THREAT INTELLIGENCE
ANSWERS.
NOT ASSUMPTIONS.
Stairwell is a search engine for file analysis and threat intelligence, built to answer the hard questions log-based tools cannot answer quickly.
It gives threat intel, SOC, and incident response teams fast, defensible visibility into what is actually in your environment.
Just as important, Stairwell proves the negative. You can confirm both the presence and the absence of a known IOC or piece of threat intel.
HOW IT WORKS
IMMEDIATE ANSWERS
Answers to security, compliance, and IT questions. Fast.
PRIVATE BY DESIGN
Stored in a private vault. Your threat intelligence stays yours, and nobody else’s.
INVISIBLE TO ADVERSARIES
Attackers reverse engineer endpoint tools, but cannot study a SaaS system they cannot access.
ANSWERS FOR YOUR SECURITY TEAM. IN SECONDS.
Which machines are affected?
When did the malware first show up?
Any more files used in the infection campaign?
What files are associated with this file?
What happened before and after this file arrived?
Is this file rare?
Are we certain that none of the IOCs are in our environment?
What does this file do?
Which characteristics of this file are suspicious?
Should I detonate this file in a sandbox?
Can this file intelligence be integrated into my SOC/SIEM/SOAR workflow?
ENGINEERED FOR PLANET-SCALE
Built by Google and intelligence-community veterans. Web-scale indexing, YARA at ludicrous speed, and structured AI reasoning turn raw artifacts into instant understanding across everything you have ever seen.
LEARN MORE ABOUT STAIRWELL
FREQUENTLY ASKED QUESTIONS
What security questions should a threat intelligence platform be able to answer quickly?
A threat intelligence platform should answer the questions analysts actually ask during investigations: Is this file malicious? Have we seen this hash or domain before? Which machines in our environment have that file? Are there variants of this malware anywhere in our enterprise? Did any IOCs from that threat report appear in our files? These questions come up constantly across SOC triage, threat hunting, and incident response workflows.
The defining capability of a strong threat intelligence platform is the ability to prove both presence and absence. Confirming that a known-bad IOC appears in your environment is valuable; confirming with confidence that it does not appear is equally valuable, especially for compliance reporting, executive briefings, and post-incident attestation. Platforms that can return a clear negative finding, backed by a query against your complete file history, give security teams a defensible answer they can act on rather than an uncertain non-response.
How do you check whether an indicator of compromise exists in your enterprise environment?
Checking whether an indicator of compromise exists in your environment requires querying your file telemetry, network logs, or endpoint data for any match against the IOC, whether that is a file hash, an IP address, a domain, or a file path. The speed and reliability of this check depends entirely on how completely your environment is instrumented and how current your telemetry is.
The operational gap most organizations face is incomplete coverage: logs capture some events, but not every file that ever ran on every endpoint. Platforms that store the actual executables from your environment rather than just log records about them can answer IOC questions against the full file history rather than the partial record that logs provide. When Stairwell ingests IOCs from a newly published threat report, it immediately cross-references them against your Private Vault, so you get a definitive answer about exposure without manual lookups or analyst time spent parsing log data. Operationalizing threat intelligence this way saves SOC time and removes the need to chase every IOC by hand.
How does a threat intelligence platform help prove that a known IOC is not in your environment?
Proving the absence of a known IOC requires complete, reliable telemetry coverage and a query engine that can confidently report no matches. Most security teams can confirm presence when logs or alerts include an indicator, but confirming absence is much harder because gaps in coverage could mean either that the IOC is truly absent or that it was present but not captured.
A threat intelligence platform like Stairwell addresses this by maintaining a complete file history from every enrolled endpoint, continuously re-evaluated against current intelligence. When that coverage is comprehensive, a negative result carries real confidence: if the IOC were present in any executable that ran on any enrolled device, it would appear in the query results. The confidence is bounded by the coverage, so a host that is not enrolled or has not reported is a gap the negative does not speak to, and a file-history query answers for file-based indicators (hashes, paths) rather than for a domain or IP, which needs network telemetry. Stairwell shows a clear confirmation when an enterprise is clean of a given indicator, which gives security teams the documented evidence they need for compliance, executive reporting, and post-incident assurance.
How do SOC analysts use file prevalence to prioritize investigation work?
File prevalence tells analysts how commonly a given file appears across the enterprise and across a broader malware corpus. Files that appear on every endpoint are almost always legitimate system components. Files that appear on only one endpoint and have never been observed broadly are outliers that deserve scrutiny, especially when they match no known software catalog and were not deployed through standard IT channels.
Prevalence becomes a fast triage signal in high-volume environments because it eliminates an entire category of work: alerts on high-prevalence files from known-good software can be deprioritized quickly, freeing analyst time for the genuinely rare files that are more likely to represent a threat. When prevalence is calculated continuously against both your environment and a global malware corpus, the signal is always current. A file that was rare last week but has since spread to dozens of hosts is a very different story from a file that has been rare and stable for months.
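The IOC presence check, the absence verdict with its coverage caveat, and rarest-first prevalence triage described above, as an added worked example. This is illustrative code written for this page, not Stairwell's implementation or API; the endpoint inventory, the enrolled-host list and the placeholder hashes are all constructed, and the `FileObservation` record, `check_iocs` and `triage_order` are assumed names.

```python
"""Added example: IOC presence/absence and file-prevalence triage over a
constructed endpoint file inventory. Not Stairwell's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileObservation:
    """One (host, file) sighting from endpoint telemetry (assumed schema)."""
    host: str
    sha256: str
    path: str


# Constructed sample data. The hashes are placeholders, not real malware hashes.
ENROLLED_HOSTS = frozenset({"ws-001", "ws-002", "ws-003", "ws-004", "srv-db-01"})

INVENTORY = [
    FileObservation("ws-001", "aa" * 32, r"C:\Windows\System32\ntdll.dll"),
    FileObservation("ws-002", "aa" * 32, r"C:\Windows\System32\ntdll.dll"),
    FileObservation("ws-003", "aa" * 32, r"C:\Windows\System32\ntdll.dll"),
    FileObservation("ws-004", "aa" * 32, r"C:\Windows\System32\ntdll.dll"),
    FileObservation("srv-db-01", "aa" * 32, r"C:\Windows\System32\ntdll.dll"),
    FileObservation("ws-001", "bb" * 32, r"C:\Program Files\Vendor\agent.exe"),
    FileObservation("ws-002", "bb" * 32, r"C:\Program Files\Vendor\agent.exe"),
    FileObservation("ws-003", "bb" * 32, r"C:\Program Files\Vendor\agent.exe"),
    FileObservation("ws-003", "cc" * 32, r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"),
]


def prevalence(inventory):
    """Map sha256 -> set of hosts on which that file was observed."""
    seen = defaultdict(set)
    for obs in inventory:
        seen[obs.sha256].add(obs.host)
    return seen


def check_iocs(inventory, iocs, enrolled=ENROLLED_HOSTS):
    """Return a verdict per IOC hash.

    A negative is reported as confirmed only when every enrolled host has
    contributed telemetry; otherwise the silent hosts are named so missing
    coverage is never mistaken for absence.
    """
    seen = prevalence(inventory)
    reporting = {obs.host for obs in inventory}
    silent = sorted(enrolled - reporting)
    verdicts = {}
    for ioc in iocs:
        hosts = sorted(seen.get(ioc, ()))
        if hosts:
            verdicts[ioc] = {"status": "present", "hosts": hosts}
        elif silent:
            verdicts[ioc] = {"status": "absent-unconfirmed", "hosts": [],
                             "not_reporting": silent}
        else:
            verdicts[ioc] = {"status": "absent-confirmed", "hosts": []}
    return verdicts


def triage_order(alerted_hashes, inventory, enrolled=ENROLLED_HOSTS):
    """Order alerted hashes rarest-first by the fraction of enrolled hosts
    carrying the file; a file on every host sorts last."""
    seen = prevalence(inventory)
    scored = [(len(seen.get(h, ())) / len(enrolled), h) for h in alerted_hashes]
    scored.sort()
    return [h for _, h in scored]


if __name__ == "__main__":
    # One IOC that is present on a single workstation, one that is absent.
    for ioc, verdict in check_iocs(INVENTORY, ["cc" * 32, "dd" * 32]).items():
        print(ioc[:12], verdict)
    print(triage_order(["aa" * 32, "bb" * 32, "cc" * 32], INVENTORY))
```

The absence verdict deliberately has three states rather than two: dropping a host from the inventory (as if its agent had stopped reporting) turns a clean result into "absent-unconfirmed" with the silent host named, which is the answer an analyst can defend in a post-incident report.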
What threat intelligence tools help security teams answer IT hygiene and compliance questions?
IT hygiene questions, such as which devices have a vulnerable version of a specific library, whether unauthorized software is installed on any endpoints, or whether a deprecated file type is running anywhere in the environment, can be answered by the same file telemetry that supports security investigations. A threat intelligence platform with complete file coverage provides a searchable inventory of executables that spans both security and IT operations use cases.
Compliance and hygiene use cases benefit significantly from having a continuously updated file history rather than point-in-time scans. When a vulnerability advisory identifies a specific file version as vulnerable, a platform with full file history can immediately answer which devices have ever had that file, whether it was recently installed or long-standing, and whether it is still present today. This kind of query takes minutes rather than days and does not require scheduling a new scan across the environment.
How does variant discovery help answer questions about related threats in an environment?
Variant discovery takes a single file hash and identifies other files in your environment and in the broader malware corpus that share structural similarity, even when their exact hashes differ. This answers the question that always follows a confirmed malware find: are there other related files we missed, and if so, which systems have them?
Without variant discovery, investigating a malware incident means tracking each modified version of a file separately, often missing related samples entirely because they evade hash-based detection. Variant discovery shifts the investigation from individual files to malware families, giving analysts a campaign-level view rather than a single-file verdict. Starting from one known-malicious file, investigators can rapidly identify all related samples across the environment, map which hosts were touched, and build a complete scope picture that drives containment and remediation decisions.
What is hash lookup and how does it fit into a threat intelligence investigation workflow?
Hash lookup is the process of submitting a file's cryptographic hash (typically MD5, SHA-1, or SHA-256) to a threat intelligence service to check whether that specific file has been previously observed and what verdict or context is associated with it. It is one of the fastest initial checks in a triage workflow because it requires no file upload and returns results in milliseconds. MD5 and SHA-1 are no longer collision-resistant, so SHA-256 is the hash to record and pivot on; the older two are worth carrying only to match feeds that still publish them.
The limitation of hash lookup is that it only matches exact files. A single byte change produces a completely different hash, which is why threat actors frequently repack or re-sign their malware specifically to defeat hash-based detection. In a mature investigation workflow, hash lookup serves as a first step that either confirms a known-bad file or returns no result, at which point the analyst needs deeper analysis tools. Platforms that combine hash lookup with structural similarity search and AI triage provide a fallback path for files that would otherwise pass a hash check cleanly despite being modified variants of known malware.
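The hash-lookup-then-similarity fallback described above, and the variant discovery of the previous answer, as an added worked example. This is illustrative code written for this page, not Stairwell's implementation: the byte strings standing in for executables, the tiny intel feed, and the byte n-gram Jaccard score used in place of a production similarity digest are all constructed, and `hash_lookup`, `find_variants` and `triage` are assumed names.

```python
"""Added example: exact hash lookup, the single-byte-change problem, and a
similarity fallback that surfaces modified variants. Not Stairwell's code."""
import hashlib

# Constructed stand-ins for executables; nothing here is a real sample.
_HEADER = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
KNOWN_BAD = _HEADER + b"loader stub; connect c2; decrypt payload; run" * 4
VARIANT = KNOWN_BAD[:80] + b"X" + KNOWN_BAD[81:]          # one byte repacked
UNRELATED = _HEADER + b"hello world text editor, save file, open file" * 4

CORPUS = {"known_bad_sample": KNOWN_BAD, "benign_editor": UNRELATED}


def digests(data):
    """All three hashes commonly accepted by lookup services."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


# Constructed intel feed keyed by SHA-256; stands in for a lookup service.
INTEL = {digests(KNOWN_BAD)["sha256"]: "malicious: placeholder loader family"}


def hash_lookup(data):
    """Exact-match lookup: returns the verdict string or None."""
    return INTEL.get(digests(data)["sha256"])


def chunk_set(data, size=8):
    """Overlapping byte n-grams; a deliberately simple stand-in for a
    similarity digest such as ssdeep or TLSH."""
    return {data[i:i + size] for i in range(len(data) - size + 1)}


def similarity(a, b, size=8):
    """Jaccard similarity of the two files' n-gram sets, in [0, 1]."""
    sa, sb = chunk_set(a, size), chunk_set(b, size)
    return len(sa & sb) / len(sa | sb)


def find_variants(sample, corpus, threshold=0.7):
    """Names of corpus files structurally similar to sample."""
    return [name for name, data in corpus.items()
            if similarity(sample, data) >= threshold]


def triage(sample, corpus):
    """Hash lookup first; on a miss, fall back to similarity against files
    that themselves have an intel verdict."""
    verdict = hash_lookup(sample)
    if verdict is not None:
        return ("hash-hit", verdict)
    related = [name for name in find_variants(sample, corpus)
               if hash_lookup(corpus[name]) is not None]
    if related:
        return ("variant-of-known-bad", related)
    return ("no-match", [])


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digests(KNOWN_BAD)[algo][:16], digests(VARIANT)[algo][:16])
    print(triage(KNOWN_BAD, CORPUS))
    print(triage(VARIANT, CORPUS))
    print(triage(UNRELATED, CORPUS))
```

Changing one byte of the constructed sample changes every digest, so the exact lookup on the variant misses; the similarity pass still ties it back to the known-bad file while leaving the unrelated binary unmatched. A real deployment would swap the n-gram score for a proper similarity digest and a corpus of real verdicts, but the two-stage shape is the point.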