ThreatSpire logoThreatSpire

Platform · Evidence Timeline

Every claim, traced back to its source.

The Evidence Timeline is a chronological, source-linked record of what an adversary has actually done. Every entry ties back to the exact report it came from — so your intelligence holds up whether it's feeding a hunt or a board briefing.

Back to platform

threatspire / actors / SILVERSCALE-117 / timeline

Evidence Timeline

SILVERSCALE-117

5 SOURCED EVENTS

  1. 26 May 2026

    · Today
    Initial AccessT1566.001

    Phishing campaign targeting Nordic logistics with weaponized ISO attachments.

  2. 18 May 2026

    · 8d ago
    C2T1071.001

    Beaconing to fastflux .top domain cluster; TLS JA3 matches prior campaign.

  3. 11 May 2026

    · 15d ago
    ImpactT1486

    Ransomware deployment observed at two manufacturing subsidiaries.

  4. 03 May 2026

    · 23d ago
    Disclosure

    Stolen credentials posted on darkforum thread tied to actor alias.

  5. 22 Apr 2026

    · 34d ago
    PersistenceT1547.001

    Registry run key modification detected on compromised endpoints.

The problem

“Trust me” isn't intelligence.

When a finding can't be traced to a source, it can't be defended. Analysts paste claims from a dozen feeds with no link back to the original, duplicates pile up, and the moment someone asks “how do we know this?” the answer is a shrug. Unsourced intel erodes trust exactly when decisions depend on it.

Pain

Claims without provenance

Intel arrives as bullet points with no way to verify where they came from.

Cost

Trust erosion under pressure

The moment a finding is questioned, the team has nothing to stand on.

How it works

From raw reporting to defensible timeline.

  1. 01

    Ingest

    Continuously pulls in reporting from across the web — security news, vendor research, and disclosure feeds.

  2. 02

    Extract

    Turns raw articles and reports into discrete, dated activity events instead of walls of text.

  3. 03

    Link

    Binds every event to the exact source it came from, with publisher and date preserved.

  4. 04

    Sequence

    Assembles events into a clean, deduplicated, recency-ranked timeline per actor.

What you get

What the timeline gives you.

Source-linked entries

Every event carries a link to its origin. One click takes an analyst — or an auditor — straight to the report it's based on.

Multi-source ingestion

News, vendor reporting, and ransomware/disclosure feeds flow into one timeline, so the picture isn't dependent on a single source.

Categorized & ATT&CK-tagged

Events are typed (initial access, C2, impact, disclosure, and more) and aligned to MITRE ATT&CK so behavior is searchable, not buried.

Deduplicated & recency-ranked

Near-duplicate reporting is collapsed and the freshest, most relevant activity rises to the top — signal over noise.

Source tiering & confidence

Entries are weighted by the quality of the source, so a vendor advisory and an unverified post aren't treated as equals.

Why it's different

Built differently from the ground up.

Evidence-first by construction.

ThreatSpire won't surface a claim it can't attribute. Source-linking isn't a feature you turn on — it's how the timeline is built.

Auditable end to end.

From any finding, trace the full chain back to the original report. Defensible to a hunt lead, a customer, or a regulator.

Always current.

The timeline refreshes as new reporting lands, so what your team sees reflects the latest known activity — not last quarter's snapshot.

It feeds everything

Every entry source-linkedNews + vendor + disclosure feedsATT&CK-tagged eventsDeduplicated & recency-ranked

The Evidence Timeline is the spine of every actor profile, priority question, and decision trace in ThreatSpire.

See the evidence behind every finding.

Pick an actor — we'll show you the sourced timeline ThreatSpire builds.