How Sysdig is Using the ThreatQ Platform to Enhance Cloud Threat Detection and Response

Michael Clark, Director of Threat Research at Sysdig

It is always interesting to learn about real-world examples of technologies at work. So, when ThreatQuotient invited me to share how we at Sysdig are using the ThreatQ Platform to enhance our cloud detection and response solutions, I was happy to participate.

Let’s start with a little context around Sysdig. Anyone reading this blog knows that threat detection and response has been a foundational security technology for years. However, as more companies move their operations from on-prem to the cloud, they are turning to Sysdig for cloud security and container security for their modern architectures. Sysdig scans for thousands of indicators of compromise (IoCs) from a variety of sources, including strategically placed honeypots, data collection systems, commercial threat intelligence feeds, and open-source feeds, to enrich detections and give them more context. Informed by this continuously evolving threat intelligence, the Sysdig Threat Research Team writes, tunes, and pushes rules out to customers via the Sysdig platform to detect threats in containers, cloud infrastructure, and the Kubernetes control plane, and to implement response.

Organizations rely on Sysdig Secure to improve their cloud security posture. So, Sysdig is always looking for ways to improve its own threat intelligence and detection capabilities, which leverage the open-source Falco project. As the volume of threat data the company ingests continues to grow, Sysdig wanted a better way to manage threat intelligence and improve detection rules.

That’s where ThreatQuotient’s ThreatQ Platform comes in: 

  • The ThreatQ Platform with the DataLinq Engine ingests data from external data sources and automatically deduplicates and normalizes all that data so that it is in a uniform format for analysis and action. 
  • Because these threat feeds will inevitably contain some data that isn’t relevant, ThreatQ scores and prioritizes threat data based on parameters the Sysdig team sets and automatically filters out the noise. 
  • Expiration strategies that account for the different lifecycles of different pieces of intelligence ensure threat intelligence remains accurate and timely. This allows Sysdig to generate rich contextual data about threats that are relevant to Sysdig Secure users.
  • The ThreatQ Threat Library serves as organizational memory, storing the data collected, curating data collection for custom systems, and reprioritizing data based on new data and learnings from previous detections, investigations, and incidents to improve over time.

After reviewing the main platform providers, Sysdig selected the ThreatQ Platform for the following key reasons:

  • Architecture: Despite the fact that we are a cloud-first company, ThreatQ’s single-tenant architecture was important to Sysdig because it allows a separate instance to be provisioned for us, giving maximum control, efficiency, and speed.
  • Flexibility: ThreatQ’s very broad set of APIs, and custom connectors that can be written and deployed quickly, make it easy to import data from a variety of sources, including custom indicator types. The ability to build and automate workflows, manage threat intelligence expiration, and export threat data to existing tools to generate rule sets allows the Sysdig Threat Research Team to make sense of and operationalize vast amounts of indicators and other threat data efficiently and effectively. When writing reports and blogs, visualization through custom dashboards is also extremely valuable for measuring and categorizing data.
  • Team: The expertise and responsiveness of the ThreatQ team came through during the evaluation period and beyond. Support for custom workflows and integrations is fast, often in just a few hours or less, so we can move at “cloud speed” and help users get ahead of threats. 
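The pipeline the two lists above describe (ingest feeds, normalize and deduplicate, score and filter noise, expire by indicator lifecycle, export to the detection tool as rule material) can be sketched end to end in a few dozen lines. The following is an added illustration written for this post, not ThreatQ or Sysdig code: the source weights, per-type TTLs, and the feed records are constructed and hypothetical, and the only real format it relies on is Falco's `- list:` / `items:` YAML, which a Falco rule condition can reference.

```python
"""Toy threat-intel pipeline: ingest -> normalize/dedupe -> score -> expire -> export.
Added example, not vendor code. Weights, TTLs and feed records are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Per-type lifetime (hypothetical): IPs churn quickly, file hashes stay valid for a long time.
TTL_DAYS = {"ipv4": 7, "domain": 30, "sha256": 365}
# Per-source trust weight (hypothetical): a honeypot hit is worth more than an OSINT list entry.
SOURCE_WEIGHT = {"honeypot": 60, "commercial": 40, "osint": 20}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


@dataclass
class Indicator:
    ioc_type: str
    value: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)

    @property
    def score(self) -> int:
        # Best single source plus a bonus for each corroborating source, capped at 100.
        best = max(SOURCE_WEIGHT.get(s, 10) for s in self.sources)
        return min(100, best + 15 * (len(self.sources) - 1))

    def expired(self, now: datetime) -> bool:
        # Expiry is driven by the last sighting and the type's own TTL, not a global cutoff.
        return now - self.last_seen > timedelta(days=TTL_DAYS[self.ioc_type])


def normalize(raw: str):
    """Return (type, canonical value) or None for noise. Refangs '[.]'/'hxxp', lowercases."""
    v = raw.strip().lower().replace("[.]", ".")
    v = re.sub(r"^(hxxps?|https?)://", "", v).split("/")[0]  # drop scheme and any URL path
    if IPV4_RE.match(v) and all(0 <= int(o) <= 255 for o in v.split(".")):
        return "ipv4", v
    if SHA256_RE.match(v):
        return "sha256", v
    if DOMAIN_RE.match(v):
        return "domain", v
    return None


def ingest(records):
    """Dedupe feed records into one Indicator per (type, value), merging sources and dates."""
    library = {}
    for rec in records:
        norm = normalize(rec["value"])
        if norm is None:
            continue  # unparseable entry: dropped as noise
        seen = datetime.fromisoformat(rec["seen"]).replace(tzinfo=timezone.utc)
        ind = library.get(norm)
        if ind is None:
            ind = library[norm] = Indicator(norm[0], norm[1], seen, seen)
        ind.sources.add(rec["source"])
        ind.first_seen = min(ind.first_seen, seen)
        ind.last_seen = max(ind.last_seen, seen)
    return library


def select_active(library, now, min_score=40):
    """Keep unexpired indicators at or above the score threshold, highest score first."""
    keep = [i for i in library.values() if not i.expired(now) and i.score >= min_score]
    return sorted(keep, key=lambda i: (-i.score, i.value))


def to_falco_list(indicators, ioc_type, name):
    """Emit a Falco 'list' block whose items a rule condition can reference by name."""
    items = ['"%s"' % i.value for i in indicators if i.ioc_type == ioc_type]
    return "- list: %s\n  items: [%s]\n" % (name, ", ".join(items))


# Constructed sample feed (reserved documentation addresses and .test/.example names).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEED = [
    {"source": "honeypot", "value": "203.0.113[.]10", "seen": "2024-05-30"},      # defanged
    {"source": "osint", "value": "203.0.113.10", "seen": "2024-05-20"},           # duplicate of above
    {"source": "osint", "value": "198.51.100.7", "seen": "2024-04-01"},           # stale IP: expires
    {"source": "commercial", "value": "hxxp://Malware-Example[.]test/x.sh", "seen": "2024-05-25"},
    {"source": "osint", "value": "BAD-DOMAIN.example", "seen": "2024-05-28"},     # lone OSINT hit: low score
    {"source": "commercial", "value": "A" * 64, "seen": "2023-09-01"},            # old hash: long TTL, kept
    {"source": "osint", "value": "not an indicator", "seen": "2024-05-29"},       # noise
]


def run_pipeline(records=SAMPLE_FEED, now=NOW):
    active = select_active(ingest(records), now)
    return to_falco_list(active, "ipv4", "ti_bad_ips") + to_falco_list(active, "domain", "ti_bad_domains")


if __name__ == "__main__":
    print(run_pipeline())
```

The deduplication key is the normalized (type, value) pair, so the defanged honeypot hit and the plain OSINT entry collapse into one indicator whose score rises because two sources corroborate it; the hash survives despite its age because its type carries a much longer TTL, which is the lifecycle-aware expiry the post refers to.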

In the future, Sysdig is planning to expand its integrations to include non-machine-readable threat intelligence. And as Sysdig continues to grow, the addition of ThreatQ Data Exchange will allow us to scale sharing of intelligence data across many different teams.

To learn more about why Sysdig selected the ThreatQ Platform, how it is being used, and the value it is delivering, save your seat at our joint webinar.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.