Digital Risk Protection & Threat Intel
Roadmap — a threat-intelligence pipeline (ingest, normalize, dedup, enrich, score, age, correlate, disseminate) plus outward-facing digital risk protection for leaked credentials, look-alike domains, and brand impersonation.
Digital Risk Protection & Threat Intel
Roadmap — not yet available. DRP and TIP are planned capabilities documented here for direction. They extend the shipped IOC/feed/actor/hunt store; the new pipeline stages and DRP monitors are not yet available.
Two pillars on one substrate. TIP (Threat Intelligence Platform) turns scattered intel into a real ingest → normalize → dedup → enrich → score → age → correlate → disseminate pipeline. DRP (Digital Risk Protection) is the outward-facing footprint monitor that produces external findings and consumes TIP enrichment. Neither builds a parallel store, and collection is passive and authorized only — no unauthorized access, no scraping behind auth, no offensive action.
TIP — threat intelligence pipeline (planned)
| Stage | What it does |
|---|---|
| Ingest | STIX 2.1 / TAXII 2.1 collections plus authorized OSINT feeds, polled incrementally |
| Normalize | Canonicalize indicators (lowercase punycode domains, canonical IPs, defang→refang) |
| Dedup | Merge the same indicator across feeds, keeping per-source provenance |
| Score | Confidence from feed reliability, corroboration, recency, and enrichment; actionability from confidence × freshness |
| Age | Exponential decay per indicator type; expired indicators are excluded from dissemination but retained for history |
| Enrich | Geo/ASN, WHOIS, passive DNS, reputation, related campaigns (fail-open on enricher timeout) |
| Map | Indicator → campaign → threat actor; TTP → ATT&CK |
| Correlate | Match live indicators against your assets, findings, and telemetry |
| Disseminate | A one-directional pull view consumed by SecOps (real-time IOC match), Package Firewall, and Red Team |
The Indicator model extends the existing IOC record rather than forking a new store, and dissemination is pull-only — TIP never writes into a consumer's store.
DRP — digital risk protection (planned)
DRP will continuously monitor your external footprint through authorized sources and emit drp findings:
- Leaked credentials — dark-web, paste-site, and public-repo exposure, with rotation recommended.
- Look-alike domains — typosquat, homoglyph, TLD-swap, and combosquat candidates, confirmed via passive DNS and certificate-transparency logs.
- Brand impersonation — spoof pages, fake mobile apps, and impersonating social accounts.
- Exposed documents — sensitive documents leaked publicly.
- Actor chatter — org-targeted discussion from authorized feeds.
Secret redaction (planned invariant)
A raw secret value never enters the store, a log, an export, or a finding. On any leaked-credential or exposed-document hit, DRP computes a non-reversible fingerprint (for dedup and re-detection), stores redacted evidence only (type, masked preview, source, timestamps), and recommends rotation. A collector that cannot redact a value drops it rather than storing it.
Takedown (planned, gated)
Takedown will prepare and submit authorized, human-approved requests only — never automated attacks. A request cannot advance to submitted without a policy pass, a human approver, and non-empty authorization evidence; a kill-switch halts all submissions and every transition is audited.
When it ships
DRP findings will land in the single findings store (drp), with sensitive findings under elevated ACL. Gated by the ff.drp and ff.tip feature flags, with on-prem/air-gap parity via self-hosted feeds.
Related
- SecOps (SIEM) — consumes TIP indicators for real-time IOC matching.
- Package Firewall — consumes malicious-package intel.
- Red Team — consumes adversary TTPs for emulation.
- Secrets Scanning — internal secret detection.
- Unified Findings & Feature Flags — where DRP findings land.
Identity Threat Detection (ITDR) & DLP
Roadmap — identity-attack detection (MFA fatigue, impossible travel, token theft, privilege escalation) with approval-gated response, plus data-loss prevention that reuses the DSPM classifier at the AI gateway, API, and export paths.
Vulnerability & Exposure Management
Roadmap — a single-pane management layer over the unified findings store, adding a deduplicated risk-ranked backlog, SLA policies, ownership routing, bi-directional ticketing, expiring risk exceptions, campaigns, and metrics.