Today, cybersecurity programs must go beyond deploying tools. They need to seamlessly integrate threat intelligence into every stage of defensive security for immediate operational impact. Tidal Cyber's Threat-Led Defense Platform includes a deep well of Cyber Threat Intelligence (CTI), all aligned with MITRE ATT&CK® TTPs, enabling you to determine whether your organization can defend against the latest threats. This is bolstered through a strategic integration with ThreatConnect RQ, which provides cyber risk quantification, to expand the knowledge base of threats visible to Tidal Cyber users.
Partnership Delivers Three Measurable Benefits:
1. Unified Intelligence Fusion
Tidal Cyber’s knowledge base is highly extensible and designed to enable a multi-source view of adversaries and, importantly, their TTPs – specifically TTPs normalized to the standardized taxonomy of Tactics, Techniques, and Sub-Techniques published by MITRE ATT&CK. This gives users the most complete view of the adversary behavioral landscape possible.
The knowledge base in Tidal Cyber’s platform begins with “gold standard” threat objects carefully curated and directly sourced from MITRE ATT&CK. Tidal’s dedicated intelligence team then regularly curates and publishes objects related to timely threats. While we add a growing selection of threats widely relevant to our users, we recognize that many teams rely on other sizable, high-quality sources of threat content that they also want to use for coverage assessments in Tidal.
Our new integration with ThreatConnect enables users to seamlessly add those objects into the Tidal Cyber knowledge base so they can be used in all the same ways as objects sourced from ATT&CK, Tidal, or custom user additions. To start, users can research any or all of these objects side by side directly in the knowledge base (Figure 1) and compare and contrast the TTPs associated with them in visualizations like the Matrix view (Figure 2).
Figure 1: A list of “threat objects” in a table view from the knowledge base in Tidal Cyber, showing threat objects ingested via the new ThreatConnect integration. Importantly, each object contains relationships with ATT&CK TTPs, meaning users can leverage these right alongside objects from ATT&CK, Tidal, or other sources for threat research, Threat Profiling, and Coverage Mapping in Tidal.
Figure 2: A Tidal Cyber Matrix view that visualizes the Techniques and Sub-Techniques associated with the objects from these various sources (ATT&CK, Tidal Cyber, and ThreatConnect).
2. Threat Prioritization Rooted in Real-World Relevance
Once objects have been ingested into Tidal Cyber via the ThreatConnect integration, they are then also available to be used within key Tidal Cyber features – specifically, Threat Profiles and then onward into Coverage Maps.
Figure 3 shows an example, where threat objects from each of the sources (ATT&CK, Tidal Cyber, and ThreatConnect) are added to a Tidal Cyber Threat Profile. A Threat Profile is valuable because it automatically maintains a continuously up-to-date record of the ATT&CK Tactics, Techniques, and Sub-Techniques associated with the threat objects contained within it. Having objects from all your important intelligence sources (such as ATT&CK, Tidal, and importantly ThreatConnect) gives you the most complete view of the threat landscape possible. And using the Tidal Cyber Threat-Led platform means you can truly operationalize this complete view (see next section). Any updates to the objects ingested via the ThreatConnect integration would be immediately reflected in this Threat Profile and any associated Tidal Cyber coverage assessments (Coverage Maps).
Figure 3: An example Tidal Cyber Threat Profile containing the objects sourced from ATT&CK, Tidal Cyber, and ThreatConnect. These Profiles automatically keep track of the associated, up-to-date ATT&CK TTPs so those can be leveraged for coverage assessment analysis in Tidal Cyber Coverage Maps.
3. Closed-Loop Operational Effectiveness
The final phase is operations. Enriched threats feed detection engineering, validation (Purple/Red), incident response, threat hunting, and defensibility reporting. Tidal Cyber’s Threat-Led Platform orchestration layer then deploys TTP coverage mappings across the security stack.
Then the feedback loop begins: Tidal Cyber gathers data on detection success, exposure identification, and control performance and feeds insights back into ThreatConnect. As an advanced TIP, ThreatConnect supports dynamic updates of Tidal Cyber’s Confidence Scores and threat priorities and provides ROI metrics and reporting. Integration with ThreatConnect RQ provides cyber risk quantification, enabling insights based on actual financial risk to the business.
Figure 4: A Tidal Cyber Coverage Map containing the Threat Profile highlighted in the previous section, paired with a “Defensive Stack” showcasing ATT&CK’s “Mitigations” Data. The Coverage Map immediately prioritizes and keeps up to date the behaviors associated with the threat objects in this Threat Profile. Meanwhile, the recommendations and actions taken to enhance defenses can be reflected right back into the defensive stack. Any updates to the objects ingested via the ThreatConnect integration would be immediately reflected in this Threat Profile and any associated Tidal coverage assessments (Coverage Maps).
Why This Joint Integration Matters
- High-Fidelity, Contextual Intelligence at Speed
  Tip into a federated system: ThreatConnect’s ability to ingest and correlate intel from internal SIEM, malware feeds, and external vendors (a key TIP capability) feeds directly into Tidal Cyber’s threat-led workflows. Tidal Cyber’s AI-powered Threat-Led Defense Platform enrichment and normalization mean your analysts only see the threat intelligence that matters, saving time and reducing noise.
- Threat-Centric Defense Built on MITRE ATT&CK
  By aligning ThreatConnect-derived intel with ATT&CK techniques and applying them across Tidal Cyber’s control validation and detection engineering modules, security teams are no longer chasing alerts; they’re building defenses positioned against real adversary behavior.
- Measurable ROI & Budget Justification
  ThreatConnect’s RQ cyber-risk quantification and ROI analysis integrate seamlessly into Tidal Cyber’s justification narrative. Investments in specific controls or tools can now be tied directly to threat coverage, control gaps filled, and risk reduction, equipping CISOs with threat-informed decision support.
Illustration: From Intel to Action
- Threat Normalization
  - ThreatConnect provides enriched IOC data mapped to Tidal Cyber’s ATT&CK IDs and Confidence Scores; Tidal Cyber ingests, dedupes, and aligns it with internal telemetry.
- Prioritization & Modeling
  - Intelligence operations in ThreatConnect rate each feed’s value. Tidal Cyber’s platform maps intel into prioritized threat models and campaign chains.
- Operationalization
  - Tidal Cyber’s orchestration deploys indicators and control tests (Purple/Red). Incident, threat hunting, and alerting workflows are code ready.
- Feedback & Refinement
  - Detection outcomes and false positives are funneled back into ThreatConnect, triggering intel refinement, confidence update, and improved detection tuning.
The Tidal Cyber + ThreatConnect Advantage
| Advantage | Description |
| --- | --- |
| Centralized Visibility | Enriched intel from dozens of sources via ThreatConnect, all mapped to ATT&CK in the Tidal Cyber Threat-Led Defense Platform |
| Strategic Prioritization | ThreatConnect’s cyber risk quantification + Tidal Cyber’s control validation = risk-based defense tuning |
| Operational Efficiency | Analysts work faster because intel, detection, and response are consolidated and automated |
| Continuous Improvement | Integrated feedback loop ensures defenses evolve in sync with threat dynamics |
| Board-Ready Reporting | ThreatConnect’s ROI and risk metrics power Tidal Cyber’s ability to justify spend |
In Closing
Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy. Through TTPs and procedural-level insights mapped to MITRE ATT&CK, adversary groups and their behavior are embedded into your security strategy to measure security stack effectiveness, reducing the probability of attacker success.
With the integration of ThreatConnect, organizations now have a modern, measurable approach to reducing risk and ensuring that resources and budgets are directed toward the most impactful risk reductions, maximizing the return on security investments.
Want to explore how this joint solution can mature your defensive security program? Go to www.tidalcyber.com to book a demo and see it in action.