Translate TTP-level Threat Intelligence into Deployment-Ready Detections

Organizations struggle to keep up with evolving threats, which leaves security teams with the burden of building effective defenses. Advances in threat intelligence offer detailed insights into threat actor procedures, including the specific scripts used. Despite this, security teams face challenges in operationalizing the intelligence: expertise gaps, difficulty prioritizing vast amounts of data, and the work of adapting it into actionable controls. The result is a bottleneck in operations.

CardinalOps helps by translating TTP-level threat intelligence into detection rules. To get a taste of what CardinalOps can offer, choose your threat (or provide your own threat intelligence report) below:

Choose your threat, we’ll provide the detections:

Midnight Blizzard

Midnight Blizzard (also known as APT29, UNC2452, Cozy Bear, and NOBELIUM), a Russian threat actor linked to the SVR, is known for targeting governments, NGOs, and IT providers in the US and Europe. Active since 2018, they focus on intelligence collection through espionage.


BlackCat, or ALPHV, is a sophisticated ransomware group that emerged in late 2021. It operates on a Ransomware-as-a-Service (RaaS) model, and its ransomware is written in Rust, making it hard to detect. BlackCat uses double extortion, encrypting data and threatening to leak it if ransoms aren’t paid. Targeting various industries, it poses a significant threat with its advanced tactics.

Provide Your Own Intel Report

Share your threat intelligence report with CardinalOps and receive deployment-ready detections tailored to your needs. Simplify your security operations by transforming detailed threat insights into actionable controls. Enhance your defenses effortlessly and stay ahead of evolving threats with expertly crafted detection rules.

4th Annual Report: State of SIEM Detection Risk

In our fourth annual report, CardinalOps set out to gain visibility into the current state of use case development and threat detection coverage in enterprise SOCs. We analyzed, aggregated and anonymized data from production SIEM instances to understand SOC preparedness to detect the latest adversary techniques in MITRE ATT&CK.

The report analyzes real-world data from production SIEMs – including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic – covering more than 10,000 detection rules, over 1.2 million log sources, and hundreds of unique log source types.