Threat Intelligence Platform

Threat intelligence, centralized.

Torch is a platform for collecting, correlating, and managing indicators of compromise. Track IPs and domains, enrich them with geolocation, ASN, and TLS certificate data, and map the malware families and MITRE ATT&CK techniques behind them.

Indicators, Malware families, ATT&CK techniques, ASNs, Countries, Certificates
Torch dashboard: observed malware, ATT&CK techniques, top ASNs, indicator activity, malware trends, and threat origins by country

What it does

One place for your threat data

Collect indicators, connect them to the malware, techniques, and infrastructure behind them, and turn the result into queries, alerts, and blocklists.

Indicator Management

Track IP and domain indicators with confidence scores. Values are normalized and deduplicated, then enriched with geolocation, ASN, and country data.

Entities & Relationships

Indicators link to malware families, MITRE ATT&CK techniques, ASNs, countries, and TLS certificates - all many-to-many, so you can pivot from any entity to the rest.

Graph Explorer

Build custom relationship graphs from any starting entity. Expand nodes to reveal connected infrastructure, then save the collection or export it.

MITRE ATT&CK

Full technique profiles with tactics and descriptions, plus trending techniques, top movers, co-occurring malware, and per-technique indicator counts.

Risk Scoring

Every indicator gets an automatic risk score derived from its linked malware families, ATT&CK techniques, and other threat data.

Alert Rules

Define alert rules on saved queries with thresholds, time windows, severities, and cooldowns. Track them on dashboards for severity, status, and activity.

Watchlist

Bookmark indicators, malware families, techniques, ASNs, and countries, and follow how their risk scores trend over time.

Blocklists & Feeds

Live, rule-based blocklists built from your watchlist, plus pre-generated feeds by threat type. Export any of them as TXT, JSON, or CSV.

REST API

Everything is available over a documented REST API with JWT and personal API-key auth, including bulk import for feeding indicators in at scale.

A closer look

The same indicators, seen from every angle - as a graph, a technique breakdown, an alert, or an exportable feed.

Graph Explorer

Explore the relationships

Start from any entity - a malware family, a domain, an ASN - and grow a graph outward. Every node is an indicator, malware family, technique, ASN, country, or certificate, and every edge is a real relationship in your data.

  • Expand nodes to pull in connected infrastructure
  • Colour-coded by entity type
  • Save graphs as collections or export them

MITRE ATT&CK

Know which techniques are in play

Each technique carries its tactics, description, and the indicators linked to it. See what's trending over the last 24 hours versus the 30-day average, which techniques are moving fastest, and the malware and countries they co-occur with.

  • Technique activity ranked by indicator count
  • Trending techniques and top movers
  • Co-occurring malware and top countries per technique

Alerts

Get told when it matters

Write rules against saved queries - say, domains containing “login”, or a surge in new indicators - with a threshold, time window, severity, and cooldown. The dashboard breaks alerts down by severity and status and tracks activity over time.

  • Query-based rules with thresholds and cooldowns
  • Severity and status breakdowns
  • 14-day activity history and a recent-alert feed

Blocklists & Feeds

Push intel back out

Turn your data into blocklists. Build live, rule-based lists from your watchlist, or use pre-generated feeds grouped by threat type - C2 servers, phishing domains, brute-force sources, and more - then export them anywhere.

  • Live, rule-based blocklists from your watchlist
  • Pre-generated feeds by threat type
  • TXT / JSON / CSV export, private or org-shared

For CTI teams

When the UI isn't enough, there's the API

The web app is just one client. Everything Torch does - indicators, relationships, techniques, blocklists - sits behind a documented REST API. CTI teams whose needs run past the frontend can wire it straight into their own pipelines, enrichment jobs, and tooling, and work however their workflow dictates.

  • Authenticate with a session token or a personal API key (torch_pk_…)
  • Bulk-import indicators to feed ingestion at scale
  • Same role-based access as the UI, audit-logged on use

Read the API reference

api.cskittens.com/api/v1

# Look up an indicator with a personal API key
curl "https://api.cskittens.com/api/v1/indicators/lookup?type=ip&value=1.2.3.4" \
  -H "Authorization: Bearer torch_pk_…"

# → the indicator, plus its linked malware
#   families and ATT&CK techniques, inline

Interested in Torch?

If you'd like to take a look, try it out, or talk about whether it fits your team, send me an email and I'll get back to you.

jan.rehberg@cskittens.com