
A Perfect Shot with Zero-Shot Security

  • January 9, 2025

Today, I am thrilled to announce the acquisition of Zero-Shot Security, founded by Harrison Van Riper. Zero-Shot’s Natural Attack Reading and Comprehension (NARC) product is an LLM-based reasoning system used to map threat behaviors to MITRE ATT&CK® techniques with high accuracy and speed. Already in use at Tidal Cyber, it reduces the need for expert-level human labeling, which dramatically cuts time and expertise requirements to process threat intelligence. This acquisition will continue to help deliver this capability at scale to our customers, as well as open pathways to solving additional Threat-Informed Defense problems our customers face.

 

How is Zero-Shot Security Used with Tidal Cyber Today?  

One of the significant values Tidal Cyber delivers to our community users as well as our enterprise customers is the threat content we curate from open source intelligence to extend our knowledge base well beyond MITRE ATT&CK. New groups, software, and campaigns, along with new (sub-)technique relationships on existing threat objects are added to the platform every week, making our knowledge base a living, breathing version of ATT&CK. These updates ensure that our users can act on and make sense of the latest publicly available information. They can further customize this with threat intelligence from their closed sources, for example with integrations to CrowdStrike, Mandiant, Recorded Future, Synapse and a growing list of other vendors to provide the most complete “ATT&CK” picture available.   

A key enabling capability we use to provide this content to our users at scale has been NARC. Specifically, this year you have seen the label “Technique Relationship & Description powered by Zero-Shot Security generative AI technology” in the technique usage descriptions of select Tidal Cyber threat objects. We upload a curated list of open-source intel to Zero-Shot, apply additional clustering and filtering, and generate high-confidence technique mappings for our users to leverage.

  

Why did Tidal Cyber decide to use Zero-Shot's NARC?  

There are various open-source tools and commercial technologies that claim to map ATT&CK techniques from report text. So why do we use Zero-Shot's NARC? The differentiator here is that NARC works! It provides support across all techniques, is easily extensible to new techniques to allow us to keep pace with new ATT&CK versions, and – most importantly – the mappings are correct! Too many times have we tried a tool, only to find out that the level of work required to validate mappings ends up taking almost as much time as doing the mappings in the first place.   

With NARC we have been able to achieve Zero-Shot’s goal of cutting time and expertise requirements to process threat intel. We didn’t have to hire and train additional analysts or take valuable time from our senior team members who want to focus on solving problems rather than ATT&CK mapping. Instead, Zero-Shot does the dirty work.   

Now you might also wonder how this compares to the mappings CTI providers offer. While we have been excited to see the volume of mapped reports grow in recent years with ATT&CK’s continued adoption, even today, most of those mappings are simply provided as a list at the end of a report. This means readers often lack important details about how each technique manifested in practice. Enter again, Zero-Shot. We use it to not only pull the technique mapping, but also the related context, and summarize it so our users can get critical insight into how the technique was implemented, not just that it was used.  

  

What’s the future of AI at Tidal Cyber?  

Looking ahead, Tidal Cyber will continue to leverage Zero-Shot's capabilities as we do today while also offering it as a standalone solution for customers who need it. In the months ahead, we will integrate the solutions to streamline key workflows for CTI analysis, making it easier for customers to ingest and derive meaningful insights from their proprietary threat intelligence. 

We're also excited to welcome Zero-Shot's founder, Harrison Van Riper, as our new Director of AI. Harrison brings extensive CTI experience from his roles at Digital Shadows, MITRE, and Red Canary – expertise that has been instrumental in making NARC so effective. He'll be leading our Generative AI and ML initiatives, with several promising projects already underway. We look forward to sharing more about these developments in future posts. 

Our customers consistently tell us that Tidal Cyber has significantly accelerated their Threat-Informed Defense adoption – often by years. By combining Zero-Shot's capabilities with our platform's unique threat-defense-test contextualization, we're continuing to make threat intelligence more accessible and actionable for organizations.

 

 
