Security Concepts

Detection to Resolution

To best understand the lifecycle of identifying and responding to threats within our platform, it's helpful to use an analogy of a bank audit. An auditor begins by gathering all of a bank's documents (assets), reviews them thoroughly (discovery), and flags any unusual findings. Our platform follows a similar, structured path.

This guide explains what happens after the initial discovery process is complete.

:::success
This is the journey of a potential threat, from the wild west of the internet to the mitigation of that threat.
:::

0. Discovery

  • A Discovery is scheduled on the platform.
  • The Discovery generates detections with an expected false-positive rate of 50–60% (the ideal being 99% accuracy).

Discovery Frequency

The frequency of this entire process (e.g., Daily Discovery, Monthly Discovery) is configurable. A higher frequency of discovery and audit leads to a higher quality of results and allows for the earlier identification and mitigation of potential issues.

1. Detections: The Initial Findings

A Detection is the first result of the discovery process. Think of it as the "interesting information" or potential issue that the system uncovers when analyzing your assets. It is the starting point for any further action.

  • What it is: A raw finding or a piece of information that flags a potential risk or anomaly.
  • Analogy: An auditor reviewing a bank's records and identifying a potentially fraudulent transaction.
  • Responsibility:
    • The CX team downloads the generated detections.
    • They review and remove false positives.
    • The cleaned set of detections is then uploaded back into the platform.

2. Intelligence: Enriching the Data

A raw detection alone is often not enough to act upon. The next crucial step is to enrich it with more context. This is handled by the Intelligence layer.

  • What it is: The process of adding more facts, evidence, and related data to a detection. This step validates the finding and builds a more complete picture of the potential threat.
  • Analogy: The auditor gathers more evidence and supporting documents related to the suspicious transaction to confirm its nature.
  • Responsibility (SOC):
    • The uploaded detections appear in the Triage Page.
    • These detections are marked as requiring classification.
    • The SOC team reviews detections in the Triage Page.
    • They classify detections into appropriate categories.
    • Based on the classification, detections are routed to respective modules:
      • Attack Surface Module – for detections related to exposed assets, vulnerabilities, or risks to the organization's external attack surface.
      • Brand Protection Module – for detections related to impersonation, fraud, phishing, or brand misuse.

3. Classified: Alerting the Customer

Once a detection has been enriched and verified by the Intelligence layer, the client is formally notified.

  • What it is: The platform sends a notification to you, the customer, to alert you that a new, verified detection has been found and requires your attention.
  • Analogy: The auditor officially presents their findings and the supporting evidence to the bank's management in a formal report.

4. Incidents: Acknowledging and Acting

When you, the customer, decide to take action on a verified detection, it is formally converted into an Incident.

  • What it is: An incident represents a confirmed issue that the organization has committed to addressing. It is the official start of the response and remediation process.
  • Analogy: The bank's management accepts the auditor's report of fraud and officially opens a case to deal with it.

5. Mitigation: Immediate Response (Takedown)

For critical incidents that pose an immediate threat, the platform allows for swift mitigation actions. The primary action here is a Takedown.

  • What it is: A direct, immediate action taken to neutralize a threat and mitigate risk. This could involve taking a malicious site offline, removing a fraudulent app, or blocking a user.
  • Analogy: Upon confirming fraud, the bank immediately fires the responsible employee and freezes the affected accounts to prevent further damage.

6. Investigation: Deeper Analysis

Some incidents are part of a larger, more complex threat. The Investigation Mode is a feature designed to uncover these hidden connections.

  • What it is: A tool that allows you to explore the relationships and correlations between multiple detections and incidents. It helps identify the root cause, find other associated people or assets, and understand the full scope of the threat.
  • Analogy: The bank launches a full-scale internal investigation to see if other employees or branches were involved in the fraud.

7. Reporting: The Complete Record

The entire lifecycle, from the initial detection to the final resolution, is documented and can be compiled into Reports.

  • What it is: Comprehensive summaries of all activities, including discoveries, detections, incidents, and investigations. Reports provide a complete overview for compliance, review, and strategic planning.
  • Analogy: The final, comprehensive audit report detailing every finding, action taken, and the final outcome of the investigation.
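To tie the stages above together, here is an added example (not the platform's own code) that models the lifecycle as a small state machine: the CX review drops false positives and reports the observed false-positive rate, SOC classification routes each detection to a module, stage transitions are enforced in order so that a takedown can only follow an acknowledged incident, and the recorded transitions feed the report. The category names, the `Detection`/`advance`/`classify`/`report` helpers and the sample asset names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Lifecycle stages as named on the page, in the order they must be passed through.
STAGES = ["detection", "classified", "incident", "mitigated"]

# Assumed category-to-module routing; the category names are illustrative.
ROUTING = {"vulnerability": "Attack Surface Module", "phishing": "Brand Protection Module"}

@dataclass
class Detection:
    asset: str
    category: str = ""
    module: str = ""
    stage: str = "detection"
    history: list = field(default_factory=list)  # audit trail consumed by report()

    def advance(self, to: str, actor: str) -> None:
        # Refuse any step that skips or reverses the order (a takedown only after an incident).
        if to not in STAGES or STAGES.index(to) != STAGES.index(self.stage) + 1:
            raise ValueError(f"{self.stage} -> {to} is not allowed")
        self.history.append((self.stage, to, actor))
        self.stage = to

def cx_review(raw: list, false_positives: set) -> tuple:
    # CX step: drop known false positives and return the observed false-positive rate.
    kept = [d for d in raw if d.asset not in false_positives]
    return kept, (1 - len(kept) / len(raw)) if raw else 0.0

def classify(det: Detection, category: str) -> str:
    # SOC triage: assign a category and route the detection to the module that owns it.
    if category not in ROUTING:
        raise KeyError(f"unknown category {category!r}")
    det.category, det.module = category, ROUTING[category]
    det.advance("classified", "soc")
    return det.module

def report(dets: list) -> dict:
    # Reporting step: detections per stage plus every recorded transition.
    by_stage = {}
    for d in dets:
        by_stage[d.stage] = by_stage.get(d.stage, 0) + 1
    return {"by_stage": by_stage, "trail": [(d.asset, *h) for d in dets for h in d.history]}

if __name__ == "__main__":  # constructed sample run, not real platform data
    kept, fp = cx_review([Detection("cdn.example.test"), Detection("exampel-bank.test")], {"cdn.example.test"})
    classify(kept[0], "phishing")
    kept[0].advance("incident", "customer")
    print(f"fp_rate={fp:.2f}", report(kept))
```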
