Launch HN: Overwatch (YC S22): OSINT platform for cyber and fraud risk
Overwatch began when we were working with risk and threat intel teams at Google, Stripe, and government. We experienced the immense challenge every fraud and cyber threat analyst faces: manually parsing through an ocean of data to find valuable insights and filter out the noise. This included using many of the feeds and tools out there that were often very expensive, noisy, keyword-based, and lacked accurate entity extraction or advanced query features.
Most threat intelligence tools utilize thousands of keywords and teams of analysts to manually sift through torrents of alerts. These alerts are usually individual posts on various platforms across news, social media, deep and dark web sources that have some matching keyword. This is full of false positives, requiring many hours to wade through to figure out what intel matters most to our users, why, and what they can do next.
Overwatch uses an alternative approach by layering AI agents and NLP techniques, including a combination of multifarious datasets, cluster analysis, topic modeling, Retrieval Augmented Language Models (RALM) and domain knowledgeable agents.
This allows us to (1) Filter through OSINT in real time to identify events and narratives that matter to our users, and write reports on what they could do about it; (2) Identify dark web and deep web threats, fraud methods, new tactics, and compromised accounts, stolen checks, and credentials affecting our users or their peers; (3) Send an alert any time one a 3rd party supplier or parts of the tech stack are impacted by a widely exploited vulnerability, ransomware attack, or breach; and (4) Track malware and ransomware groups that are actively targeting your industry including Indicators of Compromise (IOCs).
Our intelligence is actionable because the alert comes with the context and important details that an analyst needs to make an informed decision. Being AI-native, we also have a range of chat and data visualization features to effectively function as an intel co-pilot or industry expert. Finally, our in-house intelligence analysts and investigators can assist threat intelligence teams with HUMINT investigations and darkweb acquisition.
Our current customers include internet platforms, financial institutions, and supply chain companies. Within a day of one breach, one of our customers used Overwatch to surface 18,000+ leaked credentials. Another used us to surface fraudulent checks and learn exactly how threat actors were targeting their specific product features.
Our website says “Request a demo” but if you want to poke around on a very basic example of how we’re aggregating dark web, deep web, social, and surface web, log in at https://app.overwatchdata.io/ using these credentials: username: try_overwatch@overwatchdata.io pw: HelloHNWorld
That login is for an un-personalized feed of cyber threat intel (breaches, vulnerabilities, ransomed organizations, and industry updates) that gives you a flavor of not just the kind of information from which we can collect, but more importantly, how our technology prioritizes, clusters, and summarizes alerts for cyber / fraud analysts. Try the chat agent on the left-hand side to parse through the data.
Or sign up for a longer trial and preview of our email alerts: https://xryl45u9uep.typeform.com/to/pvtZQyS0. You can also check out our clickthrough demo for dark and deep web intelligence: I have all sorts of issues with Vanta/Drata "compliance as a service" tools, but adequate for something like this, at this point in time. Most of my employment has been in the security auditing/testing space, and the difference between “bolting it on later” and “building it in from the start” is incredible from both a purely technical and a process standpoint. This type of information (OSINT of vulns/cves, proof of concepts) is useful for the Blue team side of defending against attackers. With easy to access information in a timely manner, the defenders can proactively put roadblocks and alerts into place for vulnerabilities as opposes to AFTER they are popped/hacked by such. Prevention is ideal; detection, a must. Seems like this is going to become a cat and mouse game similar to evading AV. To your point catching every threat or every alert especially on darkweb is always a cat and mouse game. Our idea is a prioritization problem – how do you mitigate the biggest risks quickly. The existing OSINT tools we used are keyword search based / pretty noisy so we’ve been focusing on the idea that given there’s no way analysts can find or triage every alert, how do you catch the biggest stuff. We do a few things from AI crawlers to continue to expand data collections to AI categorization, clustering, data extraction etc to make it easier to track the cover the most ground. OSINT is about gathering data from public or semi-public places. There are plenty of private dark web forums that these kinds of tools probably don't have visibility into, but the bigger public well-known ones are where you are most likely to see high-profile breaches being sold (since there's a wider audience and actors want to sell data quickly before it devalues), so it's certainly better than nothing... Would this be a service you would ever offer to regular researchers? It looks like you're embedding data from Twitter - are you paying for decahose/enterprise access or just paying for a low volume of high value tweets (i.e. I'm seeing many from FalconFeedsio, DailyDarkWeb) I would hesitate with the name though. Overwatch is also a game series from Blizzard. And Blizzard is known to be a little sue-addicted. > Computer game software, [ computer game discs, ] downloadable computer game programs, computer game software downloadable from a global computer network, electronic games software for wireless devices, interactive multimedia computer game programs, mousepads, computer mouses, headsets for use with computers, computer keyboards > Printed matter, namely, [ computer game strategy guides, ] comic books, graphic novels, novels, art books, calendars, posters, [ notebooks, ] and stickers > Entertainment services, namely, providing on-line computer games; Providing computer games that are accessed via a global computer network > Clothing, and headgear, namely, caps, hats, hooded sweatshirts, jackets, sweaters, and T-shirts > Toys, games, and playthings, namely, action figures, collectible toy figures, dolls, plush toys, and vinyl toy figures https://tsdr.uspto.gov/#caseNumber=86239314&caseSearchType=U... https://tsdr.uspto.gov/#caseNumber=86434530&caseSearchType=U... https://tsdr.uspto.gov/#caseNumber=86239318&caseSearchType=U... https://tsdr.uspto.gov/#caseNumber=86980853&caseSearchType=U... A search for "overwatch" currently matches 191 registered trademarks in the US. Trademarks do not cover all uses of a word -- they only cover the use of a word in relation to a particular field of commerce. This is, likewise, why your grocery store can sell apples without being afraid of the equally litigious Apple Inc. Consider Venn diagrams: the audience for these two homynymous products has small overlap. Further moderated when you consider term stickiness to respective meanings is only high for a small fraction of that audience. In other words, most people aware of both can cope with a mutual name. And some may even think it's cool. Each name enhancing the other through association and analogy. Overwatch is definitely the right choice. Consider the 'OG' meaning originates from military terminology. In this context, "overwatch" refers to a tactical position where one unit provides covering fire and surveillance for another unit as it moves forward or performs an action. The overwatch position is typically elevated or strategically placed to have a clear view of the battlefield, allowing the overwatching unit to detect threats and engage enemies to protect the advancing or exposed units. This concept ensures that the moving or vulnerable unit can operate with reduced risk, as the overwatching unit can neutralize potential dangers and provide critical information about the surroundings. The practice of overwatch is a fundamental tactic in military operations, emphasizing teamwork, communication, and strategic positioning. I don't think of what you call the 'theoretical' aspects as being purely theoretical, I think they're practical and conceptually associative and have provided a great name. I do know of the game (but I haven't played it haha!), but I don't think it's a problem. I understand that you do. We'll see! Hahaha! :) I'm no expert in SEO but it seems like it could go both ways and even boost it. For people's mental aspect, think the recall of this term will be boosted by there also being a famous game, and I don't think people will be confused by these two different categories. What makes you think they will? What other examples have you seen where this happens? Try it and find out? Definitely something to consider, but more in the "send a note to a trademark lawyer and marketing folks" than "rename our entire product and brand". -Personalization: The platform can be fully customized to your interests, e.g. 3rd party vendors, tech stack, products, peers or industry. It’s like having your personalized threat intel org that cuts through the noise. Each of the alerts are ranked and tailored to your interests. -Customization: The platform can be used for a range of use cases, with agents undertaking tasks ranging from finding and extracting check, loan, and credit card fraud, risky narratives about your brand, through to breaches or emerging ransomware groups targeting your tech stack or vendors. Those agents can even identify breaking events that could be near your assets. -So what and now what: Each report provides finished intel, whether finding or extracting relevant indicators of compromise, background on the threat actor and victim, compromised credentials, or compromised credit cards and checks. We're training our agents to be even more specific with answers e.g. "what IOCs relate to malware groups most active in the airline industry". We can even automate workflows through integrations or creating cases/escalations for specific teams. Since the model summaries would still need to be validated against the source results manually, your business' actual viability as a product hinges on whether customers perceive a significant time savings in the data provided via these channels over historical aggregation methods (like keyword analysis that you mentioned) and level of false positives. What do you measure as the largest impact here? Is there a large time savings, is it additional discovery from blindspots that other methods don't cover? Both? Are there additional benefits you see to this model beyond automation and expanded discovery? We not just help with relevant detection, but also automate some of the next two steps as well. Bringing the total weekly time saved down to a few minutes a day. We (https://www.newscatcherapi.com/) also serve the same use case but only for the news analysis part. And we don’t really have a UI: it’s all data accessible via an API. I see a lot of questions here about comparing Overwatch to other OSINT tools. The ability to customize/personalize is a huge difference. In my experience, clients with the most expensive problems are super underserved because there is no “Palantir-like” solutions. Don’t get me wrong: you don’t have to do consulting — just tweak the onboarding/set up. Making bespoke solution for the companies with the biggest problems is a great way to get into the market. And it can work on the huge scale. E.g. Palantir. An example from what we have as a very typical situation at NewsCatcher: a big bank is absolutely blown away because we actually can find news about private companies that they need to track with minimum false positives. And all we have to do is to tweak a bit our entity disambiguation module to work with the data points that the bank actually has. I know platforms like Flare are cool but when you need to monitor hundreds or even thousands of corporate keywords, domains, and assets, it becomes cheaper for CTI to just write the tools themselves. What does your platform look like in regards to this and pricing? For example, your pricing for monitoring 100 keywords and pricing for monitoring 500 keywords. 200k unique telegram channels is an interesting stat. Each Telegram account (if paid Premium account) can only be in 1k channels and groups max. To monitor 200k unique channels/groups, you have a network of at least 200 paid Telegram accounts continuously monitoring? Are you using Pyrogram or Telethon for this? Are these accounts owned by you (Overwatch) or are you just using a bunch of 3rd party Telegram intel feeds? That said, love the initiative and focus on this space and there’s probably an opportunity to sell your data to hedge funds.92 comments
[ 5.1 ms ] story [ 122 ms ] thread