An Evidence-Weighted Investigation Layer for Modern Security Stacks
ThreatLens today announced that ThreatLens Core is now live and available for deployment. Positioned as an investigation and response control layer, ThreatLens Core is designed to sit above existing SIEM, EDR/XDR, SOAR, and cloud security tools—auditing and governing their outputs rather than replacing them.
Modern security teams typically operate platforms such as CrowdStrike, Microsoft Defender, SentinelOne, Palo Alto Networks, Splunk, IBM QRadar, Microsoft Sentinel, and Elastic. While these systems generate alerts and analytics, many security operations centers (SOCs) still rely on manual correlation and analyst interpretation to determine what most likely happened and what actions are safe to take.
ThreatLens Core addresses this gap through its Investigation-Level Truth (ILT) Engine—a structured reasoning system that produces evidence-weighted investigative conclusions rather than narrative summaries.
From Alerts to Investigations
ThreatLens Core ingests telemetry and alert data from existing tools and normalizes it into atomic observations. It then constructs a case-scoped threat graph that models entities such as users, endpoints, processes, identities, and cloud resources.
Instead of generating a single AI narrative, the ILT Engine forms multiple competing hypotheses about what may have occurred. Each hypothesis is scored using evidence weighting, explicitly highlighting:
- Supporting evidence
- Contradictory signals between tools
- Missing evidence required for higher confidence
- Disproving tests that could invalidate the hypothesis
The output is an investigation-grade report that includes claim-level and hypothesis-level confidence scoring, source-linked evidence references, and an audit trail suitable for regulated environments.
Sandbox-Integrated Evidence
ThreatLens Core includes integrated malware detonation capabilities or can connect to existing sandbox systems. Suspicious files, URLs, or payloads can be detonated in a controlled environment, producing behavioral artifacts such as:
- Process trees
- Network connections
- File system modifications
- Registry or persistence mechanisms
These sandbox observations are treated as evidentiary inputs into the ILT Engine, strengthening or weakening active hypotheses rather than remaining isolated technical reports.
Evidence-Driven Enrichment
ThreatLens Core supports enrichment from commercial threat intelligence feeds, internal asset inventories (e.g., CMDB and IAM systems), and case-scoped historical context.
All enrichment is incorporated directly into the investigation graph and hypothesis scoring model. The system does not perform cross-tenant learning; each case remains logically isolated to preserve data residency and governance requirements.
Human-Gated Response Controls
ThreatLens Core proposes response actions but classifies risk before execution. Low-risk, deterministic actions may be automated. Medium- and high-impact actions require explicit human approval.
Every decision is logged with supporting evidence, risk classification, and approval metadata to ensure auditability.
Governance and Auditability by Design
ThreatLens Core is built to operate in environments where explainability and compliance are mandatory. Key governance features include:
- Evidence-linked claims traceable back to source telemetry
- Explicit contradiction visibility between vendor tools
- Confidence scoring with transparent uncertainty
- Case lifecycle management with defined retention windows
- Tenant isolation and data residency enforcement
- PII controls at both ingress and egress
Availability
ThreatLens Core is now live and available for enterprise deployment. The platform supports integration with major SIEM, EDR/XDR, and data lake environments and is designed to operate as a vendor-neutral oversight and reasoning layer.
Organizations seeking to move from alert-centric operations to investigation-grade conclusions can evaluate ThreatLens Core as an overlay to their existing security investments.
For technical documentation, integration guidance, or evaluation access, visit:
https://www.thethreatlens.com
About ThreatLens
ThreatLens develops investigation and response governance technology focused on producing defensible, evidence-weighted conclusions from complex security telemetry environments. The company’s approach emphasizes explicit confidence, contradiction visibility, and human-gated decision integrity.
