
Engines Reference

Every Kaimz engine ships in every edition — nothing is a paid bolt-on to get basic protection. Here's what each one does and the API it exposes.

Engines
  1. EDR / XDR
  2. SIEM (KQL)
  3. SOAR
  4. Incidents
  5. Identity / MFA
  6. NHI
  7. Exposure
  8. Risk scoring
  9. Ransomware
  10. Device posture
  11. DLP
  12. UEBA
  13. Detection coverage
  14. Discovery
  15. AI defense
  16. Threat intel
Detect
EDR / XDR · /v1/detections
Real-time behavioral endpoint protection that catches living-off-the-land tooling (PowerShell, certutil, rundll32, mshta), IOC and LOLBin activity, and maps detections to MITRE ATT&CK. XDR correlates endpoint signals with identity and network telemetry so a cross-domain attack reads as one incident. Includes a replayable Threat Storyline — process graph, kill-chain arc and timeline.
SIEM with KQL · SIEM search
Query alerts, detections and live telemetry in one place with the Kaimz Query Language (KQL) — facets, time-ranges and saved searches. Global search hands off directly into SIEM for investigation.
Detection coverage (BAS) · /v1/bas/coverage
An ATT&CK coverage matrix that validates each technique against the live detection stream — showing what's validated (seen live), covered (a detector exists) or a gap, each with a copyable atomic test.
Respond
SOAR · playbooks
Fusion-class automation — a visual playbook builder plus a real trigger → condition → action execution engine. Automate the first moves (isolate-on-canary, notify-on-new-admin) so response happens in the seconds that matter.
Incident engine & auto-investigation · /v1/incidents
Folds a flood of raw alerts into a handful of actionable incidents, each with a reconstructed process tree, ATT&CK kill-chain, timeline, IOCs, a plain-English narrative and a recommended response — acknowledge or resolve from the API or console.
Real-time response (RTR) · /v1/response/:id/action
Live shell, process kill, host isolation, file quarantine, forensics and scans — dispatched fleet-wide as ECDSA-signed tasks so a compromised channel can't forge commands. Every action is logged to a response history.
Identity
Identity / MFA / ITDR · /v1/identity/inventory
Built-in TOTP MFA, conditional access, granular RBAC and endpoint step-up MFA (prompt at the host for RDP, sensitive processes, mapped drives). The ITDR view surfaces identity threats — brute force, multi-IP, behavioral anomalies.
Non-human identities (NHI) · /v1/nhi
Inventories keys, tokens, service accounts, certificates and secrets from the endpoint — the over-privileged, MFA-less identities attackers use for lateral movement — and flags exposure.
UEBA · /v1/ueba/entities
Learns per-user behavioral baselines and flags anomalies statistically — off-hours activity, source-IP novelty, concurrent sessions, brute force (robust MAD z-score) and rare commands — with a maturity gate to avoid cold-start false positives.
Exposure & risk
Exposure & reachability · /v1/exposure
Tells you which CVEs are actually running and network-reachable — not a raw CVSS list of everything installed — so you fix what an attacker can really reach first.
Risk scoring · /v1/risk/asset/:id
Explainable, Tenable-VPR-style scoring that blends CVSS + EPSS + CISA KEV with asset context (in-memory, internet-facing, criticality) to produce a 0–100 score, band and a PATCH_NOW / STAGED / DEFER decision with the factors that drove it.
Device posture · /v1/device-posture/scan
Grades each host on hardening — Secure Boot, TPM, BitLocker, ASR rules, Credential Guard — so you can drive measurable improvement across the fleet.
Data, AI & discovery
Ransomware canary · /v1/ransomware
Decoy tripwire files detect encryption early; an opt-in playbook can auto-kill and isolate the moment a canary trips — buying back the minutes that decide an incident.
DLP · /v1/dlp/analyze
Genuine secret/PII detection — Luhn-validated card numbers, a Shannon-entropy sweep for unknown secrets, and ~13 signature detectors (AWS/GCP/GitHub/Slack/Stripe/JWT/private-key/DB-string/SSN) — each finding with confidence and method.
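The two non-signature methods named above, Luhn validation and a Shannon-entropy sweep, shown as an added illustration in Python. This is not the Kaimz DLP engine's code; the sample text, the 4.5-bit entropy threshold, the 20-character minimum token length and the confidence values are constructed for the example.

```python
import math
import re

# Constructed sample input standing in for a scanned document body.
# 4111 1111 1111 1111 passes Luhn; 1234 5678 9012 3456 does not.
SAMPLE = (
    "Invoice paid with card 4111 1111 1111 1111, backup card 1234 5678 9012 3456. "
    "export API_TOKEN=x9Qm3ZpL7vR2tW8yB4nK6sD1fG5hJ0aC before the office meeting."
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled
    (minus 9 when the double exceeds 9) before summing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking tokens approach log2(alphabet size);
    English words and repeated digits sit well below 4 bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def analyze(text: str, entropy_threshold: float = 4.5, min_len: int = 20) -> list:
    """Return findings, each tagged with the method that produced it and a confidence."""
    findings = []
    # Card candidates: 13-19 digits, optionally separated by spaces or dashes.
    # A digit run that fails Luhn is dropped; that is what suppresses random numbers.
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "card_number", "value": digits,
                             "method": "luhn", "confidence": 0.9})
    # Entropy sweep: long alphanumeric tokens that look random are reported as
    # probable secrets even when no known signature matches them.
    for m in re.finditer(r"[A-Za-z0-9]{%d,}" % min_len, text):
        tok = m.group()
        if tok.isdigit():
            continue  # digit runs are the card detector's job
        h = shannon_entropy(tok)
        if h >= entropy_threshold:
            findings.append({"type": "high_entropy_string", "value": tok,
                             "method": "shannon_entropy",
                             "confidence": round(min(0.95, h / 6.0), 2)})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["type"], f["method"], f["confidence"], f["value"])
```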
AI defense · AI-era
A runtime LLM firewall (prompt-injection + data-leak inspection for AI traffic) and shadow-AI discovery that surfaces unsanctioned AI usage from the endpoint. See the AI security guide.
Network / IoT discovery · /v1/iot/inventory
Active ping-sweep + ARP + TCP port-probe + OUI vendor lookup across your subnets to classify devices and flag shadow / unmanaged assets against your managed inventory.
Threat intelligence · feeds
Live NVD + CISA KEV and IOC feeds pulled on a schedule and cached locally — used by the correlator and risk engine. Nothing about your environment is sent out to enrich a vendor model.