Competitive Analysis

ThreatRecall is memory for agentic SOCs.

We don't replace OpenCTI, MISP, or your SIEM.
We make sure your AI agents and analysts remember what you already know — with evidence.

ThreatRecall vs. general-purpose agent memory

Mem0 (~48K stars), Letta (~21K stars), and Nerve are genuinely good products for general AI state. None of them has TLP enforcement, evidence provenance, signed audit logs, or a CTI-specific data model. Those aren't missing features; they were never in scope. (1)(2)

Capability                                            | ThreatRecall                       | Mem0 / Letta / Nerve (~ = partial support)
------------------------------------------------------|------------------------------------|------------------------------------------------------------------------------
TLP / CUI enforcement                                 | AMBER/RED never reaches the LLM    | no
Evidence required on recall                           | every answer cites source records  | no
Provenance + confidence on every memory               | yes                                | ~ vector retrieval, no provenance; ~ memory versioning, no source tracking
Signed audit log export (CSV + JSONL)                 | yes                                | no
STIX 2.1 round-trip (ingest + export)                 | yes                                | no
Deployable on-prem / VPC (air-gapped)                 | yes                                | ~ self-hosted available
FedRAMP-aligned SDLC                                  | 9 CI gates, Phase 0–3 complete     | no
CTI data model (actor / TTP / CVE / IOC / kill chain) | yes                                | no
Memory correction (reject / merge / correct)          | yes                                | ~ self-editing agents, no correction UI
Multi-tenant RBAC (admin / analyst / readonly / audit)| yes                                | ~ basic roles, no memory-level ACLs

Key differentiators

What general agent memory tools don't do — that SOC teams need

  • No TLP mechanism: AMBER/RED data goes to the LLM like any other record
  • No evidence linking: answers carry no source records or confidence scores
  • No audit export: analyst actions can't be reconstructed for incident review
  • No CTI data model: actors, TTPs, CVEs, and IOCs require custom adapters
  • No memory-level RBAC: no distinct analyst, read-only, and audit access to memory
  • No memory correction UI: wrong facts can't be flagged, corrected, or rolled back

Sources: (1) mem0.ai/docs, verified May 2026. (2) letta.com/docs, verified May 2026. (3) nerve.zone, verified May 2026. The ThreatRecall column reflects current production capabilities.
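What the TLP, evidence, and signed-audit rows of the table above amount to in code, as an added illustration. This is not ThreatRecall's implementation: the memory records, the "Actor X" label, the documentation-range IP, the keyword matcher, and the HMAC key are all constructed for the demo. Recall checks every memory against the TLP ceiling of the sink that will read it, so an LLM context cleared for GREEN never receives AMBER or RED text; every released statement carries its source record and confidence; and each query is appended to a hash-chained, HMAC-signed JSONL audit log whose verification fails if any line is edited or removed.

```python
"""TLP-gated recall with evidence citations and a tamper-evident audit log.

Added illustration for this page, not ThreatRecall's code. Memory records,
TLP labels, the keyword matcher and the HMAC key are all constructed for the
demo; a real deployment would use proper retrieval and a KMS-held key.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# TLP 2.0 levels, least to most restrictive (CLEAR replaced WHITE in TLP 2.0).
TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}


@dataclass(frozen=True)
class Memory:
    id: str
    text: str
    tlp: str
    source: str        # provenance: the record this fact was derived from
    confidence: float  # analyst/feed confidence, 0.0 to 1.0


# Constructed sample memories (hypothetical actor, documentation-range IP).
STORE = [
    Memory("m1", "Actor X delivered ISO lures in Q1", "GREEN", "internal-report-41", 0.8),
    Memory("m2", "Actor X beacon seen at 203.0.113.7 by a partner", "AMBER", "partner-feed-07", 0.6),
    Memory("m3", "Actor X victim identity recorded in case 1247", "RED", "case-1247", 0.9),
]


def releasable(mem: Memory, ceiling: str) -> bool:
    """A memory may reach a sink only if its TLP is at or below the sink's ceiling."""
    return TLP_RANK[mem.tlp] <= TLP_RANK[ceiling]


def recall(query: str, ceiling: str, store=STORE) -> dict:
    """Return matching memories the sink is cleared for, each with its evidence.

    Matches above the ceiling are withheld; only their ids are reported, so the
    audit trail shows that something was held back without leaking its content.
    """
    hits = [m for m in store if query.lower() in m.text.lower()]  # toy matcher
    released = [m for m in hits if releasable(m, ceiling)]
    return {
        "ceiling": ceiling,
        "statements": [m.text for m in released],
        "evidence": [
            {"id": m.id, "source": m.source, "confidence": m.confidence, "tlp": m.tlp}
            for m in released
        ],
        "withheld": [m.id for m in hits if not releasable(m, ceiling)],
    }


def llm_context(result: dict) -> str:
    """Build the text handed to an LLM; every line carries its evidence id."""
    return "\n".join(
        f"[{e['id']} {e['source']} conf={e['confidence']}] {s}"
        for s, e in zip(result["statements"], result["evidence"])
    )


class AuditLog:
    """Hash-chained, HMAC-signed JSONL: each line commits to the previous one."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev = "0" * 64
        self.lines: list[str] = []

    @staticmethod
    def _canon(obj) -> str:
        return json.dumps(obj, sort_keys=True, separators=(",", ":"))

    def record(self, actor: str, query: str, result: dict) -> str:
        entry = {
            "actor": actor, "query": query, "ceiling": result["ceiling"],
            "released": [e["id"] for e in result["evidence"]],
            "withheld": result["withheld"], "prev": self._prev,
        }
        mac = hmac.new(self._key, self._canon(entry).encode(), hashlib.sha256).hexdigest()
        line = self._canon({"entry": entry, "mac": mac})
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return line

    def verify(self) -> bool:
        """Recompute every MAC and chain link; any edit, insertion or deletion fails."""
        prev = "0" * 64
        for line in self.lines:
            rec = json.loads(line)
            expected = hmac.new(self._key, self._canon(rec["entry"]).encode(),
                                hashlib.sha256).hexdigest()
            if rec["entry"]["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


if __name__ == "__main__":
    log = AuditLog(key=b"demo-key-replace-with-kms-managed-secret")
    res = recall("Actor X", ceiling="GREEN")  # LLM sink cleared for GREEN only
    log.record("analyst@example", "Actor X", res)
    print(llm_context(res))  # m1 only; m2 (AMBER) and m3 (RED) are withheld
    print("withheld:", res["withheld"])
    print("audit ok:", log.verify())
```

The ceiling is a property of the sink, not the user: an LLM whose output may be pasted into a ticket or shared with a partner gets the lowest ceiling of anyone who could read that output, and an analyst cleared for RED still only passes GREEN material into that context. Withheld ids go into the audit line so a reviewer can see that a recall was incomplete without the log itself becoming a RED-bearing artifact.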

ThreatRecall complements your existing stack

We are a memory layer — not a replacement. ThreatRecall sits alongside OpenCTI, MISP, and your SIEM to make sure everything you already know is reachable with evidence, not just storable.

OpenCTI (threat intel platform)
  What it does: STIX 2.1 graph store, manual analysis, enrichment pipelines, analyst workflows
  What we add: an AI recall interface ("what do we know about APT29's supply chain TTPs?") backed by evidence, with session history and an audit trail per query
  How they connect (see integration docs): STIX 2.1 ingest plus bidirectional REST; recall results export as a STIX bundle back to OpenCTI

MISP (threat sharing)
  What it does: decentralized threat sharing, event feeds, sharing groups, tag-based distribution
  What we add: session memory and query history across all shared events, multi-tenant recall with evidence provenance, and an audit log that reconstructs what was shared and when
  How they connect (see integration docs): pull-based feed ingest and event publish hooks; STIX export for re-sharing enriched intel

Splunk (SIEM)
  What it does: log ingestion, correlation searches, alert triage, forensic dashboards
  What we add: context on IOCs surfacing in Splunk ("this IP appeared in APT29 intel last month; here's the evidence"). Notable-event webhooks trigger recall, and event data moves over HEC
  How they connect (see integration docs): HEC ingest (beta), webhook on notable events, STIX export for Splunk enrichment

Microsoft Sentinel (SIEM)
  What it does: cloud SIEM, Azure-native log correlation, SOC automation (Logic Apps, playbooks)
  What we add: recall on incident creation ("what do we know about this anomaly?"), with enriched context written back to the Sentinel incident as analyst comments
  How they connect (see integration docs): Logic Apps trigger on incident creation, Microsoft Entra ID (Azure AD) auth, incident comment write-back

TheHive (case management)
  What it does: case management, alert triage, analyst assignment, playbook workflows
  What we add: memory for each case ("what did we learn in case #1247 about FIN7's beacon infra?"), with recall context embedded in case timelines
  How they connect (see integration docs): webhook on case creation (beta), STIX export for case IOCs

When NOT to use ThreatRecall

We win by being honest about what we are and aren't. If you need one of the tools below, ThreatRecall is not it. Pointing you elsewhere early earns the trust that closes pilots.

You need a SIEM. ThreatRecall doesn't ingest raw logs, build dashboards, or run correlation searches. For log analysis and detection, use Splunk, Sentinel, Elastic, or Chronicle. ThreatRecall adds context on top — it doesn't replace the data pipeline.
You need a finished intelligence feed. ThreatRecall is a memory layer, not an intel feed. For subscription-based finished intelligence, look at Recorded Future, Mandiant, or Eclypsium. We help you reason over what you've already collected — not replace external expertise.
You need a ticketing / case management system. ThreatRecall doesn't assign tasks, track SLAs, or manage analyst queues. Use TheHive, Jira, ServiceNow, or Defender XDR for workflow. We layer on top: "what do we already know about this case?"
You need compliance automation. ThreatRecall has audit logs and a FedRAMP-aligned SDLC, but it doesn't run compliance checks, produce evidence packages, or automate NIST/CIRC requirements. Use Drata, Vanta, or Secureframe for continuous compliance. ThreatRecall can be queried by your compliance tooling; it does not replace it. Our security posture page is public if you need it for procurement.
You need a knowledge base for general Q&A. ThreatRecall is built for CTI — actors, TTPs, IOCs, CVEs, and the relationships between them. For general internal wiki / HR / IT support Q&A, look at Guru, Notion AI, or Confluence. We are not a general-purpose knowledge base.

See it work in your stack.

Design Partner Pilots run 30 days, no charge. You keep the data.

Questions first? support@threatengram.com