Threat Intelligence & Incident Response

Situation

Your SOC has flagged a cluster of intrusion attempts that share TTP signatures but no clear attribution. Leadership wants a name and a motive. You need to correlate technical indicators against known adversary profiles, track campaign evolution over time, and distinguish a targeted operation from opportunistic noise — before the next alert fires.

The question

"Which known threat actors match this TTP cluster — lateral movement via [technique], C2 beaconing to [IP range] — and what sectors and geographies are they currently prioritising?"

How Mapshock handles it

Mapshock opens Dossiers on candidate threat groups, surfacing known aliases, associated campaigns, and attributed infrastructure from 850+ graded source domains. The Timeline renders campaign chronology so you can see whether activity is intensifying, dormant, or shifting targets. Narrative Evolution surfaces shifts in how analysts and threat-intelligence communities are characterising the group — an early signal that attribution is converging or fragmenting. Tactical Feed filters to relevant adversary activity in real time, and Entity Watches on the group's known infrastructure alert you when new indicators appear in graded sources.

Artifacts

Situation

You are four hours into an active incident. Forensics has indicators but no confirmed attribution. Your IR team needs to know who they are dealing with, what their typical next moves are, and whether there are any public reports of similar intrusions at peer organisations in your sector — fast enough to influence containment decisions still being made.

The question

"Given these indicators — [file hash], [C2 domain pattern], [lateral movement technique] — which adversary groups are consistent with this TTPs profile, and what did they do next in prior confirmed incidents?"

How Mapshock handles it

Mapshock pulls Dossiers on candidate threat actors matched to the indicator set, surfacing prior incident narratives and attributed next-stage behaviours from graded sources. The Tactical Feed filters to breaking intelligence on the same adversary group or technique cluster, so you catch any public disclosures that appeared after your scanner last ran. Claims Network shows you where specific attributions are contested — and at what source grade — so you do not overfit to a single analyst’s call. Alerts fire on any new graded source reporting on the active campaign while your IR team is still in containment. MARIA structures the adversary playbook in plain language so your incident commander can brief the CISO without waiting for a written summary.

Artifacts

Situation

Your organisation depends on 40-plus software and managed-service vendors. Three of them have had publicly disclosed breaches in the past 18 months. You need continuous visibility into which of your critical vendors are being targeted, whether threat actors are using vendor access as a pivot path into organisations like yours, and when new disclosures about a vendor warrant an urgent call to your procurement or legal team.

The question

"Which of our critical third-party vendors appear in active threat reporting — breach disclosures, targeting by known adversary groups, or supply-chain campaign coverage — in the past 30 days?"

How Mapshock handles it

Mapshock places Entity Watches on your vendor roster, routing new threat reporting into a Tactical Feed filtered to supply-chain and third-party compromise coverage across 850+ graded source domains. When a graded source reports a breach, a targeting campaign, or a known adversary group using a software supply-chain vector, an Alert fires with the source grade and the relevant claim. Dossiers on your highest-risk vendors are updated continuously, so your next vendor review starts from current intelligence rather than a questionnaire response. Narrative Evolution surfaces cases where public characterisation of a vendor’s security posture is shifting — a signal worth investigating before it surfaces in a disclosure filing.

Artifacts