What we've shipped, in order. No fluff — date, what changed, why it matters.
Updated weekly.
June 2026
Added a "MISP event" button to the export modal on `/try`. After any recall (seed query, IOC paste, or STIX paste-in), analysts can now download a MISP 2.4+ compatible event JSON importable directly into their own MISP instance with a single click. The export maps each recall result to a typed MISP Attribute (ip-dst, domain, vulnerability, threat-actor, etc.), adds TLP tags and MITRE ATT&CK technique tags extracted from node properties, builds Galaxy cluster objects for any threat-actor nodes, groups file-hash IOCs into MISP file Objects, and sets `to_ids: true` on attributes with confidence ≥ 0.7. TLP is enforced at the DB layer — only TLP:WHITE/GREEN nodes are included; when any results were redacted, `Event.comment` notes the count and links to pilot access. Distribution level maps TLP→MISP codes (WHITE/CLEAR→3, GREEN→2, AMBER→1, RED→0). Filename: `threatrecall-try-demo-{hash8}-{YYYYMMDD}.misp.json`. Endpoint: `GET /try/export/:session_id.misp.json` (email gate, same rate limit as JSON/PDF export). Analytics: `try_export_misp` event with attribute_count, tlp_max, redacted_count; surfaced on `/admin/funnel`. Files: `services/mispExport.js` (builder), `routes/tryExport.js` (route), `db/tryExport.js` (getNodesByIds), `views/try.ejs` (button + CSS), `db/analytics.js` (funnel stage).
→ /try
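The mapping rules in the entry above, as an added example (not the code in `services/mispExport.js`). The node shape, the `TYPE_MAP` keys, the function name, and the choice to give the event the most restrictive TLP among exported nodes are assumptions.

```javascript
// Added illustration, not services/mispExport.js. Node shape and names are assumptions.
const TLP_TO_DISTRIBUTION = { WHITE: 3, CLEAR: 3, GREEN: 2, AMBER: 1, RED: 0 };
const EXPORTABLE_TLP = new Set(['WHITE', 'GREEN']);
const TYPE_MAP = { // hypothetical node types -> MISP attribute type and category
  ipv4: { type: 'ip-dst', category: 'Network activity' },
  domain: { type: 'domain', category: 'Network activity' },
  cve: { type: 'vulnerability', category: 'External analysis' },
  actor: { type: 'threat-actor', category: 'Attribution' },
};

function buildMispEvent(nodes, info, now = new Date()) {
  // Drop anything above TLP:GREEN before building, and remember how many were dropped.
  const allowed = nodes.filter((n) => EXPORTABLE_TLP.has(n.tlp));
  const redacted = nodes.length - allowed.length;
  const mapped = allowed.filter((n) => TYPE_MAP[n.type]);
  // Assumption: the event carries the most restrictive TLP among exported nodes.
  const eventTlp = mapped.some((n) => n.tlp === 'GREEN') ? 'GREEN' : 'WHITE';
  const event = {
    info,
    date: now.toISOString().slice(0, 10),
    distribution: TLP_TO_DISTRIBUTION[eventTlp],
    Tag: [{ name: `tlp:${eventTlp.toLowerCase()}` }],
    Attribute: mapped.map((n) => ({
      ...TYPE_MAP[n.type],
      value: n.value,
      to_ids: n.confidence >= 0.7, // detection flag only at or above the 0.7 threshold
      Tag: [{ name: `tlp:${n.tlp.toLowerCase()}` }],
    })),
  };
  if (redacted > 0) {
    event.comment = `${redacted} result(s) redacted by TLP policy; pilot access: /pilot`;
  }
  return { Event: event };
}

// Constructed sample recall results (documentation-range values).
const SAMPLE_NODES = [
  { type: 'ipv4', value: '203.0.113.7', tlp: 'GREEN', confidence: 0.9 },
  { type: 'domain', value: 'example.org', tlp: 'WHITE', confidence: 0.5 },
  { type: 'actor', value: 'Example Actor', tlp: 'GREEN', confidence: 0.7 },
  { type: 'ipv4', value: '198.51.100.9', tlp: 'AMBER', confidence: 0.95 },
];
```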
Shipped a second input mode on `/try` that lets analysts paste their own IOC list and get evidence-backed recall. Collapsible panel below guided queries, opens on user click only (auto-demo guard). Textarea accepts up to 50 lines; each line parsed with a single regex pass (IPv4, IPv6, domain, URL, MD5, SHA1, SHA256, CVE, ATT&CK ID, email, filepath). Server-side: `tryDemoIocSearch()` runs a per-IOC UNION query against `kg_nodes.value`, `kg_nodes.aliases`, and `evidence_records.raw_content` (TLP:WHITE/GREEN only, active nodes only, read-only, no OpenAI call). TLP:AMBER/RED guard rejects classified markers with inline error + `try_ioc_tlp_rejected` analytics event. Truncation notice shown when >50 lines submitted. Empty results show a CTA card linking to `/pilot?utm_source=try_ioc_empty`. IOC submission counts as one query against the 10 qry/IP/hr rate limit. Analytics: `try_ioc_submitted` event with total_lines, parsed_count, matched_count, and truncated flag. `db/publicTry.js` + `routes/publicTry.js` + `views/try.ejs`.
→ /try
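A sketch of the paste-handling steps described above (TLP marker guard, 50-line cap, one combined regex per line), added here as an example and not taken from `db/publicTry.js`. The patterns are simplified assumptions, the IPv6 one in particular, and skipping blank lines before counting is also an assumption.

```javascript
// Added illustration, not db/publicTry.js. Patterns are simplified; the IPv6 one is loose.
const MAX_LINES = 50;
const TLP_GUARD = /\bTLP\s*:\s*(?:AMBER|RED)\b/i;
const PATTERNS = [ // order matters: most specific first, domain last
  ['url', String.raw`https?:\/\/\S+`],
  ['email', String.raw`[^\s@]+@[^\s@]+\.[a-z]{2,}`],
  ['ipv4', String.raw`(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)`],
  ['ipv6', String.raw`(?=.*:.*:)[0-9a-f:]{3,39}`],
  ['sha256', String.raw`[0-9a-f]{64}`],
  ['sha1', String.raw`[0-9a-f]{40}`],
  ['md5', String.raw`[0-9a-f]{32}`],
  ['cve', String.raw`CVE-\d{4}-\d{4,}`],
  ['attack', String.raw`T\d{4}(?:\.\d{3})?`],
  ['filepath', String.raw`(?:[a-z]:\\|\/)\S+`],
  ['domain', String.raw`(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}`],
];
// One anchored alternation with a named group per IOC type: a single pass per line.
const IOC_RE = new RegExp(
  '^(?:' + PATTERNS.map(([name, src]) => `(?<${name}>${src})`).join('|') + ')$', 'i');

function classify(line) {
  const m = IOC_RE.exec(line);
  if (!m) return null;
  const [type, value] = Object.entries(m.groups).find(([, v]) => v !== undefined);
  return { type, value };
}

function parseIocPaste(text) {
  // Reject the whole submission if it carries a restricted TLP marker.
  if (TLP_GUARD.test(text)) return { rejected: true, parsed: [] };
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const parsed = lines.slice(0, MAX_LINES).map(classify).filter(Boolean);
  return {
    rejected: false,
    totalLines: lines.length,
    truncated: lines.length > MAX_LINES, // drives the truncation notice
    parsed,
  };
}
```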
Published the flagship CTI architecture post: "Context Windows Don't Remember. Agents Need Real Memory." (~1,400 words). Covers the architectural difference between context windows (volatile RAM) and durable agent memory, the three CTI forgetting failure modes (analyst rotation, rediscovered TTP, Slack-to-case gap), token economics and recency bias with citations (Liu et al. 2023, Gamage 2026), the minimum viable capabilities table (provenance, confidence, TLP/CUI, AU-10 signed export, correction & merge, evidence linkage), a worked APT29 cross-session query example with CISA AA25-045A and MITRE ATT&CK T1014/T1562 references, and a stack complementarity table (OpenCTI, MISP, SIEM). Internal links to /try, /compare, /security, /pilot. Full OG + Twitter card meta. References: Liu et al. "Lost in the Middle" (2023), Gamage "Omission Constraints Decay" (2026), NIST 800-53 AU-10, MITRE ATT&CK T1014/T1562, CISA AA25-045A, TLP 2.0 (FIRST). Routes: routes/resources.js + views/resources/agent-memory-vs-context-windows.ejs.
→ /resources/agent-memory-vs-context-windows
May 2026
Shipped `/try` — public interactive recall demo. No signup required. Page pre-loads a read-only workspace seeded with APT29, Volt Typhoon, and HAFNIUM intelligence from public sources (apt-campaigns-2025 pack, ~39 nodes). Three clickable guided queries auto-run on page load. Free-form query box with TLP:AMBER/RED guard (10/hr per IP). Full trust surface on each result: evidence chips with IDs, confidence badge with color coding (high/medium/low), TLP badge, source URL, and a warning banner on sub-55% confidence results so the trust UX is visible to evaluators. CTA footer links to /pilot. New endpoint `POST /api/public/try/recall` (keyword search, rate-limited, audit-logged via public_demo_queries). `db/publicTry.js` + `routes/publicTry.js` + `views/try.ejs`. Linked from /pricing hero, /compare top nav, /mssp hero, /pilot above-fold. CSP-clean, no third-party scripts.
→ /try
Segment-specific landing page at `/mssp` targeting Managed Security Service Providers and Defense Industrial Base contractors. Hero: tenant-isolated threat memory pitch. Pain section covers analyst rotation, cross-tenant memory isolation, and per-tenant audit requirements. Feature section maps existing product capabilities (workspace=tenant boundary, TLP enforcement, write-once audit export, white-label pilot, per-tenant RBAC) to MSSP pain. Compat matrix for TheHive, Cortex, Tines, Splunk, Sentinel, Chronicle. DIB callout with honest FedRAMP phase 4 status and CUI handling controls. Intake form routes through existing pilot_applications pipeline with `source=mssp` tag and new `tenant_count` field. MSSP applicants render with a blue MSSP badge in `/admin/pilot-applications` + segment filter. Touch 2 nurture email swaps to MSSP-specific framing. PT-2 compliant: no Meta Pixel, no Google Fonts.
→ /mssp
Meta Pixel and all third-party CDN scripts removed from every authentication surface (`/auth/login`, `/forgot-password`, `/reset-password`, and related flows). Auth pages now load zero third-party assets. A strict Content-Security-Policy is enforced server-side on all `/auth/*` paths as defense-in-depth. CI gate #11 (`scripts/check-auth-trackers.js`) is wired into the Render build pipeline and blocks any re-introduction of trackers on every deploy — the build fails before the change ships if a tracker pattern is detected. FedRAMP Phase 4 finding PT-2 closed.
→ /security
Phase 4 finding PT-2 remediated. Google Fonts CDN removed from all four auth templates — authentication surfaces now load first-party assets only. Strict Content Security Policy on all `/auth/*` paths blocks tracker domains at the browser layer. CI gate #11 (`scripts/check-auth-trackers.js`) prevents re-introduction on every push. 47 assertions now cover auth surface isolation.
→ /security
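One way a build gate like the one in the two entries above can work, as an added example (not the contents of `scripts/check-auth-trackers.js`): scan each auth template for assets loaded from any host outside a first-party allowlist. The allowlisted host, template names and template text are constructed assumptions.

```javascript
// Added illustration, not scripts/check-auth-trackers.js. Host and templates are assumptions.
const FIRST_PARTY_HOSTS = new Set(['app.example.test']); // placeholder for the site's own host
// Asset-loading tags only; plain <a href> links do not fetch anything on page load.
const TAG_ASSET_RE =
  /<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']((?:https?:)?\/\/[^"'\s>]+)/gi;
// Absolute URLs pulled in from inline CSS (@import and url(...)).
const CSS_ASSET_RE = /(?:@import\s+|url\(\s*)["']?((?:https?:)?\/\/[^"')\s]+)/gi;

function findThirdPartyAssets(name, html) {
  const hits = [];
  for (const re of [TAG_ASSET_RE, CSS_ASSET_RE]) {
    for (const m of html.matchAll(re)) {
      // The base URL only resolves protocol-relative references such as //host/path.
      const host = new URL(m[1], 'https://base.invalid').hostname;
      if (!FIRST_PARTY_HOSTS.has(host)) hits.push({ template: name, host });
    }
  }
  return hits;
}

function runGate(templates) {
  const hits = Object.entries(templates)
    .flatMap(([name, html]) => findThirdPartyAssets(name, html));
  return { ok: hits.length === 0, hits };
}

// Constructed templates: one reintroduces a font CDN, one is clean.
const SAMPLE_TEMPLATES = {
  'login.ejs': `<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
    <script src="/js/login.js"></script>
    <a href="https://example.com/help">Help</a>`,
  'reset-password.ejs': `<link rel="stylesheet" href="/css/auth.css">
    <script src="https://app.example.test/js/reset.js"></script>`,
};
```

In a pipeline, the calling script would exit non-zero whenever `runGate(...).ok` is false so the deploy stops before the template ships.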
`GET /api/recall/sessions/:id/export.stix` returns a valid STIX 2.1 bundle built from your recall results. Bundle includes identity, TLP marking definitions, SDOs for all KG nodes, and SROs for edges. Confidence scores and TLP markings preserved end-to-end. Round-trip tested with OpenCTI and MISP. Schema validated via ajv — 422 on invalid bundle, not silent corruption. Audit-logged. No-auth demo export at `/api/public/demo-export.stix?q=`.
→ /integrations
Public `/integrations` page ships with a compatibility matrix (OpenCTI, MISP, Splunk, Sentinel, Elastic, TheHive, Cortex, Tines, Anomali) and tabbed code samples for REST, STIX 2.1, and webhook integrations. Includes Splunk HEC config, MISP feed subscription, and Sentinel Logic App examples. No login required.
→ /integrations
One-click seed of ~120 nodes, ~150 edges, ~45 evidence records across three major threat actor groups. `POST /api/admin/seed/demo-pack` with clean teardown. `demo-public` workspace auto-seeded on startup. Pilot page updated with seven richer recall chips. Pre-computed embeddings included so recall works without an OpenAI call.
Head-to-head comparison page covering evidence provenance, TLP enforcement, STIX 2.1 export, knowledge graph, and FedRAMP trajectory. Written for CTI engineers evaluating agentic memory options — not marketing copy. Includes a downloadable battle card PDF.
→ /compare/agent-memory
Pre-answered procurement questionnaire covering CAIQ-Lite v4 and SIG-Lite. Downloadable as a signed PDF (v1.0, 2026-05-28). Covers 125+ questions across identity, data handling, incident response, and supply chain. No login required — send directly to your CISO or procurement team.
→ /security/questionnaire
Full security trust page — FedRAMP assessment status, NIST 800-53 control families assessed, CI enforcement gates, data handling boundaries (what goes to OpenAI and what never does), sub-processor list, and performance commitments. Phases 0–3 complete; Phase 4 in progress. No compliance theater — honest about gaps.
→ /security
Eliminated blocking database calls from the landing page render path. Static assets now served with `Cache-Control: public, max-age=3600, stale-while-revalidate=86400`. Landing page, pricing, and security pages are fully static-renderable with no DB reads. p95 TTFB <100ms on static pages.
Account takeover controls shipped. Four failed login attempts trigger a 15-minute lockout per email+workspace — tracked in `login_attempts`, reset on success. Password reset via Postmark (single-use, 24h expiry, SHA-256 hashed tokens). Google OAuth and GitHub OAuth both live. Audit-logged. Session tracking with per-session revoke and revoke-all.
Dashboard ships with a full evidence panel: expand any recall result to see the provenance chain — source URL, raw content, TLP marking, confidence score, ingested_at. TLP:AMBER and TLP:RED results now render warning badges in the UI so analysts don't accidentally share restricted intelligence. Audit log export as CSV — write-once, tamper-evident, tenant-scoped.
Pricing page updated with Design Partner Pilot terms. Individual Researcher ($49/mo), Pro ($199/mo), Enterprise (contact). Pilot applicants get Pro-equivalent access with direct founder support. No auto-renewal, cancel any time. Clear record caps documented.
→ /pricing
`recall_sessions` table captures query context (query, mode, result_count, max_tlp, node_ids) for every recall. Enables the `recall_id → export.stix` round-trip. TLP:RED enforcement: sessions containing RED nodes require explicit analyst acknowledgment before export. Tenant-scoped, user-attributed.
Full memory correction workflow in the dashboard. Analysts can reject false positives (with reason + category), correct node fields, or merge duplicate nodes with field-level decisions. Every correction snapshots the pre-change state in `memory_versions`. 24-hour rollback window — admin rollback at `/api/admin/rollback-correction/:id`. Write-once audit trail.
Batch ingest pipeline with pre-commit staging. Entities are extracted, proposed TLP/confidence assigned, and staged for review before commit to the knowledge graph. Duplicate detection surfaces merge candidates. Analysts accept, reject, or merge per-entity. `ingest_batches` + `ingest_staging` tables track full commit/rollback history.