The breach usually just asks.
Most big breaches weren't fancy — someone called the help desk and asked for a password reset. Truthsayer covers all five social-engineering surfaces across M365, Google Workspace, Slack, Teams, ServiceNow, and Jira.
What Truthsayer detects.
Email and URL analysis
Inspects inbound messages for lookalike sender addresses, display-name spoofing, credential-harvesting links, and malicious attachments before they reach inboxes.
OAuth consent-abuse detection
Flags third-party apps requesting excessive scopes before an employee grants them, and continuously surfaces existing OAuth grants that represent live, unreviewed exposure.
Lookalike-domain monitoring
Watches certificate-transparency logs around the clock to catch domain registrations crafted to deceive employees and customers — typosquats, homoglyphs, and brand impersonations.
MFA push-bombing circuit breaker
Detects rapid-fire push sequences and trips the circuit before a fatigued employee taps approve. Stops the push-bombing pattern at the identity layer without requiring policy changes in your IdP.
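An added illustration of the circuit-breaker idea described above (example code, not Truthsayer's own): a per-identity sliding window over constructed MFA push log lines that trips after a burst and holds further pushes for a cooldown. The log format, thresholds and user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push-event log lines (assumed format, not real product output):
# "<timestamp>Z push user=<identity> result=<sent|approved|denied>"
SAMPLE_LOG = """\
2024-03-04T09:00:02Z push user=alice@example.com result=sent
2024-03-04T09:00:09Z push user=alice@example.com result=sent
2024-03-04T09:00:15Z push user=alice@example.com result=sent
2024-03-04T09:00:21Z push user=alice@example.com result=sent
2024-03-04T09:00:26Z push user=alice@example.com result=sent
2024-03-04T09:00:31Z push user=alice@example.com result=sent
2024-03-04T10:15:00Z push user=bob@example.com result=sent
2024-03-04T13:40:00Z push user=bob@example.com result=sent
"""

class PushCircuitBreaker:
    """Trips an identity's breaker when pushes exceed max_pushes inside window_s seconds."""
    def __init__(self, max_pushes=5, window_s=60, cooldown_s=900):
        self.max_pushes = max_pushes
        self.window = timedelta(seconds=window_s)
        self.cooldown = timedelta(seconds=cooldown_s)
        self.recent = defaultdict(deque)  # identity -> push timestamps inside the window
        self.tripped_until = {}           # identity -> time the breaker closes again

    def observe(self, ts, identity):
        """Return 'allow' (prompt the user) or 'suppress' (hold the push, escalate)."""
        until = self.tripped_until.get(identity)
        if until is not None and ts < until:
            return "suppress"  # breaker is open: the user never sees this prompt
        queue = self.recent[identity]
        queue.append(ts)
        while queue and ts - queue[0] > self.window:
            queue.popleft()   # drop pushes that have aged out of the window
        if len(queue) > self.max_pushes:
            self.tripped_until[identity] = ts + self.cooldown
            queue.clear()
            return "suppress"
        return "allow"

def parse_line(line):
    ts_str, _, user_kv, _ = line.split()
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), user_kv.split("=", 1)[1]

def run(log_text, **breaker_kwargs):
    """Replay log lines through one breaker; return {identity: [decision per push]}."""
    breaker = PushCircuitBreaker(**breaker_kwargs)
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        ts, identity = parse_line(line)
        decisions[identity].append(breaker.observe(ts, identity))
    return dict(decisions)
```

In the sample, alice's sixth push inside thirty seconds trips the breaker while bob's two pushes hours apart pass; a tripped identity is the one an analyst should look at next.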
Help-desk impersonation defense
Correlates inbound reset requests against call origin, identity signals, and recent threat context to flag social-engineering attempts at the service desk before a credential is changed.
SEG floor enrichment
Integrates with Proofpoint and Abnormal as an up-only enrichment layer — Truthsayer can only raise a risk score, never lower one, so existing gateway investments are fully preserved.
How Truthsayer works
1. Connect your communication and identity stack
Read-only API connections to Microsoft 365, Google Workspace, Okta, Slack, and your ticketing system are established in minutes. No agents, no MX-record changes required for initial visibility.
2. Continuous multi-surface signal collection
Truthsayer ingests mail headers, OAuth grant events, DNS and certificate-transparency feeds, MFA authentication logs, and help-desk ticket metadata — correlating across surfaces that are normally siloed.
3. Correlated risk scoring and triage
Signals from each surface are weighted, cross-referenced against identity context, and consolidated into prioritized findings. High-confidence findings surface to your SOC or Sandworm Truthsayer dashboard; lower-confidence signals are queued for analyst review.
4. Findings flow into the Sandworm investigation workflow
Every Truthsayer finding becomes an investigation object — linked to the affected identity, the attack surface, and any correlated events — so your team closes the loop without juggling separate tools.
Who Truthsayer is built for
Teams losing the BEC and wire-fraud fight
Business-email compromise is the highest-dollar fraud vector. Truthsayer covers the correlation gaps that standalone email gateways cannot see: OAuth abuse, lookalike domains registered the morning of an attack, and compromised vendor accounts.
Organizations exposed to the help-desk reset vector
If your service desk resets passwords by phone, chat, or ticket, you carry this risk. Truthsayer makes the attack surface visible and adds a correlated signal layer before credentials change hands.
SOCs buried in OAuth-consent and lookalike-domain noise
Truthsayer correlates and prioritizes across surfaces so analysts investigate genuine threats, not a queue of disconnected low-confidence alerts from five separate tools.
Security teams needing coverage without rip-and-replace
Truthsayer is designed to layer on top of existing gateways and identity providers. It enriches what is already in place rather than requiring a platform swap.
Integrations
- Microsoft 365
- Google Workspace
- Okta/IdP
- Slack
- Microsoft Teams
- ServiceNow
- Jira
- Proofpoint
- Abnormal Security
- CertSpotter
Frequently asked questions
- How does Truthsayer connect to our environment?
Truthsayer connects via read-only API integrations to your mail, identity, and ticketing systems. There is nothing to install on endpoints and no MX-record change required to get started — initial setup is read-only OAuth or API-key credentials plus a few configuration fields in the console. SEG floor-enrichment mode (raising risk scores in Proofpoint or Abnormal) requires an API-key exchange with your existing gateway.
- What data does Truthsayer store from our environment?
Truthsayer ingests mail headers, OAuth grant metadata, MFA push-event logs, certificate-transparency feed data, and help-desk ticket attributes. Message bodies are never stored. All ingested signals are scoped to your tenant, never used to train shared models, and never visible to other organizations.
- How is Truthsayer priced?
Truthsayer is available in the Sandworm platform bundles and as a standalone add-on for teams that need social-engineering coverage without the full platform. Current rates and bundle options are on the /pricing page. There is no per-event, per-alert, or per-surface charge.
- Our email gateway already catches most phishing. What does Truthsayer add?
Email gateways are excellent at message-level filtering — they evaluate the email itself. Truthsayer adds cross-surface correlation: it connects a suspicious inbound message to a lookalike domain registered the same morning, an OAuth consent grant made ten minutes later by the targeted user, and an MFA push spike on that same identity. A standalone gateway sees the message; Truthsayer sees the campaign.
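An added sketch of the cross-surface correlation this answer describes (example code, not the product's implementation): constructed signals from the CT, mail, OAuth and MFA surfaces are grouped per identity inside a time window, a lookalike-domain check (homoglyph normalization plus one allowed edit) ties the domain registration to the message, and the surfaces present are summed into a score. The brand domain, events, weights and threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BRAND_DOMAIN = "example.com"  # assumed protected domain (constructed)
def edit_distance(a, b):
    """Levenshtein distance, used for typosquat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, brand=BRAND_DOMAIN):
    """Homoglyph-normalize (rn->m, vv->w, 0->o, 1->l), then allow one edit."""
    if domain == brand:
        return False
    norm = domain.lower().replace("rn", "m").replace("vv", "w")
    norm = norm.translate(str.maketrans("01", "ol"))
    return norm == brand or edit_distance(norm, brand) <= 1

@dataclass
class Event:
    ts: datetime
    surface: str   # "ct", "mail", "oauth" or "mfa"
    identity: str  # targeted user, or "" for tenant-wide CT signals
    detail: str    # domain, sender address, or free-text summary
WEIGHTS = {"mail": 20, "ct": 25, "oauth": 30, "mfa": 25}
def T(hhmm): return datetime.strptime("2024-03-04 " + hhmm, "%Y-%m-%d %H:%M")
SAMPLE_EVENTS = [  # constructed signals from four surfaces on one morning
    Event(T("08:12"), "ct", "", "exarnple.com"),
    Event(T("09:30"), "mail", "alice@example.com", "cfo@exarnple.com"),
    Event(T("09:35"), "mail", "bob@example.com", "news@vendor-news.net"),
    Event(T("09:40"), "oauth", "alice@example.com", "Invoice Sync asked for Mail.ReadWrite"),
    Event(T("09:45"), "mfa", "alice@example.com", "6 pushes in 30s"),
]

def correlate(events, window=timedelta(hours=2), threshold=60):
    """Per identity: surfaces seen within the window, CT attached via a lookalike sender."""
    lookalikes = {e.detail for e in events if e.surface == "ct" and is_lookalike(e.detail)}
    findings = {}
    for ident in sorted({e.identity for e in events if e.identity}):
        mine = sorted((e for e in events if e.identity == ident), key=lambda e: e.ts)
        surfaces = {e.surface for e in mine if e.ts - mine[0].ts <= window}
        if any(e.surface == "mail" and e.detail.split("@")[-1] in lookalikes for e in mine):
            surfaces.add("ct")  # the message came from a freshly registered lookalike
        score = sum(WEIGHTS[s] for s in surfaces)
        if score >= threshold:
            findings[ident] = (score, sorted(surfaces))
    return findings
```

Only alice crosses the threshold: her single suspicious message, which a gateway would judge on its own, scores far higher once the same-morning registration, the consent grant and the push spike on her identity are attached to it.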
- Does Truthsayer require replacing our existing SEG?
No — and we actively recommend against it. Truthsayer is an up-only enrichment layer: it can only raise a risk score passed to Proofpoint or Abnormal, never lower one. Your existing gateway's tuned policies and quarantine rules stay intact; Truthsayer adds correlated context on top of what the gateway already knows.
- What AI-powered Truthsayer features are still being built?
The in-house Mendicant reasoning engine is in active development. Today, Truthsayer's AI-assisted triage and explanation layer runs on frontier model providers — Anthropic, OpenAI, and Azure OpenAI. When the in-house engine meets the same quality bar as the hosted providers, it will ship as a production option for operators who require fully air-gapped inference. We do not have a committed release date.
Run Truthsayer against your own mail flow.
We'll show you the social engineering already getting through — live.