NetCitadel threat management and security analytics Message from NetCitadel Co-Founder & CEO, Mike Horn


Our Technology

NetCitadel Threat Response threat management platform includes patent-pending security orchestration technologies that integrate existing security devices, such as firewalls and web proxies, with rich sources of security information like Security Incident and Event Management (SIEM) systems.

Threat Response provides threat management out-of-the-box, is distributed as a virtual appliance, and seamlessly integrates  the following core technology components to deliver real-time responses to security events. No coding is required to integrate with the source and enforcement devices below, and if you don’t see your device listed, contact us, as we are always developing integrations with other vendors and technologies.


  • IOC Collector connects to network systems and collects Indicator Of Compromise (IOC) data
  • IOC Analyzer organizes, correlates, and presents filtered IOC data into actionable intelligence
  • Event Processor logs incoming security events and runs them through an event parser so they can be analyzed
  • Correlation Engine takes the parsed event and combines it with data from external sources to increase the information regarding the event
  • Rules Engine includes user defined logic for categorizing security events after they have been correlated, based on the information contained in the event
  • Workflow System provides support for both fully-automated and semi-automated response workflows
  • Data Connectors provide rich 3rd party information relating to security event data
  • Device Connectors push and pull information from a wide range of security devices including Cisco™, Juniper™ , Check Point™, Palo Alto Networks™ and Fortinet™

Each time a security event is received by the Event Processor the system parses the event and extracts critical event information, such as the IP addresses involved in the event, and hands the deconstructed event to the Correlation Engine.  The Correlation Engine uses proprietary algorithms along with external data sources such as reputation data to provide deeper understanding of the received event.

Once the event has been processed, it goes to the Rules Engine to determine if the event matches any existing criteria.  Matching criteria can include information such as the location of the systems involved in the event or the original severity of the event.  If matching criteria is found, the event is automatically mapped to an action in the system.

Using the Workflow System, actions can be configured to be either semi-automated or fully-automated depending on the information in the event. Once an action is in the Workflow System the action can be approved or rejected resulting in organization-wide security device updates using the Device Connectors.

Threat Response includes an audit sub-system that provides full audit details about all events, actions and system settings.


Web Statistics