A cybersecurity provider built around a large-scale IP reputation + relationship intelligence graph, delivered as a database and embedded into products that can block malicious connections in real time at the network layer.
General idea / business model
· Maintain a continuously updated threat intelligence repository that profiles billions of IP addresses with historical behavior, associations, and reputation signals.
· Package that intelligence in two main ways:
1. Operational prevention: a SaaS network security layer that inspects inbound/outbound connections and automatically blocks (“kills”) connections deemed high-risk.
2. Investigative/visibility tooling: big-data and monitoring products that let security teams explore IP relationships, trace activity across the internet, and flag suspicious traffic in real time.
· Sell through a mix of channel partners (VARs/MSPs) plus direct sales, targeting both enterprises and government users.
What’s unique about the model
· IP-centric threat graph as the core asset: rather than starting from endpoints, identities, or signatures, it treats the internet’s IP space as a primary signal and builds a long-history intelligence layer around it.
· Fusion of intelligence + enforcement: the same dataset that supports investigation is also wired directly into automated, real-time mitigation, so it’s not “intel-only,” and not “tool-only,” but both.
· Network-level “connection kill” posture: emphasis on stopping attacks by blocking risky connections (inbound and outbound) at the network edge, which can reduce dwell time and limit lateral movement.
· Designed for unknowns/novel threats: positioning is less about matching known malware patterns and more about using reputation/association behavior to disrupt suspicious activity even when the specific exploit is new.
Why it’s different
Many cybersecurity stacks separate:
· threat intelligence feeds (data)
· SIEM/monitoring (visibility)
· firewall/EDR (enforcement)
This model differentiates by making a single IP-intelligence backbone do double duty, powering both analysis and instant blocking, with products built to operationalize the dataset instead of treating it as an add-on feed.