Tenant-isolated threat memory.
One platform, N customers.
Your analysts manage multiple customer environments. ThreatRecall keeps each tenant's threat memory isolated at the row level — while letting each tenant's knowledge compound over time. It complements OpenCTI / MISP per tenant; it does not replace them.
Three failure modes that cost MSSPs clients
- Analyst rotation destroys per-tenant context. Your Tier 1 analyst spends weeks building a mental model of Client A's environment — their unique threat profile, recurring actor patterns, past incidents. They leave. The next Tier 1 re-learns everything from scratch. Every time. The client notices.
- Cross-tenant memory sharing is legally untenable — but siloing everything wastes institutional knowledge. You can't share Client A's threat context with Client B. But you can let each tenant's own memory compound across your analysts — so the new hire picking up Client A's queue inherits everything the previous analyst built.
- Audit exports must be per-tenant, signed, and defensible to the customer's own auditors. When Client C's CISO asks for an audit trail of every action taken on their data, you need a per-tenant, cryptographically immutable export — not a screen recording and a prayer.
Concrete mappings to shipped product features
Workspace = Tenant Boundary
Every customer gets a workspace. Row-level security enforces tenant isolation at the DB layer — not the UI layer. A malformed query cannot leak cross-tenant data. Each tenant's knowledge graph, audit log, and recall index is fully scoped to their workspace.
TLP Enforcement as Defense-in-Depth
TLP:AMBER and TLP:RED memory is never sent to the LLM — enforced at the query layer, not the UI. Even if an analyst runs a recall query scoped to the wrong workspace, AMBER/RED content is stripped before the LLM sees it. Zero cross-tenant leakage even under misconfiguration.
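A sketch of a query-layer TLP gate like the one described above, added here as an illustration; it is not ThreatRecall's code. The `MemoryNode` fields, function names and sample rows are assumptions. It uses an allow-list, so a missing or unrecognised label is withheld along with AMBER and RED.

```python
# Added illustration, not ThreatRecall code. All names here are assumptions.
from dataclasses import dataclass
from typing import Optional

# Only labels on this allow-list may reach the model. Anything else,
# including a missing, misspelled or future label, is treated as restricted.
LLM_SAFE_TLP = {"TLP:CLEAR", "TLP:WHITE", "TLP:GREEN"}

@dataclass(frozen=True)
class MemoryNode:
    node_id: str
    workspace_id: str
    tlp: Optional[str]
    text: str

def normalize_tlp(label):
    """Return a canonical 'TLP:X' string, or None if the label is unusable."""
    if not isinstance(label, str):
        return None
    label = label.strip().upper().replace(" ", "")
    return label if label.startswith("TLP:") else "TLP:" + label

def llm_context(nodes, workspace_id):
    """Split recall results into (sendable, withheld) for one workspace."""
    sendable, withheld = [], []
    for n in nodes:
        in_scope = n.workspace_id == workspace_id
        safe = normalize_tlp(n.tlp) in LLM_SAFE_TLP
        (sendable if in_scope and safe else withheld).append(n)
    return sendable, withheld

def build_prompt(question, nodes, workspace_id):
    """Build the LLM prompt from sendable nodes; also return withheld ids."""
    sendable, withheld = llm_context(nodes, workspace_id)
    context = "\n".join(f"[{n.node_id}] {n.text}" for n in sendable)
    return f"Context:\n{context}\n\nQuestion: {question}", [n.node_id for n in withheld]

# Constructed sample recall results, including a wrongly scoped row (n5).
SAMPLE = [
    MemoryNode("n1", "client-a", "TLP:GREEN", "Phishing kit reused across campaigns"),
    MemoryNode("n2", "client-a", "tlp:amber", "Internal host naming scheme"),
    MemoryNode("n3", "client-a", "TLP:AMBER+STRICT", "IR retainer contact details"),
    MemoryNode("n4", "client-a", None, "Unlabelled analyst note"),
    MemoryNode("n5", "client-b", "TLP:CLEAR", "Public advisory summary"),
    MemoryNode("n6", "client-a", "red", "Active investigation notes"),
]
```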
Per-Tenant Audit Export
Write-once audit logs (DB triggers block UPDATE/DELETE). Export as CSV or JSON with immutable event UUIDs. Every recall, ingest, correction, and login is logged with user, IP, user-agent, and TLP context. Scoped per tenant — Client A's auditor gets Client A's log only.
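The write-once pattern described above, shown as an added example with SQLite standing in for the database, which the page does not name. This is not ThreatRecall's schema: the table, column and function names are assumptions.

```python
# Added illustration, not ThreatRecall code. Schema and names are assumptions.
import json
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE audit_log (
    event_id     TEXT PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    actor        TEXT NOT NULL,
    action       TEXT NOT NULL,
    source_ip    TEXT NOT NULL,
    tlp          TEXT NOT NULL,
    logged_at    TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ','now'))
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is write-once'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is write-once'); END;
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def log_event(db, workspace_id, actor, action, source_ip, tlp):
    event_id = str(uuid.uuid4())  # immutable identifier carried into exports
    db.execute(
        "INSERT INTO audit_log (event_id, workspace_id, actor, action, source_ip, tlp)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (event_id, workspace_id, actor, action, source_ip, tlp))
    return event_id

def tamper_blocked(db, sql, params=()):
    """True if the statement is rejected by the write-once triggers."""
    try:
        db.execute(sql, params)
    except sqlite3.DatabaseError as exc:
        return "write-once" in str(exc)
    return False

def export_tenant(db, workspace_id):
    """JSON export containing only the rows of one workspace."""
    cur = db.execute(
        "SELECT * FROM audit_log WHERE workspace_id = ? ORDER BY rowid", (workspace_id,))
    cols = [c[0] for c in cur.description]
    return json.dumps([dict(zip(cols, row)) for row in cur.fetchall()])
```

A trigger only binds roles that cannot drop it, so in a real deployment the application role also needs UPDATE, DELETE and DDL rights on the table withheld.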
White-Label Pilot Available
Your customer sees your brand, not ours. White-label is available on all MSSP pilot agreements — your logo, your domain, your customer relationship. Bring it up in the intake call and we'll scope it.
Per-Tenant RBAC + TOTP
Each workspace has independent role assignments (admin, analyst, readonly, audit). TOTP second factor with per-tenant enforcement. Your lead analyst can be admin in Client A's workspace and readonly in Client B's — no config bleed.
Compounding Memory, Not Reset
Each new analyst on a client account inherits the full recall history built by previous analysts. Natural language recall + knowledge graph means institutional memory survives rotation. Client A's threat context compounds over years, not resets every 6 months.
Tools MSSPs actually run
ThreatRecall sits next to your existing stack — it's a memory layer, not a replacement.
| Platform | Integration method | MSSP pattern |
|---|---|---|
| TheHive | REST + STIX 2.1 export | Export recall results as STIX bundles; import TheHive observables as KG nodes |
| Cortex | Responder webhook | Push Cortex analyzer results into ThreatRecall as evidence records |
| Tines | REST API + webhook events | Tines story → ingest CTI nodes on new case; recall results → enrich Tines payload |
| Splunk | HEC + STIX 2.1 | Push Splunk notable events as evidence; export recall as Splunk-ingestible STIX bundles |
| Microsoft Sentinel | Logic App + REST | Sentinel incident trigger → recall query → enrich incident with structured memory |
| Chronicle / Google SecOps | REST API | Pull IOCs from ThreatRecall recall API; push Chronicle detections as KG edges |
FedRAMP posture + CUI handling
🛡️ FedRAMP Phase 4 in progress. Honest: no ATO yet.
We are in active FedRAMP Moderate assessment. Phases 0–3 are complete. Phase 4 (Authorization) is in progress. We are not yet authorized — do not represent us that way to your CISO or contracting officer. Post-Seed milestone.
CUI handling: No CUI, TLP:AMBER, or TLP:RED content is ever sent to OpenAI. This is enforced at the query layer — AMBER/RED nodes are stripped before any LLM call. Documented in the CAIQ-Lite v4 + SIG-Lite questionnaire.
SDLC Policy v1.2 is enforced via 9 CI gates on every push. Bi-weekly cadence. 9 CI gates · FedRAMP-aligned roles (admin/analyst/readonly/audit) · write-once audit logs · TOTP-enforced sessions.
MSSP pricing is per-tenant with volume tiers
Pilot terms
- 90 days, no charge
- Same terms as our direct pilot — no MSSP surcharge
- White-label optional — your brand, your customer
- Design-partner pricing locked at close
- Full data export on exit — no lock-in, per tenant
Production pricing
- Per-tenant pricing with volume tiers at 5+, 20+, 50+ tenants
- Enterprise contract for 20+ tenants — contact us
Start an MSSP pilot
90 days, no charge, white-label optional. We review every application personally. You'll hear back within 1 business day.