Now in Private Beta  ·  API Access Available

Threat intelligence
designed for machines.

Security operations run at machine speed. Attackers hand off from initial access to secondary threat actor in under 22 seconds. Your intelligence layer needs to keep up. SarraS is the normalized, scored, and machine-ready data infrastructure that autonomous security systems actually require.

ML-DSA-65
Every Response Signed
7
Scoring Dimensions
9+
Phase 1 Connectors
STIX 2.1
Native Schema
CISA KEVsorted by exploitation probability
GET /v1/cves
CVSS + EPSS + KEV enrichment. Sorted by real-world exploitation probability, not just severity.
CVSS · EPSS · KEV
0.88corroboration3 independent sources
GET /v1/indicators
Multi-source corroboration scoring. Not just one feed.
PostgreSQL indexed
CVE-2026-1234CVE-2026-5678CVE arrays extracted from advisory text
GET /v1/advisories
CISA advisories with CVE arrays extracted automatically. No manual parsing downstream.
CVE arrays extracted
T1071.001T1557ATT&CK matrix, filterable by tactic
GET /v1/techniques
MITRE ATT&CK techniques, filterable by tactic. Maps onto corroboration and severity scoring.
ATT&CK mapped
live corpus, refreshed continuously
GET /v1/stats
Live corpus size and enrichment coverage across all record types.
Live corpus health
indicatormalware + actorcampaign + course-of-actionSARIS extension definition
GET /v1/bundle
Complete STIX 2.1 bundle export. Native OpenCTI import path.
STIX 2.1
CISA KEVsorted by exploitation probability
GET /v1/cves
CVSS + EPSS + KEV enrichment. Sorted by real-world exploitation probability, not just severity.
CVSS · EPSS · KEV
0.88corroboration3 independent sources
GET /v1/indicators
Multi-source corroboration scoring. Not just one feed.
PostgreSQL indexed
CVE-2026-1234CVE-2026-5678CVE arrays extracted from advisory text
GET /v1/advisories
CISA advisories with CVE arrays extracted automatically. No manual parsing downstream.
CVE arrays extracted
T1071.001T1557ATT&CK matrix, filterable by tactic
GET /v1/techniques
MITRE ATT&CK techniques, filterable by tactic. Maps onto corroboration and severity scoring.
ATT&CK mapped
live corpus, refreshed continuously
GET /v1/stats
Live corpus size and enrichment coverage across all record types.
Live corpus health
indicatormalware + actorcampaign + course-of-actionSARIS extension definition
GET /v1/bundle
Complete STIX 2.1 bundle export. Native OpenCTI import path.
STIX 2.1
The Problem
Intelligence
only built for humans.

The existing platforms never had to serve a machine. Now they do. And they can't.

Every major threat intelligence platform was designed around a single operational model: a human analyst opens a portal, reads enriched context, and decides what to do. The latency of that loop is measured in minutes to hours.

The security stack has become autonomous. SOAR playbooks fire in seconds. AI agents triage, enrich, and route alerts without analyst review. The intelligence infrastructure feeding them has not kept up.

Vendor confidence scores are static numbers designed for triage, not deterministic verdicts an agent can act on. They decay on timers, not on evidence. Single dimensions where autonomous systems need many.

"Attackers now hand off from initial access to secondary threat actor in 22 seconds. A timeline no human-in-the-loop workflow can match."

SarraS Threat Intelligence Infrastructure Brief, May 2026
What existing platforms fail to provide
Single-Score Confidence
A single number cannot drive autonomous routing. Agents need corroboration, freshness, severity, and exploitation reality as separate, queryable dimensions.
Timer-Based Decay
Timer-based decay is the standard across every incumbent platform. None respond to new evidence. A C2 IP reactivated after six months stays stale until a human intervenes — regardless of what a new source reports.
Portal-First Architecture
Every incumbent platform was built for browser-based human consumption. API access is secondary, slow, and not designed for millions of calls per hour at agentic query volumes.
No Source Provenance
Agents need to verify who saw a threat first. Current platforms collapse source attribution an agent cannot distinguish a CISA-confirmed indicator from a single paste-dump sighting.
The Fix

The intelligence layer, built for machine consumption.

SarraS sits below the analyst workbench, below the SIEM, below the SOAR. The normalization, scoring, and delivery layer that none of the existing vendors have built because they were all selling to analysts, not to machines.

We don't compete with the analyst workbench. We are what feeds it. Every SIEM, SOAR, XDR, EDR, vulnerability management platform, MDR/MSSP SOC, threat hunting tool, patch orchestration system, and AI security platform in your stack gets clean, scored, machine-ready intelligence from a single API with contractual SLAs.

GET /v1/indicators/{indicator} response PQC Signed
{
  "indicator": "198.51.100.1",
  "type": "ip",
  "scores": {
    "freshness": 0.79,
    "severity": 8.7,
    "corroboration": 0.88,
    "source_reliability": "B"
  },
  "pqc_algorithm": "ML-DSA-65",
  "pqc_signature": "a3f9e1... (6.6kb)"
}
01 SCHEMA
SARIS: The SarraS Intelligence Schema
The SarraS Intelligence Schema (SARIS) normalizes every record into a unified, machine-readable format. As a STIX 2.1 extension, any existing consumer ingests SARIS records without modification. Machine-specific scoring and routing fields live in the x_saris_ namespace.
02 SCORING
Multi-Dimensional Agentic Scoring
Autonomous agents cannot interpret a single collapsed score. SarraS separates freshness, severity, corroboration, source reliability, and information credibility into independently queryable fields, computed and signed at query time not on a schema-only basis. Each dimension serves a distinct agent decision path.
03 DELIVERY
API-First, Agentic-Ready
Six live endpoints, STIX 2.1 native, PQC-signed. Real-time scoring computed at query time on /v1/indicators and /v1/cves — freshness, severity, corroboration, and source reliability returned and cryptographically signed on every response.
How It Works

From raw feed to machine-ready intelligence.

Every indicator that enters SarraS passes through four sequential stages before it reaches your agent or platform. Nothing is served without being normalized, scored, and evidence-validated first.

CISA KEV NVD · OTX INGEST Kafka pipeline NORMALIZE SARIS schema SCORE 7 dimensions INDEX OpenSearch + Redis API 6 endpoints · SLA SOAR Agent SIEM Platform AI Security Tool
01 COLLECT
Ingest
Source-specific connectors pull from government feeds, open-source repositories, ISAC disclosures, and commercial sources. Every raw payload is stored verbatim before any processing begins.
02 NORMALIZE
Normalize
Every record is extracted, typed, and mapped into the SARIS schema a STIX 2.1 extension. MITRE ATT&CK techniques are mapped. Hash algorithms are detected. Inconsistent formats are resolved.
03 SCORE
Score
Five evidence-driven scores are computed and attached: freshness, severity, corroboration, source reliability, and information credibility. Scores move bidirectionally as new evidence arrives — never on timers alone.
04 SERVE
Deliver
Indexed across OpenSearch, PostgreSQL with pgvector, and Redis. Served via six API endpoints with contractual SLAs. TLP enforced at the key layer. Agents receive structured JSON never a portal.
The API

Six endpoints. Every one built for autonomous consumption.

The API surface is designed around one question: can an autonomous agent use this endpoint correctly without a human in the loop? Every response is typed, every field is explicit, every uncertainty is a number not a word.

GET
/v1/indicators
Filtered Bulk Retrieval
Retrieve filtered sets of indicators by type, with KEV cross-reference and freshness scoring. Designed for SIEM enrichment pipelines and detection engineering workflows that need a scoped corpus rather than a single lookup.
PostgreSQL indexed
GET
/v1/cves
CVE Records
CVEs enriched with CVSS, EPSS, and KEV data, sorted by exploitation probability. Built for teams prioritizing patch and remediation queues by real-world exploitation signal.
CVSS + EPSS + KEV enrichment
GET
/v1/advisories
CISA Advisories
CISA cybersecurity advisories with extracted CVE arrays, kept current on a rolling ingest cycle. Feeds directly into downstream vulnerability correlation.
CVE arrays extracted
GET
/v1/techniques
MITRE ATT&CK Techniques
MITRE ATT&CK techniques, filterable by tactic. Maps directly onto corroboration and severity scoring for indicator and campaign records.
ATT&CK framework mapped
GET
/v1/stats
Corpus Summary
Live corpus size and enrichment coverage metrics across all record types. The same endpoint a connector polls to check corpus health before pulling a fresh bundle.
Live corpus health
GET
/v1/bundle
STIX 2.1 Bundle Export
Export any indicator as a complete STIX 2.1 bundle — the indicator plus all related objects assembled in a single call. The native import path for OpenCTI.
STIX native · OpenCTI compatible
Why SarraS

Every existing platform was built for a world that no longer exists.

Incumbent analyst platforms
Portals designed for human workflows
The leading threat intelligence platforms are built around analyst portals, per-seat pricing, and PDF reports. Their APIs are secondary to the UI. Added later, not designed first. Confidence scores are single numbers with no corroboration model. Freshness decays on timers. When you add agentic tooling to your stack, these platforms cannot serve it.
Feed aggregators
Aggregation without machine-ready scoring
Feed aggregation platforms normalize across sources but score once and let timers handle decay. There is no corroboration model a single-source indicator and a six-source indicator receive the same treatment. The architecture was designed for analyst triage queues, not autonomous agent decision loops.
Open-source workbenches
Community tools without managed enrichment
Open-source sharing platforms give analysts community-contributed intelligence with no SLA, no managed enrichment, and no evidence-driven confidence scoring beyond manual tagging. They are the analyst workbench. SarraS is the data layer that feeds them not a competitor to them.

SarraS occupies the gap none of them fill: the infrastructure layer between raw feeds and machine-ready intelligence. Normalized. Evidence-scored. Delivered via an API designed from day one for autonomous consumption.

Evidence-driven, not timer-driven
Scores move bidirectionally when new evidence arrives. A dormant indicator that resurfaces in an active campaign recovers toward current corroboration levels automatically without human intervention.
Multiple dimensions, not one score
Freshness, severity, corroboration, source reliability, and information credibility are separate queryable fields. Agents branch on specific dimensions a single collapsed number destroys the decision granularity autonomous systems require.
Source provenance on every record
Every record carries a full source timeline which feed saw the indicator first, and when. Agents can verify data provider claims and weight decisions by source composition, not just aggregate confidence.
Post-quantum signed, not just claimed
Every API response is signed with ML-DSA-65 (NIST FIPS 204) at the moment it's generated. No competitor in this space has post-quantum signed responses today — a verifiable integrity guarantee, not a claim you have to trust.
Pricing

Pay for distribution rights, not API calls.

SarraS is built to be embedded, not queried seat-by-seat. Platform partners license SARIS as infrastructure under a flat annual fee scaled to their own customer base — one integration reaches every one of your customers, with no per-call metering to pass through.

Enterprise & Custom
Custom
Large-scale, government, and multi-region deployments
  • Custom feed construction & private source integration
  • Custom SLA and compliance requirements
  • Data licensing agreements
  • Dedicated account team
Contact Us
About

Built by practitioners who lived the problem.

SarraS was founded by security industry veterans with direct experience building and selling threat intelligence products to enterprise security teams. The gap SarraS fills is not theoretical. It was observed firsthand across years of working with the platforms, the practitioners, and the pain points that define the current market.

The founding team brings deep expertise in threat intelligence architecture, enterprise security operations, and API-first infrastructure design. The product was designed from first principles for the agentic era, not adapted from an existing analyst-facing platform.

SarraS is currently in private beta, onboarding a select group of design partners from the MDR, AI security, and SIEM/SOAR communities. If you are building autonomous security tooling and need a data layer you can trust, we want to talk.

Request API Access
Threat Intelligence Background
Deep operational experience with enterprise threat intelligence platforms, data pipelines, and the security operations teams that depend on them.
Enterprise Security Network
Direct relationships with MDR providers, MSSPs, SIEM vendors, and ISAC communities the exact buyers and partners SarraS is built to serve.
Agentic Security Focus
SarraS is purpose-built for the transition to autonomous security operations not a retrofit of existing analyst tooling onto a machine-consumption use case.
ISAC Community Access
Active membership and relationships across sector ISACs the source of the high-value, sector-specific intelligence that no public feed provides.