SwarmHawk Enterprise · EASM + Breach Path Intelligence

See Every Attack Path
Before Attackers Do

SwarmHawk Enterprise maps your entire external attack surface, computes breach paths across your organization graph, and delivers CTEM-aligned remediation — at internet scale.


The Problem

The Gap No One Is Watching

Traditional security tools protect what's inside. Attackers enter from the outside. SwarmHawk closes the gap.

[Diagram: an attacker on the unmonitored internet reaches mail.acme.com, vpn.acme.com and api.acme.com (the blind spot) before the perimeter. Inside the perimeter, SIEM/EDR covers ERP/database, AD/identity and source code; SwarmHawk covers the external attack surface.]
Unknown Exposure
On average, organizations have 30% more internet-facing assets than their security team knows about. Shadow IT, forgotten subdomains, and acquired infrastructure create invisible entry points.
No Attack Path Visibility
Knowing a domain has a CVE is not enough. Security teams need to understand which vulnerabilities form a connected breach path to crown-jewel assets — and which are just noise.
Alert Fatigue
Legacy EASM tools generate thousands of findings with no prioritization logic. SwarmHawk computes choke points — the fewest remediations that break the most breach paths.
No Organizational Context
Individual domain scans don't show blast radius across an entire organization. SwarmHawk clusters all subsidiary domains, brands, and acquired assets into a single org risk graph.

Platform Capabilities

Enterprise-Grade Attack Surface Intelligence

Six integrated modules that work together to give you complete external threat visibility.

Continuous Asset Discovery
Automated scanning of 100M+ global domains using certificate transparency (CT) logs, ICANN CZDS zone-file feeds, and passive DNS. New assets appear in your dashboard within hours of registration.
Live Now
Organization Graph
Clusters all internet-facing domains to their parent organization using eTLD+1 analysis, WHOIS correlation, ASN grouping, and TLS certificate fingerprinting. Builds an org-wide risk score.
Live Now
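How such clustering can be built, shown here as an added example rather than SwarmHawk's own code: union-find over the signals the page names (registrable domain, WHOIS registrant, TLS certificate fingerprint). ASN is deliberately left out of the merge rules and CDN-shared certificates are skipped, because either signal would fold unrelated tenants into one organisation. The asset records, their field names and the SAN-count threshold are constructed assumptions.

```python
"""Organisation clustering with union-find over shared discovery signals.

Added example, not SwarmHawk's clustering code. Asset records below are
constructed; the merge rules and the SAN-count threshold are assumptions.
"""
from collections import defaultdict

# Constructed asset records as a discovery pass might emit them.
ASSETS = [
    {"host": "www.acme.com", "etld1": "acme.com", "registrant": "Acme Corp",
     "cert_sha256": "aa11", "cert_san_count": 2, "asn": 16509},
    {"host": "vpn.acme.com", "etld1": "acme.com", "registrant": "Acme Corp",
     "cert_sha256": "bb22", "cert_san_count": 1, "asn": 16509},
    # separate brand, WHOIS privacy on, but serves the same leaf cert as www.acme.com
    {"host": "shop.acme-brand.io", "etld1": "acme-brand.io", "registrant": "REDACTED",
     "cert_sha256": "aa11", "cert_san_count": 2, "asn": 13335},
    # acquired company: different registrable domain, same WHOIS registrant
    {"host": "legacy.oldco.net", "etld1": "oldco.net", "registrant": "Acme Corp",
     "cert_sha256": "cc33", "cert_san_count": 1, "asn": 3356},
    # behind a CDN: its cert lists 60 SANs belonging to many unrelated customers
    {"host": "static.acme.com", "etld1": "acme.com", "registrant": "REDACTED",
     "cert_sha256": "ee55", "cert_san_count": 60, "asn": 13335},
    {"host": "other-tenant.example", "etld1": "other-tenant.example", "registrant": "Other Ltd",
     "cert_sha256": "ee55", "cert_san_count": 60, "asn": 13335},
]

SHARED_CERT_SAN_THRESHOLD = 20  # assumption: above this, treat the cert as CDN-shared
PRIVACY_REGISTRANTS = {"", "REDACTED", "REDACTED FOR PRIVACY"}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def merge_keys(asset):
    """Signals that justify putting two hosts in the same organisation.
    ASN is deliberately absent: a shared cloud/CDN ASN says nothing about ownership."""
    keys = [("etld1", asset["etld1"])]
    if asset["registrant"] not in PRIVACY_REGISTRANTS:
        keys.append(("registrant", asset["registrant"]))
    if asset["cert_san_count"] <= SHARED_CERT_SAN_THRESHOLD:
        keys.append(("cert", asset["cert_sha256"]))
    return keys


def cluster_assets(assets):
    """Return organisations as sorted lists of hosts (sorted for determinism)."""
    uf = UnionFind()
    hosts_by_key = defaultdict(list)
    for asset in assets:
        uf.find(asset["host"])  # register the host even if it shares no signal
        for key in merge_keys(asset):
            hosts_by_key[key].append(asset["host"])
    for hosts in hosts_by_key.values():
        for other in hosts[1:]:
            uf.union(hosts[0], other)
    groups = defaultdict(list)
    for asset in assets:
        groups[uf.find(asset["host"])].append(asset["host"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for org in cluster_assets(ASSETS):
        print(org)
```

With these records the acquired oldco.net host and the separately-branded shop join the acme.com organisation through registrant and certificate evidence, while the tenant that merely shares a CDN certificate and ASN stays separate.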
Breach Path Engine
Builds a directed attack graph: entry nodes (CVE/blacklisted domains) → pivot nodes (related subdomains) → critical assets (admin panels, exposed APIs). Enumerates all viable breach paths with MITRE ATT&CK labels.
Live Now
Choke Point Analysis
Identifies the minimum set of remediation actions that eliminate the maximum number of breach paths. Prioritize by choke point score to get maximum risk reduction per fix.
Live Now
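A compact version of what the Breach Path Engine and Choke Point Analysis compute, written as an added example in Python (not SwarmHawk code): enumerate every entry-to-critical path in a directed graph, then rank remediations by greedy set cover so each fix closes the most still-open paths. The hostnames, edges and the rule of never treating a crown-jewel node as the thing to remediate are assumptions. One entry node carries a finding but has no route onward, which is the "just noise" case: it produces no breach path and never appears in the plan.

```python
"""Breach-path enumeration and choke-point ranking on a toy organisation graph.

Added example, not SwarmHawk's engine. Hostnames, edges and the greedy
set-cover heuristic are assumptions chosen to illustrate the idea.
"""
from collections import defaultdict

# Constructed directed attack graph: entry -> pivot -> critical, as on the page.
NODES = {
    "mail.acme.com": "entry",          # e.g. unpatched CVE on the MX host
    "vpn.acme.com": "entry",           # e.g. blacklisted / known-bad reputation
    "api.acme.com": "entry",
    "blog.acme.com": "entry",          # has a CVE but no route onward: noise, not a path
    "sso.acme.com": "pivot",
    "legacy.acme-corp.com": "pivot",
    "admin.acme.com": "critical",
    "erp.acme.com": "critical",
}
EDGES = [
    ("mail.acme.com", "sso.acme.com"),
    ("vpn.acme.com", "sso.acme.com"),
    ("api.acme.com", "legacy.acme-corp.com"),
    ("api.acme.com", "admin.acme.com"),
    ("legacy.acme-corp.com", "sso.acme.com"),
    ("legacy.acme-corp.com", "erp.acme.com"),
    ("sso.acme.com", "admin.acme.com"),
    ("sso.acme.com", "erp.acme.com"),
]


def breach_paths(nodes, edges):
    """Every simple path from an entry node to a critical asset."""
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    paths = []

    def walk(node, trail):
        if nodes[node] == "critical":
            paths.append(tuple(trail))
            return  # a crown jewel is a destination, not a pivot
        for nxt in adj[node]:
            if nxt not in trail:  # simple paths only, no cycles
                walk(nxt, trail + [nxt])

    for node, kind in nodes.items():
        if kind == "entry":
            walk(node, [node])
    return paths


def choke_points(nodes, paths, coverage_target=1.0):
    """Greedy set cover: each step remediates the non-critical node lying on
    the most still-open paths. Returns [(node, paths_closed, cumulative_fraction)].
    Exact minimum set cover is NP-hard; greedy is within a log factor of it and
    fast enough to recompute after every fix (assumption about product behaviour)."""
    open_paths = set(paths)
    total = len(paths)
    plan = []
    while open_paths:
        hits = defaultdict(set)
        for p in open_paths:
            for n in p:
                if nodes[n] != "critical":
                    hits[n].add(p)
        best = max(hits, key=lambda n: (len(hits[n]), n))  # name breaks ties deterministically
        open_paths -= hits[best]
        plan.append((best, len(hits[best]), 1 - len(open_paths) / total))
        if plan[-1][2] >= coverage_target:
            break
    return plan


if __name__ == "__main__":
    paths = breach_paths(NODES, EDGES)
    print(f"{len(paths)} breach paths")
    for p in paths:
        print("  " + " -> ".join(p))
    for node, closed, frac in choke_points(NODES, paths):
        print(f"fix {node}: closes {closed} more paths, {frac:.0%} of all paths broken")
```

On this graph eight breach paths exist; remediating sso.acme.com alone closes six of them, and api.acme.com closes the remaining two, so two fixes break every path even though four entry nodes carry findings.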
CTEM Workflow Engine
Gartner CTEM-aligned pipeline: Scoping → Discovery → Validation → Prioritization → Mobilization. Integrates with your ticketing system to track remediation progress through all five stages.
Beta
XDR Correlation Bridge
Feeds external exposure context into your XDR platform. When an endpoint alert fires, instantly see if the affected host is also an internet entry point, choke point, or critical asset in the breach path graph.
Q2 2026

Breach Path Visualization

See the Attack Path. Break the Chain.

Interactive force-directed graph maps every viable breach route across your organization's external assets.

Live Attack Graph — acme-corp.com Organization
Entry Point
Pivot Node
Critical Asset
Safe Domain
Graph summary: 3 entry points · 4 choke points · 2 critical assets · 11 breach paths · org risk score 78

CTEM Workflow

Continuous Threat Exposure Management

SwarmHawk operationalizes the full Gartner CTEM cycle, from discovery to remediation tracking. Gartner's own ordering puts Prioritization before Validation; the pipeline below validates findings first and then ranks them.

01
Scoping
Define which organizations, domains, and asset classes to monitor. Set risk thresholds and SLA targets per org.
→ Org Graph Config
02
Discovery
Continuous passive and active scanning. CT logs, DNS, WHOIS, certificate transparency, subdomain enumeration.
→ 100M+ Domains
03
Validation
22-check scan engine validates each finding: CVE exploit status, blacklist confirmation, live DAST probes.
→ 22-Check Engine
04
Prioritization
Breach path graph ranks remediations by choke point score. Fix 3 domains to break 80% of paths.
→ Choke Points
05
Mobilization
Push findings to Jira, ServiceNow, or PagerDuty. Track remediation SLA. Recompute graph after each fix.
→ Ticket Integration

XDR & SIEM Integrations

Plug Into Your Existing Security Stack

Every integration sends the complete external attack surface picture — 22-check scan results, CVE list, software fingerprints, email security chain, threat classification, blacklist status, domain age, and per-check remediation steps. Configure in one click from Account → Integrations.

Bitdefender GravityZone (Endpoint + EASM XDR): Live Now
CrowdStrike Falcon (EDR / XDR Platform): Live Now
Microsoft Sentinel (SIEM / SOAR): Live Now
Palo Alto Cortex (Cortex XDR + Xpanse): Live Now
Splunk SIEM (Security Analytics): Live Now
Jira / ServiceNow (Ticketing / SOAR): Live Now
Webhook / REST API (Custom Integration): Live Now
STIX / TAXII 2.1 (Threat Intel Feed): Live Now
Splunk SIEM
Blind spot filled: external → internal correlation
CIM-aligned events land in your existing index. Write SPL queries across your entire domain footprint: find all phishing-ready domains, track Log4Shell exposure, correlate "employee browsed X" with "X is blacklisted + has unpatched CVE."
Includes: SPF/DMARC/DKIM chain · CVE list per domain · Software fingerprints · CIM-aligned fields · Threat type tags
Microsoft Sentinel
Blind spot filled: cross-source identity + domain correlation
Creates a typed SwarmHawk_CL table — every field KQL-queryable. Build analytic rules that fire when an AAD user browses a domain SwarmHawk has flagged as phishing-ready. NIS2 compliance flag auto-populated.
Includes: KQL-ready fields · SOAR playbook triggers · NIS2 Art. 21 flag · Cross-AAD correlation · Custom workbooks
CrowdStrike Falcon
Blind spot filled: proactive blocking before threat feeds catch up
Domain IOCs pushed 90 days before they appear in standard threat feeds. Action set to "prevent" for confirmed malware, "detect" for exposure. Tags include threat types so Falcon analysts filter by phishing/malware/CVE class. Auto-expires and refreshes on rescan.
Includes: Threat-classified IOCs · Prevent vs detect logic · 90-day auto-refresh · Endpoint correlation
Palo Alto Cortex XDR
Blind spot filled: external alerts in the investigation timeline
External alerts appear in Cortex's unified investigation view alongside endpoint detections. MITRE ATT&CK techniques are mapped automatically: T1566 Phishing, T1190 Exploit Public-Facing Application, T1557 Adversary-in-the-Middle. Your SOC sees domain exposure and endpoint telemetry in the same pane.
Includes: MITRE ATT&CK mapping · Unified timeline · XQL correlation · Alert enrichment
Jira / ServiceNow
Blind spot filled: zero-copy remediation workflow
Fully-structured tickets with CVE tables, software stack, per-check remediation steps, and NIS2 compliance notes. Assignee has everything needed to remediate without ever opening SwarmHawk. Urgency/impact auto-mapped from risk score. Only fires for risk ≥ 70.
Includes: CVE remediation table · Per-check fix steps · NIS2 compliance note · Auto-urgency mapping · SLA guidance
STIX / TAXII 2.1
Blind spot filled: standardised intel sharing with your sector ISAC
Domain findings served as STIX 2.1 bundles (DomainName + Vulnerability + Relationship objects). Ingest natively into MISP, OpenCTI, Anomali, or Recorded Future. Share domain IOCs with your sector ISAC without exposing raw data. Queryable via standard TAXII 2.1 endpoint.
Includes: STIX 2.1 bundles · TAXII 2.1 endpoint · MISP / OpenCTI ready · ISAC sharing
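Building and sanity-checking the bundle shape described above (DomainName + Vulnerability + Relationship), as an added example in Python; this is not SwarmHawk's serializer. The finding record is constructed, the relationship type related-to and the UUIDv5-derived ids are choices made here, and the validator shows the checks a MISP or OpenCTI operator would want to run before trusting any external feed.

```python
"""Emit a STIX 2.1 bundle (DomainName + Vulnerability + Relationship) for one
domain finding and sanity-check it the way a feed consumer should.

Added example, not SwarmHawk's serializer. The finding record is constructed;
the relationship type and the UUIDv5 id scheme are choices made here.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed finding, shaped loosely like one /api/v1/scan/{domain} result.
FINDING = {"domain": "legacy.acme-corp.com", "risk_score": 86, "cves": ["CVE-2021-44228"]}

NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "swarmhawk-example")  # assumed producer namespace


def stix_id(obj_type, key):
    """Deterministic id: the same finding re-exported gets the same id, so a
    second ingest updates the object in MISP/OpenCTI instead of duplicating it."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, f'{obj_type}:{key}')}"


def build_bundle(finding, now=None):
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    domain = {  # SCO: no created/modified timestamps
        "type": "domain-name",
        "spec_version": "2.1",
        "id": stix_id("domain-name", finding["domain"]),
        "value": finding["domain"],
    }
    objects = [domain]
    for cve in finding["cves"]:
        vuln = {  # SDO: created/modified are mandatory
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": stix_id("vulnerability", cve),
            "created": ts,
            "modified": ts,
            "name": cve,
            # the spec's recommended way to carry a CVE id on a vulnerability
            "external_references": [{"source_name": "cve", "external_id": cve}],
        }
        rel = {  # SRO linking the SCO to the SDO; 'related-to' is STIX's generic type
            "type": "relationship",
            "spec_version": "2.1",
            "id": stix_id("relationship", f"{finding['domain']}|{cve}"),
            "created": ts,
            "modified": ts,
            "relationship_type": "related-to",
            "source_ref": domain["id"],
            "target_ref": vuln["id"],
        }
        objects.extend([vuln, rel])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Consumer-side checks before trusting an external feed: ids match their
    type, every relationship ref resolves inside the bundle, SDOs/SROs carry
    timestamps. Dangling refs are the most common breakage in shared bundles."""
    ids = {o["id"] for o in bundle["objects"]}
    for obj in bundle["objects"]:
        if not obj["id"].startswith(obj["type"] + "--"):
            return False
        if obj["type"] in ("vulnerability", "relationship") and not ("created" in obj and "modified" in obj):
            return False
        if obj["type"] == "relationship" and (obj["source_ref"] not in ids or obj["target_ref"] not in ids):
            return False
    return True


if __name__ == "__main__":
    bundle = build_bundle(FINDING)
    print(json.dumps(bundle, indent=2))
    print("valid:", validate_bundle(bundle))
```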
Full integration guide with KQL + SPL examples · Download SDK adapter scripts

API v2.0 & SDK

Build On SwarmHawk In Minutes

REST API v2.0, a native Python SDK, and seven ready-to-run adapter scripts for every major SIEM and ticketing platform. No glue code. No re-parsing. Just results.

API v2.0 — Key Endpoints
Interactive Docs ↗
Endpoint | Description | Auth
GET /api/v1/scan | Bulk domain query; filter by min_risk, country, priority; limit 500 | X-API-Key
GET /api/v1/scan/{domain} | Full detail for one domain: 22 checks, CVE list, MITRE labels, AI context | X-API-Key
GET /stream/alerts | SSE real-time push; receive risk ≥ 80 findings the moment they complete | Bearer
GET /taxii/collections/ | TAXII 2.1 discovery; ingest into MISP, OpenCTI, Anomali, Recorded Future | Bearer
POST /integrations/{service} | Save XDR/SIEM connector config; auto-fires after each critical finding | Bearer
POST /integrations/{service}/test | Verify the connector reaches the platform; returns {ok, message} without writing data | Bearer
Python SDK — Quickstart
pip install httpx   # HTTP client the SDK module is built on

from datetime import datetime, timedelta, timezone

from swarmhawk_sdk import SwarmHawkClient

client = SwarmHawkClient(api_key="swh_...")   # sent as the X-API-Key header

# Paginated high-risk domains (risk_score >= 70); iteration follows the pages
for domain in client.domains(min_risk=70):
    print(domain["domain"], domain["risk_score"])

# Single domain detail: 22-check results, CVE list, MITRE labels
detail = client.domain("example.com")

# New critical findings from the last 24 hours. Timezone-aware UTC rather than
# datetime.utcnow(), which is deprecated since Python 3.12 and returns a naive value.
alerts = client.alerts(since=datetime.now(timezone.utc) - timedelta(hours=24))

# STIX 2.1 bundle for MISP / OpenCTI
bundle = client.stix_bundle()
Full SDK docs →
Adapter Scripts — Download & Run
Splunk TA: modular input → HEC
Microsoft Sentinel: DCR / Log Analytics Workspace
CrowdStrike Falcon: IOC ingestion via Fusion SOAR
Palo Alto Cortex XDR: external alerts + MITRE mapping
Bitdefender GravityZone: custom block / report rules
Jira: rich ADF tickets with CVE tables
ServiceNow: incidents with urgency/SLA mapping
Download All Adapters →
SSE Real-Time Alerts — /stream/alerts

Receive critical findings (risk ≥ 80) the moment scans complete — no polling. The SSE stream delivers JSON events with full domain detail. Works in any language with a standard HTTP client.

// Node.js: npm install eventsource@2. The browser-native EventSource cannot
// attach an Authorization header; in a browser, read the stream with fetch()
// and parse the "data:" lines yourself.
const EventSource = require('eventsource');

const es = new EventSource(
  'https://swarmhawk.com/api/stream/alerts?min_risk=80',
  { headers: { Authorization: 'Bearer swh_...' } }
);
es.onmessage = e => {
  const alert = JSON.parse(e.data);
  // { type:"alert", domain:"...", risk_score:92, priority:"CRITICAL", ... }
  console.log(alert.domain, alert.risk_score);
};
// EventSource reconnects on its own; log errors rather than treating them as fatal
es.onerror = err => console.error('stream error, reconnecting', err);
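The same stream consumed from Python without an SSE library, as an added example that is not part of the SDK: the parser follows the SSE framing rules (comment lines, multi-line data fields, an id field kept for Last-Event-ID resume) and re-applies the risk threshold on the client as defence in depth. The byte stream is constructed to mimic the event shape shown above, and the chunk boundaries in the test are arbitrary to show that partial reads are handled.

```python
"""Consume a /stream/alerts Server-Sent Events feed with a plain byte reader.

Added example, not SwarmHawk code. The frames below are constructed; field
names (domain, risk_score, priority) follow the sample event on the page.
"""
import json

# Constructed SSE byte stream as /stream/alerts might deliver it: a keep-alive
# comment, three alert events (one with data split across two lines), each with an id.
SAMPLE_STREAM = (
    b": keep-alive\n\n"
    b"id: 101\n"
    b"event: message\n"
    b'data: {"type":"alert","domain":"vpn.acme.com","risk_score":92,"priority":"CRITICAL"}\n\n'
    b"id: 102\n"
    b'data: {"type":"alert","domain":"legacy.acme-corp.com",\n'
    b'data:  "risk_score":81,"priority":"HIGH"}\n\n'
    b"id: 103\n"
    b'data: {"type":"alert","domain":"blog.acme.com","risk_score":55,"priority":"MEDIUM"}\n\n'
)


def parse_sse(chunks):
    """Yield (last_event_id, event_name, data) per frame, following the SSE rules:
    fields are `name: value`, a blank line dispatches the frame, lines starting
    with ':' are comments, multiple data lines are joined with '\\n', and the id
    persists across frames until the server sends a new one."""
    buf = b""
    last_id, event, data = None, "message", []
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            line = line.decode("utf-8").rstrip("\r")
            if line == "":
                if data:
                    yield last_id, event, "\n".join(data)
                event, data = "message", []
                continue
            if line.startswith(":"):
                continue
            name, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if name == "data":
                data.append(value)
            elif name == "event":
                event = value
            elif name == "id" and "\x00" not in value:
                last_id = value


def critical_alerts(chunks, min_risk=80):
    """Return alerts at or above min_risk plus the id to resume from
    (send it as the Last-Event-ID header on reconnect so nothing is missed)."""
    alerts, resume_id = [], None
    for eid, _event, data in parse_sse(chunks):
        resume_id = eid
        try:
            alert = json.loads(data)
        except json.JSONDecodeError:
            continue  # never let one malformed frame kill the consumer
        if alert.get("type") == "alert" and alert.get("risk_score", 0) >= min_risk:
            alerts.append(alert)
    return alerts, resume_id


if __name__ == "__main__":
    found, resume = critical_alerts([SAMPLE_STREAM])
    for a in found:
        print(a["domain"], a["risk_score"], a["priority"])
    print("resume from Last-Event-ID:", resume)
```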

Competitive Landscape

Why SwarmHawk Enterprise?

Purpose-built for the global mid-market — not an afterthought module in a $200k/yr enterprise suite.

Capability (columns: SwarmHawk Enterprise · Bitdefender Breach Path · XM Cyber · Palo Alto Xpanse · CrowdStrike Surface)
External Asset Discovery: continuous, internet-wide scanning
Partial
Breach Path Visualization: attack graph with MITRE labels
Organization Graph Clustering: multi-subsidiary asset grouping
Partial Partial Partial
Choke Point Prioritization: minimum remediations for maximum path reduction
Global Domain Coverage: all ccTLDs + gTLDs, 150+ countries
✓ 100M+ Partial Partial Partial Partial
CTEM Workflow Engine: all 5 Gartner stages
Partial Partial
Mid-Market Pricing: accessible without $200k+ contracts
API v2.0 + Python SDK + Webhooks: REST, SSE stream, TAXII 2.1, adapter scripts
Limited

Pricing

Simple, Transparent Pricing

No per-seat fees. No hidden modules. Price scales with your monitored domain footprint.

Platform
Custom
Unlimited domains · White-label
  • Everything in Business
  • Unlimited monitored domains
  • White-label / OEM licensing
  • XDR platform integration
  • STIX/TAXII threat intel feed
  • Dedicated success manager
  • Custom SLA (1h response)
  • On-premise deployment option