How WitFoo Precinct along with Gigamon and FireEye enable Ardalyst’s SOC of the Future.


WitFoo Company Background

WitFoo was founded in 2016 by veterans of the US Military, law enforcement and cybersecurity to develop tools and data that will aid in maturing the craft of cybersecurity operations. From 2016 to 2019, WitFoo conducted research with organizations ranging from higher education to the Fortune 500 to develop a comprehensive cybersecurity platform. In January 2020, WitFoo Precinct 6.0 was released for General Availability (GA) as the world’s first Diagnostic SIEM. WitFoo Precinct is available via distribution partner SYNNEX Westcon/Comstor commercially and via GSA Schedule. WitFoo sells exclusively through reselling partners to ensure customer success.

WitFoo Precinct Overview

WitFoo Precinct combines the best practices from the crafts of cybersecurity, US Military, and law enforcement to deliver comprehensive craft metrics and workflows.

Message Processing

Precinct accepts data over diverse transports including syslog (udp/tcp/tls), NetFlow/IPFIX and Kafka message clusters. Additionally, Precinct supports Elastic Beats agent data and connection to a growing number of API integrations with technology partners. For a complete list of current data sources, visit

Adaptive Parsing

All messages are analyzed using semantic framing. An approach from Natural Language Processing (NLP), to fully comprehend the meaning of each message, extract data elements and map them to a common schema. Unknown message types are sanitized and submitted to WitFoo Library for analysis by WitFoo researchers, to create new semantic frames for the message type. New messages are researched with our technology partners to fully understand the intent and syntax of the messages. Precinct checks for new parsing frames every 5 minutes. New semantic frames are generally developed in under three (3) business days. This approach allows all WitFoo customers to benefit from the collection of thousands of frames without needing to expend labor to support new or changing data sources.

Data Searching

Precinct inserts messages with the raw message, forensic data (sending source, timestamps, etc) and extracted fields. The search interface allows operators to search all data-sources without needing to understand a query language or the message data formats.

Incident Creation

Using investigative models borrowed from law enforcement, WitFoo Precinct builds relationships of all network computers, users, files, and emails. Precinct evaluates them for potential nefarious behavior by analyzing data, objects, and relationships for matches against the modus operandi of attackers.

Incident Analysis

Normalized incidents are analyzed using high-level Security Orchestration, Automation & Response (SOAR). WitFoo SOAR checks entire incidents for all observations that an expert analysis would run. The results of these observations impact the suspicion of incidents. Suspicion informs investigators if there is sufficient evidence to act against attacking hosts or compromised credentials.

Disruption Detection

Precinct analyzes every incident to determine if the security architecture successfully disrupted (blocked/quarantined, etc.) an attack. These incidents are closed as “disrupted” and generally do not require action by the local operator.

Response actions

SOAR actions are available via API integrations, which are triggered using RBAC permissions. SOAR actions can also be triggered remotely from enabled Aggregation clusters.

Proactive Diagnostic Metrics

Precinct provides readiness metrics by inventorying all security controls and evaluating the operational efficiency of each tool.

Scalable Architecture

Precinct clusters can be as small as a single node with 24GB of RAM and 8 CPU cores. Clusters can consist of an infinite number of data and processing nodes to allow for infinite ingestion, processing and storage. Precinct can deploy on physical hardware, virtual hypervisors, public and private cloud, or in combination. Details can be found at

Offline Mode

WitFoo Precinct can operate in offline or intermittent communication networks. For completely disconnected deployments, WitFoo Coordinator can be used to allow for air-gapped operation (

Operation Modes

WitFoo Precinct operates in two separate modes: Normal and Aggregation.

Normal Operation Mode

Normal Operation Mode collects and analyzes local data, producing incidents and metrics. Deployments running in Normal mode can be configured to send data to clusters operating in Aggregation mode. Connections to Aggregation clusters are one way (Normal as client, Aggregation as server) over HTTPS (443/tcp.)

Aggregation Operation Mode

Deployments in Aggregation Operation Mode can receive full Incident information (including raw messages) from other Precinct Deployments configured to send to it. These deployments can be running in Normal or Aggregation Modes. Sending data to Aggregation clusters are queued and delivery is confirmed to account for unstable internet connections.

Aggregation clusters can publish:

  • Response actions for downstream Normal nodes to execute.
  • Search jobs to execute and forward results.
  • Detection rules for downstream Normal nodes to use in creating incidents.

WitFoo Support and Training

WitFoo Certified User (WFCU) training is available at no cost on (sign up required.) WFCU course covers WitFoo philosophies, mechanics, configuration and workflows. Additional training can be obtained through WitFoo Gold Partners. Email, web and phone support is available 8×5 via WitFoo personnel. Additional support options are available through WitFoo Partners.

WitFoo – SOC of the Future (SOTF)  for US Navy

Fleet Deployments– US Navy shore, mobile expeditionary and afloat nodes, including shore infrastructure and permanently installed shipboard components. Fleet Deployments run in WitFoo Precinct Normal Operating Mode.

Shore SOC – Centralized Security Operation Centers with advance personnel skillsets monitoring many Fleet Deployments. Shore SOC deployments run in WitFoo Precinct Aggregation Mode.

In Fleet Deployments, WitFoo receives data telemetry from Gigamon visibility fabric, FireEye Endpoint & Network solutions and deployment level logging technologies at the ship level. Using WitFoo Precinct adaptive parsing, proprietary message types will be understood by custom semantic frames. All data will be analyzed at the fleet deployment. Fleet deployments will periodically check in with Shore SOC (every minute when communications allow.)  Shore SOC receives full incident data from Fleet Deployments, can publish response actions via FireEye (or other supported integrations) to remediate attacks, queue up search jobs and publish detection logic to those Fleet Deployments. Fleet Deployment readiness is available for review at the Shore SOC.