ClusterHawk

Custom labeling rules identify malicious clusters, extending threat detection to previously unknown IP addresses. Automatic cluster labeling based on rule context (e.g., SSH bruteforce → Lazarus Group) helps prioritize response efforts.

Possibility of training custom models based on your specific attack patterns to automatically identify new threats matching previous attack patterns. Each IP receives confidence scores (e.g., 63% confidence for APT29 phishing, 73% for Lazarus Group) to prioritize investigation.

Track IP movement between clusters across different jobs, identifying IPs that frequently change behavior or association. Analysis includes stability scores, comparison job distribution, and detailed neighbor changes for each IP address.

Deep analysis takes hours but delivers insights that would take analyst teams weeks to compile manually. Submit jobs before leaving the office for detailed infrastructure insights the next morning.

Multi-dimensional similarity analysis with hierarchical clustering validation metrics. Infrastructure fingerprinting examines service stacks, TLS configurations, certificate patterns, and vulnerability landscapes. Compound queries across 15+ parameters produce unique operator signatures — catching patterns invisible to manual analysis.

One-click conversion of clustering results into Markdown threat reports with SHAP/LIME-ranked feature analysis, competing hypotheses, and operational recommendations for immediate deployment.

Adaptive re-clustering of noise clusters reveals sophisticated adversary infrastructure that conventional tools discard, uncovering emerging threats through similarity analysis and anomaly detection.

Organizational profiling with geographic distribution analysis, vulnerability intelligence with CVE/EPSS integration, malware indicator profiling, and differentiating feature analytics for complete infrastructure understanding.

Transparent cluster explanations with feature importance rankings, confidence scores, and detailed reasoning behind clustering decisions, enabling analysts to understand and validate results.

Anomaly detection identifies threats without training data using topological analysis and mathematical concepts, uncovering sophisticated attacks designed to evade traditional detection methods.