Today, cybersecurity programs must go beyond deploying tools. They need to seamlessly integrate threat intelligence into every stage of defensive security for immediate operational impact. Tidal Cyber's Threat-Led Defense Platform includes a deep well of Cyber Threat Intelligence (CTI), all aligned with MITRE ATT&CK® TTPs, enabling you to determine whether your organization can defend against the latest threats. This is bolstered through a strategic integration with ThreatConnect RQ, which provides cyber risk quantification, to expand the knowledge base of threats visible to Tidal Cyber users.
Tidal Cyber’s knowledge base is highly extensible and designed to enable a multi-source view of adversaries and, importantly, their TTPs – specifically TTPs normalized to the standardized taxonomy of Tactics, Techniques, and Sub-Techniques published by MITRE ATT&CK. This gives users the most complete view of the adversary behavioral landscape possible.
The knowledge base in Tidal Cyber’s platform begins with “gold standard” threat objects carefully curated and directly sourced from MITRE ATT&CK. Tidal’s dedicated intelligence team then regularly curates and publishes objects related to timely threats. While we add a growing selection of threats widely relevant to our users, we recognize that many teams rely on other sizable, high-quality sources of threat content that they also want to use for coverage assessments in Tidal.
Our new integration with ThreatConnect enables users to seamlessly add those objects into the Tidal Cyber knowledge base so they can be used in all the ways that objects sourced from ATT&CK, Tidal, or custom user additions are used. To start, users can perform threat research on any or all of these objects side by side directly in the knowledge base (Figure 1) and compare and contrast the TTPs associated with these objects in visualizations like the Matrix view (Figure 2).
Figure 1: A list of “threat objects” in a table view from the knowledge base in Tidal Cyber, showing threat objects ingested via the new ThreatConnect integration. Importantly, each object contains relationships with ATT&CK TTPs, meaning users can leverage these right alongside objects from ATT&CK, Tidal, or other sources for threat research, Threat Profiling, and Coverage Mapping in Tidal.
Once objects have been ingested into Tidal Cyber via the ThreatConnect integration, they are then also available to be used within key Tidal Cyber features – specifically, Threat Profiles and then onward into Coverage Maps.
Figure 3 shows an example, where threat objects from each of the sources (ATT&CK, Tidal Cyber, and ThreatConnect) are added to a Tidal Cyber Threat Profile. A Threat Profile is valuable because it automatically maintains a continuously up-to-date record of the ATT&CK Tactics, Techniques, and Sub-Techniques associated with the threat objects contained within it. Having objects from all your important intelligence sources (such as ATT&CK, Tidal, and importantly ThreatConnect) gives you the most complete view of the threat landscape possible. And using the Tidal Cyber Threat-Led platform means you can truly operationalize this complete view (see next section). Any updates to the objects ingested via the ThreatConnect integration would be immediately reflected in this Threat Profile and any associated Tidal Cyber coverage assessments (Coverage Maps).
The final phase is operations. Enriched threats feed detection engineering, validation (Purple/Red), incident response, threat hunting, and defensibility reporting. Tidal Cyber’s Threat-Led Platform orchestration layer then deploys TTP coverage mappings across the security stack.
Then the feedback loop begins: Tidal Cyber gathers data on detection success, exposure identification, and control performance and feeds insights back into ThreatConnect. As an advanced TIP, ThreatConnect supports dynamic updates of Tidal Cyber’s Confidence Scores and threat priorities and provides ROI metrics and reporting. Integration with ThreatConnect RQ, which provides cyber risk quantification, enables insights based on actual financial risk to the business.
Tip into a federated system: ThreatConnect’s ability to ingest and correlate intel from internal SIEM, malware feeds, and external vendors (a key TIP capability) feeds directly into Tidal Cyber’s threat-led workflows. Tidal Cyber’s AI-powered Threat-Led Defense Platform enrichment and normalization mean your analysts only see the threat intelligence that matters, saving time and reducing noise.
By aligning ThreatConnect-derived intel with ATT&CK techniques and applying them across Tidal Cyber’s control validation and detection engineering modules, security teams are no longer chasing alerts; they’re building defenses positioned against real adversary behavior.
ThreatConnect’s RQ cyber-risk quantification and ROI analysis integrate seamlessly into Tidal Cyber’s justification narrative. Investments in specific controls or tools can now be tied directly to threat coverage, control gaps filled, and risk reduction, equipping CISOs with threat-informed decision support.
| Advantage | Description |
| --- | --- |
| Centralized Visibility | Enriched intel from dozens of sources via ThreatConnect, all mapped to ATT&CK in the Tidal Cyber Threat-Led Defense Platform |
| Strategic Prioritization | ThreatConnect’s cyber risk quantification + Tidal Cyber’s control validation = risk-based defense tuning |
| Operational Efficiency | Analysts work faster because intel, detection, and response are consolidated and automated |
| Continuous Improvement | Integrated feedback loop ensures defenses evolve in sync with threat dynamics |
| Board-Ready Reporting | ThreatConnect’s ROI and risk metrics power Tidal Cyber’s ability to justify spend |
Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy. Through TTPs and procedural-level insights mapped to MITRE ATT&CK, adversary groups and their behavior are embedded into your security strategy to measure security stack effectiveness, reducing the probability of attacker success.
With the integration of ThreatConnect, organizations now have a modern, measurable approach to reducing risk and ensuring that resources and budgets are directed toward the most impactful risk reductions, maximizing the return on security investments.
Want to explore how this joint solution can mature your defensive security program? Go to www.tidalcyber.com, book a demo, and see it in action.