What can I provide?
Content developed by you as an individual or by eligible partner companies for the purpose of threat detection, threat hunting and incident response. In SIEM terms this means Sigma rules, correlation rules, queries, dashboards and parsers; for EDR and endpoint protection, Yara rules; for network-based detection, Snort rules. Attack simulation content for open-source tools is also supported.
- Red tests (such as Atomic Red Team)
- SIEM rule packages (.ARB, .gzip etc.)
- Parsers (logstash configs, Flex connectors, technology add-ons, DSM's etc.)
- Data enrichers & response actions (e.g. python, bash, powershell scripts)
- Incident Response playbooks
How to earn money with Threat Bounty
The TDM Developer Program has transitioned to rank-based rewards. Key unlocks did not work, so as of July 1st 2019 we have removed the per-unlock reward and informed all developers by email.
What happened in the backend is that the SOC Prime team reached out to every client we have, shared the Threat Bounty story and advised which rules would be of high use to clients. Some clients proceeded with key unlocks, but the majority gave feedback on how difficult such a system is for an enterprise. Our TAMs then collected further feedback from customers on what we could do better, and this is how the Wanted! list was created: a monthly tradition that we intend to follow.
Our mission is to build and back an active, involved community with fair compensation for developers. Unlocks were low, and the initial plan was to provide payouts only from new sales generated each month. So, to live up to that promise, we provided payouts for June even though some things did not work: you may have had 0 unlocks and still received a payout, because we highly value your effort and want to get things right. The most important news is that Threat Bounty is live and working on both ends, even though there are some initial bumps to overcome. Rewards for July onwards will be paid based on the ranking system. Here is how to increase your rank:
- create requested content;
- address the latest threats;
- build detections for the latest exploits before patches are available (with or without a CVE);
- create content that correlates with the Wanted! list (threats and log sources of interest to paying clients);
- create resilient rules that are hard to circumvent and remain accurate for a long time (a rule based on an IP address will have a short lifespan, as opposed to a behaviour rule).
All of these actions affect both the monthly reward and your long-term reputation. Free and paid rules both matter, so it is up to you to decide how to balance them. On our end, SOC Prime equally supports free and paid content.
Nate Guagenti, Endpoint & NSM & Elastic
The Threat Bounty Program provides similar benefits as to how IDS rulesets are already used in thousands of organizations
Florian Roth, Nextron Systems
New rule authors, who haven't been in the market before, add content to market places like TDM and more content...
Go ahead, do some cool research and make a Sigma rule out of it.
EXAMPLES OF THREAT DETECTION CONTENT
With the Developer Program for TDM you can get your content in front of 5000+ users from 2700+ organizations in 128 countries. We have created the first cross-platform cyber threat detection marketplace in the world so that defenders can fight adversaries together. SOC Prime has proven its capabilities many times by rapidly delivering cutting-edge detection content for threats like WannaCry and NotPetya, and by leveraging MITRE ATT&CK™ since 2016 for threat actor attribution. We know exactly how much hard work goes into making good rules, testing them and hunting for the next threat or exploitation technique.
Our mission is to help security researchers reach global customers and get rewarded for their work on a regular basis. While SOC Prime handles QA and sales, we want you to help us with content! In numbers: we get 2000+ content views and 700+ downloads per month. Top authors on TDM have 1000+ views and downloads of their content and receive a special spotlight on the Leaderboards. Over 95% of the content is tagged with ATT&CK using the marketplace engine so that clients can see both the technical and the strategic value of the rules. See the most popular rules below.
- Sigma rules
- Yara rules
- Snort rules
- Red tests (such as Atomic Red Team)
- SIEM rule packages (.ARB, .gzip etc.)
- Parsers (logstash configs, Flex connectors, technology add-ons, DSM’s etc.)
- Data enrichers and response actions (e.g. python, bash, powershell scripts)
- Incident Response playbooks
Sigma is a generic rule format for SIEM systems, just as Yara is for binaries and Snort for network traffic. In 2018 Sigma was acknowledged by MISP as the de-facto standard for SIEM queries, and in 2019 SANS recommended Sigma for threat hunting with MITRE ATT&CK.
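As an added example (not code from SOC Prime, the Sigma project or any tool the page names), the block below is a small Python evaluator for a subset of the Sigma format described above, run over constructed Windows process-creation events. It also illustrates the rank advice earlier on this page about rule lifespan: the behaviour rule keeps firing after the constructed adversary address changes, while the IoC rule keyed on one address does not. The two rules, the events, the field names, the 203.0.113.x and 198.51.100.x addresses (documentation ranges) and the CORP\backup-svc account are all constructed for the example; the rule titles and helper names are assumptions, not Sigma identifiers.

```python
"""Minimal evaluator for a subset of the Sigma rule format (constructed example).
Supports named selections (map = AND of fields, list of maps = OR), list values
(OR, or AND with the 'all' modifier), contains/startswith/endswith/re modifiers,
'*' and '?' wildcards, case-insensitive matching, null for an absent field and
conditions built from and/or/not/parentheses. Aggregations are not supported."""
import ast
import re

# Constructed rules as the Python form of their Sigma YAML. BEHAVIOUR_RULE's
# detection block in YAML would read:
#   selection: {Image|endswith: '\powershell.exe', CommandLine|contains: '-enc'}
#   filter: {User: 'CORP\backup-svc'}
#   condition: selection and not filter
BEHAVIOUR_RULE = {
    "title": "Encoded PowerShell command line (behaviour)",
    "detection": {
        "selection": {"Image|endswith": r"\powershell.exe", "CommandLine|contains": "-enc"},
        "filter": {"User": r"CORP\backup-svc"},  # constructed approved automation account
        "condition": "selection and not filter",
    },
}
IOC_RULE = {  # keyed on one address (TEST-NET-3 placeholder): cheap to write, short-lived
    "title": "Connection to listed address (IoC)",
    "detection": {"selection": {"DestinationIp": "203.0.113.10"}, "condition": "selection"},
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed events; the same behaviour recurs after the address changes
    {"Image": PS, "CommandLine": "powershell.exe -NoP -enc <base64>", "User": r"CORP\alice", "DestinationIp": "203.0.113.10"},
    {"Image": PS, "CommandLine": "powershell.exe -NoP -enc <base64>", "User": r"CORP\bob", "DestinationIp": "203.0.113.77"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe", "User": r"CORP\alice", "DestinationIp": "198.51.100.5"},
    {"Image": PS, "CommandLine": "powershell.exe -enc <base64>", "User": r"CORP\backup-svc", "DestinationIp": "203.0.113.10"},
]


def _match_value(actual, expected, modifiers) -> bool:
    """Compare one event value with one rule value under the given modifiers."""
    if expected is None:  # 'field: null' matches only a missing field
        return actual is None
    if actual is None:
        return False
    if "re" in modifiers:
        return re.search(str(expected), str(actual)) is not None
    pat = re.escape(str(expected)).replace(r"\*", ".*").replace(r"\?", ".")
    if "contains" in modifiers or "endswith" in modifiers:
        pat = ".*" + pat
    if "contains" in modifiers or "startswith" in modifiers:
        pat += ".*"
    return re.fullmatch(pat, str(actual), re.IGNORECASE | re.DOTALL) is not None


def _match_field(event: dict, key: str, expected) -> bool:
    """'Field|mod1|mod2: value-or-list'; list values are OR-ed unless 'all' is set."""
    field, *modifiers = key.split("|")
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in modifiers else any
    return combine(_match_value(event.get(field), v, modifiers) for v in values)


def _match_selection(event: dict, selection) -> bool:
    """A map is the AND of its fields; a list of maps is the OR of its entries."""
    if isinstance(selection, dict):
        return all(_match_field(event, k, v) for k, v in selection.items())
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    raise TypeError(f"unsupported selection type: {type(selection).__name__}")


_ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Name, ast.And, ast.Or, ast.Not, ast.Load)


def _eval_condition(text: str, results: dict) -> bool:
    """Sigma's and/or/not/parentheses syntax is also valid Python, so parse it with
    ast (never eval) and accept nothing but boolean operators over selection names."""
    tree = ast.parse(text, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"unsupported condition syntax: {type(node).__name__}")

    def walk(node) -> bool:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):
            fold = all if isinstance(node.op, ast.And) else any
            return fold([walk(v) for v in node.values])
        if isinstance(node, ast.UnaryOp):  # only ast.Not survives the check above
            return not walk(node.operand)
        if node.id not in results:
            raise KeyError(f"condition references unknown selection {node.id!r}")
        return results[node.id]

    return walk(tree)


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate every named selection, then the rule's condition over the results."""
    detection = rule["detection"]
    results = {n: _match_selection(event, s) for n, s in detection.items() if n != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rules(rules: list, events: list) -> dict:
    """Map each rule title to the indexes of the events it fires on."""
    return {r["title"]: [i for i, e in enumerate(events) if rule_matches(r, e)] for r in rules}
```

Calling `run_rules([BEHAVIOUR_RULE, IOC_RULE], EVENTS)` fires the behaviour rule on events 0 and 1 (event 3 is suppressed by the filter) and the IoC rule on events 0 and 3 only, because event 1 uses a different address: the resilience point from the ranking advice above. The condition is parsed with the `ast` module and checked against a whitelist of node types, so a rule file cannot smuggle arbitrary Python into the evaluator.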