Resolve security incidents faster with contextualized threat intelligence

Envoy is an cyber threat feed aggregator and analysis engine.
Envoy adds context to the collected threat data and uses automation to integrate with your existing security tools.
It runs on-premise using Docker or in the cloud as a SaaS application.

Run locally using Docker Sign up free for Envoy Cloud

Threat Intelligence in a container

Envoy is an on-premise threat intelligence aggregator and analysis engine, with the goal to provide accurate and contextualized threat intelligence data.
The software is delivered as 1 Docker container, to allow for scale and resiliency.
With just 2 simple commands you can host Envoy in your organization's network.
There is no phone home - your data stays with you.
There is no special hardware needed or complex setup procedure.

Input and output format flexibility

At the heart of the software it's the multiple-input, multiple-output format support.
The flexibility to take data from CSV, JSON, CEF, STIX, TAXII, MISP and other formats allows data to be easily ingested. Custom, in-house format parsing is also supported.
The output of the system can be views in a web page, or exported (on demand or stream) in a multitude of formats, like Snort rules, PaloAlto rules, Bind, CyBOX, CEF, Json, STIX, or others.

Easy integrate with security tools

Envoy focuses on integrating the data mining information and deliver it in the format that you need.
It can integrate with systems like SIEMs (ArcSight, Splunk, QRadar etc.), internal enterprise software, mobile applications, or can work with scripts that query the API.
Envoy is able to work in tandem with the MISP platform, via pull or push method.

Reduce noise with machine learning

After fetching the data, every event in the system is evaluated by our machine learning models, to detect new patterns and adapt accordingly. This is the basis for the scoring system.
The score can be used to integrate with existing systems, and alert of possible breaches. How strict the engine performs is up to you.

Scalable input

Use the connector binary to push data into the system.
Run with pre-existing providers or specify the data format for your in-house threat feeds.

user@system: connector -provider blocklistdeinfo starting processinginfo fetching configuration provider blacklistdeinfo parsing providerinfo processed and parsed indicator processed and parsed indicator

Developer friendly with full access to API

Access all the features from scripts and other applications by accessing the API server.
Actions include: adding new events, query the data, share, perform updates as result of investigations and many more.

user@system:curl http://envoyproject.local/api/events/query?type=ipv4_address&status=malicious{ code: 200, data: { descs: [ { id: "1491325959486309841", status: "malicious", score: 5, sharelevel: "WHITE", reviewstatus: "unknown", privacymethod: "all" } ], nextpagetoken: 1491325959486310000 } }

Request more information about Envoy

To find out more, send us an email at hello @ or use the contact page. An Envoy engineer will contact you shortly.