Cyber IR

Attribution + context in the first hour of an incident.

When you're 30 minutes into a confirmed breach, you need fast answers: who is this attacker, what else have they touched, what's exposed about our org on the dark web, what does the public footprint of the threat actor look like. Tracelight pulls all of that in parallel, citation-anchored, in under 5 minutes — without the SOC pulling out of triage to do OSINT.

What this fixes.

PAIN 1: Manual OSINT during an incident steals analyst time from triage.
The first hour of an incident is when IR analysts should be containing, not Googling the threat actor. Manual OSINT lookups during active IR cost containment minutes.
PAIN 2: Threat-actor attribution requires correlation across many sources.
Indicators of compromise have to be checked against multiple breach corpora, dark-web mention databases, and adverse-media records. Doing it sequentially during an active incident is too slow.
PAIN 3: Notification scoping needs context Tracelight surfaces.
When you have to notify customers/regulators about a breach, knowing the full dark-web exposure footprint of affected identities makes the notification meaningful instead of generic.
What gets checked

8+ data sources running in parallel.

Threat-actor handle correlation (dark-web aliases + breach-corpus identities)
IOC (indicator-of-compromise) cross-reference across VT + AbuseIPDB + Shodan
Domain WHOIS + DNS history for attacker infrastructure
SSL certificate transparency for related infrastructure discovery
Dark-web mention search for org name + affected identifiers
Adverse media on threat-actor handles for attribution context
OFAC / EU sanctions cross-check (state-sponsored actor signal)
Cross-incident pattern detection in the workspace's history
What you get

The report that lands on your desk.

  1. Threat-actor profile with attribution-confidence summary + behavioral signatures
  2. IOC table with cross-source confirmation + first-seen / last-seen dates
  3. Org dark-web exposure footprint (emails + credentials + mentions)
  4. Infrastructure map of related domains + IPs + certs
  5. Citation appendix linking every claim to the originating data source

Common questions.

Does this replace a real threat-intel platform?

No — Tracelight is OSINT-flavored IR support, not full threat-intel like Recorded Future or Mandiant. We surface publicly available context fast; you still need your EDR + SIEM + dedicated TI for the meat of the response. Tracelight is the OSINT layer that complements them.

Can I integrate this into my SOAR?

Yes — the public REST API + webhook event subscriptions let you wire Tracelight into Tines, Torq, Splunk SOAR, or homegrown playbooks. Common pattern: SOAR detects suspicious indicator → calls Tracelight enrichment API → posts findings to the IR Slack channel.

How is this priced for SOC teams?

The Agency plan ($499/mo) covers 500 enrichments/mo + unlimited users + API access — typically the right tier for a mid-size SOC. For burst capacity above the monthly cap, contact us at sales@trytracelight.com.

Try a sample IR enrichment — free for 7 days.

No credit card. Cancel anytime. Same product, same OSINT workers, same audit trail — just scoped to your investigation.

Other use cases
M&A & pre-acquisition due diligence
Surface sanctions hits, undisclosed litigation, key-person liability, and reputational red flags before LOI. Citation-anchored reports your legal team can defend.

Background checks
Pre-employment screening with FCRA-aware citation trails. 32 parallel workers cover criminal records, sanctions, dark-web exposure, and adverse media — far beyond a stock credit-report background check.

Fraud & insurance investigations
Claim verification, social-media surveillance, address history, and behavior pattern analysis. Built for SIU teams and fraud investigators who need court-ready evidence.

Investigative journalism
Source vetting + cross-platform identity correlation for investigative reporters. Verify identities, surface conflicts of interest, and audit your own sourcing trail before publication.

Skip tracing
Find people who've gone off the grid. 32 OSINT workers correlate aliases, addresses, social activity, and breach exposure to surface a current location lead.

Expert witness vetting
Before you depose them or hire them, run an expert through 32 OSINT workers. Surface prior testimony, conflicts of interest, credentials disputes, and reputation risks before they cost the case.

Litigation support
Adverse party discovery, witness vetting, asset-search leads, and impeachment ammunition for civil + criminal litigators. Citation-anchored, deposition-defensible.

Asset search
Find what they own — entities, properties, vehicles, hidden affiliates — for collection actions, judgment enforcement, divorce discovery, and pre-litigation settlement leverage.

Insurance claim investigation
Catch claim fraud before payout. Social-media surveillance, address history, cross-claim pattern detection, and court-ready evidence preservation for SIU teams.

Executive protection
Pre-event venue threat assessment, named-target social-media monitoring, doxx-exposure baseline, and travel security briefs for EP teams.

Real-estate diligence
Counterparty + entity verification + sanctions screening + adverse-media checks for commercial real-estate transactions. AML-aware.

Brand protection
Surface lookalike domains, employee impersonation accounts, dark-web mentions of your brand + customer data exposure. Continuous monitoring with severity-graded alerts.

Cryptocurrency investigations
Wallet attribution, transaction-counterparty diligence, exchange-account holder vetting, and dark-web exposure for crypto investigators + exchange compliance teams.