Creating Order from Chaos: Enabling (Even) Better Decision Making with ThreatConnect 6.0

For those that don’t know, I have 4 kids and a dog. The children are 9 and under. Fresno, my dog, is like 100 years old in “dog years.” My house is chaotic, to say the least.

I remember being able to sit down at my desk in the morning with a cup of coffee and the only distraction I had was when my coffee cup was empty, or when I had to go deal with all the coffee I drank.

Enter COVID-19.

I refuse to call my current life the “new normal” because I sure hope that this is temporary. Things have changed and have grown even more chaotic – work and family time is intermingled, noise cancelling headphones are no longer sufficient, and the network perimeter between personal and professional life has all but disappeared.

This is a reality I’m sure you are dealing with and one that has some interesting parallels to the work we’ve always done at ThreatConnect to bring order from chaos and better inform and enable security decisions. We now live with an ever changing daily reality, simultaneous competing priorities, an overwhelming amount of ‘alerts’, a need to streamline processes, orchestrate response between parental units and automate repeatable functions – seems very familiar.

Case in point, this is what I’ve done while trying to write this blog post: took the dog and my oldest daughter for a walk, took my youngest to the potty a few times, saved the family from a cricket, and at one point reacted to my 4-year old proclaiming, “there is a fire going downstairs.” Also, so much yelling. On the bright side, homeschooling is on hold this week while my kids are on spring break. On the work side, I had multiple calls, responded to a few urgent emails, spoke with a board member, and finalized and sent an all-hands email.

And, it’s only 11:08 am.

And while not our “new normal,” I do think this situation is a wake up call for most organizations.  Organizations had previously planned for vast numbers of risks to their businesses. The closest one to the situation we are dealing with today being where employees need to be relocated to a secondary location. I don’t think most had planned and practiced for an all-hands work from home type of emergency. Even if they had, I doubt they would have told everyone to keep their kids home that day and attempt caring for, and homeschooling, while dealing with their work emergency.

This is an unprecedented situation and it is changing the way we have worked for years. It’s challenging – both professionally and personally.

There is a saying that I heard once and I’m using it to get through my own situation. It comes from people that have survived natural disasters, plane crashes, and other survival types of events. The saying is, “focus on the next step as if it’s the only one that matters.” What I took from this is that we shouldn’t let ourselves think about the entirety of our situation as it is too overwhelming and will result in shutdown. Instead, just take the next step, celebrate its completion as if it is the only thing that matters, and move to the step after.

We are all in this together and will get through this – one step at a time.

ThreatConnect is celebrating the completion of our own next step with the release of the 6th major version of our Platform, moving us from our heritage as a Threat Intelligence Platform (TIP) to a full blown, intelligence driven Security Orchestration Automation and Response (SOAR) solution. And on a personal note, I also just celebrated my 9th year as the company’s CEO. We’ve come so far in the last 9 years and the 6.0 release of our Platform completes a part of the vision I had when we started the company – to be a business platform for Security.

In this latest release we have added an advanced Workflow capability. Since this is a major milestone for the company, I want to take you all the way back to the beginning.

Let’s start with the vision


In 2011 this was the vision for the ThreatConnect Platform (we called it Choreographer back then):

“Choreographer is a business process management suite (BPMS) for cyber analytics automation. With Choreographer, a project team can model, deploy and manage cyber analyst activities that combine system and human tasks using a completely visual solution.”

So, right from the start, ThreatConnect had a vision to improve cyber analysis processes. This required us to build a software platform that enabled security professionals to model, implement, execute, monitor, and optimize any security processes that they were responsible for.

“At the heart of the Choreographer product is the concept of an “Activity”. Activities are processes performed by Analysts regularly in their day-to-day jobs that have been modeled in Business Process Modeling Notation (BPMN) and execute automatically with the Analyst Choreographer product. With Choreographer, every customer takes advantage of pre-built activities, and additionally can build their own activities using the activity modeling graphical interface.”

Now, activities in this definition were not specific to response, threat intelligence, vulnerability management or anything else across the business. Instead, we thought then — and still believe today — that ThreatConnect should provide activity management capabilities for various security personnel’s key workflows and these should be easily configurable and reconfigurable using a graphical interface.

“Choreographer, provides a fusion of intelligence to support analysis and decision making.”

We believe intelligence, e.g. actionable knowledge of threats and your ability to prevent, detect, respond to them, should inform all security processes.This benefits mid-to-large enterprises by enhancing detection, shortening response and remediation engagements, and allowing more predictive and proactive strategic decision making.

Where We Are Now

Today, with our range of integrations, automation, workflow and intelligence capabilities, customers are using ThreatConnect to facilitate use cases as broad as phishing email triage, vulnerability management, infected host containment, detection and alert enrichment in the SIEM, fraud, and intelligence report creation and sharing… just to highlight a few.

How do we enable these use-cases? The ThreatConnect Platform’s Playbooks capability allows a sequence of Apps, arranged as a Playbook, and is executed automatically. Known in the industry as security orchestration, it is a well understood aspect of the ThreatConnect Platform.

While ThreatConnect has had our orchestration capability with Playbooks since 2017 we hadn’t yet achieved the aspirational goal for human workflow that we originally envisioned. Workflow in 6.0 isn’t just another milestone of a feature, it’s a major capability that is intertwined into every other part of the Platform.

Workflow reduces the time it takes to put intelligence to work during
alert triage or an investigation.

Our users have always relied on ThreatConnect as a single source of truth for threats. Now Workflow lets them rely on ThreatConnect as a single source of truth for responding to those threats during case management, alert triage, incident response, or other investigations. In Workflow, users can:

  • Turn the expertise of leaders and senior analysts into reusable process templates to ensure consistency across operations, reducing the risk of critical missed steps or evidence
  • Increase efficiency by running machine automation seamlessly alongside human ingenuity (we don’t take a “black box” approach, either – all automated actions taken are easily viewable in-line with manual activities)
  • Reduce the time it takes to uncover relevant threat intelligence and related case data or patterns by exposing it directly to analysts in real time, lowering the risk of false positives and increasing the accuracy of the response
  • Create new intelligence from ground-truth operational data to inform future response, and
  • Enable de-siloing across SOC, IR, and threat intel teams with multiple collaboration tools.

By adding Workflow in the latest release (V6.0) a project team can now fully  “model, deploy and manage cyber analyst activities that combine system and human tasks using a completely visual solution.” Additionally, with our Workflow capability, ThreatConnect exemplifies Gartner’s definition of SOAR Platforms by combining threat intelligence platform capabilities with the benefits found in automation and orchestration products, and incident response platforms to create organizational alignment that was never before possible. ThreatConnect is the only solution available today with intelligence, orchestration and automation, analytics, and workflows in a single platform.

Congratulations to the entire team at ThreatConnect for a tremendous achievement over the last 9 years to get us to where we are today!

Existing customers get Workflow at no additional charge as part of your subscription to ThreatConnect, so reach out to your customer success rep for a demo and training.

Oh, and while we have introduced Workflow into ThreatConnect and realized this milestone, I am still working on streamlining processes at home. Stay tuned for that blog post at another time.








Adam Vincent
About the Author
Adam Vincent

Adam is an information security expert and is the former CEO and co-founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, four children, and dog.