SOC Triage

The Challenge with Existing Processes & Solutions

Fragmented Tools

SOC analysts typically use a mishmash of tools including open source projects, their own guest VMs and, if they’re lucky, commercial tools. This collection of technologies frequently requires manual analyst intervention and transferring of data between systems.

Public Services

Organizations are often forced to rely upon public solutions that render web pages or provide sandboxing. Unfortunately using these services means that anything you analyze is now out in the public domain and can be searched for, and viewed, by others.

Lack of Consistency

The diversity of available tools, analyst preferences, and differences in investigation processes can result in totally different results for a threat depending on who is investigating it. It also means that different analysts will often generate different forensics data.

How TwinWave Helps

Security analysts can directly submit suspected threats to the TwinWave platform for analysis using the web interface or command line tools. Once a threat is submitted, the TwinWave platform will perform the actions required to fully execute the attack chain including clicking and following links, extracting out attachments & embedded files, dealing with archives, and much more.

Suspected threats can also be submitted to the TwinWave platform for analysis through our REST API. This is particularly useful for organizations that have a SOAR solution in place. In this case analysts typically review the high-level threat analysis results in the SOAR solution and then pivot into the TwinWave platform when they need to do a deeper dive threat review.

TwinWave enables SOC analysts to quickly and consistently assess potential threats.

Attack Chain Example

In this case a SOC security analyst has a Sharepoint URL that was flagged as suspicious and they need to investigate it.

After submitting it to TwinWave the analyst can quickly see that the submitted link requires a click to get to a web page that then leads to multiple phishing pages (O365, Outlook and a generic email phish).

TwinWave automatically clicked and followed the links without requiring any analyst interaction. Screenshots for each of the visited pages are also captured so analysts can quickly see what a user would see if they interacted with the threat.

Benefits of Using TwinWave



TwinWave normalizes scores across a wide range of platforms to give analysts an easy to understand 0 – 100 scoring scale. This reduces the potential for error due to misinterpreting a score from a 3rd party solution.

Easy to


The TwinWave UI has been optimized to make it easy for security analysts to quickly understand the anatomy of a threat along with visual clues like screenshots that document the entire attack chain from the initial lure all the way through the final threat delivery.



After analyzing the threat the TwinWave UI includes critical data like credential phishing form URLs, malware payload download links, C2 IP addresses and more that security analysts can use to better understand the potential impact of a threat.