PARTNER BRIEF — CONFIDENTIAL
Security Intelligence — Domain Model
How the Vantage intelligence engine works in cybersecurity incident response
Prepared for Brian · Vantage / 1580358 B.C. LTD. · April 2026
What This Is
The Core Idea
Vantage is an intelligence engine purpose-built for a specific domain: cybersecurity incident response. It doesn't flag suspicious activity — it computes, in real time, what is causing the attack, what happens next in the kill chain, and which containment action breaks the attack sequence with the least disruption to the business.
Your SIEM detects. Vantage reasons. That's the partnership. A SIEM sees that PowerShell ran on an endpoint and fires an alert. Vantage sees that Word.exe spawned PowerShell, which spawned ProcDump against LSASS memory — and that this specific attack sequence predicts ransomware deployment with 94% probability within 8 hours unless a network-level intervention is made right now.
The gap Vantage fills: Every SIEM tells you the same thing — "suspicious PowerShell activity detected." What none of them tell you is: given that this PowerShell spawned from Word.exe on a host that already ran ProcDump 12 minutes ago, ransomware deployment has an 89% probability within the next 6 hours, and isolating this specific network segment right now reduces that to 4%. That calculation — and the containment decision that follows from it — is what the engine produces.
The Domain Model
What the Causal DAG Covers
The security incident DAG is the structured model of how attacks work — which events cause which outcomes across the kill chain. It covers six incident types across all major attack vectors, with MITRE ATT&CK framing at each stage.
| Incident Type | Description | MITRE ATT&CK Frame | Status |
|---|---|---|---|
| Ransomware | Encryption-based extortion via phishing or vulnerability exploit | TA0040 — Impact (Encrypt for Impact) | Live in Demo |
| Insider Threat | Authorized user exfiltrating data or sabotaging systems from within | TA0009 — Collection / TA0010 — Exfiltration | Live in Demo |
| Phishing / BEC | Email-borne credential theft, wire fraud, or malware delivery | TA0001 — Initial Access (Spearphishing) | Live in Demo |
| APT / Supply Chain | Long-dwell infiltration through a trusted vendor or update channel | TA0011 — C2 / T1195 — Supply Chain Compromise | Roadmap |
| Privilege Escalation | Credential abuse enabling lateral movement to crown jewels | TA0004 — Privilege Escalation / TA0008 — Lateral Movement | Roadmap |
| Data Exfiltration | Structured data staging and transfer to external infrastructure | TA0010 — Exfiltration / T1041 — Exfil Over C2 | Roadmap |
Causal DAG — Ransomware Kill Chain · Simplified Response Flow
Layer 1 — Root Inputs (set at incident start, loaded from EDR + asset inventory)
Initial Access: Phishing email — Office macro — IT department user
Target Environment: Windows endpoints, AD domain, 200 hosts
EDR Policy: CrowdStrike deployed — policy: Monitor (not Block)
↓ Situation Scan populates these from live log telemetry
Layer 2 — Observations (update live as EDR and SIEM events stream in)
Execution Chain: Word.exe → PowerShell → Base64 payload — suspicious ancestry confirmed
Privilege State: LSASS dump via ProcDump — SYSTEM-level access achieved
Lateral Reach: PsExec confirmed to 14 additional hosts in 40 minutes
C2 Channel: Cobalt Strike beacon — 10-second interval to external IP
↓ Decision Guide activates — scores each containment option before the response team acts
Layer 3 — Decision Point (response team choice — engine has already scored all options)
A — Isolate patient zero only: Partial — lateral movement already spread to 14 hosts. High risk.
B — Isolate affected segment: Breaks C2 + lateral simultaneously. Recommended.
C — Monitor (forensic mode): Maximum intelligence, maximum risk. Use only with IR team on-site.
D — Emergency domain shutdown: Total prevention, 4-hour downtime for all users. Last resort.
Each containment choice (A–D) leads to the corresponding outcome in Layer 4.
↓ Evidence Analysis runs — actual vs. counterfactual outcome computed
Layer 4 — Outcomes (terminal nodes — post-incident report generated here)
A → 3 encrypted, 197 at risk: Patient-zero isolation — lateral already in 14 hosts — ransomware likely
B → 0 hosts encrypted ✓: Segment isolation — C2 severed — ransomware never deployed
C → 200 hosts encrypted: Forensic delay — ransomware deployed — catastrophic. $4.2M impact.
D → 0 encrypted, 4-hr outage: Domain shutdown — total prevention — significant business disruption
Legend: Observation node (live update) · Decision node (response team choice)
The Nodes — What the Engine Tracks
Variables in the Threat Model
Every node in the threat model is a variable the engine tracks and updates as the incident develops. These are the facts that cause outcomes — not correlations, not rules, not signatures.
Initial Access Vector
Root Node — Attack Initiator
Phishing, exploit, supply chain, insider, credential stuffing. Sets the legal and technical frame for all downstream nodes. Determines which kill chain variant the engine activates.
Target Profile
Root Node — Attack Surface
OS, patch level, EDR coverage, backup status, network segmentation. Loaded from asset inventory at incident start. Determines which containment options are available.
EDR Policy
Critical Observation Node
Monitor vs. Block. This single variable determines whether the engine can stop execution in place or must recommend network-level containment. The most consequential policy decision in endpoint security.
Execution Chain
Observation Node — Updates Live
Process ancestry: which process spawned which. Word.exe → PowerShell is a known malicious pattern. The engine classifies the chain against the threat model and scores its stage probability.
Privilege State
Derived Node — Engine Infers
Local user / local admin / domain admin / SYSTEM. Inferred from observed events — LSASS access confirms privilege escalation even before the attacker takes a privileged action.
Lateral Reach
Observation Node — Critical
How many hosts has lateral movement reached, and which ones. Determines whether patient-zero isolation is still viable. Once lateral reach exceeds 3 hosts in a flat network, segment isolation is the minimum effective response.
C2 Channel
Observation Node
Beacon presence, interval, external IP, protocol. An active C2 channel means the attacker has persistent access and is directing the attack in real time. Severing C2 is the single highest-leverage containment action.
Kill Chain Stage
Derived Node — Continuous
Initial Access → Execution → Privilege Escalation → Lateral Movement → C2 → Impact. The engine infers the current stage from observed events and updates the probability distribution of the next stage every 60 seconds.
Backup Integrity
Root Node — Recovery Options
Coverage, last backup date, last tested recovery. Determines whether shutdown is a viable containment option. A backup last tested 90 days ago is not a reliable recovery option — the engine weights this in its decision scoring.
Business Impact
Terminal Node
Hosts encrypted × data sensitivity × downtime cost × regulatory exposure. The terminal node the engine is computing toward. Every upstream node is trying to predict and minimize this value.
The Four Layers — How Vantage Runs
What Happens During an Incident
Vantage runs four layers of analysis simultaneously during a security incident. Each layer activates at a different point in the response timeline and serves a different function for the security team.
1. Situation Scan — Observe
Active from the first alert
Ingests and classifies the incident: attack vector, kill chain stage, affected hosts, involved user accounts, active C2 channels. Populates the threat model with current observed values and tells the response team what is happening in plain language — not generic, but specific to this incident, right now. Pulls from EDR, SIEM, network flow, and asset inventory simultaneously.
2. Decision Guide — Intervene
Activates at each response decision point
Scores each available containment option by running it through the threat model as a response intervention. Computes the impact on attack progression for each choice — not a guess, a structured calculation. Presents ranked options: "Isolating this segment severs C2 and blocks lateral movement. Ransomware probability drops from 94% to 4%." No methodology. Just the result and the recommended action.
2.5. Foresight Engine — Anticipate
Active between response decisions
Projects the attack trajectory as it develops — before the next kill chain stage executes. Tells the response team what is likely to happen next and when. This is the proprietary layer: streaming threat analysis between decision points. It allows the system to say "ransomware deployment estimated within 6 hours — recommend segment isolation now" before the attacker has taken any encryption action. Pre-emption, not reaction.
3. Evidence Analysis — Counterfactual
Activates after incident closes
Generates the formal post-incident report. Computes the actual outcome vs. the best alternative outcome, identifies the exact decision or policy gap that drove the difference, and produces a structured board-ready document. "If EDR policy had been set to Block, macro execution would have been stopped at step 2. 197 hosts would not have been affected. Cost differential: $4.2M." This layer also powers compliance reporting for NIST CSF, ISO 27001, and cyber insurance.
Why This Matters — The Gap in the Market
What SIEM, SOAR, and XDR Cannot Do
Current security platforms operate on correlation rules and ML anomaly detection. They are trained to find patterns that look like past attacks. Vantage does something categorically different: it models the attack structure and reasons forward from it.
The limitation of correlation: A SIEM can tell you that PsExec ran on 14 hosts within 40 minutes — and call it suspicious. It cannot tell you that this specific sequence is directly connected to the PowerShell execution 40 minutes earlier, that this represents stage 4 of 6 in a ransomware kill chain, and that the attacker has approximately 6 hours of undetected access remaining before they deploy. The difference is not sophistication. It is architecture.
SOAR platforms automate response playbooks. But a playbook is a list of rules. It cannot adapt to a novel attack sequence or compute which intervention is most effective given the current state of the kill chain. Vantage reasons over the actual attack structure — which is why it can recommend a response option that no playbook anticipated and explain exactly why it works.
Mean Time to Contain: 4.2 hrs — industry average (rule-based SIEM + manual response)
With Vantage: 38 min — causal containment recommendation at alert, before the team convenes
Cost Differential: $4.2M — IBM Cost of a Data Breach 2024, average ransomware incident, mid-market
Commercial Model
How This Goes to Market
Revenue Structure — Security Intelligence Vertical
MSSP / SOC License: $8K–$24K per month. Tiered by endpoints under management. Target: Alvaka Networks and regional MSSPs.
Enterprise Direct: $120K–$400K per year. Fortune 1000 direct. Integrates into existing SIEM stack via API. No rip-and-replace.
Compliance Module: $2K–$6K per month add-on. Post-incident counterfactual report mapped to NIST CSF, ISO 27001, cyber insurance.
The immediate opportunity: Kevin McDonald at Alvaka Networks (regional MSSP, Los Angeles) has expressed direct interest. Alvaka manages approximately 1,200 endpoints across 40 clients. At $14K/month, this is a $168K ARR contract from a single MSSP customer. The demo is live. The domain model is built. The meeting is the next step.