Background Paths
Background Paths
The Platform

Six engines. One analyst workspace.

Heimdall is built as six interlocking engines. Each runs on its own cycle, feeds the next, and delivers results to the analyst as a single, searchable workspace. Investigate, search, pivot, and generate reports — all without leaving the console.

Autonomous Pipeline · Continuous
01
Ingest
Multi-source feeds
02
Match
Dedup & correlate
03
Score
Confidence weighting
04
Extract
AI-assisted detail
05
Enrich
IOC + MITRE map
06
Alert
Instant escalation
AInside the Platform

Every engine in detail.

01

Ingestion engine

Public, commercial, and partner sources normalised into a single schema. RSS, REST, STIX/TAXII, JSON, CSV, and hidden services — fetched on per-source schedules with health tracking. Egress through hardened proxies for restricted or hidden origins.

RSSSTIX 2.1TAXII 2RESTHidden servicesCustom
02

Correlation engine

Fuzzy matching, content hashing, canonical URL deduplication, and on-premise model-assisted incident matching. Multiple reports of the same event collapse into one verified incident with weighted confidence.

Fuzzy matchOn-prem LLMTrust weightingDedup
03

Extraction engine

Deterministic IOC parsers for structured feeds, on-premise model extraction for unstructured intelligence. Severity validation, victim identification, MITRE technique mapping — all without third-party round-trips.

DeterministicOn-prem LLMTLP-taggedSTIX export
04

Enrichment engine

Indicators are enriched through reputable commercial and public sources subject to your licensing. Domain investigations use permutation analysis to surface typosquats. Credential exposure is checked against authorised breach intelligence partners.

Domain reconWHOISReputationBreach intel
05

Alerting engine

Team-shared rules scan continuously. Critical findings trigger instant notification — never batched into a digest. Per-user read tracking and acknowledgement audit trail.

ContinuousInstant criticalPer-user stateAudit trail
06

Reporting engine

Analysts generate intelligence briefs on any incident, actor, or campaign with one click. Scheduled daily, weekly, and posture reports run on their own cycle. All exportable to your workspace under your retention policy.

StreamedWorkspace exportPer-tenantOn-demand
BMapped to ATT&CK

Every finding, a technique.

Heimdall's deterministic MITRE mapper tags every extracted finding to a real ATT&CK technique. The matrix tells your director — at a glance — where on the kill-chain the organisation is most exposed.

MITRE ATT&CK · Enterprise · IllustrativeSample heatmap
TA00014
Initial Access
TA00027
Execution
TA000312
Persistence
TA00045
Privilege Esc.
TA00059
Defense Evasion
TA000611
Credential Access
TA00073
Discovery
TA00082
Lateral Movement
TA00094
Collection
TA00106
Exfiltration
TA00118
Command & Control
TA00403
Impact
CDeployment

Cloud-managed. Or fully sovereign.

Standard

Heimdall Cloud

Managed by us. SSO, audit logging, regular backups, isolated per-tenant database. Enterprise SLA on request.

Enterprise

On-prem

Container-orchestrated deployment on your hardware, in your network. Image registry access and signed update bundles supplied on a regular release cadence.

Sovereign

Air-gapped

Fully offline deployment. Signed update bundles delivered manually. For SCIFs, classified networks, and national intelligence.