Use Case - Incident Response

Detection to recovery.
No gaps. No handoffs.

Most IR failures are not a detection problem; they are a coordination problem. ThreatBook integrates evidence preservation, adversary attribution, and automated remediation into a single closed loop so nothing falls through the gaps between tools and teams.

20,000+ APT incidents uncovered
<0.03% false positive rate
150+ integrated tools in Flocks
2,000+ adversary groups tracked
The Problem

Why IR takes weeks instead of hours

Security teams are good at detecting threats. They struggle at everything that comes after, because the evidence, the context, and the response capability live in separate products that were never designed to work together.

01
Evidence Degrades Fast
Network forensics require packet captures and flow logs that most detection tools do not preserve automatically. By the time IR starts, the most valuable data has already been overwritten or aged out of retention windows. Reconstruction from fragmented logs adds days.
02
No Adversary Context at the Start
Knowing what hit you matters immediately. Without attribution, responders guess at scope, misread attacker intent, and fail to prioritize correctly. They patch what they can see while the actor pivots to persistence they missed.
03
Remediation Requires Manual Orchestration
Each response action (isolate host, reset credential, block IP, close ticket) touches a different system and requires a different login, a different approval chain, and a different team member. The last 20% of an incident takes 80% of the calendar time.
How ThreatBook Solves It

Three products. One response chain.

TDP detects the threat and immediately begins preserving network-level evidence (full packet capture, lateral movement graphs, and C2 communication timelines), so responders have forensic-grade data from minute one rather than racing to reconstruct it later.

ATI closes the attribution gap in real time. As TDP surfaces the incident, ATI cross-references indicators against 2,000+ tracked adversary groups, returning TTPs, past campaigns, known peer-organization targets, and recommended containment priorities within the same console.

Flocks executes. Its 7+1 multi-agent architecture orchestrates cross-device forensics, host compromise analysis, isolation actions, and ticket closure across 150+ integrated tools: automatically, with a full audit trail, and without requiring responders to log into each system individually.

  • TDP preserves network evidence automatically from detection time
  • ATI attribution delivered in minutes, not weeks
  • Flocks closes tickets end-to-end without manual tool-switching
  • Full audit trail from alert through remediation
Core Capabilities

Every phase covered

From the first alert through post-incident reporting, ThreatBook's integrated stack handles detection, investigation, attribution, and remediation without requiring your team to manually bridge between tools.

Network Evidence Preservation
TDP continuously captures network telemetry and automatically archives relevant flows, packets, and behavioral graphs the moment an alert fires. Forensic evidence is available from detection time, not reconstructed hours later.
<0.03%
false positive rate on TDP alerts
Adversary Attribution
ATI cross-references indicators from the active incident against ThreatBook's database of 2,000+ tracked groups, returning actor identity, known TTPs, past campaign history, and peer-organization impact context within minutes of alert generation.
2,000+
adversary groups in ATI database
Automated Remediation Execution
Flocks orchestrates response actions (host isolation, credential reset, IOC blocking, ITSM ticket closure) across 150+ tools through a structured multi-agent workflow that executes and documents each step without requiring analyst tool-switching.
150+
integrated tools across security stack
Lateral Movement Mapping
TDP's behavioral analytics map attacker movement across network segments in real time, identifying compromised assets, propagation paths, and persistence mechanisms so responders understand the full blast radius before beginning containment.
Cross-Device Forensics
Flocks' host compromise analysis agent queries affected endpoints, correlates process trees with network evidence, and assembles a forensic timeline automatically. Investigation steps that previously took hours of manual effort are compressed into minutes of automated execution.
Audit Trail and Reporting
Every detection, enrichment step, and remediation action is logged with timestamps, data sources, and decision rationale. Post-incident reports are generated automatically from the response chain, ready for regulators, executives, or the next tabletop exercise.
Response Workflow

From alert to closed ticket

The entire response chain executes within a single integrated environment. No context-switching between tools, no duplicate data entry, no waiting for the threat intel team to respond to a Slack message.

1
TDP Fires a High-Fidelity Alert
TDP's ML engine identifies anomalous behavior (C2 communication, lateral movement, data staging) and generates a detection with network evidence automatically preserved: flows, packets, connection graphs, and affected asset inventory.
2
ATI Delivers Instant Attribution
Indicators from the TDP alert are cross-referenced against ATI's adversary intelligence in real time. The analyst receives actor identity, known TTPs mapped to MITRE ATT&CK, historical campaign data, and indicators of what other organizations in the same sector experienced during similar intrusions.
3
Flocks Launches the Forensics Workflow
Flocks assigns the forensic tasks to specialized sub-agents: host compromise analysis queries endpoints, network analysis correlates lateral movement, and the threat classification agent maps the timeline to the attribution context provided by ATI.
4
Containment Actions Execute Automatically
Based on the forensic findings and ATI's priority recommendations, Flocks executes containment through its 150+ integrations: isolating compromised hosts via EDR, blocking malicious IPs at the firewall, resetting affected credentials in AD, and notifying relevant stakeholders, all through a single audited workflow.
5
Ticket Closed with Full Documentation
Flocks compiles the incident record (detection evidence, attribution, forensic findings, and every remediation action taken) and closes the ITSM ticket with complete documentation. The post-incident report is available immediately, not three weeks later when analyst memories have faded.
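The five-step chain above, reduced to code as an added example. This is not ThreatBook, TDP, ATI or Flocks code and uses none of their APIs; it models the shape of the loop the page describes: an alert arrives with its evidence pinned by hash, indicators are cross-referenced against an adversary table, containment actions are derived from the attribution's priorities, and every step lands in an audit trail before the ticket is closed. The adversary table, indicators, hostnames, ticket id and packet-capture bytes are constructed placeholders, and the hash-chained audit log is a design choice assumed here so that a deleted or edited step is detectable, which the page's "full audit trail" wording does not specify.

```python
"""Added example (not ThreatBook/Flocks code): a minimal closed-loop IR chain
with tamper-evident audit logging. Every name and value below is constructed."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed stand-in for a threat-intel lookup: indicator -> attribution.
# Group names are placeholders; ATT&CK ids are real technique ids used as sample data.
ADVERSARY_DB = {
    "203.0.113.10": {"group": "PLACEHOLDER-GROUP-A", "ttps": ["T1071.001", "T1021.002"],
                     "priority": ["isolate_host", "block_ip"]},
    "malicious.example": {"group": "PLACEHOLDER-GROUP-B", "ttps": ["T1566.001"],
                          "priority": ["reset_credential", "block_domain"]},
}

# Constructed alert: a fake capture stands in for the preserved pcap.
SAMPLE_ALERT = {
    "ticket": "INC-PLACEHOLDER-0001",
    "host": "host-42",
    "indicators": ["203.0.113.10", "malicious.example"],
    "pcap": b"\xd4\xc3\xb2\xa1constructed-capture-bytes",
}


@dataclass
class AuditEntry:
    step: str
    source: str
    detail: dict
    rationale: str
    timestamp: str
    prev_hash: str
    entry_hash: str = ""


class AuditTrail:
    """Hash-chained log: each entry commits to the previous entry's hash,
    so removing or editing any step breaks verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(e):
        body = json.dumps([e.step, e.source, e.detail, e.rationale, e.timestamp, e.prev_hash],
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, step, source, detail, rationale, timestamp=None):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        e = AuditEntry(step, source, detail, rationale, ts, prev)
        e.entry_hash = self._digest(e)
        self.entries.append(e)
        return e

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def attribute(indicators):
    """Cross-reference alert indicators against the adversary table (step 2)."""
    return {i: ADVERSARY_DB[i] for i in indicators if i in ADVERSARY_DB}


def plan_containment(hits, host):
    """Turn attribution priorities into an ordered, de-duplicated action list (step 4)."""
    actions = []
    for ioc, info in hits.items():
        for action in info["priority"]:
            target = host if action in ("isolate_host", "reset_credential") else ioc
            if (action, target) not in actions:
                actions.append((action, target))
    return actions


def run_incident(alert, trail, clock=None):
    """Run detect -> attribute -> contain -> close, logging each step. Returns the actions."""
    evidence_hash = hashlib.sha256(alert["pcap"]).hexdigest()  # pin the preserved capture
    trail.record("detect", "NDR", {"host": alert["host"], "indicators": alert["indicators"],
                                   "evidence_sha256": evidence_hash},
                 "detection fired; capture pinned by hash", clock)
    hits = attribute(alert["indicators"])
    trail.record("attribute", "TI", {k: v["group"] for k, v in hits.items()},
                 "indicator matched adversary table", clock)
    actions = plan_containment(hits, alert["host"])
    for action, target in actions:
        trail.record("contain", "orchestrator", {"action": action, "target": target},
                     "ordered by attribution priority", clock)
    trail.record("close_ticket", "ITSM", {"ticket": alert["ticket"], "actions": len(actions)},
                 "all containment actions recorded", clock)
    return actions


if __name__ == "__main__":
    t = AuditTrail()
    for a in run_incident(SAMPLE_ALERT, t):
        print("contain:", a)
    print("audit trail intact:", t.verify(), "entries:", len(t.entries))
```

The chain is verified end to end in `verify()`; a post-incident reviewer who re-checks the trail learns not only what was done but whether the record itself was altered after the ticket closed.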
Measured Outcomes

What changes when the loop closes

The shift from fragmented tooling to an integrated response chain produces measurable improvements in every IR metric that matters to security leadership.

20,000+
APT Incidents Uncovered
ThreatBook's combined TDP detection and ATI attribution has surfaced over 20,000 APT-attributed incidents globally. That firsthand research data feeds directly into every active IR engagement, giving responders context that threat intelligence reports deliver weeks after the fact.
<0.03%
False Positive Rate
IR teams cannot afford to chase false positives during an active incident. TDP's sub-0.03% false positive rate means responders spend investigation time on real threats, not on validating whether an alert was worth opening in the first place.
150+
Tools Orchestrated by Flocks
Flocks integrates with 150+ security and IT tools (EDR, SIEM, SOAR, firewall, AD, ITSM), so remediation actions execute through one workflow rather than requiring analysts to log into each system, copy data between interfaces, and manually track completion.
Products Powering This Use Case

Three products. One response chain.

Network Detection & Response
TDP
Threat Detection Platform (NDR). Behavioral ML engine with cloud sandbox detects threats across all network traffic (cloud, on-premises, and hybrid). Preserves forensic evidence from the moment of detection.
Threat Intelligence
ATI
Advanced Threat Intelligence. 2,000+ tracked adversary groups, 20,000+ APT incidents, firsthand APAC coverage since 2015. Delivers actor attribution and TTP mapping in real time during active incidents.
Agentic SecOps
Flocks
Open-source agentic SecOps platform. 7+1 multi-agent architecture with Rex as Main Agent orchestrates forensics, containment, and ticket closure across 150+ tool integrations. Free and available on GitHub.
Get Started

See the closed loop in action

Walk through a live incident scenario, from TDP detection through ATI attribution to Flocks remediation, with a ThreatBook incident response specialist.

Flocks is open source; start today at github.com/AgentFlocks/flocks