We build intelligence infrastructure
Threat intelligence tooling has been overpriced, opaque, and cloud-dependent for too long. We're fixing the infrastructure layer.
The market is broken.
We built the alternative.
Enterprise threat intelligence platforms run $100K+ per year. They run in vendor clouds, meaning every IOC you query — every indicator that maps to your environment — is visible to the vendor. That's not a theoretical risk. It's a structural one.
Open-source alternatives like MISP and OpenCTI solve the cost problem but not the operational ones: no privacy guarantees, no automation layer, and integration work that lands on your already-stretched engineering team.
MalCloud is our answer. Self-hosted. Air-gapped-capable. Automated. From zero-knowledge sharing to SIEM integration, from local AI inference to collective threat pools — we're building the full intelligence stack, proving that threat intelligence can be private, fast, and production-grade without choosing between any of those properties.
What we're building
MalCloud is a closed-source threat intelligence platform — self-hosted, designed for environments where data sovereignty is non-negotiable. Free hosted community tier available.
Self-hosted TIP
Full-featured threat intelligence platform. Deploy on your infrastructure, own your data. 15+ microservices: Go backend, Next.js frontend, NATS messaging, Elasticsearch. No call-home, no telemetry.
ZK-STIX — Zero-Knowledge Threat Sharing
Share IOC sets with partners and ISACs without revealing which indicators you're searching for. Bloom filter overlap queries let you participate in collective defense without exposing your threat model. Zero-knowledge proofs applied to STIX 2.1 objects.
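To make the overlap query concrete, here is an added Go sketch that is not MalCloud's code: it assumes a keyed Bloom filter is the only artifact exchanged, with the HMAC key agreed out of band per exchange (both are assumptions, not the product's design). Each side hashes its indicators into the filter, ships only the bit array, and the receiver tests its own indicators locally, so neither the query nor the underlying indicator set is sent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)
// BloomFilter is the only artifact exchanged: a bit array plus its sizing parameters.
type BloomFilter struct {
	bits []uint64
	m, k uint64
	key  []byte // per-exchange secret agreed out of band (assumed; not MalCloud's design)
}
func NewBloomFilter(m, k uint64, key []byte) *BloomFilter {
	return &BloomFilter{bits: make([]uint64, (m+63)/64), m: m, k: k, key: key}
}
// positions derives k bit indices by double hashing an HMAC-SHA256 digest, so a
// party without the key cannot enumerate candidate indicators against the filter.
func (b *BloomFilter) positions(ioc string) []uint64 {
	mac := hmac.New(sha256.New, b.key)
	mac.Write([]byte(ioc))
	d := mac.Sum(nil)
	h1, h2 := binary.BigEndian.Uint64(d[:8]), binary.BigEndian.Uint64(d[8:16])|1
	pos := make([]uint64, b.k)
	for i := range pos {
		pos[i] = (h1 + uint64(i)*h2) % b.m
	}
	return pos
}
func (b *BloomFilter) Add(ioc string) {
	for _, p := range b.positions(ioc) {
		b.bits[p/64] |= 1 << (p % 64)
	}
}
// MayContain is "definitely not" or "probably": false positives, never false negatives.
func (b *BloomFilter) MayContain(ioc string) bool {
	for _, p := range b.positions(ioc) {
		if b.bits[p/64]&(1<<(p%64)) == 0 {
			return false
		}
	}
	return true
}
// Overlap checks the querier's indicators against a partner's filter: the partner
// never sees the query, and the querier learns only the probable hits.
func Overlap(partner *BloomFilter, mine []string) (hits []string) {
	for _, ioc := range mine {
		if partner.MayContain(ioc) {
			hits = append(hits, ioc)
		}
	}
	return hits
}
```

The filter hides indicators only from parties without the key and can return false positives, so it yields probable overlap rather than a proof.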
Air-gapped AI Co-Pilot
LLM-powered analysis of threat data — triage, attribution hypothesis, kill chain mapping — running entirely on your hardware. No inference API calls, no data leaving your perimeter. Works in classified and air-gapped environments.
Detection-as-Code
Sigma rules, YARA signatures, and Snort rules generated directly from ingested threat intel in under 60 seconds. Feed in a campaign report, get deployable detections. Supports custom rule templates and CI/CD integration.
ZK Proof-of-Observation
Cryptographic proof you observed a threat indicator before it was publicly shared. gnark Groth16 zk-SNARKs over a Merkle commitment tree, with public transparency roots. Establishes temporal precedence without revealing what you saw.
SIEM Connectors
Push enriched IOCs to Elastic (ECS), Splunk (HEC), Sentinel, Chronicle, and Syslog/CEF in real time. Plugin architecture with a test endpoint for instant POC demos. No manual export, no stale feeds.
Threat Pool
Collective intelligence from all MalCloud orgs. See sighting counts, velocity, and sector breakdown without revealing who contributed. Privacy-preserving by design — hash-only counters, no raw indicator exchange.
Graph Context
Analyst annotations, immutable audit trails, and provenance chains. Every note, confidence override, and the reasoning behind each relationship is stored on the graph. Deepens switching cost with every hour your team invests.
Built by practitioners, for practitioners.
We're a small team of security engineers, intelligence analysts, and applied cryptographers. Our backgrounds span intelligence agencies, FAANG security teams, and published cryptography research.
We're currently in stealth. Team bios and org details are shared during briefings — reach out if you want to talk.
Closed-source.
Auditable on request.
MalCloud is closed-source. The community tier is free, permanently hosted, with no feature gates or usage caps for standard threat intelligence workflows.
Enterprise customers requiring source review — for security audits, compliance, or integration certification — can access the codebase under NDA. Contact us to arrange.
Ready to talk threat intelligence?
Whether you're evaluating MalCloud for deployment, interested in contributing, or want to discuss the architecture — we respond to every substantive inquiry.