Advanced Threat Monitoring Platform

Advanced analyst tool for advanced threat detection.

Adaptive and intelligent human adversaries are behind every advanced threat. Rapidly adapt your defenses and enable your defenders to detect threats and create intelligence in a single platform.


Arena ATM for Advanced Threat Monitoring

Arena ATM™ is a specialized, file-centric threat detection platform for advanced cyber analysts. It is built to provide analysts with robust network visibility and email-focused intrusion detection capabilities. Arena ATM presents the analyst with a web-based user interface enabling the capture, search, and review of file-centric threats on the network.

There are three key elements to the Arena ATM platform. Passive sensors collect network metadata at key internet points of presence and extract emails. The file-centric scanner performs recursive analysis on these emails to isolate malicious code and create metadata for future analysis. Metadata is stored on the central server, which provides long-term data storage, and the central server forwards scan findings to the SIEM for high-confidence alerting.

Arena ATM includes three main tools:

  1. Search: Using the interface, analysts can search network logs, NetFlow data and object scan results. Visual reporting of collected network metadata enables analysts to connect the dots that other tools miss.
  2. File Scan: The scanner performs recursive object scanning, exposing hidden sub-objects that evade detection through obfuscation, encapsulation, and encoding. All email file attachments are scanned, and a tree view of the embedded objects is created.
  3. Signatures: Using known threat intelligence and insight from previous file scan results, analysts develop new YARA signatures for future malware detection.

Arena ATM empowers analysts to gather intelligence and develop capabilities needed to hunt adversaries by:

  • delivering in-depth network visibility
  • enabling email-focused intrusion detection and malware analysis
  • allowing creation of new rules, scanner modules, and automated workflows
  • enabling effective threat intelligence consumption
  • fostering the production of your own analyst-based intelligence

Benefits

Visibility
  • Gain architecture-agnostic enterprise-wide network visibility
Analysis
  • Recursive static object scanning helps defeat exploits that are VM-aware
  • Platform developed by cyber security practitioners, not researchers
Flexibility & Control
  • Eliminate vendor dependencies – quickly create new detections and adapt defenses as needed
  • Reduces false-positives over time
  • Customized scanning workflows help automate repeatable detections and maintain consistency of analysis


Metadata Search

Passive network sensors and file scanning results give cyber analysts the visibility and metadata needed to build context around potentially malicious activity.

Analysts run searches against this metadata to correlate discovered malicious activity identified by the recursive scanning of emails and attachments. Metadata search results can identify traffic flows or machines that have been compromised.


File Scan Results

The file scan function recursively invokes various modules that break down attachments or files into atomic elements, analyzing the content against analyst-defined YARA rules, antivirus signatures and other scanning modules. It then makes a determination based on user-defined classifications. All findings are provided to the SIEM to trigger alerts based on classification.

When analysis reveals a new threat, an existing rule is modified or a new rule is created to cover the exploit. Future file scans then benefit from the discovery.


Evolving Detections

Post-analysis of known classified threats provides content and context for the analyst to manage signatures and create new detections. By applying signatures directly to sub-objects of interest, future malware variants are detected regardless of changes in encapsulation. Analysts can further develop new modules and workflows to enhance their detection capabilities.


Create your own detections and increase analyst efficiency.

Request a consult with a cybersecurity expert today.
