Now in Private Beta  ·  API Access Available

Threat intelligence
designed for machines.

Security operations run at machine speed. Attackers hand off from initial access to secondary threat actor in 22 seconds. Your intelligence layer needs to keep up. SarraS is the normalized, scored, and machine-ready data infrastructure that autonomous security systems actually require.

  • <100ms: /v1/score P95 SLA
  • 5: Scoring Dimensions
  • 9+: Phase 1 Connectors
  • STIX 2.1: Native Schema
POST /v1/score 43ms · GET /v1/indicators corroboration: 0.88 · GET /v1/feed streaming live · POST /v1/query semantic match: 0.94 · GET /v1/campaigns freshness: 0.79 · GET /v1/bundle/{id} STIX 2.1
The Problem
Intelligence
built for humans.

Consumed at machine speed by agents that need something it was never designed to give them.

Every major threat intelligence platform was designed around a single operational model: a human analyst opens a portal, reads enriched context, and decides what to do. The latency of that loop is measured in minutes to hours.

The security stack has become autonomous. SOAR playbooks fire in seconds. AI agents triage, enrich, and route alerts without analyst review. The intelligence infrastructure feeding them has not kept up.

Vendor confidence scores are static numbers designed for triage, not deterministic verdicts an agent can act on. They decay on timers, not on evidence. Single dimensions where autonomous systems need five.

"Attackers now hand off from initial access to secondary threat actor in 22 seconds. A timeline no human-in-the-loop workflow can match."

SarraS Threat Intelligence Infrastructure Brief, May 2026
Single-Score Confidence
A single number cannot drive autonomous routing. Agents need corroboration, freshness, severity, and exploitation reality as separate, queryable dimensions.
Timer-Based Decay
ThreatStream decays on timers. OpenCTI uses configurable rules. Neither responds to new evidence. A C2 IP reactivated after six months stays stale until a human intervenes.
Portal-First Architecture
Recorded Future, Anomali, and every incumbent built for browser-based human consumption. API access is secondary, slow, and not designed for millions of calls per month.
No Source Provenance
Agents need to verify who saw a threat first. Current platforms collapse source attribution: an agent cannot distinguish a CISA-confirmed indicator from a single paste-dump sighting.
The Fix

The intelligence layer, built for machine consumption.

SarraS sits below the analyst workbench, below the SIEM, below the SOAR. The normalization, scoring, and delivery layer that none of the existing vendors have built because they were all selling to analysts, not to machines.

We don't compete with the analyst workbench. We are what feeds it. Every SIEM, SOAR, and AI security platform in your stack gets clean, scored, machine-ready intelligence from a single API with contractual SLAs.

POST /v1/score response 43ms
{
  "verdict": "malicious",
  "confidence": 0.94,
  "corroboration_score": 0.88,
  "freshness_score": 0.79,
  "severity_score": 8.7,
  "exploitation_status": "actively_exploited",
  "recommended_action": "block",
  "source_count": 4,
  "cisa_kev": false,
  "latency_ms": 43
}
01 SCHEMA
SARIS: The SarraS Intelligence Schema
The SarraS Intelligence Schema (SARIS) normalizes every record into a unified, machine-readable format. It is a STIX 2.1 extension: any existing consumer ingests SARIS records without modification. Machine-specific scoring and routing fields live in the x_saris_ namespace.
02 SCORING
Five Scores, Not One
Confidence, corroboration, freshness, severity, and source reliability as separate dimensions. Evidence-driven decay that moves bidirectionally, not on timers.
03 DELIVERY
API-First, Agentic-Ready
Six endpoints with contractual SLAs. /v1/score under 100ms P95. Streaming delta feed via SSE. Natural language query via pgvector. Built for millions of calls per month.
How It Works

From raw feed to machine-ready intelligence.

Every indicator that enters SarraS passes through four sequential stages before it reaches your agent or platform. Nothing is served without being normalized, scored, and evidence-validated first.

01 COLLECT
Ingest
Source-specific connectors pull from government feeds, open-source repositories, ISAC disclosures, and commercial sources. Every raw payload is stored verbatim before any processing begins.
02 NORMALIZE
Normalize
Every record is extracted, typed, and mapped into the SARIS schema, a STIX 2.1 extension. MITRE ATT&CK techniques are mapped. Hash algorithms are detected. Inconsistent formats are resolved.
03 SCORE
Score
Five evidence-driven scores are computed and attached: confidence, corroboration, freshness, severity, and source reliability. Scores move bidirectionally as new evidence arrives, never on timers alone.
04 SERVE
Deliver
Indexed across OpenSearch, PostgreSQL with pgvector, and Redis. Served via six API endpoints with contractual SLAs. TLP enforced at the key layer. Agents receive structured JSON, never a portal.
The API

Six endpoints. Every one built for autonomous consumption.

The API surface is designed around one question: can an autonomous agent use this endpoint correctly without a human in the loop? Every response is typed, every field is explicit, every uncertainty is a number, not a word.

POST P95 < 100ms
/v1/score
Real-Time IOC Verdict
Submit any indicator and receive a composite risk score with full evidence chain in under 100ms. The primary agentic decision endpoint, designed for inline SOAR triage loops where every millisecond of latency has an operational cost.
Redis hot path
GET P95 < 200ms
/v1/indicators
Filtered Bulk Retrieval
Retrieve filtered sets of indicators by type, severity, freshness, exploitation status, or sector. Returns 1,000 records per page. Designed for SIEM enrichment pipelines and detection engineering workflows that need a scoped corpus rather than a single lookup.
OpenSearch indexed
POST P95 < 800ms
/v1/query
Natural Language Intelligence
Submit a natural language hypothesis and receive ranked, freshness-scored intelligence records. Built on pgvector semantic search; agents can begin with an open-ended threat hunting directive rather than a pre-structured query.
pgvector semantic search
GET Streaming SSE
/v1/feed
Real-Time Delta Stream
Persistent SSE stream of new and updated records. Kafka consumer offset tracking means agents reconnect without data loss. Filter by sector, TLP level, indicator type, and freshness threshold. Built for detection engineering platforms that update rules in real time.
Kafka offset tracking
GET P95 < 300ms
/v1/campaigns · /v1/actors
Relationship Traversal
Retrieve full campaign and threat actor context without reassembling from individual indicator queries. An agent following a relationship ID from a scored indicator gets the full picture (TTPs, targeted sectors, attributed tooling, active timeline) in a single call.
PostgreSQL relational graph
GET P95 < 500ms
/v1/bundle/{id}
STIX 2.1 Bundle Export
Export any indicator as a complete STIX 2.1 bundle: the indicator plus all related objects, assembled in a single call. The native import path for OpenCTI and MISP. Accepts incoming bundles via POST for bidirectional STIX exchange with partner platforms.
STIX native · OpenCTI compatible
Why SarraS

Every existing platform was built for a world that no longer exists.

Incumbent analyst platforms
Portals designed for human workflows
The leading threat intelligence platforms are built around analyst portals, per-seat pricing, and PDF reports. Their APIs are secondary to the UI. Added later, not designed first. Confidence scores are single numbers with no corroboration model. Freshness decays on timers. When you add agentic tooling to your stack, these platforms cannot serve it.
Feed aggregators
Aggregation without machine-ready scoring
Feed aggregation platforms normalize across sources but score once and let timers handle decay. There is no corroboration model: a single-source indicator and a six-source indicator receive the same treatment. The architecture was designed for analyst triage queues, not autonomous agent decision loops.
Open-source workbenches
Community tools without managed enrichment
Open-source sharing platforms give analysts community-contributed intelligence with no SLA, no managed enrichment, and no evidence-driven confidence scoring beyond manual tagging. They are the analyst workbench. SarraS is the data layer that feeds them, not a competitor to them.

SarraS occupies the gap none of them fill: the infrastructure layer between raw feeds and machine-ready intelligence. Normalized. Evidence-scored. Delivered via an API designed from day one for autonomous consumption.

Evidence-driven, not timer-driven
Scores move bidirectionally when new evidence arrives. A dormant indicator that resurfaces in an active campaign recovers toward current corroboration levels automatically, without human intervention.
Five dimensions, not one score
Confidence, corroboration, freshness, severity, and source reliability are separate queryable fields. Agents branch on specific dimensions; a single collapsed number destroys the decision granularity autonomous systems require.
Source provenance on every record
Every record carries a full source timeline: which feed saw the indicator first, and when. Agents can verify data provider claims and weight decisions by source composition, not just aggregate confidence.
API-first, contractual SLAs
The /v1/score endpoint has a contractual sub-100ms P95 SLA. No portal. No session state. No per-seat pricing model that breaks at machine-scale query volumes.
Pricing

Scale with your consumption, not your headcount.

Usage-based pricing designed for machine-scale query volumes. No per-seat model. No portal tax. Start on Developer, grow to Platform as your pipeline scales.

Developer
$299/mo
50,000 API calls / month
  • Tier 1 open source feeds
  • All six API endpoints
  • SARIS schema access
  • Standard SLA
  • Email support
Platform
$4,500/mo
5,000,000 API calls / month
  • All tiers including dark web
  • All six API endpoints
  • Contractual SLAs
  • RED TLP clearance
  • Dedicated onboarding
Enterprise
Custom
Unlimited · custom feeds · SLA
  • All tiers + custom feeds
  • Private source integration
  • Custom SLA agreement
  • Data licensing available
  • Dedicated support
About

Built by practitioners who lived the problem.

SarraS was founded by security industry veterans with direct experience building and selling threat intelligence products to enterprise security teams. The gap SarraS fills is not theoretical. It was observed firsthand across years of working with the platforms, the practitioners, and the pain points that define the current market.

The founding team brings deep expertise in threat intelligence architecture, enterprise security operations, and API-first infrastructure design. The product was designed from first principles for the agentic era, not adapted from an existing analyst-facing platform.

SarraS is currently in private beta, onboarding a select group of design partners from the MDR, AI security, and SIEM/SOAR communities. If you are building autonomous security tooling and need a data layer you can trust, we want to talk.

Threat Intelligence Background
Deep operational experience with enterprise threat intelligence platforms, data pipelines, and the security operations teams that depend on them.
Enterprise Security Network
Direct relationships with MDR providers, MSSPs, SIEM vendors, and ISAC communities, the exact buyers and partners SarraS is built to serve.
Agentic Security Focus
SarraS is purpose-built for the transition to autonomous security operations, not a retrofit of existing analyst tooling onto a machine-consumption use case.
ISAC Community Access
Active membership and relationships across sector ISACs, the source of the high-value, sector-specific intelligence that no public feed provides.