Assess threat intel operations before you scale OpenCTI or integrations

Threat intel programmes often accumulate sources, portals, and tickets without a measurable link to enrichment speed, prioritisation, or detection improvement. Teams deploy OpenCTI hoping structure will follow, while Splunk ES and SOAR workflows stay unchanged.

Why this matters

Without an operations assessment, deployments recreate the same chaos in a new tool — and detection engineering on the ES hub never receives trustworthy, timely intel.

Feeds without lifecycle management (scoring, deduplication, and ageing out stale indicators) overload analysts; the assessment targets enrichment and prioritisation outcomes rather than feed count.

OpenCTI value depends on roles, data model, and connectors, not on a licence and a default install alone.

Splunk ES is often the system of record — assessment clarifies intel-to-SIEM handoffs without duplicating ES detection engineering here.

What you get

Clear outputs you can use

A bounded threat intel operations assessment: current people/process/tool posture, desired intel outcomes, OpenCTI fit, and a prioritised roadmap — workflow outcomes over “install OpenCTI,” with Splunk ES integration as the primary downstream story.

  • Current-state intel operations map: sources, workflows, tools, and gaps
  • Outcome-aligned recommendations for OpenCTI adoption, deployment, or integration sequencing
  • Prioritised backlog for deployment, pipeline integration, or ES hub follow-on work

Why teams talk to GKC

Calm, practical, and grounded in the environment you already have

Cyber defence positioning — complements Splunk ES and general detection services

Independent delivery — not Filigran licence resale or Cisco portfolio bundling

Workflow outcomes — faster enrichment and prioritisation, not vendor feature tours

What happens next

A straightforward first step

We keep the first step straightforward so you can understand fit, scope, and likely value before deciding what to do next.

1. Establish intel outcomes

We align with SOC and intel leads on enrichment speed, prioritisation, cases, and detection improvement goals.

2. Review operations and tooling

We assess sources, analyst workflows, existing platforms, and OpenCTI readiness across agreed scope.

3. Deliver the roadmap

You receive prioritised options for scoped OpenCTI deployment, pipeline integration, or ES coordination.

Questions teams often have

Common questions

We already bought OpenCTI. Is assessment redundant?

No. Purchase does not mean operations are mature. The assessment prioritises the connectors, roles, and SIEM handoffs that actually change analyst work.

Should Splunk ES hub run this instead?

The ES hub owns SIEM depth and detection engineering. This assessment covers intel operations and OpenCTI fit; integration work is then scoped on the Filigran hub or the ES hub, whichever fits.

Does this include OpenBAS adversary simulation?

OpenBAS setup is out of scope for phase 1. The assessment may note where breach and attack simulation (BAS) would fit; delivery is scoped separately if you choose that path.

Next step

Start with a practical conversation

We can talk through the environment, what is making this feel urgent or uncertain, and whether this service is the right fit. If another starting point makes more sense, we will say so.