Reveal the hidden lines of adversary activity.
Free indicators are everywhere. Cloakline connects loose IOCs across sources into explained, scored, correlated adversary intelligence — the infrastructure, campaigns, and context a SOC can trust and defend, faster than building it in-house.
IOCs are commoditized
MISP, OpenCTI, abuse.ch and OTX all give indicators away. Volume isn't the value — and a raw blocklist with no context is a liability, not intelligence.
Correlation & explainability
Cloakline links indicators across sources into non-obvious infrastructure relationships, and scores them transparently — so an analyst can defend a decision to their boss.
Intelligence, not noise
Each indicator arrives with corroborated provenance, a defensible risk score, the CVEs it touches, and the adversary infrastructure it connects to.
From loose indicator to defensible intelligence.
A real intelligence pipeline, not a feed reseller. Every stage normalizes to a STIX 2.1 + MISP-aligned model and adds context the next stage builds on.
Collect & normalize
Commodity and OSINT feeds — MISP, abuse.ch, CISA KEV, NVD — normalized to a STIX-aligned model. Canonical Indicator split from per-source Sighting.
Add context
RDAP/WHOIS, DNS, GeoIP/ASN, Certificate Transparency and reputation — rate-limited, cached, and run through an egress-controlled path for attacker-controlled values.
Connect the lines
Deterministic, evidenced edges: shared infrastructure, registrant, certificate, ASN, hash → family. Written to a graph with evidence and confidence.
Explainable risk
Confidence, severity and exposure combined into a risk score — every value carries its factor breakdown and formula. No black box.
Workflow & export
A pivotable investigation console, a daily intelligence brief, a REST API, and exports to STIX bundle / MISP event / CSV.
Reveal. Connect. Hunt. Defend.
Four things a threat team needs from intelligence — built into the product, not bolted on.
Reveal
Uncover hidden infrastructure, paths, and relationships behind an indicator.
Connect
Link indicators to infrastructure, malware, campaigns, TTPs, and risk.
Hunt
Help analysts find adversary activity faster, and with the context to act.
Defend
Turn intelligence into prioritized, defensible action — recommend-only by design.
A score you can defend.
Every Cloakline risk score is a transparent, weighted function — not a model you take on faith. An analyst can open any score and see exactly why it's what it is.
- Confidence — source reliability (Admiralty A–F), corroboration across sources, and a freshness decay curve.
- Severity — CVSS, the CISA KEV flag for known exploitation, and EPSS probability.
- Risk — a defensible function of severity, confidence, and exposure, shipped with its inputs.
Connect the indicators. Reveal the adversary.
Cloakline builds deterministic, evidenced edges between entities — every relationship carries the evidence that created it and a confidence value. The non-obvious links are where the intelligence is.
- Deterministic first — shared infrastructure, registrant, certificate, ASN, and hash → family. Rules before ML, always.
- Evidenced — open any edge to see exactly what created it.
- Propose, don't publish — named-actor attribution is always held for a human.
Built to fit your stack.
Standards-aligned from day one, so Cloakline slots into the tools your SOC already runs.
Two rules we don't break.
A platform that holds adversary data and customer context has to be trustworthy by design.
Explainability over sophistication
Every score and edge is defensible to a SOC analyst — inputs, weights, and evidence on screen. If it can't be explained, it doesn't ship.
Propose, don't publish
Cloakline recommends; it never auto-blocks and never auto-attributes a named threat actor. A human stays in the loop on the consequential calls.
Put Cloakline in front of your SOC.
We're working with a small set of design-partner SOCs and threat teams — free access, in exchange for honest feedback.