Every system understood. Any initiative solved.
May 2026 Platform Overview
Legacy, Homegrown, 3rd Party, AI Generated
Access your data anywhere. Move freely between vendors.
Structured context from systems with no official/sufficient API/MCP
Bridge tech debt to unlock modern observability and productivity capabilities
CRM data was leaking live on Telegram — and with no visibility into who was acting in the application, they had no way to stop it.
Self-hosted CRM from one of the market-leading vendors
Combined efforts of internal and external IR teams
Classified records from a government agency, with huge potential for damage, continuously leaking to the public.
Internal team trying to correlate across multiple sources (the asset and the security products: EDR, FW, SIEM)
Reach out and hire 2 premium IR companies to accelerate the investigation process
After multiple weeks of manual investigation, they still can't determine who the actor is or what the root cause is
Trying to reach out and interact with the attacker in order to stop the incident
Using the Unfolding process, Unfold learned the CRM deeply - its events, entities, protocols, and operational patterns.
Unfold maps every user activity to the product functionality it touches, answering the question: which user triggered the export, and from which IP?
Immediately after the next export attempt, the team was able to block the specific actor using the FW.
A telemetry pipeline from the CRM to the customer's SIEM was built and now continuously monitors the asset.
{
"data" : "INFO 192.168.4.22 2026-03-07T09:42:15 /api/v3/reports/customers/export"
}
{
"timestamp": "2026-03-07T09:42:15",
"event_id": 4055,
"target_id": "crm_core_prod",
"actor_name": "sarah.connor",
"source_ip": "192.168.4.22",
"action_category": "data_export",
"action_name": "mass_customer_export",
"resource_accessed": "customer_database",
"export_format": "CSV",
"records_exported": 84591,
"request_uri": "/api/v3/reports/customers/export",
"severity": "HIGH",
"risk_flag": "bulk_data_extraction"
}
An OT system integrator wanted to add threat detection on top of their HMIs.
Application owner left the organization; only legacy, outdated documentation remains
Core business is industrial operations, not software. Security talent is scarce, expensive, and hard to retain
Team was worried the consultants are generalists, not OT or HMI specialists
8-12 month engagement
Security consultancy spends 3-4 months just understanding the HMI architecture, protocols, and data flows.
Find a product that supports their HMIs (complex deployment, multiple programming languages)
Pushing a firmware update causes the parser to break and detections to stop firing. Start the project all over.
Their customers are asking for security visibility. If you can't offer it, someone else will package it into their HMI.
Using the Unfolding process, Unfold learned the HMI deeply - its events, entities, protocols, and operational patterns.
Supports the architecture, programming language and complex deployment environment.
Supports and adapts to any firmware update - makes sure parsers do not break and detections keep running.
Installed on 3 beta customers' instances in weeks.
A pen test exposed what everyone missed — red team moved through the organization's most critical CI/CD system with zero detection.
Code executed, new account created, role assigned, privileges escalated. Standard attack chain. Zero detection.
Who was the admin? What user was created? What permissions were granted? When? Jenkins logs couldn't answer any of it.
No connector in any marketplace. No structured audit trail. Data buried in flat text files — unstructured, incomplete.
The most important system in the software supply chain. Zero detection coverage. Zero investigation capability.
Track down who owns Jenkins. Request access. Wait. Schedule meetings. Weeks before security work starts.
Inspect runtime behavior. Modify logging config. Coordinate every change with DevOps.
Pull raw events. Write a custom parser. Structure the output manually. Test. It breaks on edge cases. Repeat for weeks.
Build a custom SIEM connector. Write detection rules without knowing what normal looks like. Months of work.
The Unfolding process mapped every entity: user creation, role assignment, admin actions, code execution, pipeline triggers.
Normalized data in the SIEM. The pen test scenario fully visible, queryable, alertable.
Every entity, action, and relationship already structured. Detection team writes rules against clean, semantic data.
No chasing owners. No parsing flat logs. Next pen test? The SOC sees it in real time.
Feb 19, 2026 12:31:53.251 PM/securityRealm/createAccountByAdmin by admin from 172.19.0.1
{
"timestamp": "2026-02-24T14:22:08",
"event_id": 8213,
"target_id": "jenkins_PROD_01",
"actor_name": "mchen",
"source_ip": "10.142.8.47",
"action_category": "user_management",
"action_name": "user_created",
"target_user": "apatil",
"auth_realm": "jenkins_internal",
"permissions_granted": ["Overall/Read"],
"request_uri": "/securityRealm/createAccountByAdmin",
"http_method": "POST"
}
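The hand-written parser step described above, as an added example (not Unfold's code and not part of the original page): it turns the flat Jenkins line shown above into the page's field names, marks the fields the flat line cannot supply, and returns rejected lines instead of dropping them. The URI-to-action table, function names, and the second and third sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed input: the flat line from this page plus two made-up lines.
SAMPLE_LINES = [
    "Feb 19, 2026 12:31:53.251 PM/securityRealm/createAccountByAdmin by admin from 172.19.0.1",
    "Feb 19, 2026 12:32:10.004 PM /job/build-app/build by dev1 from 172.19.0.7",
    "garbage line without structure",
]

# Whitespace between "PM" and the URI is optional, as in the page's sample.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)\s*"
    r"(?P<uri>/\S*) by (?P<actor>\S+) from (?P<ip>\S+)$"
)

# Hypothetical mapping from request URI to (action_category, action_name).
URI_ACTIONS = {
    "/securityRealm/createAccountByAdmin": ("user_management", "user_created"),
}

def normalize(line):
    """Return a normalized event dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ipaddress.ip_address(m["ip"])  # reject malformed source addresses
        ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S.%f %p")
    except ValueError:
        return None
    category, action = URI_ACTIONS.get(m["uri"], ("uncategorized", "unknown"))
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "actor_name": m["actor"],
        "source_ip": m["ip"],
        "action_category": category,
        "action_name": action,
        "request_uri": m["uri"],
        # Absent from the flat line: who was created and with which permissions.
        "target_user": None,
        "permissions_granted": None,
    }

def parse_all(lines):
    """Split input into (events, rejected) so parse failures stay visible."""
    events, rejected = [], []
    for line in lines:
        event = normalize(line)
        (events if event else rejected).append(event or line)
    return events, rejected
```

The `None` fields are the gap the questions above point at: the flat line names the admin and the source address, but not the created user or the granted role.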
A healthcare clinic company wanted to integrate different EMRs into a centralized data lake.
Intention to expand and accelerate the M&A Process.
Some are EOL; others block access for competitive reasons.
Budgeted project to run BI analytics using AI on top of the data lake.
A dedicated integration team of 4 engineers assigned full-time. Their job: reverse-engineer each EMR and build a custom pipeline.
Each EMR takes 4-6 weeks. Different schemas, different formats. Every connector is built from scratch.
When a vendor pushes an update, pipelines break. The team spends 30% of their time fixing what already worked.
No APIs exposed. No documentation shared. No official connector exists.
Using the Unfolding process, Unfold learned the EMR deeply - its events, entities, protocols, and operational patterns.
Once an app is Unfolded, all the data it extracts is already normalized.
AI initiative unblocked. Analytics and models running on clean, unified data from every clinic.
Using Unfold, the organization is no longer tied to a single EMR. Next acquisition? Same process. Hours, not months.