Our Story

Built by Security Practitioners, for Security Practitioners

ThretVyn was built by SOC practitioners who spent years watching kill chains get missed because EDR, cloud-trail, and identity tooling had no way to correlate across source boundaries. They built the tool they needed and couldn't find.

The Origin

Why We Built ThretVyn

James Halevi spent years running SOC operations at financial services firms in the DC metro area. The pattern was consistent: 400 to 600 alerts per day, Tier-1 analysts spending six-plus hours on false positives, and the same tools surfacing the same noise with no way to connect the endpoint compromise in CrowdStrike to the AssumeRole call in CloudTrail to the Okta privilege escalation that followed. Three separate alerts. Zero correlation. One missed breach.

When James met Priya Sundaram in 2024 — a machine learning engineer who had spent several years building real-time event correlation pipelines at a data infrastructure company — the product architecture took shape quickly. The insight was straightforward: kill-chain patterns don't live in one tool. They live in the sequence across three. Build the engine that finds the sequence, and 97% of the noise disappears.

ThretVyn was founded in 2025 in Reston, Virginia — the center of the DC metro cybersecurity community and proximate to the financial institutions, defense contractors, and government-adjacent mid-market companies that constitute our target market. Marcus Webb, a former SOC analyst and security architect, joined as Head of Product to ensure the operator experience was built by someone who had run a triage queue under pressure.

We are independently built with no external investors. Our roadmap is set entirely by what mid-market SOC teams need — not by a portfolio strategy or a growth mandate from a funding round.

The Team

The Founding Team

Three practitioners who know alert fatigue from the inside.

James Halevi
CEO & Co-Founder

Security practitioner with a background in enterprise threat operations and SOC management at financial services firms in the DC metro area. Spent years watching multi-stage intrusions get missed because EDR, cloud-trail, and identity tooling had no way to correlate across source boundaries. Founded ThretVyn in 2025 to solve that structural problem. ThretVyn is not a replacement for experienced analysts — it gives them 20 signals instead of 600.

Priya Sundaram
CTO & Co-Founder

Machine learning engineer with a focus on anomaly detection and large-scale event stream processing. Previously at a data infrastructure company where she built real-time correlation pipelines handling tens of millions of events per day. At ThretVyn she designed the three-source entity resolution and kill-chain pattern matching engine that underpins the core product.

Marcus Webb
Head of Product

Former Tier-1 and Tier-2 SOC analyst turned security architect. Spent several years at an enterprise security consultancy advising mid-market organizations on detection coverage gaps. Joined ThretVyn to own the operator experience — the interface a Tier-1 analyst uses at 2 AM is his responsibility, and that specificity drives every product decision he makes.

How We Work

Precision Over Noise

We build for the understaffed, over-alerted SOC. No bloat. No enterprise-ware. Just the signal that matters.

Precision Over Volume

Every feature is evaluated by one question: does this help a Tier-1 analyst detect the kill chain faster? Features that serve dashboard aesthetics or compliance checkbox requirements without improving detection do not ship.

Operator-First Interface

Analysts at 2 AM need immediate triage clarity, not pivot tables. Escalated events surface with source timeline, MITRE ATT&CK technique codes, and the full corroborating evidence chain — no additional context lookups required.

No Silos. No SIEM Dependency.

Attacks cross tool boundaries because tools don't talk to each other. ThretVyn's sole purpose is connecting EDR, cloud-trail, and identity into one correlated event stream. That's the product — not a feature, not an add-on.

Where We Are

Based in Reston, Virginia

Reston is the center of the DC metro cybersecurity community — close to federal agencies, defense contractors, and the financial institutions that make up our target market.

ThretVyn
1861 International Drive, Suite 200
Reston, VA 20190
[email protected]
+1 (703) 291-4058
Reston, VA
Northern Virginia · DC Metro Cybersecurity Hub