ThreatConnect 7.9 is Live: Smarter SLAs, Unified Search, and More Control for Security Teams

In a world where time is the enemy, ThreatConnect 7.9 helps you take it back.

Whether you’re a SOC analyst racing the clock to contain a ransomware outbreak, a CTI analyst piecing together adversary behavior, or an MSSP juggling dozens of concurrent investigations, this release gives you the tools to detect faster, respond smarter, and prove your impact—with less friction.

Let’s take a closer look at what’s new in 7.9 and how it helps you win more battles in the trenches of cybersecurity.

⏱ SLA Tracking for Cases: Because “We’ll Get to It” Doesn’t Cut It

You can’t improve what you can’t measure—and for most security teams, measuring Time to Detect (TTD) and Time to Respond (TTR) is either painful or impossible. That changes with 7.9.

With SLA tracking for Workflow Cases, you can now define and monitor SLAs across every incident, with real-time insights on whether you’re meeting your goals.

Picture this:

  • You’re managing multiple critical alerts for a customer facing a suspected Cactus ransomware campaign. SLA metrics tell you which Cases are at risk of breaching detection or response deadlines so you can prioritize remediation before the next foothold is gained.
  • A SOC manager overseeing a small team now has dashboard cards showing mean TTD and TTR across incident types, helping them understand where their processes break down—and what’s improving.
  • An MSSP analyst can pull up a case and see “Detected in 3 hours” or “Overdue by 2 hours” right at the top. That kind of visibility builds accountability—and client trust.

You can even configure SLA rules by severity level, because we know that not every phishing attempt deserves the same response time as a hands-on-keyboard attack.

⚡ Measure It. Track It. Crush It—with Polarity + SLA Metrics

This release improves measurement and tracking, but the real goal is to reduce MTTD and MTTR, not just to measure them. ThreatConnect also offers Polarity, a companion tool to our TI Ops platform. Polarity’s real-time overlays can dramatically accelerate response times by surfacing critical context right where analysts work, with no tab-switching and no searching. This enables your team to act faster, smarter, and with total confidence at the moment of decision and action.

👉 Want to see how Polarity can turn MTTD/MTTR and SLA tracking into improvement? Learn more →

🔍 A Smarter Search Experience: All Your Data, One Screen, Zero Confusion

Let’s face it: if finding the data you need feels like navigating a maze, your investigation slows to a crawl. That’s why we redesigned Search in 7.9.

Now, instead of hopping between “Browse” and “Enhanced Search,” you can:

  • Run fast, keyword-based searches across your entire dataset (perfect for hunting down an obscure alias or new C2 domain),
  • Use filters or TQL to zero in on things like “Indicators tagged FIN7, confidence >80, last seen <30 days ago”,
  • Or simply explore recent data grouped by object type—Indicators, Adversaries, Signatures, Incidents, and more.

Use Case:

A threat intel analyst is investigating a resurgence of activity linked to Volt Typhoon, a state-sponsored threat group known for living-off-the-land techniques and targeting U.S. critical infrastructure. They start by searching for Indicators tagged “Volt Typhoon” and filtering for those active in the last 7 days, then pivot to linked Groups and Signatures—all from one screen.

Meanwhile, a SOC analyst doing proactive hunting for QR code phishing might search for URLs with high threat scores and tags like “quishing”, then triage the results right from the same interface.

It’s fast, intuitive, and built to make your next move obvious.

🔒 Indicator Status Locks: Trust Your Intelligence (and Protect It)

Ever find that an Indicator’s status mysteriously changed after syncing across communities or got overwritten by CAL™ automation? You’re not alone.

In 7.9, you can now lock Indicator Status changes at the owner level—giving admins full control over when and how changes happen. That means:

  • No more accidental updates across shared data owners
  • Optional CAL lockouts for Indicators you want to manage manually
  • Full visibility into how a status changed and who changed it, with improved activity log entries

Example:

A CTI lead working with a healthcare consortium relies on careful status management across shared intel. With sync locks in place, they can ensure that when one hospital marks an Indicator as inactive due to low confidence, that change doesn’t ripple across others still seeing active hits.

🧭 Dashboards, Search Shortcuts, and Quality-of-Life Upgrades

This release isn’t just about big-ticket features. We’ve also added the kind of thoughtful improvements that make daily workflows smoother:

  • New dashboard cards show SLA performance at a glance, broken down by Case severity
  • Custom Query Cards for Mean Time to Detect and Mean Time to Respond (MTTD/MTTR)
  • New Details screen for Signatures
  • Search icon shortcut support (open in new tab with a simple Cmd/Ctrl+click!)
  • And persistent intel source filters, so your favorite views stick around between sessions

Plus: We’ve made behind-the-scenes improvements to OpenSearch® that will boost performance for high-volume users—especially when interacting with Intelligence Requirements.

TL;DR: Why 7.9 Matters

Every second counts in security. With ThreatConnect 7.9, you’re better equipped to:

✅ Meet SLAs and prove your team’s performance
✅ Investigate faster with smarter search and filtering
✅ Keep your data clean and status changes controlled
✅ Visualize what’s working—and what’s not—on your dashboards

In short, you’ll spend less time chasing down data and more time acting on it.

👉 Ready to dive in?
For more insight, check out the full release notes, or better yet, schedule a demo today! Existing customers can also chat with their Customer Success Manager for a guided walkthrough—we’re here for you.

Here’s to faster, smarter, more confident threat operations.

About the Author

Dan Cole

Dan Cole, VP of Product Marketing at ThreatConnect, spent two decades as a product manager developing a deep understanding of the needs of the user and the market. This expertise helps him evangelize the value of threat intelligence and ThreatConnect to cybersecurity teams across the globe, ensuring that our software resonates deeply with our users and that they're able to get the most out of our products. Outside of work, Dan is a Star Wars enthusiast, a wildlife (fox!) photographer, and an indulgent foodie.