About ThreatPulsar

We built the tool we needed during an incident we should have caught sooner.

A missed indicator, a three-day dwell time

In late 2022, the team that would become ThreatPulsar was running SOC operations for a mid-sized financial services firm in Virginia. During a routine shift handover, an analyst noted a suspicious IP address flagged by one feed but cleared by two others. It sat in the queue for 11 hours — manually enriching it wasn't anyone's next task.

The IP was a command-and-control node for a Cobalt Strike beacon. By the time it was correlated with two other IOCs from different shifts, the threat actor had been in the environment for 72 hours. Nothing was exfiltrated, but the post-incident review made one thing clear: the problem wasn't analyst skill. It was the tool's inability to parallelize context across feeds fast enough to matter.

Elena Vasquez and Marcus Osei spent the next four months building a parallel enrichment prototype. The first version queried eight feeds. Today ThreatPulsar queries 40+, maps results to MITRE ATT&CK v14, and returns enriched context in under 10 seconds.


How we got here

Q4 2022

The incident

A 72-hour dwell time during a Cobalt Strike engagement revealed the gap in manual IOC enrichment workflows. Prototype development begins.

Q2 2023

First deployment

ThreatPulsar v0.1 deployed internally, querying 8 threat feeds in parallel. Median enrichment time drops from 14 minutes to 41 seconds.

Q1 2024

Company founded, first external customers

ThreatPulsar Inc. incorporated in Virginia. First three paying customers — all mid-market financial services SOC teams — adopted the platform within the first 60 days.

Q3 2024

ATT&CK mapping + SOAR connectors

Platform expanded to 40+ feeds, added MITRE ATT&CK v14 mapping engine, and shipped native connectors for Splunk SOAR and Tines. SOC 2 Type II audit completed.

Q4 2024

Seed Round

Completed a Seed Round to expand the threat feed library, add ICS/OT coverage, and build out the enterprise multi-tenant architecture for MSSP deployments.

What shapes how we build

Analyst time is finite

Every minute an analyst spends manually looking up an IOC is a minute not spent investigating the alert context. We optimize for reducing enrichment time, not for feature breadth. Speed is a core product requirement, not a marketing claim.

Transparency in attribution

We show analysts the evidence chain behind ATT&CK mappings and threat actor attributions. A platform that delivers conclusions without reasoning trains analysts to skip critical thinking. We show our work.

Your IOCs are not our training data

Indicators submitted for enrichment are isolated per tenant and are not used to improve shared models without explicit customer consent. Breach indicators are particularly sensitive. We handle them accordingly.

Fit into existing workflows

A platform that requires analysts to change how they work will get worked around. ThreatPulsar integrates with the tools your team already uses — Splunk, Elastic, Sentinel, XSOAR — and delivers enrichment context where analysts already look.

What teams achieve after deployment

Mid-Market Financial Services SOC

From 14-minute manual enrichment to 9-second automated pipeline

A regional bank's SOC team was spending an average of 14 minutes per IOC on manual feed lookups. Two analysts per shift were dedicated almost entirely to enrichment tasks, leaving limited capacity for actual investigation.

After deploying ThreatPulsar with Splunk SOAR integration, enrichment time dropped to 9 seconds median. The two analysts previously dedicated to lookups were reassigned to threat hunting — and identified three additional incidents in the following quarter that manual triage would have missed.

9s median enrichment (from 14 min)

Healthcare System Security Team

IOC volume manageable after medical device network expansion

A hospital network adding 1,400 connected medical devices to its monitoring perimeter projected a 340% increase in alert volume. Their existing enrichment workflow — analysts manually querying VirusTotal and AbuseIPDB — would not scale to the new volume.

ThreatPulsar's bulk enrichment API processed the increased IOC volume without adding analyst headcount. ATT&CK mapping identified IoMT-specific TTPs that generic feeds had not flagged, including protocol anomalies consistent with T1046 (Network Service Discovery) on the device subnet.

340% IOC volume increase absorbed without headcount addition

Boutique MSSP (12 client environments)

Multi-tenant enrichment without analyst context errors

A managed security provider managing 12 client environments was running shared enrichment infrastructure. Analysts occasionally confused IOC context between clients — a low-severity issue in most cases, but a compliance concern for two financial services clients with strict data isolation requirements.

ThreatPulsar's Enterprise tenant isolation architecture resolved the compliance concern. Each client's IOC data is processed and stored in an isolated context. The MSSP also reduced per-analyst IOC processing time by 67%, enabling the team to onboard two additional clients without hiring.

67% reduction in per-analyst processing time

2023: Founded in Arlington, VA
4: Team members (seed stage)
40+: Integrated threat feeds
SOC 2: Type II certified (Q4 2024)

Want to know more before committing?

Talk to us about your current enrichment workflow. We'll tell you honestly whether ThreatPulsar fits.
