Cyberange · TAW · Threat Analyst Workbench

Where have you seen this IOC before? In every case you have ever opened.

One workbench across threat intel, IR cases, and hunt notebooks. Type a hash, an IP, a domain, a TTP — and see every alert, case, and hunt where it surfaced, across the entire history of your SOC. Native MISP/STIX 2.1, native SIEM connectors, native case workflow.

[Geolocation tracker screenshot: equirectangular map (MaxMind GeoIP2 geolocation, ±25 km cluster threshold, clusters of ≥3 IOCs, live cities, all layers) plotting attacker-origin → target flows with IOC and case counts and campaign attribution per flow; sample flows shown: Moscow, RU → Washington, US (government · 14 IOCs · 3 cases · Ghostwriter · APT28 · confirmed), Beijing, CN → Mumbai, IN (financial · 8 IOCs · 1 case · Mustang Panda · low confidence), Pyongyang, KP → Tokyo, JP (crypto · 22 IOCs · 5 cases · Lazarus · TraderTraitor · confirmed); legend distinguishes APT, cybercrime and state origins, target sector glyphs, and confirmed vs. inferred/low-confidence flows; scale 2000 km; "tracking 12 active".]
[IR case screenshot: IR-3F08A2, "VMware-Infra ransomware — encryption underway", status investigating, severity critical, duration 2d 09h 51m; lifecycle: detected Apr 28 04:11 (EDR alert), investigation Apr 28 06:02 (Priya), containment Apr 30 11:40 (Priya), eradication and closure pending; containment SLA 02:14:38 remaining, 68% used; ATT&CK kill-chain panel (labelled "4 techniques mapped") listing T1190 Exploit Public App (vCenter, CVE-2025-····), T1059 PowerShell (enc-payload.ps1), T1078 Valid Accounts (admin@maruti), T1490 Inhibit Recovery, T1486 Encrypt for Impact; forensic timeline (12 events), e.g. Apr 28 04:11 CRIT CrowdStrike alert for bulk encryption on vmw-prd-02, 05:48 investigation start (PS payload enc-payload.ps1 identified), 06:18 forensic image of vmw-prd-02 → evidence-04.dd (sha256 372c3c…), 09:41 account audit (2 domain-admin accounts with anomalous vCenter access); Apr 29 09:01 C2 beacon to malware-c2-beacon.noxfall.tk every 47s, 14:23 customer notification (CISO + CEO briefed, 14-day comms plan).]
01 Geolocation tracker

The SOC problem

The IOC you are looking at right now probably crossed your perimeter eighteen months ago.

And the analyst who saw it then is on a different shift, a different team, or a different employer. The case notes are in a ticketing system. The IOC is on a threat-intel feed. The hunt that found it the first time is in someone's notebook. None of them are talking to each other.

01

IOC silos

Intel feeds in one tool. SIEM in a second. Case notes in a third. Hunt journals in a fourth. The IOC lives in all of them but no single view ties them together.

02

Context loss across shifts

Tier 1 hands off to Tier 2 hands off to the next-day team. Case-notes drift. The reason this IP was deprioritised yesterday gets lost — and re-prioritised tomorrow.

03

Manual enrichment overhead

Every IOC is a copy-paste tour of VirusTotal, OTX, AbuseIPDB, the SIEM, the case log, the hunt notes. Twelve tabs per alert. Burnout is built in.

How it fits

The one pane between your intel, your SIEM, and your incidents.

TAW ingests from upstream intel and your detection stack, normalises everything to a common IOC + entity model, and exposes a workbench UI to your analysts. Case state and hunt notes write back. SOAR and ticketing pick it up downstream.

TAW architecture: upstream intel and detection sources flow into the workbench core, exposing a unified analyst UI and downstream SOAR integration.

Ingest

  • Threat intel: MISP · STIX/TAXII · commercial
  • SIEM: Splunk · Elastic · QRadar · Sentinel
  • EDR / NDR: endpoint + network telemetry
  • Email · tickets: abuse mailbox · ITSM
  • OSINT: VT · OTX · AbuseIPDB · MalShare

TAW core (core modules)

  • IOC + entity graph: unified data model
  • Correlation engine: cross-event pivot
  • Case workflow: IR + SOC tier escalation
  • Hunt notebooks: hypothesis · journal · share
  • Analyst UI: workbench · web

Consumers

  • SOAR: XSOAR · Tines · Shuffle
  • Tickets: Jira · ServiceNow
  • Reporting: CISO + audit + regulator

Connectors: STIX 2.1 · TAXII 2.1 · OpenAPI · Webhook
Deploy: on-prem · private cloud · air-gapped

Capabilities

What an analyst opens in the morning. What an IR lead closes at night.

Unified IOC + entity graph

Hashes, IPs, domains, URLs, email addresses, users, hosts, mutexes, registry keys — all first-class. Search any, see every event it ever appeared in.

Cross-event correlation

The same IOC in an alert today and in an IR case eighteen months ago shows up as one node in the graph. The dots connect themselves.

Case workflow built for IR

Tier 1 → Tier 2 → Tier 3 escalation states. Containment, eradication, recovery, lessons-learned phases. Audit-grade timeline for every change.

Hunt notebooks

Hypothesis-driven hunts with a notebook UI. Queries, results, screenshots, IOCs, conclusions — versioned, shareable, indexed forever.

Native intel ingestion

STIX 2.1, TAXII 2.1, MISP, RSS, commercial feeds. Bidirectional with MISP. Tag, score, and age intel without leaving the workbench.

Air-gapped or cloud

Deploy on-prem behind an air gap, in a private cloud, or as a managed service. Same workbench. Same connectors. Same model.

The pivot

One IOC. Every place it has lived.

Click an IOC in any alert, any case, any feed. TAW pivots to every event that ever touched it — across years of telemetry, every IR case opened against it, every hunt that hypothesised about it, every external intel record that ever scored it.

Sample pivot on IOC 203.0.113.45 (first seen 2023-04-11); actual degree varies by IOC:

  • ALERT · IDS · 2023-04-15: first IDS hit · low confidence
  • CASE · IR-2023-1027: phish triage · closed FP
  • HUNT · HUNT-Q2-2024-08: C2-beacon hypothesis · validated
  • INTEL · MISP · uuid…: tagged as C2 · score 75
  • ALERT · EDR · 2024-09-02: beacon detected · auto-quarantined
  • CASE · IR-2024-0143: true positive · containment
  • HUNT · HUNT-Q3-2024-02: retro-hunt · 7 new hosts found
  • INTEL · OTX · pulse…: attributed APT-group profile

Node types: alert, case, hunt, external intel.

Sample workflow · Tier-2 analyst, 09:14

A new alert. An old IP. Five clicks instead of fifty.

The SIEM raises a beacon-like anomaly. The destination IP is one your SOC has never paid much attention to — except, it turns out, it has. Here is what the workflow looks like in TAW.

01

Click the IP in the alert

TAW resolves the IOC to its entity record and opens the pivot view. Without leaving the alert, you see every prior alert, case, hunt, and intel record that touched this address.

02

See the prior false-positive case

IR-2023-1027 closed as a false positive in April 2023. The case timeline is right there. The analyst who triaged it left a note: "low-volume, looks like a misconfigured monitoring agent."

03

See the validated hunt from last quarter

HUNT-Q2-2024-08 hypothesised the same address was a low-and-slow C2 beacon. The hunter found three other internal hosts beaconing to it. The hypothesis was confirmed but no case was opened — only a hunt journal.

04

See the external intel score escalation

MISP picked up the address from a partner six weeks ago. Score went from 40 to 75. The tags now read "C2 · beacon · APT-attributed."

05

Open a case with the chain attached

You promote the alert to an IR case. The previous case, the validated hunt, and the escalated intel score are linked automatically. Tier 3 inherits the full chain without you typing a single summary.

06

Trigger SOAR containment

TAW fires a SOAR playbook: isolate the host, query the EDR for every endpoint that has beaconed to the IP in the last 90 days, open a parallel hunt journal for the retro-sweep. Total wall-clock from alert to containment: four minutes.

Same workflow runs without changes for hashes, domains, URLs, mutexes, user accounts, or any other entity in your data.
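As an added illustration (not TAW code), a minimal Python version of the pivot the workflow above relies on: alerts, a closed IR case, a hunt journal entry and a STIX 2.1 indicator are refanged and normalised to (type, value) keys, so the same IP written four different ways resolves to one node, and pivot() returns everything that ever touched it, oldest first. Record ids, dates and the STIX indicator are constructed for the example.

```python
import re
from collections import defaultdict

DEFANG = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"))  # common defang spellings

def keys(raw):
    """Refang, lowercase and classify one IOC into (type, value) keys; a URL also yields its host."""
    v = raw.strip().lower()
    for fanged, clean in DEFANG:
        v = v.replace(fanged, clean)
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v):
        return {("ipv4-addr", v)}
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v):  # MD5 / SHA-1 / SHA-256
        return {("file-hash", v)}
    m = re.fullmatch(r"https?://([^/:?#]+)(?:[:/?#].*)?", v)
    if m:  # index the URL and its host, so a bare IP/domain seen elsewhere still correlates
        return {("url", v)} | keys(m.group(1))
    return {("domain-name", v)}

class IocGraph:
    """Minimal IOC + entity index: each key maps to every record that ever touched it."""
    def __init__(self):
        self.edges = defaultdict(set)  # (type, value) -> {(date, source, record id, note)}
    def add(self, source, rid, when, note, raw):
        for k in keys(raw):
            self.edges[k].add((when, source, rid, note))
    def add_stix(self, indicator):
        """Ingest a STIX 2.1 indicator whose pattern is a single comparison expression."""
        m = re.fullmatch(r"\[\s*[a-z0-9-]+:[\w.'-]+\s*=\s*'([^']*)'\s*\]", indicator["pattern"])
        if m:
            self.add("INTEL", indicator["id"], indicator["created"][:10],
                     "tagged " + ", ".join(indicator["labels"]), m.group(1))
    def pivot(self, raw):
        """Every alert, case, hunt and intel record that touched the IOC, oldest first."""
        return sorted(set().union(*(self.edges.get(k, set()) for k in keys(raw))))

# Constructed sample records (not TAW data): the same IP written four different ways.
RECORDS = [
    ("ALERT", "IDS-2023-04-15", "2023-04-15", "first IDS hit, low confidence", "203.0.113.45"),
    ("CASE", "IR-2023-1027", "2023-04-18", "phish triage, closed FP", "203[.]0[.]113[.]45"),
    ("HUNT", "HUNT-Q2-2024-08", "2024-06-03", "C2-beacon hypothesis validated", "hxxp://203.0.113.45/gate"),
    ("ALERT", "EDR-2024-09-02", "2024-09-02", "beacon detected, auto-quarantined", "203.0.113.45"),
    ("ALERT", "EDR-2024-09-02", "2024-09-02", "dropper hash", "D41D8CD98F00B204E9800998ECF8427E"),
]
STIX = {"id": "indicator--constructed-0001", "created": "2024-08-20T10:00:00.000Z",
        "pattern": "[ipv4-addr:value = '203.0.113.45']", "labels": ["c2", "beacon"]}
GRAPH = IocGraph()
for rec in RECORDS:
    GRAPH.add(*rec)
GRAPH.add_stix(STIX)
```

Pivoting on the defanged IP, the refanged URL or the bare address all return the same five records; the dropper hash from the same EDR alert stays its own node and does not pollute the IP's history.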

What changes in the SOC

Triage time down. Context loss gone.

Mean time to triage

Per-alert context retrieval drops from minutes to seconds. The pivot is one click.

Cross-shift continuity

Case state and hunt notes are first-class. The next shift inherits the whole picture, not a summary.

Retro-sweep capacity

New intel scores trigger automatic retro-hunts. Threats sleeping in your logs surface themselves.

Audit + regulator readiness

Every IOC, every case, every escalation — timestamped, immutable, exportable on demand.

Speaks

  • CERT-In TLP & advisory ingestion
  • NCIIPC sector intel feeds
  • STIX 2.1
  • TAXII 2.1
  • MISP
  • MITRE ATT&CK
  • SIGMA · YARA
  • OpenAPI · Webhook

Practice

"Every IOC that ever crossed your perimeter is still in your logs. The question isn't whether you have it. The question is whether you can find it again, fast enough."
SOC operating principle
The case for unified intel + case + hunt — and against tabbed-browser SOC ops.

Put one IOC in the workbench. See the rest of the story.

Pilot deployment scoped to a single tenant. Connectors to your SIEM and intel feeds in week one. First retro-sweep on your data in week two.