Intel that actually does something.
Curated, enriched, operationalized threat intel that feeds every other tool — actor and campaign tracking, IoC management, dark-web and brand monitoring, and a sandbox.
What Sight does.
Threat-actor and campaign tracking
Follow adversary groups and active campaigns with curated profiles that update as new TTPs and infrastructure are attributed to them.
IoC management
Ingest, deduplicate, score, and expire indicators across hashes, IPs, domains, JA3 fingerprints, and YARA rules — with a full lineage trail for each indicator.
Dark-web monitoring
Surface credential leaks, data dumps, and chatter relevant to your organization from dark-web sources without requiring analysts to trawl manually.
Brand and domain protection
Detect typosquatting domains, phishing kits, and impersonation campaigns targeting your brand before they reach your users.
Malware sandbox detonation
Detonate suspicious files and URLs in an isolated environment and receive structured behavioral reports mapped back to known actor TTPs.
Operationalized intel push
Push curated indicators and detection logic as live rules into other Sandworm tools you already run — turning a feed subscription into active coverage across your stack.
How Sight works
1. Collect from structured and unstructured sources
Sight ingests from commercial threat feeds, STIX/TAXII publishers, MISP instances, and dark-web collection pipelines. All sources are normalized to a common indicator schema before storage.
2. Enrich, score, and deduplicate
Each indicator is scored for confidence and relevance, deduplicated across sources, and tagged with MITRE ATT&CK technique references where available. Expired or retracted indicators are automatically suppressed.
3. Detonate unknowns in the sandbox
Files or URLs flagged as suspicious can be submitted to the integrated sandbox. Behavioral output — network calls, file writes, process spawns — is correlated with existing actor profiles automatically.
4. Operationalize into active detections
High-confidence indicators and sandbox findings are pushed as detection rules to Sandworm tools running across your environment, closing the loop from raw intelligence to fired alert.
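The collect, normalize, score/deduplicate and expire steps above are the generic shape of an IoC pipeline. The following is an added illustration written for this page, not Sight's own code: it takes three constructed sample sources in different shapes (a typed vendor record, a MISP-style attribute list and an unstructured paste), refangs and classifies each value onto one (type, value) key, raises confidence when a second source corroborates an indicator, unions ATT&CK tags and source lineage, and suppresses indicators older than a per-type TTL. The schema, the scoring bonus, the TTL values and the sample feeds are all assumptions for the example.

```python
"""Constructed IoC ingest -> normalize -> dedupe/score -> expire pipeline.
Not Sight's code; schema, weights, TTLs and sample feeds are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import re

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is deterministic
TTL_DAYS = {"ip": 60, "domain": 90, "url": 90}    # hashes never expire (assumption)
DEFAULT_CONFIDENCE = 50                           # used when a source gives no score
SOURCE_BONUS = 10                                 # per additional corroborating source

# Constructed sample records from three hypothetical sources, each in its own shape.
FEED_A = [  # vendor records: typed, scored, ATT&CK-tagged
    {"type": "domain", "value": "Login-Example[.]com", "confidence": 80,
     "attack": ["T1566.002"], "seen": "2024-05-20"},
    {"type": "sha256", "value": "A" * 64, "confidence": 90, "attack": [], "seen": "2024-05-28"},
]
FEED_B = [  # MISP-style attributes: value and category only
    {"category": "domain", "value": "login-example.com", "seen": "2024-05-30"},
    {"category": "ip-dst", "value": "203.0.113.10", "seen": "2024-01-15"},  # stale
    {"category": "ip-dst", "value": "999.1.1.1", "seen": "2024-05-30"},     # malformed
]
FEED_C_TEXT = "hxxp://login-example.com/kit\n203.0.113.77\n"  # unstructured paste

@dataclass
class Indicator:
    itype: str
    value: str
    confidence: int
    last_seen: datetime
    sources: set[str] = field(default_factory=set)  # lineage: which feeds reported it
    attack: set[str] = field(default_factory=set)   # MITRE ATT&CK technique ids

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def refang(value: str) -> str:
    """Undo common defanging so equivalent indicators collide on the same key."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?://)", r"http\1", v, flags=re.I)

def classify(value: str) -> tuple[str, str] | None:
    """Return (type, canonical value), or None if the value is unusable."""
    v = refang(value)
    low = v.lower()
    if HEX64.match(low):
        return "sha256", low
    if low.startswith(("http://", "https://")):
        return "url", v          # path case can be significant; keep it
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", low):
        return "domain", low.rstrip(".")
    return None

def parse_seen(s: str | None, now: datetime) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else now

def from_structured(source: str, records, now: datetime):
    """Normalize structured records; the source's own type field is not trusted."""
    for r in records:
        parsed = classify(r["value"])
        if parsed is None:
            continue                                  # malformed value: drop, do not store
        itype, value = parsed
        yield Indicator(itype, value, int(r.get("confidence", DEFAULT_CONFIDENCE)),
                        parse_seen(r.get("seen"), now), {source}, set(r.get("attack", [])))

def from_text(source: str, text: str, now: datetime):
    """Pull whatever classifies as an indicator out of free text."""
    for token in text.split():
        parsed = classify(token)
        if parsed is not None:
            yield Indicator(parsed[0], parsed[1], DEFAULT_CONFIDENCE, now, {source}, set())

def merge(indicators) -> dict[tuple[str, str], Indicator]:
    """Deduplicate on (type, value); corroboration raises confidence, metadata is unioned."""
    merged: dict[tuple[str, str], Indicator] = {}
    for ind in indicators:
        key = (ind.itype, ind.value)
        cur = merged.get(key)
        if cur is None:
            merged[key] = ind
            continue
        new_sources = ind.sources - cur.sources
        cur.confidence = min(100, max(cur.confidence, ind.confidence)
                             + SOURCE_BONUS * len(new_sources))
        cur.last_seen = max(cur.last_seen, ind.last_seen)
        cur.sources |= ind.sources
        cur.attack |= ind.attack
    return merged

def expire(merged, now: datetime):
    """Split into live and expired sets by the per-type TTL."""
    live, expired = {}, {}
    for key, ind in merged.items():
        ttl = TTL_DAYS.get(ind.itype)
        (expired if ttl is not None and now - ind.last_seen > timedelta(days=ttl)
         else live)[key] = ind
    return live, expired

def run_pipeline(now: datetime = NOW):
    stream = [*from_structured("feed_a", FEED_A, now),
              *from_structured("feed_b", FEED_B, now),
              *from_text("paste_c", FEED_C_TEXT, now)]
    return expire(merge(stream), now)

if __name__ == "__main__":
    live, expired = run_pipeline()
    for ind in live.values():
        print(ind.itype, ind.value, ind.confidence, sorted(ind.sources), sorted(ind.attack))
    print("expired:", [k for k in expired])
```

Running it shows why the normalization step comes first: the defanged vendor entry and the MISP attribute collapse onto one domain record with confidence 90, both sources in its lineage and the ATT&CK tag preserved, while the malformed address is dropped and the January IP lands in the expired set rather than being pushed onward as a detection.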
Built for these situations.
Teams that buy intel but never operationalize it
Sight bridges the gap between a threat-feed subscription and actual detections firing in your environment, without requiring a dedicated threat-intel analyst to manage the pipeline.
Dark-web and credential-leak monitoring
Know when your organization's credentials, internal data, or sensitive identifiers surface on dark-web forums or paste sites, with enough context to assess and act.
Brand and domain impersonation defense
Catch typosquatting registrations and lookalike phishing kits targeting your brand early — before users receive the first phishing email.
Proactive threat hunting with sandbox context
Give analysts a structured environment to chase hypotheses: submit samples to the sandbox, correlate behavioral output with actor profiles, and pivot to live detections without exporting CSVs.
Integrations
- STIX/TAXII
- MISP
- commercial threat feeds
- SIEM
Frequently asked questions
- How is Sight set up — does it need its own infrastructure?
Sight runs as a containerized service in the Sandworm platform alongside the other backend services. Setup involves pointing it at your existing threat-feed subscriptions via STIX/TAXII or API credentials — there is nothing to install on endpoints and no separate infrastructure to provision.
- Are my indicators shared with other Sight customers?
Raw indicators remain within your own deployment boundary and are never sent to Sandworm or any third party. If you join the optional federated intel pool, participation shares only differentially private statistical aggregates — your raw IoC data stays in your environment and never becomes part of a shared database.
- What does Sight cost?
Sight is included in the Platform and Sovereign bundles and is available as a standalone add-on. There is no per-indicator or per-sandbox-run charge. Current bundle and à-la-carte pricing is at /pricing.
- How is Sight different from subscribing to a threat feed directly?
A raw feed subscription hands you a list of indicators and stops there. Sight normalizes, deduplicates, scores, and expires indicators automatically; runs unknown files and URLs through the sandbox and correlates behavioral output against actor profiles; and pushes high-confidence indicators into the Sandworm tools already running in your environment as live detection rules — so raw intel becomes active coverage without a manual conversion step.
- What AI capabilities does Sight use today, and what is coming?
AI-assisted indicator enrichment and sandbox correlation currently run on frontier AI models. The in-house Mendicant engine is in active development. When it reaches production readiness, it will be available as an option for operators who need fully sovereign, on-premises inference with no data leaving the network boundary.
- Which commercial threat feeds does Sight connect to?
Sight can consume any source that publishes over STIX/TAXII 2.x or exposes a structured poll API. Named commercial feed integrations are listed in the connector catalog. If a feed you rely on is not yet listed, contact us — new integrations are added based on demand.
Also in Sandworm.
Sandworm SIEM
Security information and event management with real-time correlation.
See Sandworm SIEM →
Put your intel to work.
Connect your existing threat feeds and let Sight turn them into detections across your full stack.