Release Notes • First evaluation build

Kraken 1.0‑eval
«Hadal»

The first evaluation release of the actor-centric Cyber Threat Intelligence platform. Hadal brings the full collection-to-attribution pipeline together and adds Mantis, native malware analysis, as a first-class service.

Version: 1.0‑eval · Codename: Hadal · Channel: Evaluation · Deployment: On‑premise · Access: Vetted

Why «Hadal»

Named for the deepest zone of the ocean

The hadal zone begins where light has long since vanished, the trenches below 6,000 metres. It is where Kraken belongs: deep beneath the surface noise, where adversary infrastructure actually lives.


Intelligence from the depths

Surface tools see scattered indicators. Hadal is built to descend past them, tracking infrastructure as a living system, clustering it into actors, and surfacing the connections that static IOC lists never show.

Release Highlights

What makes Hadal matter

Mantis goes native

Malware analysis is no longer a separate tool. Mantis ships inside Kraken, sharing databases, auth and events.

One continuous pipeline

Collection, scheduling, import, graph enrichment and confidence: the full lifecycle in a single system.

Infrastructure modeling

26 Infrastructure Intelligence Model (IIM) techniques capture how actors build infrastructure: the layer between raw IOCs and ATT&CK.

Visual automation

A node-based Automation Builder turns events into workflows: no code required, and it runs on the live event stream.

Extend without forking

Custom Python modules are built into isolated containers via the Foundry, with no changes to the core.

Auditable by design

Every entity ties back to its evidence and a confidence score tracked over time. Always answer “why?”

In This Release

Everything that ships in Hadal

Grouped by area. All items below are implemented and available in this evaluation build.

Malware Analysis

Mantis: integrated analysis service (flagship)

  • Static analysis: file format, entropy, hashes, PE imports and YARA.
  • Dynamic analysis: sandbox profiles in isolated Podman containers.
  • Threat attribution: link samples directly to Kraken ThreatActors.
  • IIM chain & pattern linkage into the infrastructure model.
  • Bidirectional sample sync with the Kraken malware catalog.
  • Event-driven automation rules: tag/YARA reactions to new samples.

Intelligence Core

Graph, evidence & confidence

  • Intelligence graph: directed, typed multigraph of entities and labeled links, with attribution to actors, campaigns and operations.
  • Evidence trail: every claim tied to the evidence that produced it; full audit history.
  • Confidence scoring (0–100) per entity over time, with source-quality, recency and infra-overlap factors.
  • Infrastructure Intelligence Model: 26 techniques across hosting, resolution, composition, routing and gating.

Collection & Pipeline

Tracking, import & proxies

  • Automated tracking: definitions expand into concrete tasks with schedules, backoff, per-entity policies and templates.
  • Import pipeline: module results flow through a Redis stream, import profiles and import rules into the graph.
  • Proxy pool: managed HTTP/SOCKS pool with continuous health-checks and scoring.
  • Malwarebox integration: ingest upstream analysis results via the standard import path.

Automation & Extensibility

Builder, scripts & events

  • Automation Builder: visual, node-based event-driven workflows running on the live stream.
  • Script Registry & Foundry: author custom Python modules, built into isolated container images.
  • Event system: domain events on a Redis stream as the shared backbone.
  • Notifications: rule-driven email and webhook delivery, audited and hot-reloadable.

Operations

Runtime & housekeeping

  • Six-service architecture: ui, taskmanager, worker, importer, foundry, janitor (plus Mantis).
  • Three databases: TimescaleDB (graph & tasks), trackingdb, proxydb.
  • Janitor: scheduled cleanup of heartbeats, old tasks, facts and events.
  • On-premise & autonomous: a single instance runs fully self-contained.

The flagship of Hadal

Mantis: the headline feature

Hadal’s defining change: malware analysis becomes part of Kraken itself. Mantis runs as a dedicated service, sharing the same databases, user authentication and event system as the core. Upload a sample, and the result flows straight into attribution and the intelligence graph.

  • Static + dynamic analysis in one workflow: YARA, PE parsing, entropy, sandbox.
  • Attribution to ThreatActors and IIM chain/pattern linkage.
  • Bidirectional sync with the Kraken malware catalog.
  • Event-driven tag & YARA automation rules on new samples.

Release Facts

At a glance

  • Version: 1.0‑eval
  • Codename: Hadal
  • Release channel: Evaluation
  • Audience: First registrants
  • Core services: 6 + Mantis
  • Databases: TimescaleDB · tracking · proxy
  • IIM techniques: 26
  • Deployment: On-premise, self-contained
  • Flagship feature: Mantis (native analysis)
  • Access model: Restricted · analyst vetting

This is an evaluation release

Hadal is the first eval build, aimed at the earliest registrants who want hands-on time with the platform. Expect rapid iteration: your feedback feeds directly into what ships next. Kraken is not a public platform; access is restricted and granted through a manual review process.

After Hadal

What’s on the engineering roadmap

Not in this release, but on the way. Listed here for transparency about where Hadal goes next.

PLANNED

Sandbox expansion

Automated dynamic analysis for submitted binaries with network, DNS and dropped-file results mapped straight into the graph.

PLANNED

Federation MVP

Policy-controlled sharing between Kraken instances via a central hub, with trust tiers, mTLS, snapshot signing and redaction.

PLANNED

Trust scoring

Automated confidence adjustment based on the historical accuracy of each source over time.

Restricted · analyst vetting

Get Hadal in your hands.

Kraken 1.0‑eval «Hadal» is open to the first registrants who want to put the platform to work. Request access, get vetted, and dive into the full feature set, with a direct line to the team.