Blue Team Platform — AllSafe

The bottleneck of every Blue Team isn’t intelligence. It’s the time lost switching between tools.

The average SOC analyst uses between 6 and 12 different tools to investigate a single incident.
That means opening VirusTotal, then Shodan, then AbuseIPDB, then TheHive to open the case, then Wazuh to view correlated alerts.
Gjallarhorn was built to end that problem. A single platform that centralizes investigation, analysis, forensics, and case management — with all the SOC integrations a Blue Team needs.

6–12 different tools a SOC analyst uses per incident
40% of an analyst’s time is lost on manual tasks and context switching
20+ threat intelligence sources integrated in Gjallarhorn

Everything a Blue Team analyst needs. In one place.

Every Gjallarhorn module exists because an analyst needed it in production. Not catalog features — real tools for real threats.

01

IOC Investigation

Enter an IP, domain, hash, or URL and Gjallarhorn cross-checks it in real time against 20+ threat intelligence sources: VirusTotal, Shodan, AbuseIPDB, AlienVault OTX, GreyNoise, Criminal IP, URLScan, and more. In seconds you get the consolidated score, each source’s verdict, and the team’s complete investigation history. What used to mean copying and pasting between tabs is now a single click.

VirusTotal · Shodan · AbuseIPDB · OTX · GreyNoise · Criminal IP
02

Malware Analysis

Static analysis of suspicious files without executing them — zero contamination risk. Supports PE files (.exe, .dll, .sys), scripts (.ps1, .bat, .js, .vbs), Office documents, PDFs, and compressed archives. Detects known ransomware signatures, Cobalt Strike beacons, C2 frameworks, obfuscation techniques, and malicious behavior. Each analysis stored with SHA-256 hash, score, and verdict for future correlation.

PE · Scripts · PDF · Office · ZIP · Ransomware · C2 detection
03

Email Forensics

Drag in a .eml file and Gjallarhorn dissects it completely. Validates SPF, DKIM, and DMARC authentication. Extracts and analyzes all IOCs in headers, body, and attachments. Detects phishing patterns, BEC (Business Email Compromise), and social engineering. Traces the complete message path across relay servers. What used to take an expert analyst 30 minutes now takes seconds.

SPF · DKIM · DMARC · Phishing · BEC · IOC extraction · Header analysis
04

Case Management

Every security incident and finding managed in one place: opening, assignment, severity, status, and closure. Bidirectional sync with TheHive — cases created in Gjallarhorn appear automatically in TheHive, and vice versa. Classification by TLP (AMBER, RED, GREEN, WHITE), filters by status and severity, and complete lifecycle traceability for every incident.

TheHive sync · TLP · Severity · Traceability · Lifecycle
05

Native SOC Integrations

Gjallarhorn connects with the tools you already use. TheHive for case management, Wazuh for SIEM and EDR, Velociraptor for live endpoint forensics, Nessus and OpenVAS for vulnerabilities. Configuration via API key — no additional agents, no complex setups. The dashboard shows the status of each integration in real time and consolidates all events in a unified view.

TheHive · Wazuh · Velociraptor · Nessus · OpenVAS / GVM
06

Automatic Correlation

When Wazuh detects a security event, Gjallarhorn automatically investigates the involved IOCs and — if the score exceeds the configured threshold — opens the case in TheHive without human intervention. The analyst arrives to find the incident already investigated, enriched, and classified. Not alerts to review: cases ready to act on.

Wazuh → IOC → TheHive · Playbooks · Automated alerts
07

Phishing Simulation

Native phishing campaign engine built directly into Gjallarhorn — no third-party wrappers. Create target groups, design custom HTML templates, launch rate-limited campaigns, and measure real user behavior: who opened, who clicked, who submitted credentials. Every event is logged with IP and timestamp in the team timeline, correlated with the IOC history.

HTML templates · Tracking pixel · Credential capture · Awareness emails · RBAC phishing_analyst
08

WiFi Phishing Simulation

WiFi phishing campaigns against corporate networks with the Munin agent integrated in Gjallarhorn. Each simulation generates a unique pre-configured agent with the target SSID — the agent raises a fake portal, captures WiFi credentials in real time, and reports each event to the team. International access points, password capture, and per-session metrics. No agent reuse: each campaign, a new agent.

Munin agent · Target SSID · Fake portal · WiFi credential capture · Rate per session

This is not a prototype. This is Gjallarhorn running in production.

Each screenshot shows the system operating with real data from active security investigations.

Gjallarhorn SOC Dashboard with WiFi Phishing module

Control Panel: Unified dashboard with SOC integrations, active cases, phishing campaigns, WiFi simulations, and real-time intelligence sources
Unified operations center
One view.
The full operation.

The dashboard consolidates all module activity in real time. The analyst arrives and already knows what happened, what’s happening, and what needs attention — without switching tools or losing context.

Real-time SOC integrations: TheHive, Wazuh, Velociraptor, Nessus
Active cases with severity, assignment, and lifecycle status
Phishing campaigns and ongoing WiFi simulations
Active threat intelligence sources with last-seen activity

Every feature exists because an analyst needed it in a real investigation. No empty demos.

Gjallarhorn IOC Investigation

IOC Investigation: History of investigated IPs, domains and hashes with consolidated score, verdict, and detection source
Gjallarhorn Settings and SOC Integrations

Settings & Integrations: SOC integration panel: TheHive, Wazuh, Velociraptor, Nessus/OpenVAS and SMTP — configurable via API key from the UI

What used to mean copying and pasting between tabs is now a single click. What took 30 minutes takes seconds.

Gjallarhorn Email Forensics

Email Forensics: Full .eml analysis: authentication, IOC extraction, and phishing or BEC detection
Gjallarhorn Case Management

Case Management: Incidents and findings with severity, TLP, status, and automatic sync with TheHive

Static analysis: without executing the file, without contamination risk. Results in seconds.

Gjallarhorn File Analysis — static without execution

File Analysis: Static analysis of PE files, scripts, documents, and archives — without executing, without contamination risk
Malware analysis
No execution.
No risk.

Static analysis doesn’t run the file — it dissects it. Detects malicious behavior, known signatures, and evasion techniques before the file reaches a production endpoint.

PE (.exe, .dll, .sys) · Scripts (PS1, BAT, JS, VBS)
Office documents · PDFs · Compressed archives
Ransomware signatures and Cobalt Strike beacons
C2 frameworks and obfuscation techniques detected

Reconnaissance starts weeks before the attack. Training has to start before the reconnaissance.

Gjallarhorn Phishing Simulation — Templates

Template Editor
Customizable HTML templates with dynamic variables — name, company, role — for realistic awareness campaigns
Phishing Simulation
From send
to verdict.

Native engine built into Gjallarhorn — no third-party wrappers. From campaign design to analyzing who clicked and who submitted credentials, all in one place.

Target groups configurable by department or hierarchy
HTML templates with variables: name, company, role
Configurable rate limiting for realistic campaigns
Per-user metrics: opened · clicked · credentials submitted

Corporate WiFi networks are attack surface. Munin turns them into a training ground.

Gjallarhorn WiFi Phishing Simulation — Campaigns

WiFi Simulation Management
WiFi phishing campaigns against corporate networks: SSID, template, status, captures, and drop rate — each simulation generates a unique Munin agent
Gjallarhorn Munin WiFi Agent

Munin Agent
Configurable fake portal, real-time WiFi credential capture, international access points, and session tied to the simulation — downloadable and non-reusable

Gjallarhorn grows with every real investigation

It’s not a finished platform — it’s a living system that incorporates new capabilities as AllSafe’s analysts need them in production.

Available

v1.0 — Core SOC

JWT Auth + 2FA, RBAC (admin/analyst/viewer), IOC investigation, malware analysis, email forensics, case management, TheHive / Wazuh / Velociraptor / Nessus / OpenVAS integrations, automatic correlation, MITRE ATT&CK reports.

Available

v1.1 — Phishing Simulation + WiFi

Native phishing engine integrated into Gjallarhorn: customizable HTML templates, credential capture landing pages, tracking pixel, post-campaign awareness emails, and full campaign lifecycle management. Includes WiFi Phishing Simulation with Munin agent for corporate networks.

Coming soon

v2.0 — AI Investigation Agent

AI investigation agent with ReAct reasoning (Ollama / Claude) that analyzes IOCs, proposes hypotheses, and executes investigation steps autonomously. Natural language investigation chat integrated into case context.

Not another layer on top of your tools. The layer that was missing.

Built by security analysts who got tired of losing time between tools that don’t talk to each other.

Integration, not replacement

Connects with TheHive, Wazuh, Velociraptor, and Nessus via API. It doesn’t replace your tools — it makes them work together for the first time.

Designed for real SOCs

Every feature exists because an AllSafe analyst needed it in a real investigation. No empty demos, no catalog features.

RBAC + 2FA from day one

JWT with TOTP two-factor authentication, role-based access control, and rate limiting. The security of the security tool is not optional.

Support from those who built it

You’re not buying a license and being left alone. The AllSafe team that developed Gjallarhorn supports you through implementation, configuration, and integration.

I want Gjallarhorn in my SOC

Fill out the form and an AllSafe specialist will contact you to evaluate your environment, demonstrate the platform in action, and design the implementation for your team.



