// PLATFORM STATUS: ONLINE

The Unified Security Engineering & Intelligence Platform

Threat intelligence, detection engineering, adversary attribution, and attack simulation — unified, and built for you to move fast.

// live_feed
// establishing_uplink…
// live_proof

The corpus is the argument.

// hydrated_live_from: /api/v1/stats
0+
curated_threats
0+
detections · spl / kql / sigma
0+
indicators_of_compromise
0
mitre_techniques_mapped
0
threat_actors_attributed
0+
cross_threat_correlations
// attribution spans 32 nations of origin — tracked inside actor_attribution, not shown as a headline counter here.
// severity_mix — live sample from the current feed
n = —
critical high medium low
// secos_preview_release

SecOS — the security desktop, in your browser.

A full desktop-OS shell for security work: windows, widgets, an intel-wired VM sandbox, and every Threadlinqs instrument one launcher away. Watch the preview, then get in line.

// status: preview_release

// join_the_waitlist

SecOS access opens in waves. Join with your Threadlinqs account email and we’ll notify you when your slot is ready.

// members only — uses your platform account email. not registered yet? the free tier takes 30 seconds.
// already have access? open secos →
// unified_platform

Three pillars.
One platform.

Intelligence without detection is research.
Detection without intelligence is noise.
We build both.

01 // threat_intelligence

Intelligence that arrives enriched.

Continuous monitoring of the live threat landscape — every entry lands with attribution, indicators, and exploit context already attached.

  • continuous_enriched_monitoring + daily_debriefs
  • automated_ioc_feeds
  • cve_enrichment: cvss · epss · cisa_kev · pocs
  • adversary_attribution: 166_actors / 32_nations
02 // detection_engineering

Detections you deploy, not translate.

Every threat ships with production-ready rules in all three languages — mapped to MITRE ATT&CK, weighed against your coverage gaps.

  • production spl · kql · sigma per_threat
  • mitre_attack_mapping: 465_techniques
  • coverage_gap_analysis
  • cross-threat correlation_engine
03 // adversary_operations

Think like the operator you're hunting.

Run the attack before it runs on you — scripted simulations paired to detections, with live tracking of real C2 infrastructure in the wild.

  • attack_simulations paired_to_detections
  • live_c2: cobalt_strike · sliver · brute_ratel · mythic
  • cross-threat_correlation
// how_it_works

From a new threat to a deployed detection in minutes.

No translation layer, no copy-paste archaeology. The pipeline runs from intake to export in one motion — and every step leaves an artifact you can ship.

new_threat intake enriched cve · ioc · mitre detections spl · kql · sigma simulated validate deployed export
// threadlinqs_cliintel.threadlinqs.com
// flagship_surfaces

The surfaces you'll live in.

Not dashboards for the sake of dashboards — each one answers a question analysts actually ask, and shows its work.

// correlation_engine

Six channels of similarity, in a glass box.

Every correlation decomposes across six weighted channels — you see exactly why two threats are related, never just a score.

shared_infrastructure · shared_capabilities
ttp_overlap · ioc_intersection
actor_lineage · temporal_proximity
// intel_graph

The threat galaxy, force-directed.

Actors, threats, CVEs and infrastructure as one navigable graph — pull a thread and watch the blast radius resolve.

force-directed relationship_map
blast_radius from any node
filter by actor · sector · technique
// mitre_coverage

692 techniques, one honest heatmap.

Corpus coverage across the full ATT&CK matrix — dense where adversaries actually operate, and unflinching about the gaps.

coverage across 14 tactics
weighted by detection_depth
gap_analysis feeds blind_spots
// actor_attribution

357 actors, mapped to motive and origin.

A radial attribution map across 32 nations — confidence-ranked, lineage-aware, and tied back to every threat and detection in the corpus.

nation_state · criminal · hacktivist
confidence rings: high → emerging
lineage + tooling overlap
// wild_c2_center

Live C2, watched so you don't have to.

Cobalt Strike, Sliver, Brute Ratel and Mythic infrastructure tracked in the wild — rotating servers mapped, correlated, and ready to block.

live infrastructure_tracking
operator + campaign correlation
export blocklists per framework
// enterprise

Your organization's threat intelligence, in a private workspace scoped to exactly what you defend.

command_center
The scoped dashboard — what changed for you, first.
// intelligence_profile
sectors
financehealthcare+ 1
threat_actors
APT29FIN7Scattered Spider
vendors / stack
microsoft_365fortinetvmware+ 4
alerts
Severity-routed pushes to Slack, Teams, email, webhooks.
feeds
STIX / TAXII / MISP feeds filtered to your profile.
intel_graph
The relationship galaxy, centered on your stack.

Set it once. Every dashboard, alert, feed and graph re-scopes to it, live.

We only store references to public catalog entities — never your assets, logs, or regulated data.

command_center

The scoped dashboard your team's morning starts on.

intel_graph

An interactive relationship galaxy of everything that touches you.

saved_library

Shared collections the whole tenant builds on.

shortcuts

A one-click launcher for the workflows you repeat.

// the_gold_suite

Eleven apps. One question each.

// included with every enterprise workspace
01
crosshairs

Live threats, actors and KEV CVEs targeting your exact tech stack.

02
red_mirror

Who targets organizations like yours, and the detections to catch them.

03
nightwatch

What changed for your sector and stack since yesterday — with SIEM/SOAR pull.

04
blind_spots

Your riskiest detection gaps, weighted by real-world exploitation.

05
triage

Paste indicators and learn who's behind them — nothing stored.

06
war_room

War-game a real adversary with a facilitator-ready exercise.

07
proving_ground

Emulate a real threat with each step paired to a validating detection.

08
breach_wire

SEC-disclosed peer breaches cross-referenced to our corpus, plus board briefs.

09
doppelganger

Brand-impersonation and phishing-domain early warning.

10
tracer

Follow a Cobalt Strike operator and auto-block its rotating infrastructure.

11
trust_card

A scan-free, shareable exposure narrative for questionnaires and boards.

// alert_connectors

Alerts where your team already lives.

Native Slack, Microsoft Teams, Email and signed-webhook connectors — routed by severity and sector, so the right channel wakes up and the rest stay quiet.

slack microsoft_teams email signed_webhooks

// organization_ai · byok

Your AI, your key — or ours.

Keep the platform model (TL-Research-70B-1.2 — tuned for TLQL, intel and MCP) or bring your own NVIDIA, OpenAI or Anthropic key — stored encrypted, injected server-side, members never see it.

tl-research-70b-1.2 byok: nvidia · openai · anthropic
// enterprise_access

Stand up your private workspace this week.

A tenant-scoped corpus, the full Gold Suite, and a profile that re-scopes everything to what you actually defend.

// 14 days free, no credit card — then a Gold workspace scoped to your team. email contact@threadlinqs.com to get started.
already onboarded?
// works_with_your_stack

Plugs into the stack you already run.

Standards-native in, standards-native out. No agents to install, no schema to invent.

SPLUNKMICROSOFT SENTINELSIGMAMITRE ATT&CKSTIX 2.1TAXII 2.1MISPOPENCTIMCPSIEM / SOAR

// standards_native

Exports that speak fluent standard.

STIX 2.1 export, a TAXII 2.1 server, and a MISP feed — pipe the corpus into the TIP you already trust, filtered to what matters.

stix_2.1taxii_2.1misp_feedopencti

// siem_soar_pull

Your pipeline pulls, we answer.

A Nightwatch delta endpoint your SIEM/SOAR polls for what changed, plus signed webhooks pushed by severity and sector.

nightwatch_deltasigned_webhookssplunksentinel

// mcp_server · v7.1.0

Threat intelligence inside your AI agents.

54 read-only tools over the corpus — remote Streamable-HTTP or local npx intelthreadlinqs-mcp, OAuth or Bearer key.

54_toolsstreamable_httpoauth / bearer
// live_platform

See it in action — Latest 3 threats.

The three newest entries in the corpus, straight from the live feed — expand one and read the detections it shipped with, the MITRE mapping, indicators, timeline and references.

// endpoint: /api/v1/threats · no api key required
// connecting to intel feed…
// choose_your_tier

Plans built for security teams.

Start free on the full feed. Upgrade when you need the values, the simulations, or the private workspace.

[ blue ]
analyst
Free
forever · no card
  • full threat_feed + filters
  • detection_library: spl · kql · sigma + copy
  • tlql_ai_search
  • my_feeds + saved_library
  • daily_debriefs: view + email
  • mitre_map + statistics
  • api: 50_calls / day
[ red ]
professional
$4.99$11.99
per month
  • everything in blue, plus
  • full ioc_values + correlation
  • threat_actor_attribution
  • research_lab: ai_research + chat
  • intel_graph + blast_radius
  • transcripts + related_threats
  • api: 500_calls / day
private_workspace
[ gold ]
enterprise
By inquiry
scoped to your org — email contact@threadlinqs.com to inquire
// 14-day free trial · no credit card
  • everything in purple, plus
  • intelligence_profile + command_center
  • gold_suite: 11_apps
  • alert_connectors: slack · teams · email · webhooks
  • org_ai / byok
  • stix · taxii · misp feeds
  • admin_console + team_management
  • dedicated_support
  • api: 25,000_calls / day
[ start_14-day_trial ] [ book_a_demo ]
already onboarded?
// full_comparison
capability [ blue ] free [ red ] $4.99 [ purple ] $11.99 [ gold ] custom
// intelligence
threat feed + filters
daily debriefs (view + email)
full ioc values + correlation
threat-actor attribution
intel graph + blast radius
wild c2 intelligence
dns + ioc enrichment1k / day1k / day
// detection & simulation
detection library: spl · kql · sigma
mitre map + statistics
advanced correlations
attack simulations
deploy custom threats
// ai & research
tlql ai search
research lab: ai research + chat
transcripts + related threats
org ai / byok
// enterprise workspace
intelligence profile + command center
gold suite (11 apps)
alert connectors: slack · teams · email · webhooks
stix / taxii / misp feeds
admin console + team management
dedicated support
// api & automation
mcp server
api calls / day505005,00025,000
// faq

Frequently asked questions

The short answers. Still stuck? Email contact@threadlinqs.com.

What is Threadlinqs?
A unified security engineering & intelligence platform: curated threats, ready-to-deploy detections in SPL, KQL, and Sigma, indicators of compromise, MITRE ATT&CK coverage, adversary attribution, CVE/CWE enrichment, and attack simulations — scoped to exactly what you defend.
Is there a free tier?
Yes — Blue is free forever. Create an account in about 30 seconds and start browsing the corpus and core intelligence, no card required.
What do the plans include?
Blue (free): the corpus + core intel. Red ($4.99/mo): higher limits and more surfaces. Purple ($11.99/mo): full access including the REST API and MCP server. Gold (Enterprise): SLAs, SSO, volume licensing, and dedicated support — email contact@threadlinqs.com to inquire.
What detection formats do you ship?
Every threat ships production-ready detections in Splunk SPL, Microsoft Sentinel KQL, and Sigma — copy them straight into your SIEM.
Do you have an API and an MCP server?
Yes. Purple and above unlock the REST API and a Model Context Protocol (MCP) server, so you can wire Threadlinqs intelligence directly into Claude and other MCP clients. See the MCP & API docs.
Which feeds and standards do you support?
STIX 2.1, TAXII 2.1, and native MISP feeds, plus signed webhooks — export intelligence into your existing stack without copy-paste.
Where does the intelligence come from?
Threats are curated and enriched from primary reporting and public sources, with CVE/CWE enrichment, MITRE ATT&CK mapping, and adversary attribution. Our editorial standards explain the process and how AI is used.
How current is the data?
The corpus updates continuously — nightly ingestion plus hourly landscape briefings and a daily debrief. The counts on this page are pulled live from the platform.
How do I get enterprise access?
Email contact@threadlinqs.com and the threadlinqs team will scope a Gold workspace — SLAs, SSO, volume licensing, and dedicated support — to your organization.
Can I cancel anytime?
Yes. Paid plans are month-to-month with no contracts — cancel anytime from your profile settings.
// final_transmission

See what's already pointed at you.

The corpus is live, the detections are written, and the free tier is real. Open the platform.