Design Partner Program

Agentic Memory for
CTI & OSINT.

Persistent, auditable recall across investigations — so your agents and analysts stop re-deriving what they already knew. Complements OpenCTI, MISP, and your SIEM. Doesn't replace them. Evidence-backed recall. Signed audit logs. TLP-aware memory. Export everything on exit.

Why SOC memory fails

  • 🔁 Teams re-derive what they already knew. Every shift, analysts reconstruct context from scratch — the same actor, the same TTP, worked three months ago by someone who left.
  • 🗃️ OpenCTI, MISP, and SIEM don't remember. They store. They don't answer "what do we know about this actor and how confident are we?" without an analyst writing SQL.
  • 📉 Analyst turnover destroys institutional memory. When a senior analyst leaves, their mental model of your threat landscape leaves with them.
  • 🤖 Agents need durable, evidence-backed recall. Agentic SOC workflows stall when the memory layer can't tell them where a claim came from or how confident it is.

What you can do on Day 1

The pilot scope is fixed. These 10 capabilities are live, tested, and ready. No roadmap promises.

01 Natural language recall — ask "what do we know about APT29 lateral movement?" and get structured, evidence-backed results
02 Knowledge graph — visualize actor→TTP→CVE→IOC causal chains with confidence scores and source provenance
03 Structured IR — incident records with severity, status, analyst attribution, and linked evidence
04 Ingest pipeline — import CTI as STIX-compatible nodes with TLP classification, confidence scoring, and duplicate detection
05 Evidence panel — per-recall-result collapsible panel showing source, confidence bar, TLP badge, ISO timestamp, and linked evidence IDs
06 Memory correction — reject, merge, or correct any memory node; full version history; admin rollback within 24h
07 Signed audit log — write-once, export as CSV + JSON; immutable event IDs for every action; ready for incident review
08 TLP-scoped access — AMBER/RED memory never sent to LLM; tenant context bar shows active TLP scope per session
09 MCP server + LangChain adapter — plug ThreatRecall memory into Claude Desktop, Claude Code, or any LangChain agent
10 Full data export on exit — every node, edge, evidence record, and audit log exported as JSON/CSV; you own the data

Built for analyst accountability

This is the part most CTI tools skip. Every claim is traceable. Every action is logged. Nothing sensitive touches the LLM.

🔍 Evidence Panel

Every recall result has a collapsible panel: source URL, confidence bar (0–1), TLP badge, ISO timestamp, linked evidence IDs. Low-confidence (<0.6) and AMBER/RED items get warning badges. Copy-to-clipboard for analyst tickets.

📋 Signed Audit Log

Write-once DB triggers block any UPDATE or DELETE on audit_logs. Export as CSV or JSON with immutable event UUIDs. Every action — recall, ingest, correction, login — is logged with user, IP, user-agent, and TLP context.
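As an added illustration of the write-once pattern described above (not ThreatRecall's own code or schema), the following standard-library Python example builds an audit_logs table whose triggers reject every UPDATE and DELETE at the database layer, signs each row with an HMAC so off-database tampering is detectable, and exports the log as JSON and CSV. The column set mirrors the fields the page lists (user, IP, user-agent, TLP context, immutable event UUID); the table layout, the signing key and the signing scheme are assumptions.

```python
"""Write-once, signed audit log on sqlite3 (standard library only).
Constructed example: the columns mirror the fields the page lists, but the
layout and the HMAC signing scheme are assumptions, not ThreatRecall's schema."""
import csv
import hashlib
import hmac
import io
import json
import sqlite3
import uuid
from datetime import datetime, timezone

# Assumption: a per-deployment signing key held outside the database
# (a KMS or HSM in practice). Placeholder value for this example only.
SIGNING_KEY = b"placeholder-signing-key-do-not-use"

COLUMNS = ("event_id", "ts", "action", "username", "ip", "user_agent", "tlp", "detail")

SCHEMA = """
CREATE TABLE audit_logs (
    event_id   TEXT PRIMARY KEY,  -- immutable UUID per event
    ts         TEXT NOT NULL,     -- ISO-8601 UTC timestamp
    action     TEXT NOT NULL,     -- recall / ingest / correction / login
    username   TEXT NOT NULL,
    ip         TEXT NOT NULL,
    user_agent TEXT NOT NULL,
    tlp        TEXT NOT NULL,     -- TLP scope active for the session
    detail     TEXT NOT NULL,     -- JSON payload
    signature  TEXT NOT NULL      -- HMAC-SHA256 over the canonical row
);
-- Write-once: the database itself rejects UPDATE and DELETE, whatever
-- application code path issues them.
CREATE TRIGGER audit_logs_no_update BEFORE UPDATE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is write-once'); END;
CREATE TRIGGER audit_logs_no_delete BEFORE DELETE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is write-once'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def sign(row: dict) -> str:
    """HMAC over a canonical JSON form of the row, so field order cannot matter."""
    canonical = json.dumps({k: row[k] for k in COLUMNS}, sort_keys=True, separators=(",", ":"))
    return hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def log_event(conn, action, username, ip, user_agent, tlp, detail: dict) -> str:
    """Append one event and return its immutable event_id."""
    row = {
        "event_id": str(uuid.uuid4()),
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action, "username": username, "ip": ip,
        "user_agent": user_agent, "tlp": tlp,
        "detail": json.dumps(detail, sort_keys=True),
    }
    row["signature"] = sign(row)
    with conn:
        conn.execute(
            "INSERT INTO audit_logs VALUES (:event_id, :ts, :action, :username, "
            ":ip, :user_agent, :tlp, :detail, :signature)", row)
    return row["event_id"]


def _rows(conn) -> list:
    cols = COLUMNS + ("signature",)
    query = f"SELECT {', '.join(cols)} FROM audit_logs ORDER BY ts, event_id"
    return [dict(zip(cols, r)) for r in conn.execute(query)]


def verify_all(conn) -> list:
    """event_ids whose stored signature no longer matches their content, which
    catches edits made outside SQL that the triggers never see."""
    return [r["event_id"] for r in _rows(conn)
            if not hmac.compare_digest(sign(r), r["signature"])]


def try_tamper(conn, event_id: str) -> tuple:
    """Attempt an UPDATE and a DELETE; return (update_blocked, delete_blocked)."""
    outcome = []
    for stmt in ("UPDATE audit_logs SET username = 'nobody' WHERE event_id = ?",
                 "DELETE FROM audit_logs WHERE event_id = ?"):
        try:
            conn.execute(stmt, (event_id,))
            conn.commit()
            outcome.append(False)
        except sqlite3.DatabaseError:   # RAISE(ABORT) from the trigger lands here
            conn.rollback()
            outcome.append(True)
    return tuple(outcome)


def export_json(conn) -> str:
    return json.dumps(_rows(conn), indent=2)


def export_csv(conn) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS + ("signature",))
    writer.writeheader()
    writer.writerows(_rows(conn))
    return buf.getvalue()


if __name__ == "__main__":
    db = open_audit_db()
    eid = log_event(db, "recall", "alice", "203.0.113.7", "Mozilla/5.0", "TLP:GREEN",
                    {"query": "APT29 lateral movement"})
    print("tamper blocked (update, delete):", try_tamper(db, eid))
    print("signature failures:", verify_all(db))
    print(export_csv(db))
```

The triggers stop in-band modification; the per-row HMAC is what lets an incident reviewer prove that an exported log matches what was written, since a trigger cannot protect a database file that is edited directly.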

🔒 TLP-Aware Memory

Memory nodes carry a TLP level: TLP:GREEN, TLP:AMBER, or TLP:RED. AMBER and RED nodes are never sent to the LLM for embedding or recall. Strict separation is enforced at the query layer, not the UI layer.
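The following added example (not ThreatRecall code) shows what enforcing that separation in the query layer rather than the UI looks like, and it also produces the evidence-panel badges described under "Evidence Panel" above (confidence below 0.6 and AMBER/RED items flagged). Two ceilings are applied in one place: the session's TLP scope bounds what the analyst sees, and a fixed GREEN ceiling bounds what reaches the model. The session-scope rule, the TLP:CLEAR and TLP:AMBER+STRICT levels from TLP 2.0, the node fields and the sample nodes are assumptions.

```python
"""Query-layer TLP gate and evidence-panel badges for recall results.
Constructed example: thresholds follow the page (confidence < 0.6 flagged,
AMBER/RED never reach the LLM); the session-scope rule, the extra TLP 2.0
levels and the node layout are assumptions."""
from dataclasses import dataclass

TLP_RANK = {"TLP:CLEAR": 0, "TLP:GREEN": 1, "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4}
LLM_CEILING = "TLP:GREEN"   # highest level that may be embedded or summarised by the model
LOW_CONFIDENCE = 0.6


@dataclass(frozen=True)
class MemoryNode:
    node_id: str
    text: str
    tlp: str
    confidence: float
    source: str
    ts: str
    evidence_ids: tuple = ()


class TLPViolation(RuntimeError):
    pass


def _rank(tlp: str) -> int:
    if tlp not in TLP_RANK:          # unknown label: fail closed rather than leak
        raise TLPViolation(f"unknown TLP label {tlp!r}")
    return TLP_RANK[tlp]


def within_scope(nodes, ceiling: str) -> list:
    return [n for n in nodes if _rank(n.tlp) <= _rank(ceiling)]


def llm_visible(nodes) -> list:
    """The only function through which nodes may reach an embedding or LLM call."""
    return within_scope(nodes, LLM_CEILING)


def build_llm_context(nodes) -> str:
    visible = llm_visible(nodes)
    # Defence in depth: re-check immediately before serialisation.
    if any(_rank(n.tlp) > _rank(LLM_CEILING) for n in visible):
        raise TLPViolation("restricted node reached LLM context")
    return "\n".join(f"[{n.node_id}] ({n.tlp}, conf={n.confidence:.2f}) {n.text}"
                     for n in visible)


def badges(node: MemoryNode) -> list:
    out = [node.tlp]
    if node.confidence < LOW_CONFIDENCE:
        out.append("WARN:LOW_CONFIDENCE")
    if _rank(node.tlp) >= _rank("TLP:AMBER"):
        out.append("WARN:RESTRICTED")
    return out


def evidence_panel(node: MemoryNode) -> dict:
    """Per-result panel: source, confidence, TLP, timestamp, evidence IDs, badges."""
    return {"node_id": node.node_id, "source": node.source, "confidence": node.confidence,
            "tlp": node.tlp, "timestamp": node.ts,
            "evidence_ids": list(node.evidence_ids), "badges": badges(node)}


def recall(nodes, query: str, session_scope: str) -> dict:
    """Analyst recall. The session scope bounds what the analyst sees; the LLM
    ceiling bounds what the model sees. Both checks live here, so no UI
    component can widen either of them."""
    q = query.lower()
    hits = [n for n in within_scope(nodes, session_scope) if q in n.text.lower()]
    return {"results": [evidence_panel(n) for n in hits],
            "llm_context": build_llm_context(hits)}


# Constructed sample memory (not real intelligence).
SAMPLE_NODES = (
    MemoryNode("n1", "Public report summarising APT29 lateral movement tradecraft",
               "TLP:GREEN", 0.82, "https://example.invalid/report-1",
               "2025-01-10T09:00:00Z", ("ev-101",)),
    MemoryNode("n2", "Internal case: APT29 lateral movement seen on one engineering host",
               "TLP:AMBER", 0.90, "case-4711", "2025-02-02T14:30:00Z", ("ev-220", "ev-221")),
    MemoryNode("n3", "Unconfirmed vendor blog claim about APT29 lateral movement",
               "TLP:GREEN", 0.45, "https://example.invalid/blog-7", "2025-03-15T08:00:00Z"),
    MemoryNode("n4", "Client contract terms for the incident retainer",
               "TLP:RED", 0.95, "contract-db", "2025-03-20T10:00:00Z"),
)

if __name__ == "__main__":
    out = recall(SAMPLE_NODES, "lateral movement", session_scope="TLP:AMBER")
    for r in out["results"]:
        print(r["node_id"], r["badges"])
    print("--- sent to LLM ---")
    print(out["llm_context"])
```

With an AMBER session the analyst sees n1, n2 and n3 with their badges, while the model's context contains only n1 and n3; an unknown TLP label raises rather than passing through, which is the fail-closed behaviour a query-layer gate needs.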

✏️ Memory Correction

Reject (with category + reason), correct (snapshot version history — prior state never destroyed), or merge (side-by-side diff, per-field winner selection). Admin rollback queue within 24h window.

🏢 Tenant Context Bar

Persistent header on every page: workspace name + short ID, color-coded role badge, active TLP scope with lock icon for AMBER/RED, environment badge. Cmd+K workspace switcher rotates the session JWT without page reload.

🔑 RBAC + TOTP

FedRAMP roles: admin, analyst, readonly, audit. TOTP second factor with per-tenant enforcement. Per-session revoke and revoke-all. Login lockout after 4 failures.
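As an added example of the second factor and lockout behaviour listed above (not ThreatRecall's implementation), the following standard-library Python implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, one step of drift tolerance) and a guard that locks an account after four consecutive failures, the count the page states. The 15-minute lock duration, the per-user `totp_required` flag standing in for per-tenant enforcement, the PBKDF2 password store and the sample user are assumptions; role checks are not modelled.

```python
"""TOTP second factor (RFC 6238) with lockout after four consecutive failures.
Constructed example, standard library only. The lock duration, the
totp_required flag and the sample user store are assumptions."""
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 4            # from the page: lockout after 4 failures
LOCKOUT_SECONDS = 15 * 60   # assumption: the page gives no duration
STEP = 30                   # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    return hotp(secret, for_time // STEP, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift).
    Constant-time compare so timing does not reveal how many digits matched."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts consecutive failures per username and locks after MAX_FAILURES."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # username -> consecutive failure count
        self.locked_until = {}  # username -> unix time at which the lock expires

    def is_locked(self, username: str) -> bool:
        return self.locked_until.get(username, 0) > self.clock()

    def record_failure(self, username: str) -> None:
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


# Constructed user store. The TOTP secret is the RFC 6238 test-vector key,
# so the expected codes can be checked against the RFC's table.
_SALT = b"constructed-salt"
USERS = {
    "alice": {"role": "analyst", "salt": _SALT,
              "pw_hash": hash_password("correct horse", _SALT),
              "totp_required": True, "totp_secret": b"12345678901234567890"},
}
_DUMMY_HASH = hash_password("dummy", _SALT)   # keeps unknown-user timing similar


def attempt_login(guard: LoginGuard, users: dict, username: str,
                  password: str, code: str, now: int) -> str:
    """Return 'locked', 'denied' or 'ok'. The lock check runs first, so a
    locked account triggers no password or TOTP work at all."""
    if guard.is_locked(username):
        return "locked"
    user = users.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt), expected) and user is not None
    if ok and user["totp_required"]:
        ok = verify_totp(user["totp_secret"], code, now)
    if not ok:
        guard.record_failure(username)
        return "denied"
    guard.record_success(username)
    return "ok"


if __name__ == "__main__":
    guard = LoginGuard()
    now = int(time.time())
    print(attempt_login(guard, USERS, "alice", "wrong", "000000", now))
    print(attempt_login(guard, USERS, "alice", "correct horse",
                        totp(USERS["alice"]["totp_secret"], now), now))
```

A wrong password and a wrong TOTP code both count toward the same failure total, and the guard returns a distinct "locked" result without touching credentials, which is what lets the audit log record lockouts separately from ordinary denials.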

FedRAMP Moderate — assessment in progress

We are in active FedRAMP Moderate assessment. Phases 0–3 are complete. We are not authorized — do not represent us that way to your CISO. What we can say: the SDLC Policy v1.2 is enforced via 9 CI gates on every push, and the control implementation work is on a bi-weekly cadence.

Assessment phases
Phase 0 — Initiation ✓ Phase 1 — Documentation ✓ Phase 2 — Testing ✓ Phase 3 — SAR ✓ Phase 4 — Authorization (in progress)
9 CI gates enforced · SDLC Policy v1.2 · bi-weekly cadence · not yet authorized

What you get. What we ask.

What you get

  • 30 days, no charge (current cohort — the Q3 2026 launch moves new sign-ups to a 90-day / $5,000 paid program; see pilot terms)
  • Design-partner pricing locked at end of pilot
  • Weekly 30-minute sync with the founder
  • Full export of all data + audit logs on exit — no lock-in
  • Direct influence on the roadmap

What we ask

  • 1 named CTI or SOC lead as primary contact
  • Non-sensitive or sample CTI for the first 2 weeks
  • Written feedback at days 7, 14, and 30

Try it now. Ask ThreatRecall anything.

APT29 + FIN7 + Lazarus — ~120 nodes, ~150 edges, TLP enforcement. Evidence-backed answers in under 300ms.


Start a pilot

We review every application personally. You'll hear back within 1 business day.