Works with your stack.
Nythrix exports detections, IOCs, and evidence to the tools your SOC and SecOps teams already use — and pulls operational context back in for cross-reference. Every integration ships with closed-loop verification where supported.
Push detection rules, IOCs, and incident context to the systems your SOC runs on. Closed-loop verification confirms rules stay active and captures fire counts.
Splunk
Detections are exported as saved searches with a cron schedule and alert actions. Rule IDs are tracked for closed-loop verification. Hunt leads are exported as Splunk SPL queries.
Elastic Security
Detection rules are pushed via Kibana with rule ID and query translation. Verification polls the Kibana API to confirm rule status and pull signal counts.
Microsoft Sentinel
Scheduled analytics rules are created with automatic KQL query translation. Rule state, disabled status, and incident counts are tracked via the Sentinel API.
Argeon SOC
Detections and honeypot IOCs published as SOC events. Cross-references IPs attacking honeypots against production network telemetry for early-warning enrichment.
Share canary-driven IOC feeds with your edge firewall and consume attacker telemetry from edge logs.
Cloudflare
Publish IOC lists as Cloudflare Firewall Rules and consume edge logs via Logpush. Attackers burned at the honeypot are blocked at the edge within minutes.
Ship detection rules as code. Every rule change is a reviewable PR or MR in your own source-control workflow, with audit trail.
GitHub
Detection rules exported as pull requests against a repository you control. Full diff review, CI checks, and standard code-review workflow on security rule changes.
GitLab
Detection rules are exported as merge requests with the same review-and-audit workflow. Rule changes are tracked inside your existing GitOps pipeline.
Deploy collectors with one click to built-in cloud targets, or download the collector and run it on any infrastructure you control.
Hetzner
One-click provisioning with auto-geo from the selected region. EU and US regions supported with Attack Likelihood Zone placement guidance.
DigitalOcean
One-click provisioning to any DigitalOcean region. Auto-geo, auto-teardown, and auto-redeploy handle the full lifecycle.
Vultr
One-click provisioning to global Vultr regions. Same managed experience as other built-in targets.
Any other infrastructure
Download the collector artifact and run it on any cloud, VPS, bare-metal server, private network, on-prem environment, colo, or edge device. Outbound-only, firewall-friendly, air-gap capable.
Pull enrichment from public and commercial intel providers, plus custom feeds. Every detection is auto-correlated against active incidents.
AbuseIPDB
IP reputation and abuse reports correlated against honeypot attackers.
GreyNoise
Mass-scanner tagging separates targeted intrusions from background noise.
VirusTotal
File and URL reputation for artifacts captured from attacker sessions.
Shodan
Internet-exposure context and scanner identification.
abuse.ch (ThreatFox / URLhaus / Feodo Tracker)
Malware IOCs, malicious URLs, and botnet C2 feeds.
CISA KEV
Known Exploited Vulnerabilities catalog auto-cross-referenced against observed exploit attempts.
OTX + MISP + custom CSV
Bring-your-own feeds via OTX, MISP instances, or CSV import. 7-day IOC caching built in.
Send data the way your tools consume it.
Custom destinations aren't a problem — deliver detections, IOCs, and evidence via any of these formats, with HMAC signing and retry-safe webhook delivery.
Need a specific integration?
If your SIEM, SOC, or security stack isn't listed here, talk to us. Custom webhook delivery plus the full export-format set means most integrations work out of the box.



