Tidal Cyber: Reframing the Fundamental Question in Cybersecurity
Every security program, regardless of its size, budget, or maturity, ultimately faces the same difficult question: Can we defend against the adversaries targeting us today? For years, CISOs and security teams have been expected to answer whether they can withstand Akira, Scattered Spider, APT groups, and an endless stream of ransomware gangs, yet the answers have almost always been educated guesses rather than data-driven assessments. The industry has been overwhelmed by exploding vulnerability counts, noisy alerts, staffing shortages, and the complexity of evolving attack surfaces.
Tidal Cyber was founded to eliminate that uncertainty. “We’re giving defenders the ability to answer the most basic and most important question in security: ‘Can we defend against the tradecraft being used against us?’” says the company’s Co-Founder & CEO Rick Gordon. Today, Tidal Cyber delivers the industry’s first true Threat-Led Defense platform, empowering security teams to understand, prioritize, and defend against real adversary behavior and the techniques they use with precision. By fusing cyber threat intelligence, cyber defense intelligence, and the industry’s most comprehensive Procedures Library, Tidal provides continuous coverage mapping, automated compliance evidence, and actionable insights that strengthen defenses, optimize resources, and transform how organizations reduce risk.
In fact, the company’s central philosophy is built on a simple idea: the best way to defend is to start with the adversary, not the vulnerabilities, controls, or compliance checklists. This is the foundation of Threat-Led Defense, a discipline that Tidal Cyber has shaped, operationalized, and elevated into an entirely new category of cybersecurity.
Born from MITRE: A Team that Understands Adversaries Better than Anyone
Tidal Cyber’s founding team (Rick Gordon, Chief Executive Officer; Frank Duff, Chief Innovation Officer; and Richard Struse, Chief Technology Officer) share a deep and uncommon heritage. All three spent years at MITRE, contributing to and shaping the research and frameworks that define today’s cybersecurity landscape. Their experience includes hands-on adversary emulation, the creation of MITRE ATT&CK evaluations, and co-founding the Center for Threat-Informed Defense, all leading to an unparalleled understanding of how to defend against how attackers truly operate. That background exposed a major gap in the industry. Organizations had endless data, excellent frameworks, and powerful tools, yet they lacked a way to connect those elements into a cohesive, operational system. Security teams couldn’t easily translate adversary behavior into defensive action. Struse puts it plainly: “It’s impossible to defend efficiently when you’re drowning in vulnerabilities, alerts, and controls that may not even matter. Threat-led defense cuts through all of that.”
Their shared frustration became their mission: bring clarity, precision, and relevance back to defense by grounding everything in real adversary behavior.
At the heart of Tidal Cyber’s platform lies the fusion of two powerful intelligence engines. The first is Cyber Threat Intelligence (CTI), curated from extensive open-source research and enriched with customer-provided closed-source feeds. CTI reveals which adversaries are active, which industries they target, and the exact techniques, tactics, and procedures they rely on. The second engine is Cyber Defense Intelligence (CDI), a Tidal-specific breakthrough that catalogs more than 500 security tools across more than 200 vendors. Duff and his team studied each product’s capabilities and mapped them to the MITRE ATT&CK framework, digging into configuration nuances, defensive postures, and whether certain protections are active or disabled. CDI provides the missing context for understanding whether an environment is actually defended against specific techniques.
When these two knowledge systems are fused, Tidal Cyber generates highly accurate coverage maps showing where a security program is strong, where it is weak, and what specific steps can strengthen defenses. The platform offers a dynamic, evidence-driven view of defensive readiness rather than assumptions or static reports.
Introducing the Industry’s First Comprehensive Procedures Library
Since MITRE ATT&CK was released publicly in 2015, techniques and sub-techniques have helped defenders describe and categorize adversary behavior. However, a detection engineer cannot write a rule around an entire technique, nor can a red teamer emulate a technique without understanding the specific commands an adversary actually uses. This missing layer, Procedures, has long been the industry’s blind spot. Tidal Cyber has now filled it.
Procedures represent the exact (Sub-)Techniques attackers use. They include command lines, registry manipulations, file system interactions, and network behavior. “We built the world’s first real procedural knowledge base because defenders needed precision, not abstraction,” says Duff. “Detection engineers don’t defend against a technique, they defend against the exact actions attackers take.”
Tidal Cyber’s Procedures Library was made possible through its acquisition of Zero-Shot Security and the application of proprietary AI that processed more than 1,500 technical threat reports. This extraction work translated scattered, unstructured intel into more than 20,000 structured Procedure Sightings and more than 2,300 analytical Clusters. Each procedure is mapped to tactics, sub-techniques, threat actors, data components, technology platforms, and defensive capabilities. This breakthrough finally operationalizes the full TTP spectrum and provides the granularity needed for detection engineering, threat hunting, and adversary simulation at a level previously inaccessible to most security teams.
The Procedures Library is powerful on its own, but its value multiplies when integrated into Tidal’s Coverage Map. For the first time, defenders can examine how a specific adversary performs a specific behavior and immediately see which of their tools defend against that behavior and whether those tools are properly configured.
Tidal Cyber transforms threat intelligence from a reference resource into an operational engine. This means that teams can prioritize actual threats, eliminate guesswork, and make targeted improvements. As Duff explains, “Our goal is to help defenders squeeze more juice out of the oranges they already own.” The platform elevates the efficiency and accuracy of security investments, especially for teams with limited resources.
A New Approach to Compliance
One of Tidal Cyber’s most unexpected but transformative contributions is automated compliance evidence. By continuously analyzing tool inventories, configurations, and defensive coverage, the platform automatically maps evidence to frameworks such as NIST CSF, NIST 800-53, CIS Controls, and SOC 2. This eliminates the tedious cycles of manual screenshot collection and disconnected audit preparation. According to Struse, “Compliance evidence becomes a byproduct of doing security correctly.” This helps organizations spend less effort on documentation and more on actual risk reduction.
Tidal Cyber’s versatility is proven by its impact across radically different customer profiles. One notable example involved a small insurance company with a junior security team overwhelmed by chasing IOCs from their ISAC. After adopting Tidal Cyber, the team shifted from reactive IOC chasing to structured, behavior-based threat hunting. Within months, their capability had advanced by what they described as two years. At the other extreme, an advanced enterprise with more than 1,200 custom analytics used Tidal Cyber to catalog, categorize, and prioritize detection engineering efforts. By mapping every new rule against existing coverage, the organization eliminated duplication and increased efficiency. “If our platform can be that expert for them, connecting the dots and explaining what it means, that’s a huge level-up,” Duff says. Tidal Cyber becomes a force multiplier, elevating both inexperienced teams and highly mature ones.
Expanding a Category They Created
Tidal Cyber didn’t enter the threat-led defense category; they created it. The company recently secured a major venture round and tripled its top-line growth, validating the market’s hunger for a new approach to defense. International expansion, deeper AI-driven automation, and broader partnerships are all in motion as the company scales rapidly. Customers have become some of the most powerful advocates. As Gordon notes, “It’s incredibly gratifying when CISOs start recommending Tidal Cyber to peers because the platform has made such a tangible difference.”
For decades, defenders have been reacting, overwhelmed by volume, noise, and limited visibility. Tidal Cyber is shifting that dynamic, giving teams clarity, focus, and control. “We’re helping defenders move from reacting to driving the agenda,” Struse reflects. That shift is the essence of Threat-Led Defense—a model grounded in real adversary behavior, powered by data, and designed to give defenders the advantage they’ve long lacked.

