Letta vs ThreatRecall
Use Letta for building stateful agent applications where you own the runtime. Use ThreatRecall when memory is evidence and analysts will be deposed.
Letta is a platform for building stateful AI agents with memory blocks that live inside the agent runtime. It's excellent for developer-facing agent frameworks where you control the whole stack. ThreatRecall is purpose-built for CTI: every memory record carries evidence provenance, TLP enforcement, a confidence score, and a write-once audit log — designed for the legal and compliance reality of SOC work.
| Dimension | ThreatRecall | Letta |
|---|---|---|
| Evidence schema: source_url, timestamp, file_hash, linked_evidence_ids | ✓ | ~ Memory blocks are agent-owned — no standard evidence schema |
| TLP enforcement: AMBER/RED blocked from LLM at ingest and query | ✓ | ✗ |
| Audit log export: CSV / JSONL, cryptographically signed | ✓ | ✗ |
| Confidence scoring: Score + provenance chain + correction UI | ✓ | ✗ No confidence scoring — content is agent-written |
| Tenant isolation: Row-level RLS + dedicated connection pool per tenant | ✓ | ~ Agent-scoped, not tenant-scoped by default |
| Correction / merge / reject UX: Reject, correct, or merge memory via UI with 24h rollback | ✓ | ✗ |
| CTI data model: Actor / TTP / CVE / IOC / ATT&CK / OSINT / Tool / Vulnerability | ✓ | ✗ |
| FedRAMP / compliance: Phase 4 in progress, public /security page with CAIQ-Lite v4 | ✓ | ✗ |
| Compliance questionnaire: Downloadable CAIQ-Lite + SIG-Lite PDF at /security/questionnaire | ✓ | ✗ |
| STIX 2.1 round-trip: Ingest + export — structured CTI bundle standard | ✓ | ✗ |
| Multi-tenant RBAC: admin / analyst / readonly / audit roles, TOTP-enforced | ✓ | ~ Basic roles, no memory-level ACLs |
When Letta is the better choice
Building custom stateful agent applications
If you're building a vertical AI product where you control the agent runtime end-to-end, Letta's server-side agent framework gives you the infrastructure primitives without the CTI-specific overhead.
Custom agent workflows with full runtime control
If you need to own the agent runtime, define custom memory block structures, and control the full agent lifecycle — Letta's developer-facing API is built for that. ThreatRecall is not an agent runtime; it's a memory API.
Apps where memory is agent-internal
If your product's memory is written and consumed entirely by the agent (not by human analysts reviewing it), Letta's in-agent memory model is the right abstraction. ThreatRecall is designed for human-in-the-loop SOC workflows.
Ingest API comparison
```
// Every record carries full provenance
POST /v1/evidence
{
  "content": "APT29 used FoggyWeb to exfiltrate...",
  "source_url": "https://microsoft.com/apt29-report",
  "observed_at": "2025-05-28T12:00:00Z",
  "file_hash": "sha256:abc123...",
  "linked_evidence_ids": ["ev_jira_123", "ev_crowd_456"],
  "tlp_marking": "AMBER",
  "confidence": 0.87
}
// AMBER/RED never reaches the LLM.
// Confidence + provenance chain on every recall.
```
```javascript
// In a Letta agent runtime — memory lives
// inside the framework as agent-owned blocks
letta.messages.create(agent_id, {
  role: "system",
  content: "APT29 used FoggyWeb..."
})
// Evidence is whatever the agent writes.
// No source_url, no hash, no TLP, no confidence.
// Provenance is agent-responsibility.
```
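A caller-side check for the record shape in the `POST /v1/evidence` body above, as an added example (not ThreatRecall or Letta code): it validates the provenance fields and keeps AMBER/RED records out of text handed to an LLM. Requiring every field, https-only source URLs, a 0 to 1 confidence range, and blocking AMBER+STRICT are assumptions; the helper names are hypothetical.

```javascript
// Added example. Field names follow the POST /v1/evidence body above; the helper
// names and the exact validation rules are assumptions, not ThreatRecall's API.
const TLP_LEVELS = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]; // TLP 2.0 labels
const LLM_BLOCKED = new Set(["AMBER", "AMBER+STRICT", "RED"]); // AMBER+STRICT: assumed blocked
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;

function validateEvidence(rec) {
  const errors = [];
  let url = null;
  try { url = new URL(rec.source_url); } catch { /* reported below */ }
  if (!url || url.protocol !== "https:") errors.push("source_url");
  if (typeof rec.content !== "string" || rec.content.length === 0) errors.push("content");
  if (!ISO_UTC.test(rec.observed_at || "") || Number.isNaN(Date.parse(rec.observed_at)))
    errors.push("observed_at");
  if (!/^sha256:[0-9a-f]{64}$/.test(rec.file_hash || "")) errors.push("file_hash");
  const ids = rec.linked_evidence_ids;
  if (!Array.isArray(ids) || !ids.every((id) => typeof id === "string" && id.length > 0))
    errors.push("linked_evidence_ids");
  if (!TLP_LEVELS.includes(rec.tlp_marking)) errors.push("tlp_marking");
  if (typeof rec.confidence !== "number" || !(rec.confidence >= 0 && rec.confidence <= 1))
    errors.push("confidence");
  return errors; // names of the fields that failed
}

// Fail closed: invalid records and unknown markings never become LLM context.
function llmEligible(rec) {
  return validateEvidence(rec).length === 0 && !LLM_BLOCKED.has(rec.tlp_marking);
}

function buildLlmContext(records) {
  return records.filter(llmEligible).map((r) => r.content);
}

// Constructed sample records (hash and ids are made up for the example).
const base = {
  content: "constructed finding A", source_url: "https://example.com/report",
  observed_at: "2025-05-28T12:00:00Z", file_hash: "sha256:" + "ab".repeat(32),
  linked_evidence_ids: ["ev_1"], tlp_marking: "GREEN", confidence: 0.87,
};
const SAMPLES = [
  base,
  { ...base, content: "constructed finding B", tlp_marking: "AMBER" },
  { ...base, content: "constructed finding C", file_hash: "sha256:abc123..." },
  { ...base, content: "constructed finding D", tlp_marking: "amber" },
];
console.log(buildLlmContext(SAMPLES));
```

The truncated hash and the lowercase `amber` marking are both rejected rather than normalized, so a malformed record cannot slip past the TLP gate by failing to match the blocked set.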
Need evidence-backed memory?
Design Partner Pilots run 30 days, no charge. You keep the data.