Release • Hadal Zone • −6,000 m

Intelligence From the Depths.

Kraken 1.0‑eval «Hadal» — now in early access

A modular, actor-centric Cyber Threat Intelligence platform that continuously collects, models and analyzes adversary infrastructure, with integrated malware analysis through Mantis, all in one system.

6 Core services
26 IIM techniques
3 Databases
100% Evidence trail

The Intelligence Gap

Modern threat intelligence is fragmented

Data is scattered across dozens of tools, feeds and platforms. Threat actors, however, operate as systems. Kraken closes the gap between the noise you collect and the picture you actually need.

The status quo

Too much data

— but —

Too little context

The Kraken approach

Not isolated indicators

— but —

Connected systems

How It Actually Works

From one indicator to a living map

Static IOC lists decay within days. Kraken tracks infrastructure as a living system: from isolated indicators to continuous intelligence.

Input: 1 domain / IP / artifact
Kraken: Automated tracking pipeline
Output: +27 domains, +12 IPs, +3 dead drops (clustered · linked · continuously evolving)

Automated graph expansion turns a single lead into a structured, attributed actor footprint.

Already on board

What ships in Hadal

No mockups, no waitlist features. Everything here is implemented in the current release and ready to use.

SHIPPED

Intelligence Graph

A directed, typed multigraph of threat entities and labeled links, with attribution to actors, campaigns and operations.

SHIPPED

Evidence & Reasoning

Every claim is tied to concrete evidence. “Why does this entity exist?” is always answerable, full audit trail included.

SHIPPED

Automated Tracking

Tracking definitions expand into concrete tasks, with schedules, backoff, per-entity policies and reusable templates.

SHIPPED

Import Pipeline

Module results flow through a Redis stream, import profiles and import rules into the graph, structured and traceable.

SHIPPED

Confidence Scoring

Numeric scores (0–100) per entity, tracked over time, with factors for source quality, recency and infrastructure overlap.

SHIPPED

Automation Builder

A visual, node-based editor for event-driven workflows. Trigger → conditions → actions, run automatically on the event stream.

SHIPPED

Infrastructure Intelligence Model

26 IIM techniques (hosting, resolution, routing, gating…) describe how an actor builds infrastructure, not just which IPs.

SHIPPED

Scripts & Foundry

Custom Python modules without touching the core. The Foundry builds each version into a container image, run in isolation by schedule or event.

SHIPPED

Proxy Pool

A managed HTTP/SOCKS pool with continuous health checks and scoring; collection never originates from Kraken’s own IP.

SHIPPED

Notifications

Rule-driven delivery over email and webhooks on top of the event system; every delivery is audited, and rules are reloadable without restart.

SHIPPED

Event System

Domain events (entity.created, actor.created…) on a Redis stream: the shared backbone for automations and notifications.

SHIPPED

Janitor

Background cleanup keeps the system lean: prunes heartbeats, old tasks, facts and events on a schedule, with no manual upkeep.

The heart of Hadal

Mantis - malware analysis, natively integrated.

Not a bolt-on tool: Mantis runs as a first-class service inside Kraken, sharing the same databases, the same authentication and the same event system. From sample upload to attribution in one continuous flow.

  • Static analysis: file format, entropy, hashes, PE imports and YARA in one pass.
  • Dynamic analysis: sandbox profiles in isolated Podman containers.
  • Attribution: link samples directly to Kraken ThreatActors.
  • IIM linkage: attach chains and patterns to the infrastructure model.
  • Bidirectional sync: continuously reconciled with the Kraken malware catalog.
  • Event-driven rules: tag and YARA automations react to new samples.

Core Capabilities

Built for the full intelligence lifecycle

From raw collection to operational analysis: modeling, pipelines, intelligence and extensibility in one platform.

Data & Modeling

  • Entity modeling (malware, actors, campaigns, domains, IPs)
  • Relationship graph (infrastructure, links, dependencies)
  • Threat actor clustering
  • Campaign & actor analysis over time

Collection & Pipeline

  • Continuous infrastructure tracking
  • Automated collection pipelines
  • Modular collectors & enrichment modules
  • Automated graph expansion

Intelligence & Analysis

  • Real-time pipeline monitoring
  • Operational intelligence dashboards
  • Behavioral pattern detection
  • Infrastructure correlation

Extensibility

  • Custom module integration
  • Script-based collection (Script Runner)
  • Flexible data ingestion
  • Scalable architecture

Architecture

One platform, six services

Kraken runs as a distributed multi-service system with clean separation of collection, scheduling, processing and presentation.

  • ui: Web UI (entities, actors, campaigns, tracking & admin).
  • taskmanager: Expands tracking definitions into concrete tasks and queues them.
  • worker: Celery worker; runs collector modules and script containers.
  • importer: Reads the stream and enriches the intelligence graph.
  • foundry: Builds and manages container images for custom script modules.
  • janitor: Background cleanup of heartbeats, old tasks, facts and events.
  • mantis: Integrated malware analysis as a first-class service (port 9001).
  • 3 databases: TimescaleDB (graph & tasks), trackingdb, proxydb. Cleanly separated.

From Signal to Intelligence

The import pipeline

Collector modules (worker / scripts)
→ Stream (module_results)
→ Importer (import profiles & rules)
→ Intelligence graph (entities & links)
→ Confidence & evidence (audited)

Practical Use Cases

Where Kraken earns its place

  • Fast-moving actors: Track threat actors whose infrastructure rotates faster than static IOC lists can follow.
  • Incident response: Expand a single indicator from a case into the surrounding infrastructure footprint.
  • Continuous monitoring: Keep known actor infrastructure under continuous, automated observation.
  • Dead-drop detection: Surface hidden resolvers, redirectors and dead drops through graph expansion.
  • Intelligence pipelines: Run automated collection and enrichment pipelines end to end.
  • Actor-centric modeling: Model adversary activity as connected systems, not isolated data points.

From fragmented data to structured intelligence. Where signals form patterns. Where data becomes intelligence. Where adversary activity becomes visible.
— The Kraken Vision

🔒 Restricted platform · access requires analyst vetting

Be among the first to dive.

Kraken 1.0‑eval «Hadal» is opening to the first registrants who genuinely want to put the platform to work. Kraken is not a public intelligence platform. Access is restricted and granted through a manual review process. Full feature set, a direct line to the team, and your feedback shapes the next release.

Full feature set · On-premise & autonomous · Feedback shapes the roadmap