A client called. Credential-based anomaly on their VPN, 11pm local time.
// I'd worked this exact pattern three months prior.
Same actor. Same TTP: cached SSO token replay via browser cookie export. We'd documented it. One of our analysts — let's call him Marcus — had written it up completely: actor ID, IOCs, detection logic, recommended hunting path.
// Marcus left for another job the month before.
His notes existed. Somewhere. In a ticket. In an email thread. In his head, when he was here.
I spent four hours re-establishing context that Marcus had already established. I didn't know his notes existed. I didn't know he'd already correlated the VPN log with the AAD sign-in. I didn't know he'd already called the client back with a full brief.
By the time I found the ticket, it was 4am. The client had been sitting with an open incident for five hours.
// We had the answer. It was in someone's memory.
CTI feeds give you facts about the world. TLP markings give you provenance. STIX gives you a data model. What nobody gives you is your team's memory — the institutional knowledge of what you've investigated, what you've found, and what you've decided.
Institutional knowledge walks out the door with whoever generated it. The next analyst starts from zero — or spends hours recreating context that already exists.
Findings are scattered across SIEM alerts, Jira tickets, email threads, Slack messages, and shared drives. Cross-referencing them requires human memory — or hours of manual search.
Every analyst has a different mental model of the threat landscape. When two analysts investigate the same indicator, they reach different conclusions — or never realize they're working the same case.
Every AI agent that touches your SOC starts from a blank slate. It doesn't know what your team found last month. It doesn't know which actor family uses which TTP in your vertical. It doesn't carry context between sessions.
Agent response without memory (CTI feeds only):
This appears to be an initial investigation. Starting from available CTI feeds only.
Anomalous VPN authentication from external IP — possible credential-based intrusion. Recommend: block IP, rotate tokens, review AAD sign-in logs.

Prior finding on record:
Resolved: 2026-02-14. Same IP range. Actor TTP-4412. Cached SSO token replay. Client brief delivered by Marcus Chen, 2026-02-15. IOCs: 185.220.x.x, vpn-client-export.exe hash.

Agent response with memory:
This is a repeat of incident INC-2026-02-14. Same actor. Same TTP. Update detection rule with actor TTP-4412 and rotate client SSO tokens. Confidence: HIGH — 3 evidence chains, 2 analysts.
ThreatRecall isn't here to tell you what's happening in the world. Feeds do that. MITRE ATT&CK does that. OpenCTI does that.
ThreatRecall is here to give your team a persistent, queryable memory layer — so the next time your AI agent (or your analyst) asks "have we seen this before?" they actually get an answer.