Private Beta — MSSP & SOC Teams

Your SOC's threat memory.
Finally.

ThreatRecall captures investigations as structured CTI memory — actors, CVEs, TTPs, IOCs — and surfaces exactly what you need when you need it. Stop re-investigating what your team already solved.

threatrecall — query
What do we know about APT29 lateral movement via PowerShell?
INVESTIGATION #47 2 weeks ago · J. Smith

APT29 uses PowerShell remoting for lateral movement targeting Exchange servers. Linked to CVE-2024-1234. Observed across 3 MSSP client environments.

SYNTHESIS

APT29 favors PowerShell remoting via scheduled tasks for lateral movement. Prefers targeting Exchange and AAD Connect servers. Pairs with Kerberoasting for credential reuse. Recommend hunting T1059.001 across all endpoints.

RELATED CASES 3 other analysts · 6 months

The Problem

Your SOC's most expensive asset walks out the door every day.

01 Tribal Knowledge Loss

Years of investigation context lives in analysts' heads, Slack threads, and personal notebooks. None of it survives turnover.

02 Repeated Investigations

Same adversary, same infrastructure, different analyst. Your team re-investigates what was already solved because there's no way to recall it.

03 CTI Noise Overload

Sub-1% of CVEs are weaponized. Your team drowns in 10,000+ vulnerabilities with no way to filter to what actually matters for your environment.

How It Works

Remember. Recall. Respond.

ThreatRecall captures your team's threat intelligence as structured memory, then surfaces exactly what you need when you need it.

1 Capture

Analysts, agents, and CTI feeds write observations naturally. ThreatRecall automatically extracts entities, relationships, and context.

// Analyst writes:
"APT29 using PowerShell remoting for lateral movement
targeting Exchange CVE-2024-1234"

// ThreatRecall extracts:
Actor: APT29 | TTP: T1059.001 | CVE: 2024-1234
Link: PowerShell ↔ Lateral Movement ↔ Exchange

2 Connect

Entity indexing and knowledge graph construction happen automatically. No manual tagging. No schema to maintain.

APT29 --uses--> PowerShell Remoting --targets--> Exchange Server <--affects-- CVE-2024-1234

3 Recall

Query in natural language. Get back relevant past investigations, linked entities, and synthesized context — not a raw search dump.

// Analyst asks:
"What do we know about APT29 lateral movement?"

// ThreatRecall returns:
Investigation #47 (2 weeks ago, Analyst: J. Smith)
Linked CVEs, IOCs, and TTPs
Related cases from 3 other analysts
Synthesis: "APT29 favors PowerShell remoting via..."
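The Capture, Connect and Recall steps above, as an added illustration that is not ThreatRecall's own code: a small Python extractor that pulls actor names, CVE IDs and ATT&CK technique IDs out of free-text analyst notes, indexes them into a toy entity graph, and answers a natural-language question by entity overlap. The keyword-to-technique map and the sample notes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed keyword -> ATT&CK technique map (an assumption for this example;
# T1059.001 = PowerShell, as shown on the page).
KEYWORD_TTPS = {"powershell": "T1059.001", "kerberoast": "T1558.003",
                "scheduled task": "T1053.005"}

ACTOR_RE = re.compile(r"\bAPT\d{1,3}\b", re.I)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)
TTP_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract(note: str) -> dict:
    """Capture step: pull actors, CVEs and TTPs out of a free-text note."""
    text = note.lower()
    ttps = set(TTP_RE.findall(note))
    ttps |= {tid for kw, tid in KEYWORD_TTPS.items() if kw in text}
    return {
        "actors": sorted({a.upper() for a in ACTOR_RE.findall(note)}),
        "cves": sorted({c.upper() for c in CVE_RE.findall(note)}),
        "ttps": sorted(ttps),
    }


class Memory:
    """Connect step: entity -> set of investigation ids that mention it."""

    def __init__(self) -> None:
        self.index = defaultdict(set)
        self.cases = {}

    def capture(self, case_id: int, analyst: str, note: str) -> dict:
        ents = extract(note)
        self.cases[case_id] = {"analyst": analyst, "note": note, **ents}
        for entity in ents["actors"] + ents["cves"] + ents["ttps"]:
            self.index[entity].add(case_id)
        return ents

    def recall(self, question: str) -> dict:
        """Recall step: cases sharing any entity with the question, plus links."""
        q = extract(question)
        wanted = set(q["actors"] + q["cves"] + q["ttps"])
        hits = set().union(*(self.index.get(e, set()) for e in wanted))
        linked = {k: set() for k in ("actors", "cves", "ttps")}
        for cid in hits:
            for k in linked:
                linked[k].update(self.cases[cid][k])
        return {"cases": sorted(hits),
                "analysts": sorted({self.cases[c]["analyst"] for c in hits}),
                **{k: sorted(v) for k, v in linked.items()}}
```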

Why ThreatRecall

Built for the teams that can't afford to forget.

Not another AI wrapper on a SIEM. Purpose-built agentic memory for cybersecurity operations.

Security-Native, Not Generic

Entities are CVEs, threat actors, TTPs, and IOCs — not generic tags. Relationships follow threat intelligence logic, not a generic graph.

vs. Generic AI memory tools that treat everything as unstructured text

Filters the 99%

Sub-1% of CVEs are weaponized. ThreatRecall surfaces what matters for your environment, not the full firehose of KEV noise.

vs. SIEM dashboards that show 10,000 alerts and expect you to triage

Tenant-Isolated & Audit-Logged

Per-tenant data isolation. OCSF-compliant audit logging. TLP classification built in.

vs. SaaS tools where your threat data shares infrastructure with competitors

Agent-Native

Works with human analysts AND AI agents. Your SOC agents can remember across sessions. Your analysts get augmented recall.

vs. Tools that only work when a human is at the keyboard

From the Founder

"I'm Patrick Roland — Navy veteran, former MSSP director. I've built ThreatRecall because every SOC I've worked with loses the same investigations to turnover. This is the memory layer I wanted on day one."

Built on ZettelForge (MIT-licensed, self-hostable): github.com/rolandpg/zettelforge

Stop re-investigating what you already solved.

ThreatRecall is currently in private beta with select MSSP and SOC teams.
