Powered by ARGUS — Multi-tenant security intelligence engine

Question every signal.

The threat intelligence platform for modern SecOps teams. ATT&CK-native, SIEM-agnostic, and built for analysts who need answers — not more dashboards.

No credit card for demo · MITRE ATT&CK v15 · NIST D3FEND integrated · Multi-tenant isolation
INTERRO — ARGUS Engine
lookup technique T1078
name Valid Accounts
tactics Initial Access · Persistence · Privilege Escalation · Defense Evasion
mitigations 8 ATT&CK mitigations found
d3fend 9 countermeasures — MFA, Privileged Account Management, Credential Hardening

assess posture T1078, T1566, T1059
risk_score 8.4 / 10 — HIGH
coverage_gap 2 of 3 techniques have no active detection rule
top_action Deploy MFA enforcement — addresses T1078 + reduces score by 3.1

Why INTERRO

Built for the analyst. Not the vendor.

Threat Intelligence

ATT&CK and D3FEND — fully integrated

Query any technique, threat group, or actor by ID or natural language. Get ATT&CK mitigations and D3FEND countermeasures in the same response. No context switching between tools.

Posture Intelligence

Know where you're exposed — and what to fix first

Cyber threat susceptibility scoring scoped to your sector vertical. A merit-ranked remediation roadmap tells you exactly which controls to implement for maximum risk reduction.

SIEM Native

Your SIEM, your data, your queries

Live event search, log fidelity validation, and detection rule auditing — against your Chronicle, Sentinel, Securonix, or Splunk environment. INTERRO adapts to you, not the other way around.

Platform Capabilities

Everything your SOC needs. Nothing it doesn't.

Every feature is purpose-built for security operations — not adapted from a general-purpose analytics tool.

Threat Intelligence Search (Live)

Query ATT&CK techniques, threat groups, and actors by ID or natural language. Get structured intelligence — tactics, procedures, associated CVEs, and D3FEND defenses — in seconds.

  • Technique lookup by ID (T1078, T1566…)
  • Threat group profiles by ID or name (G0016, APT29…)
  • Full-text ATT&CK knowledge base search
  • D3FEND countermeasures per technique

SIEM Event Search (Live)

Run live queries against your connected SIEM environment. Supports UDM-native queries for Chronicle, SPL for Splunk, KQL for Sentinel, and natural language across all platforms.

  • Live event search with configurable time range
  • Log source fidelity validation
  • Detection rules listing and audit
  • Platform health monitoring

Posture Intelligence (Live)

Score your environment's exposure against ATT&CK using your sector vertical as context. Get a cyber threat susceptibility score, a merit-ranked remediation roadmap, and drift detection over time.

  • Cyber Threat Susceptibility Assessment (CTSA)
  • Merit-ranked Remediation Roadmap (CRRA)
  • Posture drift detection against a saved baseline
  • Sector vertical profiling (legal, healthcare, financial…)

TTP Coverage Analysis (Live)

Map your active detection rules directly against the ATT&CK framework. Know exactly which techniques you can detect — and which have no coverage at all.

  • Coverage mapped per technique ID
  • Uncovered techniques flagged by risk score
  • Scoped to your sector vertical
  • Export to PDF for reporting

Threat Reports (Live)

Generate full sector-specific threat reports in seconds. Covers the top threat actors targeting your vertical, their TTPs, detection coverage gaps, and recommended countermeasures.

  • Sector-scoped actor and TTP analysis
  • ATT&CK + D3FEND combined
  • Coverage gap summary included
  • PDF export for leadership reporting

Investigation Project Builder (Live)

Build sequential investigation workflows without writing code. Chain queries and intelligence lookups, pass outputs between steps using template variables, and execute entire investigations in one run.

  • Visual step-by-step workflow canvas
  • Output chaining with {{step_n.field}} syntax
  • 11 step types across SIEM + TI + VTM
  • Save, name, and re-execute projects

Document Interrogation (Coming Soon)

Feed threat intelligence PDFs, advisories, and incident reports directly into INTERRO. Automatically extract TTPs, CVEs, threat actors, and timelines — mapped to ATT&CK and added to your tenant library.

  • PDF and Word document ingestion
  • Automatic TTP and entity extraction
  • Timeline and relationship identification
  • ATT&CK auto-mapping of extracted TTPs

Evidence Chain Builder (Coming Soon)

Construct fully-cited investigation reports with source attribution, confidence weights, and timestamps. Export structured evidence chains for incident response, legal handoff, or executive briefing.

  • Citation-backed findings with source links
  • Confidence scoring per assertion
  • Timeline reconstruction
  • Export to structured report or PDF

Network Mapping (Coming Soon)

Visualize relationships between threat actors, techniques, infrastructure, and your environment as an interactive graph. Drill into nodes, expand connections, and export for reporting.

  • Actor-to-TTP relationship graph
  • Infrastructure and entity mapping
  • Interactive drill-down and filtering
  • Graph export for reporting

SIEM Compatibility

Your environment. Not ours.

INTERRO connects to your existing SIEM. You keep your data. We bring the intelligence layer on top.

Google Chronicle (Available Now)

Google SecOps SIEM — UDM-native, cloud-scale detection and event search.

Microsoft Sentinel (Adapter Ready)

Azure-native SIEM and SOAR with Microsoft 365 and Defender integration.

Securonix (Adapter Ready)

Cloud-native SIEM + SOAR with UEBA and insider threat capabilities.

Splunk (Adapter Ready)

Market-leading SIEM with the SPL query language and an extensive ecosystem.

Don't see your SIEM? Contact sales — we add integrations on request.

How It Works

From onboarding to world-class detections.

01

Connect your SIEM

Enter your SIEM credentials through the secure onboarding wizard. Credentials are encrypted at rest in Vault — never stored in plaintext. Connection is tested and confirmed before you proceed.

02

Set your sector vertical

Tell INTERRO what industry you operate in. This scopes your threat profile to the actors and TTPs known to target your sector — so coverage gaps and posture scoring are always relevant to your real threat landscape.

03

Question every signal

Search your SIEM, look up TTPs, run posture assessments, generate threat reports, and build investigation workflows. A consistent, repeatable intelligence process — from a single platform.

Pricing

Security intelligence priced for how you actually work.

No long-term contracts. No setup fees. Start with a free demo key — no credit card required.

Analyst: $199/seat/month

Core SIEM search and threat intelligence for day-to-day SOC operations.

  • SIEM event search (live)
  • Log source fidelity check
  • Detection rules audit
  • ATT&CK technique lookup
  • Full-text TI search
  • 3 saved projects
  • PDF export
  • Threat group + actor lookup
  • D3FEND countermeasures
  • Posture Intelligence (VTM)
  • Full threat reports
  • TTP coverage analysis
Enterprise SOC: Custom pricing

Unlimited seats, white-label deployment, SLA, dedicated support engineer.

  • Everything in Investigator
  • Unlimited tenant seats
  • White-label deployment
  • Dedicated support engineer
  • SLA guarantees
  • Priority onboarding
  • Custom integrations
  • Advanced audit logging
  • Multi-SIEM support
  • Dedicated infrastructure
  • Volume pricing available
Not ready to commit? Generate a free demo key instantly — no credit card, no time limit on TI features.

MSSP & Multi-Tenant Licensing

Managing security for multiple clients?

INTERRO is built for MSSPs. Every client gets a fully isolated tenant with their own SIEM environment, threat profile, detection rules, and investigation projects — all managed from a single operator console. ARGUS handles tenant routing, credential isolation, and audit separation automatically.

Starting at $5,000/month for up to 10 tenants. Volume pricing available for 20+ tenants. Talk to sales →


Security & Compliance

Built with a security-first architecture.

Vault-Encrypted Credentials

SIEM credentials are encrypted at rest in HashiCorp Vault, protected by hardware key (YubiKey 5 NFC). Never stored in plaintext.

Per-Tenant Isolation

Every tenant operates in a fully isolated context. Credentials, SIEM access, projects, and data are scoped strictly to the tenant — no cross-tenant access is architecturally possible.

Key Rotation

API keys can be rotated on demand from the account page. Rotation is immediate — old keys are invalidated the moment a new key is issued.

Audit Logging

All API actions are logged per tenant. Enterprise customers receive structured audit logs for compliance review and incident reconstruction.

NIST CSF Aligned

Platform architecture and posture scoring methodology align to the NIST Cybersecurity Framework. SOC 2 Type II audit in progress.

No Data Retention

INTERRO does not store your SIEM event data. Queries execute live against your environment. We store only your configuration and project definitions.

Common Questions

Straight answers.

Does INTERRO require Chronicle?

No. Chronicle is the first available SIEM adapter, but INTERRO is SIEM-agnostic. Microsoft Sentinel, Securonix, and Splunk adapters are in active development. All threat intelligence features (ATT&CK, D3FEND, VTM, threat reports) work independently with no SIEM required.

What is the ARGUS engine?

ARGUS is the multi-tenant security intelligence engine that powers INTERRO. It handles SIEM adapter routing, ATT&CK and D3FEND intelligence, posture scoring, and tenant isolation. INTERRO is the commercial interface layer on top of ARGUS.

Can I try it before buying?

Yes. Generate a free demo key from the dashboard — no credit card required. The demo tier includes ATT&CK technique lookup, basic TI search, and the log source fidelity check, with no time limit.

What is a sector vertical profile?

A vertical profile maps your industry (legal, healthcare, financial services, etc.) to a curated set of high-confidence ATT&CK TTPs used by threat actors known to target that sector. It scopes your posture assessment, coverage analysis, and threat reports to what's actually relevant to your environment.

How are my SIEM credentials protected?

Credentials are encrypted at rest using HashiCorp Vault with hardware key protection (YubiKey 5 NFC). They are isolated per tenant and never logged, shared, or accessible outside your tenant context. You can delete your credentials at any time from the account page.

Is there an API?

Yes. All INTERRO capabilities are available via REST API; authenticate each request by sending your API key in the X-INTERRO-Key header. Full API documentation is available at app.interroai.com/api/docs. Enterprise customers can use the API for SIEM and SOAR integrations.

Ready to question every signal?

Start with a free demo key. No credit card, no sales call, no time limit on threat intelligence features.
