Visions and lessons from hypersonic travel

Our ambitions were never modest. Since day one, our vision has been to democratize cyber threat intelligence by making the most powerful tools and techniques accessible to all. Anyone, regardless of their technical expertise, should be able to contribute to making the web a safer place.

Naively, we thought we could build such a service from scratch without first generating a source of income. But as we approach the three-year anniversary of writing our first lines of code, the platform we envisioned is still not in sight.

Looking back, we've made many costly mistakes – both financially and in terms of scope and direction: we've developed and then discarded comprehensive user interfaces; we've gone viral without adequate preparation; and we've been featured on BlackHat during a system outage. Yet they all pale in comparison to the biggest of them all: not realizing sooner that we will never come close to our vision without first establishing a sustainable business.

As our time and money are running out, we are faced with an existential dilemma: either we transition from enthusiasts to entrepreneurs, or we put our vision to rest.

This article reflects our newly formed strategy for embracing this reality. It outlines a significant shift towards focusing on what we do best: enriching and contextualizing web selectors on a grand scale. We are not putting our vision to rest, but we are pacing ourselves for a marathon, not a sprint.

The story of Hermeus

A few weeks ago, we watched a video from Real Engineering that really resonated with us. The video was about Hermeus, an American hardware startup with an even crazier vision than ours. They wanted to build the world’s first hypersonic airliner. 

Hermeus recruited the best engineers, secured hundreds of millions of dollars in funding, and worked tirelessly towards their goal. Yet, they fell short. Way short. With mounting costs and no product on the market, they realized that if they didn’t start to generate revenue quickly, they would be on the fast track to bankruptcy.

But Hermeus had an ace up their sleeve. Though they had failed to create the airplane they had envisioned, they had managed to build something that could propel an airplane to hypersonic speeds: a fully functioning ramjet engine. This marvel of engineering, appropriately named CHIMERA, was once considered impossible to recreate outside secretive, billion-dollar labs such as that of Pratt & Whitney.

Hermeus' founders came to the conclusion that to ensure survival, their best bet was to double down on this unique capability. Swiftly, they pivoted from their grand vision of hypersonic passenger flight to a much more targeted niche: making simple objects move at incredible speeds. But who could be in the market for a technology capable of propelling metal rods to hypersonic velocities? The answer was clear. Hermeus found its niche in the national security space.

They quickly landed their first defense contract, securing a vital source of income to fuel their ambitions. By concentrating on their greatest strength instead of the noble vision of high-speed travel, they found a path to sustainable growth. And as such, their dream was back on track.

Webscout’s Ramjet engine 

Perhaps disappointingly to some, this is not where we announce that we have pivoted from cybersecurity to ramjet engineering. However, we do see important similarities between ourselves and Hermeus, and we plan to learn from their refocused go-to-market strategy.

Our equivalent of Hermeus' ramjet engine is our ability to enrich and contextualize a variety of web selectors, such as IP addresses and domain names, using a wide range of sources - lightning fast and at scale.

We may not match Shodan's detailed port scans, DomainTools' extensive historical DNS data, or Spur's vast catalog of anonymization infrastructure. However, we do excel in providing rich and meaningful context to internet data in bulk. In fact, we haven't seen anyone do it better.

Consider the following firewall log sample. Where is the forensically interesting entry?

It's impossible to say. Without the ability to enrich the key data points, in this case IP addresses, the investigation will be tedious, error-prone, and take a lot longer than it should: each IP address would have to be extracted and analyzed using third-party services such as Shodan, VirusTotal, Censys, and others.

Gaining a high-level overview of the digital evidence at hand is one of the most challenging yet critical tasks in any investigation. Considering the difficulty of making sense of fewer than 10 entries, imagine the complexity of analyzing a log file containing millions of lines—a scenario that is far from uncommon.

This is where we excel. Just as Hermeus required a capable jet engine before they could construct a plane, we needed an immense volume of internet data to power our vision of democratizing cyber threat intelligence. The outcome was a massive enrichment system capable of contextualizing millions of web selectors in milliseconds.

Here is what the exact same firewall log looks like when passed through that system:

Our strength lies in our ability to add meaningful tags to otherwise inaccessible data points, significantly reducing the scope and complexity of the investigation. Imagine having this enrichment capability in your Splunk, Elastic, MISP, or whichever tool you use.

Doesn't the breadth of enrichment sources result in a reduced level of detail on individual selectors?

Yes, and that is precisely the point. At a physical crime scene, focusing narrowly on isolated pieces of evidence before systematically identifying vital leads could be disastrous. Using the metaphor of finding a needle in a haystack, Webscout doesn't provide in-depth details on individual straws of hay; instead, it acts like a magnet that sweeps through the haystack, highlighting all the potentially relevant pieces that warrant further examination. This approach allows for a much faster, risk-based analysis and assessment of the data at hand.

Upwards and onwards

The service goes live on webscout.io as soon as we publish this article, and everyone who signs up can try the platform for free. To explore its capabilities, try entering a query like subdomains = reddit.com or ip = 20.50.2.91, 34.251.228.145, 34.249.200.254, 149.102.237.82.

We are also excited to announce that we are seeking organizations with mature SOC, IR, or threat intelligence capabilities, preferably based in Denmark, to join a limited pioneer program. In exchange for your feedback and suggestions, we will provide premium access for a limited time. We are offering this opportunity to only five organizations, and the first two slots have already been taken. If you're interested in extended access, please reach out to info@webscout.io.

Finally, we want to extend a sincere thank you to all of you for your continued support—it truly means everything to us. Thank you for believing in us and for following our journey. We are just getting started!

Note: If you encounter any bugs, please report them to feedback@webscout.io. Thank you!