NoctiVox is a five-stage analysis pipeline. Drop in a malware sample or obfuscated payload and get back enriched IOCs, MITRE ATT&CK mappings, an infrastructure relationship graph, and an HTML/PDF report, in minutes, not days.
Currently onboarding a limited number of design partners. No credit card required.
Each stage in the NoctiVox pipeline is a discrete, inspectable module. Run them end-to-end or invoke individual stages against data you already have.
Extracts IOCs from malware samples and obfuscated code. Accepts binaries, scripts, and packed payloads and outputs clean, normalized IOC lists.
Fans out each IOC across six OSINT sources in parallel, builds a 32-dimensional feature vector, and scores it against a self-improving FAISS malicious index.
Maps enriched IOCs to MITRE ATT&CK techniques using 25+ deterministic rules. No ML: every attribution is traceable to a source signal.
Builds a directed relationship graph from IOC connections. Detects campaign clusters and pivot nodes using Louvain community detection and betweenness centrality.
Consumes all upstream outputs and produces publication-ready HTML, PDF, and Markdown reports with embedded charts, IOC tables, and ATT&CK coverage maps.
Each tool in the NoctiVox pipeline is a standalone Python module. Run the full chain end-to-end or call individual stages against data at any point in your workflow.
1. Extract: Deobfuscator
Feed in a malware sample or obfuscated script. Deobfuscator extracts all embedded IOCs (IPs, domains, URLs, file hashes) and normalizes them to JSON or CSV for the next stage.
2. Enrich & score: NAISS
Each IOC is fanned out asynchronously to six OSINT sources. NAISS builds a 32-dimensional feature vector per IOC and scores it with FAISS similarity against a growing malicious index. Each IOC receives a verdict of clean, suspicious, or malicious.
3. Map: ATTA (parallel)
ATTA ingests the NAISS report and applies 25+ deterministic rules to assign MITRE ATT&CK techniques to each IOC. It outputs a Navigator v4 layer and structured JSON/CSV, and runs in parallel with Nexus.
4. Graph: Nexus (parallel)
Nexus builds a directed infrastructure graph from IOC relationships, detects campaign clusters via Louvain community detection, and identifies pivot nodes by betweenness centrality.
5. Report: Scribe
Scribe merges all upstream outputs and generates publication-ready HTML, PDF, and Markdown. Each report includes an executive summary, IOC table, ATT&CK heatmap, and infrastructure map.
As a relatively new startup, we're working closely with a small number of security teams to shape the roadmap.
Instead of a canned video, we run interactive live walkthroughs. You bring a sample, a YARA hit, or a list of suspicious indicators. We show you what the pipeline produces against real data.
We'll follow up with a short questionnaire so we can tailor the demo to your environment.
We're actively incorporating feedback from security leaders and hands-on defenders.
Head of Security Operations, European telecom · Design partner
Threat Intelligence Lead, Financial services · Pilot project
Early customers get access to our founding pricing, with room to grow as your intel program matures.
Teams starting to run structured malware analysis and build threat intelligence reports.
Malware analysts & CTI teams running regular sample analysis workflows.
For organizations with highly regulated or complex environments.
Share a real-world scenario: a recent malware sample, a suspicious domain cluster, or a YARA hit. We'll use your data to run a live pipeline demonstration.
We're a security-first startup: NDAs and data handling requirements are welcome.