Meet WitFoo Precinct

Next-level Gear for the Good Guys

Pitch and Demo

We strive to be as transparent as possible with our customers and partners. This video is a full sales pitch with product demonstration. Relax, pop some popcorn and learn about what we have built. If you think we can help you, kick the tires by downloading a free trial. Want an even deeper dive? Get free certification at the WitFoo Community.

Data Pipeline – Modern, Big Data Processing

Data Pipeline

Building on industry-standard big-data technologies, WitFoo Precinct allows data to be collected, indexed and analyzed both forward-looking and retrospectively. Additionally, existing tools and data are incorporated via API interrogation. Data from all data sources is normalized into a common taxonomy, allowing for simplified interaction. Data can be stored and accessed on the embedded VM or in external data clusters.

Investigative Engine – Learning & Augmenting the Investigator

Creating Leads

Leads are created via a customizable signature language, with forward and retroactive analysis of artifacts. Events from all security tools in the organization are analyzed.

Lead Evaluation

Cross-data-domain analysis of leads utilizing human thought and process, reducing false positives and noise by 40%-90%. The system learns to model the suspicion of the investigator as work is performed.

Incident Creation

Analysts are presented with a fraction of investigation-worthy incidents, as Precinct then applies an algorithm based on common IR logic that analysts use to discern risk and renders a Suspicion Score for each.

Investigations Complete In Minutes, Not Hours

Removing Hours of Busy Work

Precinct presents incidents to analysts complete with all case-relevant evidence from across tools and data domains. Events from affected hosts, users, files, network traffic, and name-spaces are correlated and provided in one place within minutes.

Evidence Visualized

Incidents are displayed visually using the concepts of link-board analysis. The primary “suspects” and their relationships to each other are presented as nodes and edges, allowing investigators to determine the scope of the nefarious activity.

Human-Machine Collaboration

Precinct facilitates tribal knowledge sharing across investigations and network hosts by allowing analysts to annotate insights and characterize incidents and resolution techniques.

SecOps Performance, Quantified

Metrics in Context of Business

Precinct analytics support managers with an ability to quantify the business contribution of their teams, inform decision-making, and to justify current and future investments.

Measuring the Craft

IR teams get full visibility into the lifecycle of an incident, displaying duration of time from event identification through closure, noise ratios, failure rates, etc. Metrics are organically collected, allowing fact-based communication across the organization.

Measuring the Tools

Precinct also provides visibility into the impact existing security tools have on incident detection, including how many verified security incidents each tool is contributing and which are generating alarm noise. It also detects where tuning is needed across network tools.


WitFoo Precinct runs as a virtual machine (deployed as an OVA) that, in deployments of 10,000 or fewer endpoints, can run in a single instance. In larger organizations, data clusters can be offloaded from the virtual appliance to allow for horizontal processing and storage scale. Details on deployment architecture can be found on the WitFoo Appliance Download page.



Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool APIs.

Tool Syslog Field Extraction Network Communications User Sessions API Lab Insights
All Syslog Yes
Common Event Format (CEF) Yes Yes Yes Yes
NetFlow v5, v9 Yes Yes Yes
NSEL, jFlow, cFlow Yes Yes Yes
QRadar Yes Yes Yes Yes Yes Yes
Splunk Yes Yes Yes Yes Yes Yes
Cisco AMP Yes Yes Yes Yes Yes
CarbonBlack/Bit9 Protect Yes Yes Yes Yes
CarbonBlack/Bit9 Respond Yes Yes Yes Yes
CrowdStrike Yes Yes Yes Yes Yes
Symantec SEP Yes Yes Yes Yes Yes
McAfee ePO Yes Yes Yes Yes Yes
TrapX Yes Yes Yes Yes
Cisco ASA Yes Yes Yes Yes Yes
Palo Alto NGFW Yes Yes Yes Yes
Checkpoint FW Yes Yes Yes Yes
Cisco Meraki Yes Yes Yes Yes
Cisco ISE Yes Yes Yes Yes
Cisco Stealthwatch Yes Yes Yes Yes
Tippingpoint FW Yes Yes Yes
Winlogbeats Yes Yes Yes

Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.