Numeric CVSS scores (0-10 scale)
• Color-coded severity visualization

Comprehensive CVE database and tracking.

• CVE ID display (e.g., CVE-2023-38831)
• NVD (National Vulnerability Database) linked
• CVE description with vulnerability details
• Real-world CVEs: WinRAR, PuTTY, Chrome, Adobe
• Affected software ecosystem scope
• Version ranges impacted

Patch management and remediation tracking.

• Update action buttons per vulnerability
• Version path recommendations (e.g., 6.20 → 6.23+)
• Fix version field (minimum patched version)
• Installed version tracking
• Bulk remediation capability
• Patch availability status

Indicator of Compromise database and scoring.

• Add IOC with type classification
• IOC types: IP, Domain, Hash, URL, Email
• Confidence scoring per IOC
• Scoring history tracking
• IOC search across all logs
• Known threat database matching

Known threat actor database and profiles.

• Add Threat Actor entries
• Actor profile management
• Associated TTPs (Tactics, Techniques, Procedures)
• Target industries and regions
• Attribution confidence levels
• Actor activity timeline

Active threat campaign tracking.

• Add Campaign functionality
• Campaign name and description
• Associated threat actors
• Campaign IOCs
• Target victims/industries
• Campaign timeline and status

Automated threat intelligence feed ingestion.

• Total Feeds: Configured feed count
• Active Feeds: Currently polling feeds
• Objects Imported: Total STIX objects
• Refresh Feeds button (force sync)
• Add Feed configuration
• Poll Now (immediate sync)