AI-powered Cyber Threat Intelligence

Reveal the hidden lines of adversary activity.

Free indicators are everywhere. Cloakline connects loose IOCs across sources into explained, scored, correlated adversary intelligence — the infrastructure, campaigns, and context a SOC can trust and defend, faster than building it in-house.

Explainable — every score shows its factorsEvidenced — every correlation shows whyRecommend-only — never auto-blocks
The problem

IOCs are commoditized

MISP, OpenCTI, abuse.ch and OTX all give indicators away. Volume isn't the value — and a raw blocklist with no context is a liability, not intelligence.

The moat

Correlation & explainability

Cloakline links indicators across sources into non-obvious infrastructure relationships, and scores them transparently — so an analyst can defend a decision to their boss.

The result

Intelligence, not noise

Each indicator arrives with corroborated provenance, a defensible risk score, the CVEs it touches, and the adversary infrastructure it connects to.

The platform

From loose indicator to defensible intelligence.

A real intelligence pipeline, not a feed reseller. Every stage normalizes to a STIX 2.1 + MISP-aligned model and adds context the next stage builds on.

IngestEnrichCorrelateScoreDeliver
01 · INGEST

Collect & normalize

Commodity and OSINT feeds — MISP, abuse.ch, CISA KEV, NVD — normalized to a STIX-aligned model. Canonical Indicator split from per-source Sighting.

02 · ENRICH

Add context

RDAP/WHOIS, DNS, GeoIP/ASN, Certificate Transparency and reputation — rate-limited, cached, and run through an egress-controlled path for attacker-controlled values.

03 · CORRELATE

Connect the lines

Deterministic, evidenced edges: shared infrastructure, registrant, certificate, ASN, hash → family. Written to a graph with evidence and confidence.

04 · SCORE

Explainable risk

Confidence, severity and exposure combined into a risk score — every value carries its factor breakdown and formula. No black box.

05 · DELIVER

Workflow & export

A pivotable investigation console, a daily intelligence brief, a REST API, and exports to STIX bundle / MISP event / CSV.

Capabilities

Reveal. Connect. Hunt. Defend.

Four things a threat team needs from intelligence — built into the product, not bolted on.

Reveal

Uncover hidden infrastructure, paths, and relationships behind an indicator.

Connect

Link indicators to infrastructure, malware, campaigns, TTPs, and risk.

Hunt

Help analysts find adversary activity faster, and with the context to act.

Defend

Turn intelligence into prioritized, defensible action — recommend-only by design.

Explainable scoring

A score you can defend.

Every Cloakline risk score is a transparent, weighted function — not a model you take on faith. An analyst can open any score and see exactly why it's what it is.

  • Confidence — source reliability (Admiralty A–F), corroboration across sources, and a freshness decay curve.
  • Severity — CVSS, the CISA KEV flag for known exploitation, and EPSS probability.
  • Risk — a defensible function of severity, confidence, and exposure, shipped with its inputs.
Correlation

Connect the indicators. Reveal the adversary.

Cloakline builds deterministic, evidenced edges between entities — every relationship carries the evidence that created it and a confidence value. The non-obvious links are where the intelligence is.

  • Deterministic first — shared infrastructure, registrant, certificate, ASN, and hash → family. Rules before ML, always.
  • Evidenced — open any edge to see exactly what created it.
  • Propose, don't publish — named-actor attribution is always held for a human.
Interop

Built to fit your stack.

Standards-aligned from day one, so Cloakline slots into the tools your SOC already runs.

STIX 2.1MISP eventsMITRE ATT&CKCVSSCISA KEVEPSSREST APITAXII 2.1Sigma / YARASIEM / SOAR apps
Trust by construction

Two rules we don't break.

A platform that holds adversary data and customer context has to be trustworthy by design.

Explainability over sophistication

Every score and edge is defensible to a SOC analyst — inputs, weights, and evidence on screen. If it can't be explained, it doesn't ship.

Propose, don't publish

Cloakline recommends; it never auto-blocks and never auto-attributes a named threat actor. A human stays in the loop on the consequential calls.

Private beta

Put Cloakline in front of your SOC.

We're working with a small set of design-partner SOCs and threat teams — free access, in exchange for honest feedback.

No spam. We'll reach out about design-partner access.