The Platform

The Correlation Engine for Mid-Market SOCs

Built on the insight that real threats live in the sequence across three sources, not the individual alert. See exactly how the correlation engine works — from EDR telemetry ingestion to kill-chain escalation.

Cross-Source Correlation

Cross-Source Correlation Across EDR, Cloud, and Identity

Your EDR sees the endpoint. Your SIEM sees individual events. Neither connects the credential dump on the workstation to the AssumeRole call in CloudTrail four minutes later. ThretVyn's correlation engine ingests all three source types at once, resolves the actor behind each event to a single entity, and matches the ordered sequence of events that together completes a kill chain.

  • EDR telemetry normalization across CrowdStrike Falcon, SentinelOne, Defender for Endpoint, Carbon Black
  • Cloud audit log ingestion from AWS CloudTrail, Azure Activity Log, GCP Audit Logs
  • Identity provider event correlation: Okta System Log, Microsoft Entra ID, Active Directory
  • Entity resolution across sources — the same user, IP, or host tracked as one entity across all three
  • MITRE ATT&CK technique mapping on every correlated event
  • ThretVyn is not a SIEM — it does not replace long-term log retention or compliance archiving
Noise Suppression

97% Alert Noise Suppressed

False-positive rates above 95% are the operational reality for most mid-market EDR deployments. ThretVyn's suppression layer evaluates every event against three criteria before it reaches your analysts: the known-benign behavioral baseline for that entity, the environmental context of that specific entity, and correlation completeness across the three source types. An event that does not take part in a multi-stage kill-chain sequence never reaches your queue.

  • Per-entity behavioral baseline: endpoint, user identity, and cloud service account
  • Cross-source completeness check — partial sequences are held, not escalated
  • Kill-chain pattern library covering 200+ known attack sequences
  • Full suppression audit trail — every dismissed alert logged with suppression rationale
  • What reaches analysts: 15–20 high-confidence escalations per day, not 500
Kill-Chain Detection

Three-Event Kill-Chain Pattern Detection

Modern intrusions are multi-stage and multi-source. An LSASS credential dump on an endpoint. An unusual AssumeRole call in CloudTrail, then access to an S3 bucket under the assumed session. A privilege escalation in Okta seven minutes later. Taken alone, each event is easy to deprioritize or lose in the queue. As an ordered sequence across three sources tied to one resolved identity, it is a high-confidence intrusion in progress. ThretVyn detects the sequence, not the individual events.

  • MITRE ATT&CK technique codes on every stage of the detected chain (T1003, T1078, T1548)
  • Configurable kill-chain detection window: 5 minutes to 24 hours
  • Full correlated event timeline with source attribution and timestamps
  • Recommended Tier-1 response actions per pattern type
  • ThretVyn does not replace your EDR; it reads the telemetry your EDR already reports and finds the cross-source sequences the EDR cannot see on its own
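
As an added illustration of the three-source correlation, entity resolution and completeness check described in the sections above (this is example code written for this page, not ThretVyn's engine), the block below resolves EDR, CloudTrail and IdP identities to one entity, matches an ordered three-stage pattern tagged with ATT&CK techniques inside a detection window, escalates only complete chains, and logs held or suppressed entities with a rationale. The event schema, the normalized action names, the resolver rules and the sample events are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # "edr", "cloud" or "idp"
    identity: str   # the actor exactly as that source reports it
    action: str     # action name after normalization (assumed vocabulary)


# Assumed three-stage pattern: (source, normalized action, ATT&CK technique), in order.
KILL_CHAIN = (
    ("edr", "lsass_memory_read", "T1003"),
    ("cloud", "AssumeRole", "T1078"),
    ("idp", "user.account.privilege.grant", "T1548"),
)

_ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/([^/]+)$")


def resolve_entity(source: str, identity: str) -> str:
    """Entity resolution: map each source's identity format to one canonical username."""
    if source == "edr":                         # DOMAIN\user
        identity = identity.split("\\")[-1]
    elif source == "cloud":                     # assumed-role ARN; the session name is the human
        m = _ASSUMED_ROLE_ARN.match(identity)
        identity = m.group(1) if m else identity
    return identity.split("@")[0].lower()      # strips a UPN domain (idp) and normalizes case


def correlate(events, pattern=KILL_CHAIN, window=timedelta(minutes=30)):
    """Match the ordered pattern per resolved entity.

    Returns (escalations, audit): escalations are complete chains with their
    techniques and timeline; audit records every entity that was held (partial
    chain) or suppressed (no chain at all), with the rationale.
    """
    by_entity = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_entity.setdefault(resolve_entity(ev.source, ev.identity), []).append(ev)

    escalations, audit = [], []
    for entity, evs in by_entity.items():
        matched = []        # (event, technique) for stages matched so far, in order
        deadline = None     # window closes this long after the first stage fires
        for ev in evs:
            if len(matched) == len(pattern):
                break
            src, action, technique = pattern[len(matched)]
            if ev.source != src or ev.action != action:
                continue                        # noise: not the next stage for this entity
            if deadline is not None and ev.ts > deadline:
                continue                        # right stage, but outside the detection window
            if deadline is None:
                deadline = ev.ts + window       # simplification: first stage-0 event anchors the window
            matched.append((ev, technique))
        if len(matched) == len(pattern):
            escalations.append({
                "entity": entity,
                "techniques": [t for _, t in matched],
                "timeline": [(ev.ts.isoformat(), ev.source, ev.action) for ev, _ in matched],
            })
        elif matched:
            audit.append((entity, "held",
                          f"partial sequence: {len(matched)} of {len(pattern)} stages inside the window"))
        else:
            audit.append((entity, "suppressed", "no stage of the pattern observed for this entity"))
    return escalations, audit


# Constructed sample telemetry (not real data): one full chain, one routine AssumeRole with
# no preceding credential access, and one chain whose second stage lands after the window closed.
T0 = datetime(2024, 5, 6, 10, 0)
SAMPLE_EVENTS = [
    Event(T0, "edr", "CORP\\jdoe", "lsass_memory_read"),
    Event(T0 + timedelta(minutes=1), "edr", "CORP\\jdoe", "process_start"),
    Event(T0 + timedelta(minutes=4), "cloud", "arn:aws:sts::123456789012:assumed-role/OrgAdmin/jdoe", "AssumeRole"),
    Event(T0 + timedelta(minutes=11), "idp", "jdoe@corp.example", "user.account.privilege.grant"),
    Event(T0 + timedelta(minutes=2), "cloud", "arn:aws:sts::123456789012:assumed-role/ReadOnly/asmith", "AssumeRole"),
    Event(T0 - timedelta(hours=3), "edr", "CORP\\bwong", "lsass_memory_read"),
    Event(T0 + timedelta(minutes=5), "cloud", "arn:aws:sts::123456789012:assumed-role/OrgAdmin/bwong", "AssumeRole"),
]

if __name__ == "__main__":
    found, log = correlate(SAMPLE_EVENTS)
    for esc in found:
        print("ESCALATE", esc["entity"], esc["techniques"])
        for row in esc["timeline"]:
            print("   ", *row)
    for entry in log:
        print("AUDIT", *entry)
```

Running it escalates only jdoe, with the three technique codes and a source-attributed timeline; asmith's lone AssumeRole is suppressed and bwong's stale credential access is held as a partial sequence. The window here is anchored on the first stage-0 event and never restarts, which keeps the example short; a production engine would expire the open chain and re-anchor on a later stage-0 event, and would also record the abandoned partial chain in the audit trail.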
Data Sources

13 Data Sources Out of the Box

Connect the four EDR platforms, three cloud providers, three identity sources, and three SIEM outputs that cover the majority of mid-market security stacks. New source integrations ship on customer request; contact us if your stack includes a source not listed.

Endpoint Detection & Response
  • CrowdStrike Falcon
  • Microsoft Defender for Endpoint
  • SentinelOne
  • VMware Carbon Black
Cloud Audit Logs
  • AWS CloudTrail
  • Azure Activity Log
  • GCP Cloud Audit Logs
Identity Providers
  • Okta System Log
  • Microsoft Entra ID (formerly Azure Active Directory)
  • Duo Security
SIEM Connectors
  • Splunk (bidirectional)
  • Microsoft Sentinel
  • IBM QRadar (via REST)
Deployment

Deploy in 15 Minutes

ThretVyn uses API-based ingestion: one agent on a single host collects the EDR's streaming events; cloud and identity sources connect directly over REST with read-only credentials. No changes to your existing EDR policy, SIEM forwarding rules, or firewall configuration. Events appear within minutes of connecting your first source; cross-source escalations begin once all three source types are connected.

  • Single agent install on any Linux host — not per-endpoint deployment
  • Cloud sources (CloudTrail, Azure Activity Log, GCP) connect via read-only API credentials — no agent
  • Identity sources (Okta, Entra ID) connect via read-only API tokens: Okta's System Log API and Entra ID's audit and sign-in logs
  • Zero changes required to existing EDR, SIEM, or network configuration
  • ThretVyn does not perform incident response — it escalates confirmed sequences to your analysts for action

Run It Against Your Own Alert Queue

Connect your first source in 15 minutes. No credit card. No professional services engagement required.