Six engines. One analyst workspace.
Heimdall is built as six interlocking engines. Each runs on its own cycle, feeds the next, and delivers results to the analyst as a single, searchable workspace. Investigate, search, pivot, and generate reports — all without leaving the console.
Every engine in detail.
Ingestion engine
Public, commercial, and partner sources normalised into a single schema. RSS, REST, STIX/TAXII, JSON, CSV, and hidden services — fetched on per-source schedules with health tracking. Egress through hardened proxies for restricted or hidden origins.
Correlation engine
Fuzzy matching, content hashing, canonical URL deduplication, and on-premise model-assisted incident matching. Multiple reports of the same event collapse into one verified incident with weighted confidence.
Extraction engine
Deterministic IOC parsers for structured feeds, on-premise model extraction for unstructured intelligence. Severity validation, victim identification, MITRE technique mapping — all without third-party round-trips.
Enrichment engine
Indicators are enriched through reputable commercial and public sources subject to your licensing. Domain investigations use permutation analysis to surface typosquats. Credential exposure is checked against authorised breach intelligence partners.
Alerting engine
Team-shared rules scan continuously. Critical findings trigger instant notification — never batched into a digest. Per-user read tracking and acknowledgement audit trail.
Reporting engine
Analysts generate intelligence briefs on any incident, actor, or campaign with one click. Scheduled daily, weekly, and posture reports run on their own cycle. All exportable to your workspace under your retention policy.
Every finding, a technique.
Heimdall's deterministic MITRE mapper tags every extracted finding to a real ATT&CK technique. The matrix tells your director — at a glance — where on the kill-chain the organisation is most exposed.
Cloud-managed. Or fully sovereign.
Heimdall Cloud
Managed by us. SSO, audit logging, regular backups, isolated per-tenant database. Enterprise SLA on request.
On-prem
Container-orchestrated deployment on your hardware, in your network. Image registry access and signed update bundles supplied on a regular release cadence.
Air-gapped
Fully offline deployment. Signed update bundles delivered manually. For SCIFs, classified networks, and national intelligence.