AETHER Feature Fact Sheets
12 feature modules - competitive parity ratings - API reference - software map
  • 12 Feature Modules
  • 7 Market-Leading
  • 5 Industry Parity
  • 28 New API Endpoints
  • 90+ MITRE Techniques
  • 4 Compliance Frameworks
Sentinel Swarm (Core Defence)
Multi-agent AI consensus network: the swarm votes before any critical action fires
Competitive rating: LEADS (9/10)
Key Strengths
  • Up to 50+ autonomous agents running simultaneously; no single point of failure
  • APEX admission: only Level 20+ graduated bots handle critical actions
  • AWS-native isolation: EC2 deny-all SG, IAM AWSDenyAll, SSM+LiME memory dump, EBS snapshot
  • DEFCON ladder: GREEN > YELLOW > ORANGE > RED with escalation audit trail
  • Swarm consensus vote prevents a single compromised agent from triggering a false positive
  • Live roster at GET /api/sentinel/apex-roster: see active APEX agents in real time
Delivered by
  • CORE/orchestrator.py
  • CORE/telemetry_api.py
API Reference
  • GET /api/sentinel/status
  • GET /api/sentinel/apex-roster
  • POST /api/sentinel/escalate
Competitive Comparison
  Platform              Score  Note
  AETHER                9/10   Built-in, no add-on cost
  CrowdStrike Falcon    7/10   Single agent, no multi-agent consensus
  SentinelOne           6/10   Single agent model
  Darktrace             8/10   AI-driven but single response point
  Palo Alto XSOAR       7/10   Orchestration but not swarm model
WiFi Dome (Network Defence)
Continuous passive network threat detection with 5-feed CTI correlation
Competitive rating: PARITY (8/10)
Key Strengths
  • Real-time monitoring of all TCP/UDP connections via psutil; zero blind spots
  • IOC correlation against 5 live CTI feeds: Feodo, URLhaus, CISA KEV, Tor exits, EmergingThreats
  • Geographic threat mapping: country of origin on every suspicious connection
  • Protocol anomaly detection: DNS tunnelling, HTTPS C2 beaconing, unusual port patterns
  • Auto-priority scoring: CRITICAL / HIGH / MEDIUM / LOW queue
  • Zero-configuration passive mode: no network tap or mirror port required
Delivered by
  • CORE/network_threat_detector.py
API Reference
  • GET /api/network/threats
  • GET /api/network/connections
  • GET /api/feeds/status
Competitive Comparison
  Platform          Score  Note
  AETHER            8/10   Built-in, no add-on cost
  Darktrace         9/10   Industry NDR leader - AETHER integrates SOAR response
  CrowdStrike       8/10   Good network telemetry, subscription cost high
  Palo Alto NGFW    8/10   Hardware-dependent, higher cost
  Zeek/Suricata     7/10   Open source, no AI/ML or automated response
Bots Training Camp (AI / ML)
Continuous adversarial ML with Bronze > Silver > Gold > Platinum > APEX tier progression
Competitive rating: LEADS (9/10)
Key Strengths
  • 90+ MITRE ATT&CK techniques across Enterprise + ICS matrices
  • 5-tier XP system: Bronze (L5) > Silver (L10) > Gold (L15) > Platinum (L18) > APEX (L20)
  • Atomic Red Team + Caldera JSON evidence import: real test results feed the ML pipeline
  • Z-score (3-sigma) behavioral baseline eliminates bursty single-sample false positives
  • LSTM anomaly detector for sustained multi-step threat patterns
  • Synthetic gap injection: bots automatically trained on any uncovered MITRE technique
Delivered by
  • CORE/detection_bridge.py
  • CORE/validation_importer.py
API Reference
  • GET /api/bots/graduation
  • GET /api/telemetry/heartbeat
  • POST /api/validation/import
  • POST /api/validation/scan
Competitive Comparison
  Platform                  Score  Note
  AETHER                    9/10   Built-in, no add-on cost
  AttackIQ                  8/10   Dedicated BAS platform, higher standalone cost
  CrowdStrike Falcon X      8/10   Strong ML but closed import pipeline
  SentinelOne Singularity   7/10   AI-focused, no open training pipeline
  VECTR                     7/10   Purple team tracking, no ML graduation
Big Four Nation-State Defence (Threat Intelligence)
100% verified posture against PRC / Russia / Iran / DPRK with automated hardening
Competitive rating: LEADS (10/10)
Key Strengths
  • China (PRC): Volt/Salt Typhoon living-off-the-land defence, SMB signing, no reverse tunnels (frpc/ngrok/chisel)
  • Russia (Sandworm): wiper-target FIM, VSS shadow copy protection, LAN gateway monitoring, mail spray guard
  • Iran (APT33/Av3ngers): ICS port lockdown (T0xxx), FIDO2 enforcement, cloud credential rotation, no unmanaged RMM
  • DPRK (Lazarus/Chollima): supply chain lockfiles, no SaaS C2 tunnels, biometric sentry capability, social lure awareness
  • Automated hardening: a single API call registers 12 actor IPs + 16 domains into the IOC engine and extends FIM
  • SOC 2-style compensating-control override system with full audit trail handles GPO-managed environments
Delivered by
  • CORE/bigfour_defenders.py
  • CORE/big_four_posture.py
API Reference
  • GET /api/bigfour/posture
  • GET /api/bigfour/actor/{id}
  • POST /api/bigfour/sparring/run
  • POST /api/bigfour/defences/harden
  • POST /api/bigfour/defences/override
Competitive Comparison
  Platform              Score  Note
  AETHER                10/10  Built-in, no add-on cost
  CrowdStrike Intel     8/10   Excellent threat intel, but no automated hardening
  Mandiant Advantage    9/10   Deepest APT intel, but passive: no automated defence
  Microsoft Sentinel    7/10   Good for Azure, limited ICS/OT coverage
  Recorded Future       8/10   Best-in-class intel feed, no automated response
Kill Chain Engine (Detection)
6-phase MITRE-aligned kill chain with per-phase priority technique sets
Competitive rating: LEADS (9/10)
Key Strengths
  • Phase 1 Recon: T1595 (Active Scan), T1592 (Gather Victim Host Info), T1590, T1589, T1598
  • Phase 2 Staging: T1547 (Boot Autorun), T1546 (Event Triggered), T1543, T1053 (Task/Job Scheduled)
  • Phase 3 Lateral: T1021 (Remote Services), T1110 (Brute Force), T1550 (Pass-the-Hash/Ticket), T1557 (MITM)
  • Phase 4 Collection: T1082 (Sys Discovery), T1046 (Network Scan), T1083 (File Discovery), T1087
  • Phase 5 C2/Exfil: T1071 (App Layer Protocol), T1573 (Encrypted Channel), T1090 (Proxy), T1567/T1048
  • Phase 6 Impact/Grid: T1486 (Ransomware), T1490 (Inhibit Recovery), T0813/T0831/T0836 (ICS disruption)
Delivered by
  • CORE/kill_chain_engine.py
  • CORE/phase_bridges.py
API Reference
  • GET /api/kill-chain/status
  • GET /api/detections
  • GET /api/training/history
Competitive Comparison
  Platform                      Score  Note
  AETHER                        9/10   Built-in, no add-on cost
  CrowdStrike Falcon            8/10   Excellent kill chain, EPP-focused endpoint
  Carbon Black                  8/10   Strong but endpoint-only coverage
  Splunk Enterprise Security    8/10   Powerful correlation, expensive licensing
  Elastic SIEM                  7/10   Flexible but requires significant tuning
SOAR Playbooks (Automation)
Automated response - 16 default playbooks, 11 action types, EventBus-driven
Competitive rating: PARITY (8/10)
Key Strengths
  • Default playbooks: critical_threat_response, honeytoken_triggered, kill_chain_phase3_plus, scanner_block, anomaly_high, nation_state_detection, local_ransomware_burst, credential_abuse_freeze, kev_hotfix_triage, beacon_quarantine, web_defacement_rollback, impossible_travel_review, live_ioc_suppression, tor_exit_step_up, phishing_lure_containment, mass_scanner_suppression
  • Action types: Slack alert, Teams alert, PagerDuty, email, block IP, isolate alert, enrich IOCs, redeploy honeytokens, run sparring, ticket, custom webhook
  • Condition engine: AND-chained rules with eq/ne/in/not_in/gte/lte/contains/exists on any event field
  • Full execution log + ticket generation stored in a JSONL audit trail
  • Zero external dependencies - operates without a SIEM subscription
  • Custom playbooks via API: POST /api/soar/playbooks with any condition/action config
Delivered by
  • CORE/soar_playbooks.py
API Reference
  • GET /api/soar/playbooks
  • POST /api/soar/playbooks
  • DELETE /api/soar/playbooks/{id}
  • GET /api/soar/executions
  • GET /api/soar/tickets
  • GET /api/soar/blocked-ips
Competitive Comparison
  Platform                    Score  Note
  AETHER                      8/10   Built-in, no add-on cost
  Palo Alto XSOAR             9/10   Industry leader; AETHER avoids its config overhead and licensing
  Splunk SOAR                 9/10   Powerful but expensive
  Microsoft Sentinel SOAR     8/10   Azure-dependent, works best in MS ecosystem
  IBM SOAR                    8/10   Enterprise focus, very high cost
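The condition engine described under SOAR Playbooks (AND-chained rules with eq/ne/in/not_in/gte/lte/contains/exists on any event field) can be shown end to end in a few dozen lines. The block below is an added illustration and is not AETHER's CORE/soar_playbooks.py: the playbook definitions reuse names from the fact sheet but their conditions, the sample events, the dotted field-path convention and the JSONL record layout are all constructed assumptions.

```python
"""Minimal AND-chained condition engine in the style of the SOAR Playbooks sheet.
Added illustration, not AETHER's own code; playbooks, events and the audit
record layout are constructed assumptions."""
import json
from typing import Any, Callable, Dict, List, Optional


def _ordered(actual: Any, expected: Any, test: Callable[[Any, Any], bool]) -> bool:
    # gte/lte only make sense for comparable values; a type mismatch is "no match"
    try:
        return actual is not None and test(actual, expected)
    except TypeError:
        return False


# The eight operators named on the fact sheet, each (actual, expected) -> bool
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq":       lambda a, e: a == e,
    "ne":       lambda a, e: a != e,
    "in":       lambda a, e: a in e,
    "not_in":   lambda a, e: a not in e,
    "gte":      lambda a, e: _ordered(a, e, lambda x, y: x >= y),
    "lte":      lambda a, e: _ordered(a, e, lambda x, y: x <= y),
    "contains": lambda a, e: a is not None and e in a,
    "exists":   lambda a, e: (a is not None) == bool(e),
}


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted field path such as 'source.ip' against a nested event (assumed convention)."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    op = OPERATORS.get(rule["op"])
    if op is None:
        raise ValueError(f"unknown operator {rule['op']!r}")
    return op(get_field(event, rule["field"]), rule.get("value"))


def playbook_matches(event: Dict[str, Any], playbook: Dict[str, Any]) -> bool:
    # AND-chained: every rule in the playbook must hold
    return all(rule_matches(event, r) for r in playbook["conditions"])


def match_playbooks(event: Dict[str, Any], playbooks: List[Dict[str, Any]]) -> List[str]:
    return [p["name"] for p in playbooks if playbook_matches(event, p)]


def execution_record(event: Dict[str, Any], playbook: Dict[str, Any]) -> str:
    """One JSONL audit line: which playbook fired, on which event, with which actions."""
    return json.dumps({"playbook": playbook["name"], "event_id": event.get("id"),
                       "actions": playbook["actions"]}, sort_keys=True)


# Constructed playbooks using names from the fact sheet; the conditions are illustrative
PLAYBOOKS: List[Dict[str, Any]] = [
    {"name": "honeytoken_triggered",
     "conditions": [{"field": "event_type", "op": "eq", "value": "honeytoken_triggered"}],
     "actions": ["slack_alert", "enrich_iocs", "block_ip"]},
    {"name": "critical_threat_response",
     "conditions": [{"field": "severity", "op": "eq", "value": "CRITICAL"},
                    {"field": "source.ip", "op": "exists", "value": True}],
     "actions": ["pagerduty", "isolate_alert", "ticket"]},
    {"name": "credential_abuse_freeze",
     "conditions": [{"field": "event_type", "op": "in", "value": ["brute_force", "password_spray"]},
                    {"field": "failed_logins", "op": "gte", "value": 50}],
     "actions": ["block_ip", "ticket"]},
]

# Constructed sample events (documentation-range IP)
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    "honeytoken": {"id": "evt-1", "event_type": "honeytoken_triggered", "severity": "CRITICAL",
                   "source": {"ip": "203.0.113.7"}},
    "spray": {"id": "evt-2", "event_type": "password_spray", "severity": "HIGH", "failed_logins": 120},
    "bad_type": {"id": "evt-3", "event_type": "password_spray", "severity": "HIGH", "failed_logins": "many"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, "->", match_playbooks(ev, PLAYBOOKS))
```

Two details matter for a rule engine that drives blocking actions: a missing field must never satisfy a comparison by accident (hence the `None` guards), and a type mismatch such as a string in a numeric `gte` should fail closed rather than raise mid-playbook.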
CTI Enrichment (Threat Intelligence)
Real-time IOC enrichment from 5 providers; composite risk score 0-100 with verdict
Competitive rating: PARITY (8/10)
Key Strengths
  • Providers: VirusTotal, AbuseIPDB, Shodan InternetDB (free), GreyNoise community, IPAPI (geo)
  • Composite risk score 0-100 with verdict: clean / suspicious / malicious + risk band LOW/MED/HIGH/CRITICAL
  • Token-bucket rate limiting per provider prevents API key burn during high-volume events
  • TTL caching: VirusTotal 24h, AbuseIPDB 6h, Shodan 12h, GreyNoise 12h; no duplicate lookups
  • Async queue: queue_enrichment(ioc) is non-blocking, results fetched later via get_enrichment_result()
  • Auto-fires on every honeytoken trigger, ASM scan, and network threat detection
Delivered by
  • CORE/cti_enrichment.py
API Reference
  • GET /api/cti/enrich?ioc=1.2.3.4
  • POST /api/cti/enrich/batch
  • GET /api/cti/results
Competitive Comparison
  Platform                Score  Note
  AETHER                  8/10   Built-in, no add-on cost
  CrowdStrike Falcon X    9/10   Best-in-class IOC intel, requires subscription
  VirusTotal Enterprise   9/10   IOC lookup only; no automated response integration
  ThreatConnect TIP       8/10   Full TIP platform, enterprise pricing
  Recorded Future         9/10   Industry-leading context, standalone product cost
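Per-provider token-bucket rate limiting and TTL caching are the two controls that keep an enrichment pipeline from burning API keys during a burst, so the block below puts them in front of stubbed provider lookups and folds the answers into a composite score. It is an added illustration, not AETHER's CORE/cti_enrichment.py: the providers are stubs returning constructed scores, the bucket rate and burst size are assumptions, the TTLs are the ones quoted above, and the verdict and band thresholds are assumed because the fact sheet names the labels but not the cut-offs.

```python
"""Token-bucket rate limiting plus per-provider TTL caching around IOC lookups.
Added illustration, not AETHER's own code; providers are stubs and the
composite thresholds are assumptions."""
from typing import Callable, Dict, Optional, Tuple

Clock = Callable[[], float]


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""
    def __init__(self, start: float = 1_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Refills `rate` tokens per second up to `capacity`; one lookup costs one token."""
    def __init__(self, rate: float, capacity: int, clock: Clock):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_consume(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TTLCache:
    """Stores (value, expiry) per key; an expired entry behaves as a miss."""
    def __init__(self, clock: Clock):
        self.clock = clock
        self.store: Dict[str, Tuple[int, float]] = {}

    def get(self, key: str) -> Optional[int]:
        hit = self.store.get(key)
        if hit is None or hit[1] <= self.clock():
            self.store.pop(key, None)
            return None
        return hit[0]

    def put(self, key: str, value: int, ttl_seconds: float) -> None:
        self.store[key] = (value, self.clock() + ttl_seconds)


# TTLs quoted on the fact sheet, in seconds
TTL = {"virustotal": 24 * 3600, "abuseipdb": 6 * 3600, "shodan": 12 * 3600, "greynoise": 12 * 3600}


def _stub_provider(name: str) -> Callable[[str], int]:
    # Stand-in for the vendor API: one constructed "known bad" IP scores, everything else is 0
    table = {"virustotal": 80, "abuseipdb": 100, "shodan": 20, "greynoise": 60}
    return lambda ioc: table[name] if ioc == "198.51.100.23" else 0


def verdict_for(score: int) -> str:
    # Assumed cut-offs; the sheet names the verdicts but not the thresholds
    return "malicious" if score >= 70 else "suspicious" if score >= 30 else "clean"


def band_for(score: int) -> str:
    return "CRITICAL" if score >= 90 else "HIGH" if score >= 70 else "MED" if score >= 30 else "LOW"


class Enricher:
    def __init__(self, clock: Clock, rate: float = 1.0, burst: int = 4):
        self.cache = TTLCache(clock)
        self.buckets = {p: TokenBucket(rate, burst, clock) for p in TTL}   # one bucket per provider
        self.providers = {p: _stub_provider(p) for p in TTL}
        self.calls: Dict[str, int] = {p: 0 for p in TTL}                   # outbound calls per provider

    def lookup(self, provider: str, ioc: str) -> Optional[int]:
        key = f"{provider}:{ioc}"
        cached = self.cache.get(key)
        if cached is not None:
            return cached                          # inside the TTL: no duplicate lookup
        if not self.buckets[provider].try_consume():
            return None                            # rate-limited: retry later instead of burning the key
        self.calls[provider] += 1
        score = self.providers[provider](ioc)
        self.cache.put(key, score, TTL[provider])
        return score

    def enrich(self, ioc: str) -> Dict[str, object]:
        scores = {p: self.lookup(p, ioc) for p in TTL}
        answered = [s for s in scores.values() if s is not None]
        composite = round(sum(answered) / len(answered)) if answered else 0   # assumed: mean of responders
        return {"ioc": ioc, "scores": scores, "composite": composite,
                "verdict": verdict_for(composite), "band": band_for(composite)}
```

With the clock injected, the refill and expiry behaviour is testable without sleeping: a fourth burst lookup against the same provider is refused until a token refills, and a cached AbuseIPDB answer goes stale after 6h while the VirusTotal one is still served for 24h.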
Honeytokens (Deception)
Zero-false-positive deception: 6 credential traps + HTTP canary URL
Competitive rating: LEADS (9/10)
Key Strengths
  • 6 token types: fake AWS access keys (aws_credentials.cfg), Azure SP creds (JSON), DB passwords, SSH deploy key, API master keys
  • HTTP canary URL: /system/internal-diagnostics/auth-bypass-test; any access = confirmed attacker
  • FIM integration: all 6 token file paths added to the File Integrity Monitoring watchlist on deploy
  • CTI enrichment: any attacker IP that triggers a token is immediately queued for enrichment
  • EventBus THREAT_DETECTED CRITICAL on every trigger feeds SOAR playbooks instantly
  • Zero false positives by design: real users/processes never access these decoy credentials
Delivered by
  • CORE/honeytokens.py
API Reference
  • GET /api/honeytokens/status
  • POST /api/honeytokens/deploy
  • POST /api/honeytokens/redeploy
  • GET /api/honeytokens/log
  • POST /api/honeytokens/check/url
Competitive Comparison
  Platform                          Score  Note
  AETHER                            9/10   Built-in, no add-on cost
  Attivo Networks                   9/10   Dedicated deception platform; AETHER integrates deception into the full SIEM without an add-on
  Illusive Networks                 9/10   Enterprise deception, standalone subscription cost
  Canarytokens.org                  7/10   Free and easy but manual; no automated SOAR response
  SentinelOne Singularity Identity  8/10   Subscription deception module
Compliance Mapper (Compliance)
Automated detection-to-control mapping: NIST CSF 2.0, Cyber Essentials+, ISO 27001:2022, DORA
Competitive rating: LEADS (9/10)
Key Strengths
  • NIST CSF 2.0: 38 controls across 6 functions: Govern (new in v2.0), Identify, Protect, Detect, Respond, Recover
  • UK Cyber Essentials+: 19 controls, 6 themes; aligned with NCSC requirements for UK public sector / government contracts
  • ISO 27001:2022 Annex A: 25 controls, 4 themes; supports certification audit evidence
  • DORA (EU Digital Operational Resilience Act): 11 articles, 4 pillars; financial-sector regulatory compliance
  • AUDIT_READY scoring bands: Compliant >=90 / Substantially >=70 / Partially >=50 / Non-Compliant <50
  • Zero new data collection: maps AETHER's existing detection data to controls automatically
Delivered by
  • CORE/compliance_mapper.py
API Reference
  • GET /api/compliance/report
  • GET /api/compliance/gap/{framework}
  • GET /api/compliance/export
  • GET /api/compliance/frameworks
Competitive Comparison
  Platform                        Score  Note
  AETHER                          9/10   Built-in, no add-on cost
  Mandiant Advantage Compliance   8/10   Strong framework coverage, subscription-only
  Tenable.io                      8/10   Vulnerability-centric compliance, not detection-centric
  Drata                           8/10   Compliance automation tool, zero threat detection capability
  Vanta                           7/10   Compliance-only, no defence integration
Attack Surface Management (Exposure Mgmt)
Continuous external attack surface scanning: 6 scan types, no agent required
Competitive rating: PARITY (8/10)
Key Strengths
  • Certificate Transparency via crt.sh: discovers all subdomains ever issued a TLS certificate; finds shadow IT
  • DNS security audit: SPF, DMARC, DKIM, MX via Google DNS-over-HTTPS; no local resolver dependency
  • HTTP security header audit on apex domain + all discovered subdomains
  • Shodan InternetDB sweep: open ports + known CVEs on configured IP space (free tier, no key needed)
  • Typosquatting engine: 300+ variants per domain: keyboard-adjacent, homoglyphs (0/o, 1/l, rn/m), TLD rotation
  • Domain expiry via RDAP: alerts 30 days out (WARNING), 7 days out (CRITICAL)
Delivered by
  • CORE/asm_engine.py
API Reference
  • GET /api/asm/scan/last
  • POST /api/asm/scan/run
  • GET /api/asm/history
Competitive Comparison
  Platform                           Score  Note
  AETHER                             8/10   Built-in, no add-on cost
  Censys Attack Surface Management   9/10   Best-in-class ASM, subscription required
  CrowdStrike Recon                  9/10   Excellent incl. dark web monitoring, premium tier
  Mandiant ASM                       8/10   Enterprise focus, high cost
  Shodan Monitor                     7/10   IP exposure only; no CT/DNS audit/typosquat/expiry
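The typosquatting bullet above lists three variant families (keyboard-adjacent, homoglyph, TLD rotation); the point of generating them for your own domain is to have a watchlist to match Certificate Transparency and DNS telemetry against. The block below is an added illustration, not AETHER's CORE/asm_engine.py: it generates a candidate set for a single-label apex domain and intersects it with observed domains. The keyboard adjacency map and TLD list are constructed and deliberately small, and the multi-label handling (one label plus one TLD) is an assumption.

```python
"""Lookalike-domain watchlist generation: keyboard-adjacent, homoglyph and
TLD-rotation variants of a monitored domain, matched against observed names.
Added illustration, not AETHER's own code; adjacency map and TLD list are constructed."""
from typing import Set, Tuple

# Constructed subset of QWERTY neighbours (assumption)
KEYBOARD_ADJACENT = {
    "a": "qwsz", "e": "wrsd", "l": "kop", "m": "njk", "o": "ipl", "p": "ol", "x": "zsdc",
}
# Homoglyph substitutions quoted on the fact sheet (0/o, 1/l, rn/m) plus i/l
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "m": ["rn"], "i": ["l", "1"]}
TLDS = ["com", "net", "org", "co", "io"]   # constructed rotation list


def split_domain(domain: str) -> Tuple[str, str]:
    """Assumes a single label plus a single TLD, e.g. 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def keyboard_variants(label: str) -> Set[str]:
    out: Set[str] = set()
    for i, ch in enumerate(label):
        for near in KEYBOARD_ADJACENT.get(ch, ""):
            out.add(label[:i] + near + label[i + 1:])
    return out


def homoglyph_variants(label: str) -> Set[str]:
    out: Set[str] = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def generate_variants(domain: str) -> Set[str]:
    label, tld = split_domain(domain)
    labels = keyboard_variants(label) | homoglyph_variants(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in TLDS if t != tld}   # TLD rotation
    variants.discard(domain.lower())                          # never flag the real domain
    return variants


def watchlist_hits(domain: str, observed: Set[str]) -> Set[str]:
    """Observed names (from CT logs, DNS telemetry, mail headers) that are lookalikes of `domain`."""
    return generate_variants(domain) & {d.lower() for d in observed}


if __name__ == "__main__":
    # Constructed observation set, as a CT-log feed might yield it
    print(sorted(watchlist_hits("example.com", {"EXAMP1E.com", "benign.org", "example.net"})))
```

A real engine adds omissions, transpositions and bit-flip variants to reach the 300+ per domain quoted above; the matching side stays the same set intersection, which is why the generator is kept as pure functions over the label.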
Purple Team Scheduler (Simulation)
Automated adversary simulation calendar: 7 schedules, 8 exercise types, posture trending
Competitive rating: LEADS (9/10)
Key Strengths
  • 7 built-in schedules: daily CTI sync, weekly Big Four sparring (Monday), weekly hardening (Wednesday), weekly compliance (Friday), weekly ASM (Sunday), 12h honeytoken audit, daily validation scan
  • 8 exercise types: big_four_sparring, big_four_hardening, training_cycle, validation_scan, compliance_check, asm_scan, threat_intel_sync, honeytoken_audit
  • Calendar-based: day_of_week + time_of_day OR interval_hours / interval_minutes (no cron daemon)
  • Historical posture trending: chart any metric (spar_avg, compliance_score, findings) over 30/90/365 day windows
  • Fully automated - runs 24/7 as a background task in the AETHER API process
  • Custom exercises via POST /api/purple-team/schedules: any exercise, any schedule
Delivered by
  • CORE/purple_team_scheduler.py
API Reference
  • GET /api/purple-team/schedules
  • GET /api/purple-team/exercises
  • POST /api/purple-team/run/{exercise_id}
  • POST /api/purple-team/schedules
  • GET /api/purple-team/history
  • GET /api/purple-team/trend/{exercise_id}
Competitive Comparison
  Platform          Score  Note
  AETHER            9/10   Built-in, no add-on cost
  AttackIQ          8/10   Dedicated BAS platform, standalone product/cost
  Cymulate          9/10   Best-in-class BAS, subscription per node
  VECTR             7/10   Purple team tracking, no automated scheduling engine
  Palo Alto BAS     8/10   Premium tier add-on
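The scheduling model described above has two shapes, a calendar entry (day_of_week + time_of_day) and an interval entry (interval_hours / interval_minutes), polled by a background task rather than cron. The block below is an added illustration of that due-check and is not AETHER's CORE/purple_team_scheduler.py: the schedule definitions reuse exercise names from the fact sheet but their timings, the `id` field, the ISO-timestamp tick interface and the history record layout are constructed assumptions.

```python
"""Calendar-or-interval due-check polled from a background task, no cron daemon.
Added illustration, not AETHER's own code; schedules and the runner are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

# Constructed schedules using exercise names from the fact sheet (timings are assumptions)
SCHEDULES: List[Dict[str, object]] = [
    {"id": "weekly_big_four_sparring", "exercise": "big_four_sparring",
     "day_of_week": "monday", "time_of_day": "02:00"},
    {"id": "honeytoken_audit_12h", "exercise": "honeytoken_audit", "interval_hours": 12},
    {"id": "daily_cti_sync", "exercise": "threat_intel_sync", "interval_hours": 24},
]


def is_due(schedule: Dict[str, object], now: datetime, last_run: Optional[datetime]) -> bool:
    if "interval_hours" in schedule or "interval_minutes" in schedule:
        interval = timedelta(hours=int(schedule.get("interval_hours", 0)),
                             minutes=int(schedule.get("interval_minutes", 0)))
        return last_run is None or now - last_run >= interval
    # Calendar shape: right weekday, wall-clock time reached, and not already run today
    if DAYS[now.weekday()] != schedule["day_of_week"]:
        return False
    hh, mm = (int(p) for p in str(schedule["time_of_day"]).split(":"))
    if (now.hour, now.minute) < (hh, mm):
        return False
    return last_run is None or last_run.date() != now.date()


class Scheduler:
    """Each tick runs whatever is due, records the run, and reports what ran."""
    def __init__(self, schedules: List[Dict[str, object]]):
        self.schedules = schedules
        self.last_run: Dict[str, datetime] = {}
        self.history: List[Dict[str, str]] = []   # what a history endpoint would serve

    def tick(self, now_iso: str) -> List[str]:
        now = datetime.fromisoformat(now_iso)
        ran: List[str] = []
        for s in self.schedules:
            sid = str(s["id"])
            if is_due(s, now, self.last_run.get(sid)):
                self.last_run[sid] = now           # a real runner would launch the exercise here
                self.history.append({"schedule": sid, "exercise": str(s["exercise"]), "at": now_iso})
                ran.append(sid)
        return ran


if __name__ == "__main__":
    sch = Scheduler(SCHEDULES)
    for ts in ["2024-01-01T01:30", "2024-01-01T02:00", "2024-01-01T13:30", "2024-01-08T02:00"]:
        print(ts, "->", sch.tick(ts))
```

The "not already run today" check is what keeps a once-a-week entry from firing on every poll after its time of day has passed; an interval entry needs no such guard because its own last-run timestamp gates it.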
Behavioral Anomaly & FIM (Host Defence)
Z-score behavioral baseline, LSTM anomaly detection, File Integrity Monitoring
Competitive rating: PARITY (8/10)
Key Strengths
  • Z-score (3-sigma) baseline: eliminates bursty single-sample false positives (e.g. browser tab opens)
  • Z_INSTANT = 10-sigma fast-path for catastrophic spikes - ransomware/wiper detected in <1 sample
  • PERSISTENCE = 3: sustained anomaly over 3 consecutive samples before an alert fires
  • FIM watchlist extended automatically by Big Four hardening: 5 wiper-target system files
  • CSRF protection, session cookie hardening (HttpOnly/Secure/SameSite), security header enforcement
  • GET /api/security/connections/top shows owning process + user per connection for triage
Delivered by
  • CORE/security_hardening.py
API Reference
  • GET /api/security/posture
  • GET /api/security/connections/top
  • POST /api/security/fim/baseline
  • GET /api/security/shields
Competitive Comparison
  Platform                         Score  Note
  AETHER                           8/10   Built-in, no add-on cost
  Carbon Black App Control         8/10   Strong FIM, proprietary agent required
  Tripwire Enterprise              9/10   Dedicated FIM leader, high cost
  Microsoft Defender for Endpoint  7/10   Good on Windows, proprietary, subscription
  OSSEC/Wazuh                      7/10   Open source FIM, no AI/ML layer or SOAR integration
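The three thresholds named on this sheet (a 3-sigma anomaly threshold, PERSISTENCE = 3 samples before an ordinary alert, and the Z_INSTANT 10-sigma fast path) are the same Z-score baseline the Bots Training Camp sheet credits with removing bursty single-sample false positives, so one example serves both. The block below is an added illustration, not AETHER's CORE/security_hardening.py: the rolling-window size, the warm-up count before the baseline is trusted, the two-sided use of |z|, and the choice not to fold anomalous samples back into the baseline are all assumptions.

```python
"""Z-score behavioural baseline with a 3-sigma threshold, a persistence count
and a 10-sigma instant path. Added illustration, not AETHER's own code;
window size, warm-up count and sample data are constructed assumptions."""
import math
from collections import deque
from typing import Deque, Dict, List

Z_THRESHOLD = 3.0   # 3-sigma: a single sample counts as anomalous
Z_INSTANT = 10.0    # 10-sigma: alert on this one sample, no persistence wait
PERSISTENCE = 3     # anomalous samples in a row before an ordinary alert
MIN_SAMPLES = 10    # assumed warm-up before the baseline is trusted


class ZScoreBaseline:
    def __init__(self, window: int = 60):
        self.window: Deque[float] = deque(maxlen=window)
        self.streak = 0

    def _mean_sigma(self):
        n = len(self.window)
        mean = sum(self.window) / n
        var = sum((x - mean) ** 2 for x in self.window) / n
        return mean, max(math.sqrt(var), 1e-9)   # floor avoids division by zero on a flat baseline

    def observe(self, value: float) -> Dict[str, object]:
        if len(self.window) < MIN_SAMPLES:
            self.window.append(value)
            return {"verdict": "learning", "z": 0.0}
        mean, sigma = self._mean_sigma()
        z = abs(value - mean) / sigma          # two-sided: a service going quiet matters too
        if z >= Z_INSTANT:
            return {"verdict": "alert_instant", "z": z}   # catastrophic spike: fire immediately
        if z >= Z_THRESHOLD:
            self.streak += 1                   # anomalous samples are NOT folded into the baseline
            verdict = "alert" if self.streak >= PERSISTENCE else "anomalous"
            return {"verdict": verdict, "z": z}
        self.streak = 0                        # one normal sample breaks the persistence run
        self.window.append(value)              # only normal samples move the baseline
        return {"verdict": "normal", "z": z}


def run(samples: List[float]) -> List[str]:
    """Feed samples in order and return the verdict for each."""
    b = ZScoreBaseline()
    return [b.observe(s)["verdict"] for s in samples]


# Constructed baseline: mean 50, population sigma about 1.67 (e.g. connections per minute)
SAMPLE_BASELINE: List[float] = [50, 52, 48, 51, 49, 50, 53, 47, 50, 50]

if __name__ == "__main__":
    print(run(SAMPLE_BASELINE + [56, 56, 56, 51, 200]))
```

Against that baseline a reading of 56 is about 3.6 sigma: on its own it is merely "anomalous", it becomes an alert only on the third consecutive sample, and a single normal reading in between resets the run; a reading of 200 is about 90 sigma and takes the instant path without waiting.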