Mobula · Attack Storyline

A wall of alerts,
told as one story.

Mobula correlates alerts across time, hosts, and identities into a single attack narrative - then writes it up, maps it to the MITRE kill chain, and predicts the attacker's next move. Analysts read a story, not a queue.

14→1 · Alerts to one story
6 · Entities mapped
Next move · Predicted
Storylines / STORY-2026-0188
HIGH · Credential harvesting → lateral movement to finance
✦ RESEMBLES APT29 · 71%
14 alerts · 6 entities · started 2d ago · last activity 12m ago · ACTIVE
Narration · v3 · claude-opus-4 · 12m ago
Initial foothold
A phishing message ●3f9c1a delivered a macro-laden attachment to p.alvarez, who then entered credentials on a spoofed portal ●7b2e44.
Lateral movement
Those credentials authenticated to WIN-HR-07 and pivoted into the finance subnet ●c10ad8, where the actor began staging data on FIN-DB-03.
01

Alerts arrive already grouped into stories

The correlation engine follows the entity graph and the kill chain - not just shared indicators - so related alerts across hosts, users, and time land as one storyline. Split by Users and Hosts, ranked by severity.

Storylines
AI kill-chain - related alerts stitched into a single narrative.
Users · Hosts
Active · All · Promoted to Case
Severity · User · Title · Alerts · Entities · Last activity · Status
HIGH · p.alvarez · ENTRY
Credential harvesting → lateral movement to finance
T1566 · T1078 · T1021 +3
14 alerts · 6 entities · 12m ago · ACTIVE
CRITICAL · svc-backup · PIVOT
Service-account abuse → ransomware staging
T1078 · T1486 +2
2293m ago · ACTIVE
MEDIUM · m.chen · TARGET
Impossible-travel sign-in cluster
T1078 · T1110
5 alerts · 2 entities · 1h ago · DORMANT
HIGH · DC-01 · PIVOT
Kerberoasting → domain-controller enumeration
T1558 · T1087 +1
9426m ago
02

Every stage, on the ATT&CK kill chain

Each alert is plotted against the MITRE tactic it belongs to and the moment it happened - so the recon → access → lateral-movement → exfil arc is obvious at a glance. Dimmed dots are precursor “hunting” signals.

Storyline / ATT&CK Kill Chain
Initial Access
Execution
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
09:14 · 11:00 · 14:30 · 18:05 · 23:40
Critical · High · Medium · Low · 14 alerts
03

Know the next move before it happens

The AI reads how the attack has unfolded and forecasts the most likely next tactics - each with a confidence score and a concrete step to harden before the attacker gets there.

Storyline / Projected Next Moves
Projected next moves · AI · claude-opus-4 · 12m ago
Exfiltration · 78%
T1567 · Exfiltration Over Web Service
HARDEN NOW
Block egress to unsanctioned cloud-storage domains from the finance segment.
Impact · 52%
T1486 · Data Encrypted for Impact
HARDEN NOW
Confirm offline backups for FIN-DB-03 and verify the restore window.
Persistence · 33%
T1547 · Boot or Logon Autostart
HARDEN NOW
Alert on new Run-key and scheduled-task creation across the pivot hosts.
04

See exactly who's connected - and why

The blast-radius map pins every host and identity by its role - entry, pivot, target - and labels each link with the reason two alerts were joined. The scope of a breach in one picture.

Storyline / Blast Radius
E p.alvarez · m.chen · P WIN-HR-07 · T FIN-DB-03 · svc-backup
Shared asset · Shared user · IOC overlap · MITRE adjacency · Time proximity
Each line explains why two alerts were joined - E entry · P pivot · T target.
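
The labelled joins described here and in the storyline list, sketched as an added example (not Mobula's code): two alerts are linked only when they share a host, user or indicator, each link keeps its reason labels, and union-find groups the linked alerts into storylines. The alert fields, the 48-hour window, the 30-minute proximity threshold and the sample alerts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from itertools import combinations
# Tactic order as listed in the page's kill-chain view.
TACTICS = ["Initial Access", "Execution", "Credential Access", "Discovery",
           "Lateral Movement", "Collection", "Exfiltration"]
WINDOW = timedelta(hours=48)   # assumed maximum gap between joined alerts
NEAR = timedelta(minutes=30)   # assumed "time proximity" threshold

def join_reasons(a, b):
    """Labelled reasons to join two alerts; [] when no entity or IOC links them."""
    gap = abs(a["time"] - b["time"])
    reasons = [label for label, hit in (
        ("Shared asset", a["host"] == b["host"]),
        ("Shared user", a["user"] == b["user"]),
        ("IOC overlap", bool(set(a["iocs"]) & set(b["iocs"]))),
    ) if hit]
    if not reasons or gap > WINDOW:
        return []              # timing or tactic order alone never joins alerts
    if abs(TACTICS.index(a["tactic"]) - TACTICS.index(b["tactic"])) <= 1:
        reasons.append("MITRE adjacency")
    if gap <= NEAR:
        reasons.append("Time proximity")
    return reasons

def build_storylines(alerts):
    """Union-find over alert ids; returns (storylines, labelled edges)."""
    parent = {a["id"]: a["id"] for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    edges = {}
    for a, b in combinations(alerts, 2):
        if why := join_reasons(a, b):
            edges[(a["id"], b["id"])] = why
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for a in sorted(alerts, key=lambda x: x["time"]):
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(groups.values(), key=len, reverse=True), edges

# Constructed sample alerts; host and user names reuse the page's mock-up.
ROWS = [("a1", 9, 14, "WIN-HR-07", "p.alvarez", "Initial Access", ["mail.example"]),
        ("a2", 9, 20, "WIN-HR-07", "p.alvarez", "Credential Access", ["mail.example"]),
        ("a3", 14, 30, "FIN-DB-03", "p.alvarez", "Lateral Movement", []),
        ("a4", 14, 35, "FIN-DB-03", "svc-backup", "Collection", []),
        ("a5", 14, 32, "KIOSK-02", "guest", "Discovery", [])]  # unrelated noise
ALERTS = [dict(id=i, time=datetime(2026, 1, 5, h, m), host=ho, user=u, tactic=t, iocs=io)
          for i, h, m, ho, u, t, io in ROWS]
print(build_storylines(ALERTS))
```

Alert a5 stays in its own storyline even though it fires two minutes after a3 with an adjacent tactic, because no host, user or indicator connects it to the others.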

Correlated · narrated · predicted

From noise to narrative - automatically.

Attack Storyline turns scattered alerts into one attributed, readable incident, with the attacker's next move already on the board. Promote the whole story to a case in a click.

Mobula SOAR · runs fully air-gapped · no customer data leaves the tenant