SPAKTO ATTACK INTELLIGENCE PLATFORM · ADVERSARIAL EXPOSURE VALIDATION · CONTINUOUS SECURITY

Continuously validate how attackers can move through your environment.

Spakto AEV is the continuous adversarial exposure engine that maps real attack paths across identity, cloud, endpoint, and external surface — showing you what attackers see, where they move, and what you must fix first.

Your security stack generates noise.
Attackers operate in signal.

There are 14 steps between a phishing email and domain controller takeover. Traditional tools alert on some of them individually. Spakto maps all 14 — in sequence, causally linked, against your live environment.

01 · Correlation is the missing layer.

A failed login at 2:14am. A privilege change at 2:31am. A cloud API call from a different machine at 2:49am. Individually — noise. Sequenced — a targeted intrusion in progress. Your tools saw three separate events. Spakto saw one attack.
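As an added illustration (not Spakto's code, and not a description of how its engine actually works), a small correlator that turns the three events above into one finding: it groups telemetry by principal, requires the stages failed login → privilege change → cloud API call in that order inside a time window, and only reports when the chain spans more than one machine. The event fields, the chain definition and the sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # telemetry domain: "auth", "iam", "cloud"
    kind: str       # normalized event type
    principal: str  # identity the event is attributed to
    host: str       # machine the event was observed on

# Stages that are noise in isolation but an intrusion in sequence (constructed).
CHAIN = ("failed_login", "privilege_change", "cloud_api_call")

def correlate(events, window=timedelta(hours=1)):
    """Return one finding per principal whose events complete CHAIN in order
    within `window` and across more than one host.
    Each finding: (principal, [stages], sorted hosts)."""
    by_principal = {}
    for e in events:
        by_principal.setdefault(e.principal, []).append(e)
    findings = []
    for principal, evs in by_principal.items():
        matched = []
        for e in sorted(evs, key=lambda e: e.ts):
            if matched and e.ts - matched[0].ts > window:
                matched = []            # window expired: drop the partial chain
            if e.kind == CHAIN[len(matched)]:
                matched.append(e)
            if len(matched) == len(CHAIN):
                hosts = {m.host for m in matched}
                if len(hosts) > 1:      # same identity, different machines
                    findings.append((principal, list(CHAIN), sorted(hosts)))
                matched = []
    return findings

def alerts_vs_attacks(events):
    """Per-event alerting raises len(events) alerts; correlation sees N attacks."""
    return len(events), len(correlate(events))

# Constructed sample: the 2:14 / 2:31 / 2:49 sequence above for one identity,
# plus unrelated single events that per-event tooling would also alert on.
def T(h, m):
    return datetime(2024, 1, 1, h, m)

SAMPLE = [
    Event(T(2, 14), "auth",  "failed_login",     "alice", "ws-17"),
    Event(T(2, 20), "auth",  "failed_login",     "bob",   "ws-03"),
    Event(T(2, 31), "iam",   "privilege_change", "alice", "ws-17"),
    Event(T(2, 49), "cloud", "cloud_api_call",   "alice", "build-07"),
    Event(T(2, 50), "cloud", "cloud_api_call",   "carol", "ci-runner"),
    Event(T(3, 10), "iam",   "privilege_change", "bob",   "ws-03"),
]

if __name__ == "__main__":
    print(alerts_vs_attacks(SAMPLE))   # (6, 1): six alerts, one attack
```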

02 · CVSS scores miss the point entirely.

A CVSS 4.2 misconfiguration that bridges identity to lateral movement is more critical than a CVSS 9.8 finding on an air-gapped system. Exploitability only exists in context. Spakto shows you context — not scores.

03 · Assumptions expire. Emulation doesn't.

Your environment changes daily. A new cloud deployment, a rotated credential, a modified IAM policy — each one reshapes your attack surface. Spakto re-runs the full adversary playbook against every change, automatically.

Continuous Emulation · Multi-hop Path Mapping · Cross-domain Correlation · Safe Execution · Live Re-analysis · Evidence-based Output

Without Spakto: 847 unresolved alerts (Failed Auth, Proc Spawn, Reg Write, API Call, Priv Change, SMB Probe, Cred Dump)
With Spakto AEV: 1 critical path, prioritised. Attack path revealed: Init Access (T1566) → Foothold (T1059) → Priv Esc (T1548) → Lateral (T1021) → DC Takeover (Impact) · 5 techniques · 4 hops · 14 min domain to compromise
23d · Average dwell time your tools miss
1 · Path needed for domain compromise
300+ · ATT&CK techniques emulated live
0 · Production systems disrupted

End-to-End Pipeline

Five deterministic stages.
One continuous loop.

Every environment change — new asset, modified permission, cloud deployment — triggers a full pipeline re-run automatically. No manual intervention. No stale findings.

<30s · Ingestion lag
Continuous · Re-evaluation
Zero · Production impact

ADVERSARIAL EXPOSURE PIPELINE · CONTINUOUS

01 · INGEST

Telemetry Ingestion

50+ native connectors stream normalized telemetry from EDR, IAM, cloud, and SIEM into a unified event schema in under 30 seconds.

REST + streaming · webhook push
Schema normalization · dedup
50+ connectors active
OUTPUT → Normalized event stream

02 · MODEL

Graph Construction

Builds a living directed graph of every asset, identity, permission, trust chain, and network path — updated on every environment change.

Graph DB · O(1) traversal
Identity + permission inference
Real-time delta updates
OUTPUT → Live attack graph

03 · EMULATE

Adversary Emulation

Executes 300+ MITRE ATT&CK techniques safely against your live graph — verifying real exploitability without touching production workloads.

Safe exec · no-impact mode
Multi-hop technique chaining
300+ ATT&CK TTPs
OUTPUT → Exploitability results

04 · PRIORITIZE

Path Prioritization

Scores each discovered path by blast radius, reachability, and business criticality — reducing hundreds of findings to the paths that demand action.

Blast radius scoring
Business criticality weighting
Dedup + ranked output
OUTPUT → Ranked attack paths

05 · REPORT

Intelligence Delivery

Layered findings for every audience — attack path maps for engineers, risk dashboards for CISOs, compliance evidence for auditors.

Multi-audience output formats
SIEM + ticketing integration
Framework evidence export
OUTPUT → Actionable findings

50+ · Data sources
300+ · ATT&CK techniques
<30s · Ingestion lag
24/7 · Continuous re-run
EVENT-DRIVEN · ZERO MANUAL TRIGGERS
Live Attack Path Engine

Real attacker movement,
traced in real time.

Spakto continuously maps every viable attack path — from initial access vectors through lateral movement and privilege escalation to high-value targets — updating live as your environment changes.

Legend: Critical / Active path · At-risk / Lateral path · Monitored / Blocked

[Live attack emulation diagram, session 7F3A: paths active 14 · critical 3 · techniques 47 · updated now. Stages: Initial Access → Foothold → Lateral Move → Escalate → Impact. Nodes: Threat Actor, Phishing (active), CVE-2024 (exploited), Supply Chain (detected), Endpoint-01 (compromised), Endpoint-02 (at risk), Identity (AD) (escalated), Cloud (AWS) (lateral), Admin Creds (seized), Domain Ctrl (targeted), Data Store (targeted).]

14 · Active Attack Paths
3 · Critical Chain Paths
47 · Techniques Mapped
89% · Controls Validated
MITRE ATT&CK® Framework Coverage

317 adversary techniques.
284 continuously validated.

Every emulation run maps against the full MITRE ATT&CK® matrix across all 11 tactical categories — from Reconnaissance to Impact. Coverage expands automatically as the live adversary library grows.

89.6% · Detection Rate
317 · Techniques Mapped
11/11 · Tactics Covered

ATT&CK® LIVE COVERAGE MAP
RECON 57% · RESOURCE 40% · INIT ACC 86% · EXECUTION 100% · PERSIST 63% · PRIV ESC 88% · DEF EVAS 44% · CRED ACC 86% · DISCOVERY 100% · LATERAL 86% · IMPACT 71%
62/82 · Cells Validated
75.6% · Overall Coverage
2/11 · Full Tactic Coverage
Live · Real-time Updates
Platform Capabilities

Six core engines.
Always running.

Each capability is a purpose-built engine — not a dashboard widget. They run concurrently, share state, and feed into each other continuously.

6 · Concurrent engines
Live · Shared state bus
API · Fully programmable

CAP-01 · GRAPH-TRAVERSAL · ACTIVE

Attack Path Discovery

Computes every viable multi-hop path from every entry point to every high-value target — combining identity trust, cloud permissions, and endpoint reachability in a single directed graph.

Multi-hop traversal · identity + cloud + endpoint
Blast radius + reachability scoring per path
Real-time path invalidation on environment change
14ms avg traversal · path combinations · 1 critical path exposed

CAP-02 · SAFE-EXEC-ENGINE · ACTIVE

Adversary Emulation

Executes real attacker tradecraft — recon, initial access, lateral movement, privilege escalation, persistence, impact — safely against your live environment. No agents. No production risk.

300+ MITRE ATT&CK techniques covered
Multi-stage kill chain execution with chaining
Real-time telemetry capture per technique
300+ TTPs · 0 prod. impact · 3.2K tests/hr

CAP-03 · LLM-SYNTHESIS · ACTIVE

AI Scenario Generation

Synthesizes contextually relevant attack scenarios from your live environment telemetry — not generic templates. Models APT group behaviors, maps to your specific asset topology and crown jewels.

Environment-aware scenario synthesis
40+ APT group TTP libraries
Scenario relevance scoring by crown-jewel proximity
40+ threat actors · <100ms synthesis · Live env-aware

CAP-04 · REAL-TIME-RERUN · ACTIVE

Continuous Validation

Every environment change — a new IAM policy, a deployed VM, a rotated credential — triggers an automatic full re-run of affected attack paths. Findings are never more than minutes old.

Event-driven re-simulation on every change
<60s re-evaluation latency on delta events
Zero manual scheduling — fully autonomous loop
24/7 continuous · <60s re-eval lag · Zero stale findings

CAP-05 · CHAIN-ANALYSIS · ACTIVE

Toxic Risk Combination

Detects non-obvious compound paths where individually low-risk findings converge into critical attack chains. A CVSS 4.2 misconfiguration bridging identity to lateral movement outranks a CVSS 9.8 on an isolated host.

Cross-domain risk confluence detection
Config-only paths with zero CVEs required
Context-score overrides raw CVSS ranking
CVSS 4.2 → critical in context · 3 hops avg to DC · Config-only paths

CAP-06 · MULTI-AUDIENCE · ACTIVE

Evidence-Based Reporting

Produces layered, audience-specific output automatically — attack path maps for engineers, risk reduction dashboards for CISOs, and framework-mapped control evidence for compliance and auditors.

Technical · executive · compliance output layers
SIEM + ticketing API integration (Jira, ServiceNow)
SOC2 · NIST · ISO 27001 · NIS2 evidence export
3 audience layers · API SIEM integration · Auto framework map
Attack Surface Coverage

Your entire attack surface.
Continuously mapped.

Spakto validates your security controls across every domain of your attack surface — identity, cloud, endpoints, network, external, and application — showing real coverage, real gaps, real risk.

Overall coverage: 74%

Identity & IAM: 72% coverage, 34 techniques, +8% this month (Okta · Azure AD · CyberArk)
Cloud Infrastructure: 88% coverage, 41 techniques, +12% this month (AWS · Azure · GCP)
Endpoints: 91% coverage, 28 techniques, +5% this month (CrowdStrike · Defender · SentinelOne)
Network & Perimeter: 61% coverage, 22 techniques, +3% this month (Firewalls · NetFlow · IDS/IPS)
External Attack Surface: 44% coverage, 19 techniques, +19% this month (OSINT · Certificate · DNS)
Application Layer: 67% coverage, 16 techniques, +7% this month (API · Web · Supply Chain)
Infrastructure

Platform architecture

Three isolated processing layers connected by a typed event bus. Zero-trust data flow from raw telemetry to prioritized action.

PLATFORM ARCHITECTURE · SPAKTO AEV · v2.4.1
Input Sources: EDR/XDR · IAM/SSO · Cloud APIs · SIEM/Logs · Network Flow · DevOps CI · +44 more

L0 · Data Layer

Ingestion & Normalization

Parallel connectors ingest raw telemetry, normalize to Spakto Asset Schema, deduplicate at source with vector fingerprinting.

proto: REST/gRPC/Syslog/Kafka
schema: SAS-v3.1 unified
throughput: 2.4M events/sec
latency: <30s ingestion p99
L1 · Intelligence Layer

Graph Engine & AI Synthesis

Constructs live attack graphs from normalized assets. Dijkstra-variant path computation finds exploitable chains. LLM synthesizes realistic adversary scenarios.

engine: Dijkstra-AEV traversal
nodes: up to 500K assets
paths: ranked by blast radius
model: fine-tuned adversary LLM
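The page describes the graph engine here, and the toxic-risk-combination capability earlier, only by their inputs and outputs, so the following is an added example (not Spakto's code; the page does not describe the Dijkstra-AEV variant or its scoring) of the general idea: a Dijkstra traversal over a constructed asset graph whose hop cost falls as the enabling finding's CVSS rises, followed by a ranking that puts findings lying on a path to a crown jewel above a higher-CVSS finding that leads nowhere. Node names, finding ids and scores are constructed.

```python
import heapq
from collections import defaultdict

# Constructed findings: each enables one hop (src -> dst) and carries a raw CVSS.
FINDINGS = {
    "F1-phish-macro":         {"cvss": 6.5, "hop": ("internet", "ws-01")},
    "F2-gpo-admin-misconfig": {"cvss": 4.2, "hop": ("ws-01", "svc-account")},  # identity bridge
    "F3-smb-admin-share":     {"cvss": 5.0, "hop": ("svc-account", "file-srv")},
    "F4-delegation-to-dc":    {"cvss": 4.8, "hop": ("svc-account", "dc-01")},
    "F5-rce-isolated":        {"cvss": 9.8, "hop": ("lab-host", "lab-db")},    # nothing reaches lab-host
}
CROWN_JEWELS = {"dc-01", "file-srv"}

def build_graph(findings):
    graph = defaultdict(list)            # node -> [(neighbor, enabling finding id)]
    for fid, f in findings.items():
        src, dst = f["hop"]
        graph[src].append((dst, fid))
    return graph

def dijkstra(graph, findings, start):
    """Cheapest attacker path from `start`; hop cost = 10 - CVSS (easier is cheaper)."""
    dist, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale queue entry
        for v, fid in graph.get(u, ()):
            nd = d + (10.0 - findings[fid]["cvss"])
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, (u, fid)
                heapq.heappush(heap, (nd, v))
    return dist, prev

def path_to(prev, target):
    """Finding ids along the cheapest path ending at `target`, entry hop first."""
    fids = []
    while target in prev:
        target, fid = prev[target]
        fids.append(fid)
    return fids[::-1]

def cvss_rank(findings):
    return sorted(findings, key=lambda f: -findings[f]["cvss"])

def context_rank(findings, crown_jewels, start="internet"):
    """Rank by crown jewels whose cheapest path uses the finding, then by CVSS."""
    dist, prev = dijkstra(build_graph(findings), findings, start)
    reach = defaultdict(set)
    for cj in crown_jewels.intersection(dist):   # only jewels actually reachable
        for fid in path_to(prev, cj):
            reach[fid].add(cj)
    # A finding on no path to a crown jewel has len(reach) == 0 and sinks to the bottom.
    return sorted(findings, key=lambda f: (-len(reach[f]), -findings[f]["cvss"]))
```

Ranking by raw CVSS puts F5 (9.8) first; ranking in context puts it last and lifts the 4.2 identity misconfiguration to second place because both crown jewels are reached through it.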
L2 · Action Layer

Prioritization & Delivery

Risk-scored findings routed to ticketing systems, compliance frameworks, and executive dashboards. Full remediation lifecycle tracked automatically.

output: JSON/SARIF/PDF/CSV
tickets: Jira/ServiceNow/Linear
frameworks: NIST/SOC2/ISO27001
reporting: <500ms dashboard refresh
Event Bus: asset.ingested · graph.updated · path.ranked · scenario.emitted · finding.created · ticket.opened
Output Artifacts: Attack Path Report · Remediation Tickets · Executive Dashboard · MITRE Heatmap · Risk Score Feed · Compliance PDF
Live Validation Engine

Every technique tested.
Every control validated.

Spakto's validation engine executes real attack scenarios against your live environment — verifying whether each control detects, blocks, or misses each technique — automatically, every hour.

3.2K+ · Tests / Hour
99.8% · Uptime SLA

LIVE VALIDATION · APT29 SIMULATION
RUNNING: 1 · PASSED: 3 · FAILED: 1 · QUEUED: 3
ATTACK SCENARIO QUEUE
APT29 · Initial Compromise
12 techniques
64%
T1566 · Spear Phishing Vector
T1566.001-003
T1078 · Valid Account Takeover
T1078.002
T1548 · UAC Bypass via DLL
T1548.002
T1059 · PowerShell Execution
T1059.001
T1021 · Lateral via SMB Shares
T1021.002
T1087 · AD Account Discovery
T1087.002
T1003 · OS Credential Dump
T1003.001
EXECUTION LOG · REAL-TIME OUTPUT
12:48:01.234 INIT Target: corp-ws-041.internal · Environment loaded
12:48:01.891 EXEC T1566.001 · Spear-phishing Link attachment · DETECTED
12:48:02.103 EXEC T1078.002 · Domain Account credential replay · BYPASSED
12:48:02.881 PRIV T1548.002 · UAC bypass via winPEAS DLL hijack · BLOCKED
12:48:03.442 EXEC T1059.001 · PowerShell encoded command execution · DETECTED
12:48:04.001 MOVE T1021.002 · SMB / Windows Admin Share traversal · LATERAL
12:48:04.720 PRIV T1548.001 · Setuid elevation on service account · DETECTED
12:48:05.300 CRED T1110.003 · Password spray against Entra ID · BLOCKED
12:48:06.881 DISC T1087.002 · Domain Account enumeration via LDAP · RUNNING
12:48:07.003 MOVE T1550.002 · Pass-the-Hash against domain controller · QUEUED
User Base

Operator profiles

Four distinct operator contexts. Each receives role-scoped data, custom output formats, and permission-gated dashboards.

OPERATOR PROFILES · ACCESS MATRIX · SPAKTO AEV
RBAC: ENFORCED · AUDIT_LOG: ON · 4 ACTIVE ROLES

OPS-01 · Chief Info Sec Officer (CISO)

Receives board-ready risk narratives automatically generated from live attack path data. Quantified exposure scores replace manual status reports.

Board-level risk narratives · auto-generated · PDF/PPTX
Risk reduction velocity · Δ score tracked per sprint
Compliance evidence packs · NIST/SOC2/ISO27001 mapped
Peer benchmark index · industry quartile scoring
ACCESS: EXEC

OPS-02 · Security Ops Center (SecOps / SOC)

Alert triage prioritized by real attack-path context — not severity scores alone. Detection gaps surfaced before adversaries exploit them.

Detection coverage validation · SIEM rule efficacy scoring
Alert-to-path context enrichment · auto-injected per ticket
MTTR reduction playbooks · avg. 72h → 4h observed
Playbook simulation testing · 300 pre-built scenarios
ACCESS: ANALYST

OPS-03 · Adversary Simulation (Red Teams)

Continuous attack path discovery removes the need for manual reconnaissance. Automated MITRE-mapped scenarios extend coverage across the full kill chain.

Adversary emulation scenarios · 300+ MITRE-aligned TTPs
Live path discovery engine · graph re-computed on change
Technique coverage heatmap · T-code density per tactic
Automated continuous testing · 24/7 · no engagement window
ACCESS: OPERATOR

OPS-04 · Governance, Risk & Compliance (GRC / Compliance)

Control effectiveness proven with live telemetry, not point-in-time assessments. Audit evidence packages generated on demand for any major compliance framework.

Continuous control validation · real-time vs. scheduled
Framework alignment mapping · NIST/SOC2/ISO27001/PCI
Evidence collection automation · timestamped artifact bundles
Audit readiness score · 0–100 indexed per control
ACCESS: AUDITOR

CISO · Exec dashboards, PDF reports
SecOps · Live alerts, SIEM enrichment, playbooks
Red Team · Full graph access, scenario builder
GRC · Framework maps, evidence bundles

Real Scenarios

Scenario execution log

Three operational contexts where Spakto intervenes with machine-speed analysis, evidence generation, and path-aware remediation.

UC-01 · CRITICAL · Pre-audit / Board Reporting Cycle

Before Board Audit

72h window before audit. Manual evidence collection typically takes 3 weeks. Controls assumed compliant — not verified against live telemetry.

Execution Timeline
T+00:00
Ingest full environment telemetry
EDR · IAM · Cloud · SIEM · Network
T+00:28
Enumerate 1,240 active controls
mapped to NIST CSF, SOC2, ISO 27001
T+04:12
Validate 94.2% controls with live test
attack simulation against each control
T+06:50
Flag 71 control gaps with evidence
exploitable paths ranked by blast radius
T+07:15
Generate audit-ready evidence bundle
PDF + SARIF + timestamped artifacts
94.2% · Controls validated
71 · Gaps identified
7h 15m · vs 3-week manual
<48h · Remediation SLA
Output

Compliance PDF · Control Map · Risk Narrative

UC-02 · HIGH · Incident Response / Post-Breach

After a Near-Miss Incident

Credential stuffing attempt partially blocked. SOC unsure of full blast radius. Forensic reconstruction typically takes days — exposure continues.

Execution Timeline
T+00:00
Ingest incident telemetry + IOCs
alert context · access logs · net flows
T+00:14
Reconstruct exact attack path taken
Dijkstra traversal against live graph
T+01:45
Identify all parallel exploitable paths
12 additional paths sharing same root
T+02:30
Surface 3 detection rule gaps
SIEM rules bypassed during attack
T+03:05
Auto-generate hardening playbook
ordered by exploitability + impact score
14ms · Path reconstruction
12 · Parallel paths found
3 · Detection gaps
3h 05m · vs 3-day forensic
Output

Incident Report · Path Diagram · Detection Fixes

UC-03 · ELEVATED · M&A / Third-Party Risk

M&A Due Diligence

Acquisition target has 8,000 assets across 3 cloud providers. Traditional pentest takes 6 weeks. Risk inheritance is unknown before deal close.

Execution Timeline
T+00:00
Onboard target via read-only APIs
AWS · Azure · Okta · CrowdStrike
T+00:30
Build graph: 8,241 nodes · 19,400 edges
full asset topology in 30 minutes
T+02:20
Run 300 adversary emulation scenarios
MITRE ATT&CK full technique set
T+05:40
Score risk inheritance to acquirer
blast radius if target is compromised
T+06:00
Deliver prioritized hardening roadmap
ranked by deal-blocker risk threshold
8,241 · Nodes mapped
300+ · Scenarios run
6h · vs 6-week pentest
Pre-close · risk scored
Output

Risk Report · Hardening Roadmap · Deal Flags

All scenarios run continuously — not as point-in-time engagements.
SOC2 · NIST CSF · ISO 27001 · PCI DSS
