Solutions Matrix

Endless Possibilities

Our products are very flexible and can be combined in many ways to build the optimal solution or integrate seamlessly into your existing infrastructure and workstream.

THOR as a Plugin

The flexible and portable character of THOR allows deploying it in many different ways. Our customers have integrated THOR as an additional scanner in their malware analysis pipeline, use it in their EDR to scan collected samples and deploy it in live response sessions.

Proofs of Concept with Free Versions

To provide a proof-of-concept or demo environment, you can always use the free versions of THOR or VALHALLA to get things going. 

Use Cases and Solutions

Use Case: Lab Scanning (Forensic Images)
Description: Accelerated forensic analysis of images collected from end systems
Recommended Products:
  THOR (Forensic Lab License)
    • Requires images to be mounted by 3rd party products
    • Supports multiple instances running on a single forensic workstation
    • Supports YARA scans on memory dumps (in DeepDive mode)

Use Case: Lab Scanning (Malware Analysis Pipeline)
Description: Integration of Nextron's signature matching into a malware analysis pipeline
Recommended Products:
  THOR in Dropzone Mode (Forensic Lab License)
    • THOR Forensic Lab License is 4 times cheaper than the full VALHALLA rule feed
    • Dropzone mode monitors a directory for dropped samples and outputs Text or JSON
  VALHALLA YARA Rule Feed
    • Use with command line “yara” tool or custom scan engine
    • 5 categories of Nextron’s YARA rule set
    • Category “Threat Hunting” not included (requires partner assessment)

Use Case: Single System Live Forensics
Description: On-demand live forensic scans to verify findings from your SOC team
Recommended Products:
  THOR (SOC Toolkit License Pack)
    • Affordable pricing
    • Optimal license lifetime (1 day per endpoint)
    • Requires a method to deploy and run THOR on a suspicious endpoint (e.g. scripting)
  THOR Cloud (SOC Toolkit License Pack)
    • Easy integration with EDRs
    • No setup costs
    • No servers or agents required
  THOR with ASGARD
    • ASGARD server and agent required
    • Central management
    • Evidence collection features (memory, files etc.)
    • IOC management
    • Response playbooks
    • Full remote command line via HTTPS
    • Flexible API to integrate into your SOAR solution

Use Case: Triage
Description: Network-wide scans with custom indicators to evaluate the extent of a compromise
Recommended Products:
  THOR (Compromise Assessment or Incident Response License Pack)
    • Requires some scripting to execute THOR on multiple end systems
    • Requires log analysis in a 3rd party system (e.g. Splunk, Elastic)
  THOR with ASGARD and Analysis Cockpit
    • ASGARD server and agent required
    • Central management
    • MISP integration
    • Custom IOC and YARA rule management

Use Case: Continuous Compromise Assessment
Description: Recurring compromise assessments with a thorough initial analysis and minimal effort after the first baselining
Recommended Products:
  THOR with ASGARD and Analysis Cockpit
    • ASGARD server and agent required
    • Scheduling of scans on groups of endpoints
    • Analysis Cockpit is optimized for the analysis of recurring scans

Use Case: Supercharged Detection in 3rd Party Products
Description: Integration of Nextron's signature matching into 3rd party products
Recommended Products:
  VALHALLA YARA Rule Feed
    • Integrate into your 3rd party appliance (Sandbox, EDR sample collection etc.)
    • Use on end systems is not permitted

Use Case: Incident Response and Evidence Collection
Description: Run custom playbooks and evidence collection tasks on an unlimited number of endpoints
Recommended Products:
  ASGARD
    • ASGARD server and agent required
    • Evidence collection at scale (memory, files etc.)
    • Response playbooks
    • Full remote command line via HTTPS
    • Flexible API to integrate into your SOAR solution

Integration Examples

Microsoft Defender and THOR Cloud

Microsoft Defender ATP plays to its strengths in detecting live attacks, suspicious process starts and network connections. THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity.

You can find more information on that integration here.

VALHALLA YARA rules and FireEye NX/EX

Customers retrieve our rule sets and integrate them into their FireEye appliances. The command line client for VALHALLA supports filters that make it easy to get only the rules that are supported by the appliances. Remember that you can test the integration of over 2000 open source rules using the DEMO API key. 

MISP Integration into ASGARD

ASGARD v2 features a neat and fast MISP integration that allows you to check the IOCs of one or more MISP events in a triage on hundreds or thousands of endpoints. We’ve showcased this feature in a short animated GIF that highlights the integration.