Now in Private Beta  ·  API Access Available

Threat intelligence
designed for machines.

Security operations run at machine speed. Attackers hand off from initial access to secondary threat actor in under 22 seconds. Your intelligence layer needs to keep up. SarraS is the normalized, scored, and machine-ready data infrastructure that autonomous security systems actually require.

3 of 6
Endpoints Live Today
7
Scoring Dimensions
14
Active Connectors
STIX 2.1
Native Schema
new evidencet=0t=180d
POST /v1/score
Bidirectional freshness decay. Evidence resets the curve.
Live
0.88corroboration3 independent sources
GET /v1/indicators
Multi-source corroboration scoring. Not just one feed.
Live
live streamkafka offset tracking
GET /v1/feed
Real-time delta stream. No missed records on reconnect.
Coming Q3 2026
match: 0.94match: 0.71match: 0.43pgvector semantic search
POST /v1/query
Natural language to ranked intelligence. No pre-structured query needed.
Coming Q3 2026
TTPs + actors + sectors
GET /v1/campaigns
Full campaign context. TTPs, actors, targeted sectors in one call.
Coming Q3 2026
indicatormalware + actorcampaign + course-of-actionSARIS extension definition
GET /v1/bundle/{id}
Indicator + STIX 2.1 extension bundle export. Native OpenCTI import path.
Live · STIX 2.1
new evidencet=0t=180d
POST /v1/score
Bidirectional freshness decay. Evidence resets the curve.
Live
0.88corroboration3 independent sources
GET /v1/indicators
Multi-source corroboration scoring. Not just one feed.
Live
live streamkafka offset tracking
GET /v1/feed
Real-time delta stream. No missed records on reconnect.
Coming Q3 2026
match: 0.94match: 0.71match: 0.43pgvector semantic search
POST /v1/query
Natural language to ranked intelligence. No pre-structured query needed.
Coming Q3 2026
TTPs + actors + sectors
GET /v1/campaigns
Full campaign context. TTPs, actors, targeted sectors in one call.
Coming Q3 2026
indicatormalware + actorcampaign + course-of-actionSARIS extension definition
GET /v1/bundle/{id}
Indicator + STIX 2.1 extension bundle export. Native OpenCTI import path.
Live · STIX 2.1
The Problem
Intelligence
only built for humans.

The existing platforms never had to serve a machine. Now they do. And they can't.

Every major threat intelligence platform was designed around a single operational model: a human analyst opens a portal, reads enriched context, and decides what to do. The latency of that loop is measured in minutes to hours.

The security stack has become autonomous. SOAR playbooks fire in seconds. AI agents triage, enrich, and route alerts without analyst review. The intelligence infrastructure feeding them has not kept up.

Vendor confidence scores are static numbers designed for triage, not deterministic verdicts an agent can act on. They decay on timers, not on evidence. Single dimensions where autonomous systems need seven.

"Attackers now hand off from initial access to secondary threat actor in 22 seconds. A timeline no human-in-the-loop workflow can match."

SarraS Threat Intelligence Infrastructure Brief, May 2026
What existing platforms fail to provide
Single-Score Confidence
A single number cannot drive autonomous routing. Agents need corroboration, freshness, severity, and exploitation reality as separate, queryable dimensions.
Timer-Based Decay
Timer-based decay is the standard across every incumbent platform. None respond to new evidence. A C2 IP reactivated after six months stays stale until a human intervenes — regardless of what a new source reports.
Portal-First Architecture
Every incumbent platform was built for browser-based human consumption. API access is secondary, slow, and not designed for millions of calls per hour at agentic query volumes.
No Source Provenance
Agents need to verify who saw a threat first. Current platforms collapse source attribution an agent cannot distinguish a CISA-confirmed indicator from a single paste-dump sighting.
The Fix

The intelligence layer, built for machine consumption.

SarraS sits below the analyst workbench, below the SIEM, below the SOAR. The normalization, scoring, and delivery layer that none of the existing vendors have built because they were all selling to analysts, not to machines.

We don't compete with the analyst workbench. We are what feeds it. Every SIEM, SOAR, XDR, EDR, vulnerability management platform, MDR/MSSP SOC, threat hunting tool, patch orchestration system, and AI security platform in your stack gets clean, scored, machine-ready intelligence from a single API.

POST /v1/score response Live
{
  "found": true,
  "verdict": "suspicious",
  "recommended_action": "review",
  "confidence": 0.76,
  "corroboration_score": 0.1,
  "freshness_score": 60,
  "source_reliability": "A",
  "information_credibility": 6,
  "source_count": 1
}
01 SCHEMA
SARIS: The SarraS Intelligence Schema
The SarraS Intelligence Schema (SARIS) normalizes every record into a unified, machine-readable format. As a STIX 2.1 extension, any existing consumer ingests SARIS records without modification. Machine-specific scoring and routing fields live in the x_saris_ namespace.
02 SCORING
Seven Agentic Scoring Dimensions
Autonomous agents cannot interpret a single collapsed score. SarraS separates confidence, corroboration, freshness, severity, exploitation status, and NATO Admiralty source reliability and information credibility into seven independently queryable fields. Each dimension serves a distinct agent decision path.
03 DELIVERY
API-First, Agentic-Ready
Three live endpoints today real-time verdict scoring, indicator lookup, and STIX bundle export with streaming delta feed and natural language query shipping through Q3 2026. Built from day one for agentic query volumes, not retrofitted from a human portal.
How It Works

From raw feed to machine-ready intelligence.

Every indicator that enters SarraS passes through four sequential stages before it reaches your agent or platform. Nothing is served without being normalized, scored, and evidence-validated first.

CISA KEV NVD · OTX INGEST Kafka pipeline NORMALIZE SARIS schema SCORE 7 dimensions INDEX OpenSearch + Redis API 3 live · 3 in Q3 SOAR Agent SIEM Platform AI Security Tool
01 COLLECT
Ingest
Source-specific connectors pull from government feeds, open-source repositories, ISAC disclosures, and commercial sources. Every raw payload is stored verbatim before any processing begins.
02 NORMALIZE
Normalize
Every record is extracted, typed, and mapped into the SARIS schema a STIX 2.1 extension. MITRE ATT&CK techniques are mapped. Hash algorithms are detected. Inconsistent formats are resolved.
03 SCORE
Score
Seven evidence-driven scores are computed and attached: confidence, corroboration, freshness, severity, exploitation status, source reliability, and information credibility. Scores move bidirectionally as new evidence arrives never on timers alone.
04 SERVE
Deliver
Indexed across OpenSearch and PostgreSQL. Served via API three endpoints live today, three more shipping through Q3 2026. TLP enforced at the key layer. Agents receive structured JSON never a portal.
The API

Six endpoints. Three live today, three shipping through Q3 2026.

The API surface is designed around one question: can an autonomous agent use this endpoint correctly without a human in the loop? Every response is typed, every field is explicit, every uncertainty is a number not a word.

POST Live
/v1/score
Real-Time IOC Verdict
Submit any indicator in the system and receive a composite risk score, verdict, and recommended action in a single call. The primary agentic decision endpoint, designed for inline SOAR triage loops.
Shares scoring pipeline with /v1/indicators
GET Live
/v1/indicators
Filtered Bulk Retrieval
Retrieve filtered sets of indicators by type, severity, freshness, exploitation status, or sector. Returns 1,000 records per page. Designed for SIEM enrichment pipelines and detection engineering workflows that need a scoped corpus rather than a single lookup.
OpenSearch indexed
POST Coming Q3 2026
/v1/query
Natural Language Intelligence
Will let you submit a natural language hypothesis and receive ranked, freshness-scored intelligence records. Built on pgvector semantic search agents will be able to begin with an open-ended threat hunting directive rather than a pre-structured query.
Planned: pgvector semantic search
GET Coming Q3 2026
/v1/feed
Real-Time Delta Stream
Persistent SSE stream of new and updated records. Reconnect support means agents pick back up without data loss. Filter by sector, TLP level, indicator type, and freshness threshold. Built for detection engineering platforms that update rules in real time.
Planned: streaming offset tracking
GET Coming Q3 2026
/v1/campaigns   /v1/actors
Relationship Traversal
Will let you retrieve full campaign and threat actor context without reassembling from individual indicator queries. An agent following a relationship ID from a scored indicator will get the full picture TTPs, targeted sectors, attributed tooling, active timeline in a single call.
Planned: PostgreSQL relational graph
GET Live
/v1/bundle/{id}
STIX 2.1 Bundle Export
Export any indicator as a STIX 2.1 bundle the indicator plus its SARIS extension definition in a single call. Native import path for OpenCTI. Bidirectional exchange (accepting incoming bundles via POST) is on the Q3 2026 roadmap.
STIX native · OpenCTI compatible
Why SarraS

Every existing platform was built for a world that no longer exists.

Incumbent analyst platforms
Portals designed for human workflows
The leading threat intelligence platforms are built around analyst portals, per-seat pricing, and PDF reports. Their APIs are secondary to the UI. Added later, not designed first. Confidence scores are single numbers with no corroboration model. Freshness decays on timers. When you add agentic tooling to your stack, these platforms cannot serve it.
Feed aggregators
Aggregation without machine-ready scoring
Feed aggregation platforms normalize across sources but score once and let timers handle decay. There is no corroboration model a single-source indicator and a six-source indicator receive the same treatment. The architecture was designed for analyst triage queues, not autonomous agent decision loops.
Open-source workbenches
Community tools without managed enrichment
Open-source sharing platforms give analysts community-contributed intelligence with no SLA, no managed enrichment, and no evidence-driven confidence scoring beyond manual tagging. They are the analyst workbench. SarraS is the data layer that feeds them not a competitor to them.

SarraS occupies the gap none of them fill: the infrastructure layer between raw feeds and machine-ready intelligence. Normalized. Evidence-scored. Delivered via an API designed from day one for autonomous consumption.

Evidence-driven, not timer-driven
Scores move bidirectionally when new evidence arrives. A dormant indicator that resurfaces in an active campaign recovers toward current corroboration levels automatically without human intervention.
Seven dimensions, not one score
Confidence, corroboration, freshness, severity, exploitation status, source reliability, and information credibility are separate queryable fields. Agents branch on specific dimensions a single collapsed number destroys the decision granularity autonomous systems require.
Source provenance on every record
Every record carries a full source timeline which feed saw the indicator first, and when. Agents can verify data provider claims and weight decisions by source composition, not just aggregate confidence.
API-first, built for machine consumption
No portal. No session state. No per-seat pricing model that breaks at machine-scale query volumes. Three endpoints live today, including real-time verdict scoring streaming delivery and semantic search are shipping through Q3 2026.
Pricing

Pay for distribution rights, not API calls.

SarraS is built to be embedded, not queried seat-by-seat. Platform partners license SARIS as infrastructure under a flat annual fee scaled to their own customer base — one integration reaches every one of your customers, with no per-call metering to pass through.

Enterprise & Custom
Custom
Large-scale, government, and multi-region deployments
  • Custom feed construction & private source integration
  • Custom SLA and compliance requirements
  • Data licensing agreements
  • Dedicated account team
Contact Us
About

Built by practitioners who lived the problem.

SarraS was founded by security industry veterans with direct experience building and selling threat intelligence products to enterprise security teams. The gap SarraS fills is not theoretical. It was observed firsthand across years of working with the platforms, the practitioners, and the pain points that define the current market.

The founding team brings deep expertise in threat intelligence architecture, enterprise security operations, and API-first infrastructure design. The product was designed from first principles for the agentic era, not adapted from an existing analyst-facing platform.

SarraS is currently in private beta, onboarding a select group of design partners from the MDR, AI security, and SIEM/SOAR communities. If you are building autonomous security tooling and need a data layer you can trust, we want to talk.

Request API Access
Threat Intelligence Background
Deep operational experience with enterprise threat intelligence platforms, data pipelines, and the security operations teams that depend on them.
Enterprise Security Network
Direct relationships with MDR providers, MSSPs, SIEM vendors, and ISAC communities the exact buyers and partners SarraS is built to serve.
Agentic Security Focus
SarraS is purpose-built for the transition to autonomous security operations not a retrofit of existing analyst tooling onto a machine-consumption use case.
ISAC Community Access
Active membership and relationships across sector ISACs the source of the high-value, sector-specific intelligence that no public feed provides.