Context Engine


In cybersecurity, the Context Engine is a processing component that enriches raw technical security data with real-world relevance. It acts as the central intelligence hub, performing multi-source data fusion to close the "Attribution Chasm": the gap between a technical finding and the business risk it actually represents.

The primary function of a Context Engine is to take an ambiguous security alert (an open port, a leaked file, a weak configuration) and fuse it with context the alert itself does not carry. That context includes:

  • Legal Data: Mapping findings to known regulatory compliance mandates (e.g., GDPR, HIPAA).

  • Financial Data: Identifying the revenue stream or business unit associated with a compromised asset.

  • Operational Data: Determining the owner, location, or criticality of the asset to the organization's mission.

  • Adversarial Data: Correlating the vulnerability with known threat actor tactics and techniques (e.g., MITRE ATT&CK).

By performing this iterative correlation, the Context Engine removes guesswork from triage. It turns technical noise into Legal-Grade Attribution, giving security leaders the evidence they need to prioritize risks, justify security investments, and direct the correct remediation response, and it removes the "Hidden Tax on the SOC" paid in analyst hours spent gathering that context by hand. ThreatNG's Context Engine™ is the mechanism central to its goal of delivering Certainty Intelligence, moving organizations past ambiguous findings to definitive, actionable knowledge.

ThreatNG describes it as a patent-backed solution that performs Multi-Source Data Fusion to iteratively correlate external technical security findings with decisive legal, financial, and operational context.

External Discovery and External Assessment

ThreatNG’s foundation is purely external, unauthenticated discovery, ensuring all data is collected from an attack-surface perspective. The Context Engine™ then uses this raw external data to power its contextualization.

The high-value Security Ratings (A-F) provide the structured technical findings that the Context Engine™ enriches:

  • Non-Human Identity (NHI) Exposure Security Rating (A-F): This rating quantifies exposure to threats from machine identities such as API keys and service credentials. The Context Engine™ then applies Legal-Grade Attribution to the NHI finding (e.g., an access key surfaced by Sensitive Code Exposure) to convert an unattributed technical artifact into evidence tied to a specific asset and owner.

  • Data Leak Susceptibility Security Rating (A-F): This assessment includes identifying external digital risks such as Cloud Exposure (exposed open cloud buckets) and Compromised Credentials. The Context Engine™ connects these technical exposures to business context, transforming raw findings into business-relevant data leak risks.

Continuous Monitoring and Reporting

Continuous Monitoring of the external attack surface ensures a constant flow of up-to-date technical findings into the Context Engine™, allowing it to maintain a real-time, dynamic view of risk. The attribution is only as current as the findings and the asset inventory it fuses them with, so stale inventory data degrades the output as much as stale discovery data does.

The Reporting capability is where the Context Engine's output is delivered for action:

  • Prioritized Reports (High, Medium, Low, and Informational) are a direct result of the engine using business context to rank technical risks.

  • The Knowledgebase in the reports provides Reasoning and Recommendations. This contextual feedback, generated by the engine's data fusion, helps organizations understand and act on the risk.

Investigation Modules and Intelligence Repositories

The Investigation Modules gather the technical data, while the Intelligence Repositories provide the context that the Context Engine™ fuses:

  • Investigation Modules:

    • Sensitive Code Exposure: Discovers public code repositories that contain sensitive data like Access Credentials (e.g., AWS Access Key ID, Stripe API key). The Context Engine™ links this technical finding to the organization’s asset inventory and owner.

    • External Adversary View: Performs outside-in discovery to identify vulnerabilities and exposures in a manner that an attacker would, and the resulting assessments directly map to MITRE ATT&CK techniques. This mapping is a key function of the Context Engine™, providing adversarial context to technical findings.

  • Intelligence Repositories (DarCache):

    • Dark Web (DarCache Dark Web) and Compromised Credentials (DarCache Rupture): These repositories provide external threat data that the Context Engine™ fuses with an organization's employee lists or asset records to attribute a leaked credential definitively.

    • SEC Form 8-Ks (DarCache 8-K) and ESG Violations (DarCache ESG): These are examples of the decisive legal and financial context the Context Engine™ integrates to achieve Legal-Grade Attribution.

Examples of ThreatNG Helping

  • Ending the Crisis of Context: The Context Engine™ resolves the industry's Attribution Chasm. For example, ThreatNG finds an exposed API endpoint on a subdomain that is vulnerable to a known exploit. The Context Engine™ links that subdomain to public SEC Form 8-K filings (DarCache 8-K) that name the application in a disclosed material risk. This fusion turns an abstract technical vulnerability into a board-level, Legal-Grade Attribution risk with clear financial and legal implications, which accelerates remediation.

  • Eliminating the Hidden Tax on the SOC: An analyst finds a server with an exposed port (a technical finding). The Context Engine™ correlates the port exposure with the Vulnerabilities (DarCache Vulnerability) repository to determine whether the associated vulnerability is actively exploited in the wild (KEV), then links the affected server to the compliance obligations recorded in the External GRC Assessment. The result is an alert that arrives already prioritized, eliminating the time the analyst would otherwise spend manually gathering business and threat context.
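The following is an added worked example, not ThreatNG code and not a description of how the Context Engine™ is implemented: a small Python engine that performs the kind of fusion described in the context list at the top of this page and in the two scenarios above. It joins constructed findings against a constructed asset inventory (owner, business unit, criticality, compliance scope), a stand-in known-exploited-vulnerability list, and an ATT&CK technique map, then emits a priority band (High, Medium, Low, Informational) with a reasoning trail and a recommendation, in the spirit of the Prioritized Reports and Knowledgebase output described under Reporting. The hostnames, CVE identifiers, scoring weights and band thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed context sources. In a real deployment these would be a CMDB or
# asset-inventory export, a known-exploited-vulnerability feed and a compliance
# scope register; hostnames and CVE IDs below are placeholders, not real data.
ASSET_INVENTORY = {
    "pay-api.example.com": {"owner": "payments-eng", "business_unit": "Payments",
                            "criticality": "high", "compliance": ["PCI DSS"]},
    "build.example.com": {"owner": "platform-eng", "business_unit": "Engineering",
                          "criticality": "medium", "compliance": []},
    "wiki.example.com": {"owner": "it-ops", "business_unit": "Corporate IT",
                         "criticality": "low", "compliance": []},
}
KNOWN_EXPLOITED = {"CVE-0000-0001"}          # stand-in for a KEV list
ATTACK_TECHNIQUE = {                         # finding kind -> ATT&CK technique
    "exposed_service": "T1190 Exploit Public-Facing Application",
    "leaked_credential": "T1078 Valid Accounts",
}
RECOMMENDATION = {
    "exposed_service": "restrict the service to trusted networks or patch it",
    "leaked_credential": "revoke and rotate the credential, then audit its use",
}
CRITICALITY_WEIGHT = {"high": 2, "medium": 1, "low": 0}   # assumed weights


@dataclass
class Finding:
    asset: str
    kind: str            # one of ATTACK_TECHNIQUE's keys
    detail: str
    cve: Optional[str] = None


def enrich(finding: Finding) -> dict:
    """Fuse one raw finding with every context source.

    Returns the finding plus owner/business/compliance/adversary context,
    a numeric score, the priority band, and the reasons that drove the score.
    """
    reasons = []
    score = 1                                   # every confirmed exposure counts
    ctx = ASSET_INVENTORY.get(finding.asset)
    if ctx is None:
        # Attribution gap: keep the finding visible and flag it for an owner lookup
        ctx = {"owner": "unassigned", "business_unit": "unknown",
               "criticality": "unknown", "compliance": []}
        score += 1
        reasons.append("asset missing from inventory; owner and impact unverified")
    else:
        score += CRITICALITY_WEIGHT[ctx["criticality"]]
        reasons.append(f"{ctx['criticality']}-criticality asset owned by {ctx['owner']}")
    if ctx["compliance"]:                       # regulatory mandate applies
        score += 1
        reasons.append("in scope for " + ", ".join(ctx["compliance"]))
    if finding.cve:                             # adversarial context from the KEV stand-in
        if finding.cve in KNOWN_EXPLOITED:
            score += 3
            reasons.append(f"{finding.cve} is known to be exploited in the wild")
        else:
            score += 1
            reasons.append(f"{finding.cve} has no known in-the-wild exploitation")
    if finding.kind == "leaked_credential":     # directly usable by an attacker
        score += 2
        reasons.append("credential grants access without further exploitation")
    priority = ("High" if score >= 6 else "Medium" if score >= 4
                else "Low" if score >= 2 else "Informational")
    return {
        "asset": finding.asset, "detail": finding.detail, "owner": ctx["owner"],
        "business_unit": ctx["business_unit"], "compliance": ctx["compliance"],
        "technique": ATTACK_TECHNIQUE[finding.kind], "score": score,
        "priority": priority, "reasons": reasons,
        "recommendation": RECOMMENDATION[finding.kind],
    }


def prioritize(findings):
    """Enrich every finding and return the list highest priority first."""
    return sorted((enrich(f) for f in findings), key=lambda r: r["score"], reverse=True)


# Constructed sample findings mirroring the scenarios on this page.
SAMPLE_FINDINGS = [
    Finding("wiki.example.com", "exposed_service", "tcp/80 HTTP"),
    Finding("pay-api.example.com", "exposed_service",
            "tcp/8443 admin endpoint", cve="CVE-0000-0001"),
    Finding("build.example.com", "leaked_credential",
            "AWS Access Key ID committed to a public repository"),
    Finding("old-vpn.example.com", "exposed_service", "tcp/443 VPN portal",
            cve="CVE-0000-0002"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"[{r['priority']}] {r['asset']} ({r['owner']}, {r['business_unit']}) "
              f"{r['detail']} -> {r['technique']}")
        for why in r["reasons"]:
            print("    because:", why)
        print("    recommendation:", r["recommendation"])
```

Two design points matter more than the particular weights. First, a finding on an asset that is missing from the inventory is kept and flagged rather than dropped: silently discarding it would hide exactly the attribution gap the engine exists to close. Second, the reasons list is built alongside the score, so every priority decision ships with the evidence that produced it, which is what makes the output reviewable by an analyst and defensible to an asset owner.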

Cooperation with Complementary Solutions

The Context Engine™ is built to deliver high-certainty intelligence that other tools can use.

  • Working with a Governance, Risk, and Compliance (GRC) Platform: ThreatNG's Context Engine™ delivers findings with Legal-Grade Attribution and specific mappings to GRC frameworks like PCI DSS and GDPR. This contextualized output can be fed directly into a GRC platform, enabling it to move beyond internal audit data and automatically update the organization's external risk profile with verified, attorney-ready evidence, thereby justifying remediation budgets with business context.

  • Working with an External Attack Surface Management (EASM) Solution: ThreatNG is itself an EASM solution, but its Context Engine™ can also sit on top of another EASM tool's inventory. If that tool discovers an extensive list of exposed assets, ThreatNG's Context Engine™ can ingest the list and provide Legal-Grade Attribution and prioritization based on correlations with the DarCache ESG and DarCache 8-K repositories, turning a flat asset list into a prioritized, business-critical remediation plan.
