
Frequently Asked Questions

Everything you need to know about S6 Trace threat intelligence triage

Most TI platforms aggregate feeds but still leave analysts to sort duplicates, stale indicators, and disconnected infrastructure. S6 Trace groups related indicators, uses provenance graphs to show infrastructure relationships, and produces Morning Brief handovers. The goal is triage: what to review first, why it matters, and what evidence supports it.
Morning Brief is an AI-generated summary of overnight threat intelligence activity. It highlights new high-priority threats, investigation updates, and environmental changes, and condenses handover notes into a short briefing with provenance graphs for critical findings.
S6 Trace analyzes indicators from multiple feeds and groups related IOCs into clusters based on shared infrastructure, timing, targeting patterns, and TTPs. Analysts investigate clusters instead of individual indicators, reducing manual correlation and duplicate review.
S6 Trace integrates natively with ThreatConnect, MISP, and major commercial feeds, and offers API-based integration for custom feeds. It can also import STIX/TAXII formatted intelligence. The provenance graph tracks the original source and propagation path for each indicator across feeds.
Yes. S6 Trace supports air-gapped deployment patterns for classified and restricted environments. Threat feed data can be imported via approved transfer mechanisms, and core intelligence processing can run locally without external network access.
S6 Trace automatically deduplicates indicators and shows provenance—which feed originally published the IOC and how it propagated to other sources. This helps analysts identify the most authoritative source and understand indicator confidence based on source reputation.
A provenance graph is a visual map showing relationships between IOCs, threat actors, campaigns, and infrastructure. For example, if three separate campaigns reuse the same C2 server, the provenance graph connects them, revealing coordinated activity that might be missed when reviewing indicators in isolation.
Scoring combines source reputation, indicator freshness, environmental relevance, and threat actor attribution. Threats from sources with a reliable track record and a match to your industry, region, or SIEM context are promoted for analyst review.
Yes. S6 Trace has an API-first design for SOAR integration. High-priority IOC clusters can trigger automated containment workflows. Findings export to ticketing systems (Jira, ServiceNow) and SIEMs (Splunk, ELK, Cortex) for correlation with security events.
Yes. Small teams are often overwhelmed by threat-intelligence volume, so clustering and prioritization matter more when analyst capacity is limited. Morning Brief helps preserve overnight context without requiring a dedicated overnight analyst for every environment.
Cloud deployment takes 3-5 days for provisioning and feed integration. On-premise deployment takes 1-2 weeks, including installation, feed configuration, and initial clustering tuning. Training is included for SOC analysts on cluster investigation and provenance graph interpretation.
The beta program includes direct access to the development team, priority feature requests, weekly check-ins during onboarding, and a community support channel. The production release will include tiered support with enterprise options.

Ready to Join the Beta?

Trace is in testing with select SOC teams. Request beta access if you want to evaluate threat intelligence triage against your feed mix and handover process.
