ABTDS
Closed beta · 10 founder spots

Security alerts
that show their work.

Windows endpoint detection for companies without a SOC. Every alert comes with the math, the MITRE technique, and the next step — in plain English.

30 days free · No card required · Your data, your VPS

HIGH · T1110.001 · Brute Force: Password Guessing

Brute Force Attack

Failed logins from foreign infrastructure

Risk score: 72 / 100
User: j.morton
Source IP: 203.0.113.42
Country: Bulgaria

Factor breakdown (score / cap):
  • IF Anomaly 18/25
  • Failed Logins 20/20
  • Geo Risk 11/15
  • Time Risk 6/8
  • Baseline Dev 2/8
  • Context Flags 5/10
  • Velocity 3/4
  • Interaction 3/5
  • VT Intel 4/5
AI Analysis · high
Credential brute force

Twelve failed Windows logon attempts in 4 minutes from a hosting-provider IP in Bulgaria, off-hours, against a privileged account. Velocity and geography both deviate from this user's baseline.

  • Block 203.0.113.42 at the firewall
  • Force MFA reset on j.morton
  • Review related Sysmon 4624 events for any successful follow-up

Speaks the language of every Windows shop

Windows Server · Sysmon · Winlogbeat · Elasticsearch · MITRE ATT&CK · Sigma · VirusTotal

The problem

Your security tool just told you something's wrong.
It won't tell you what.

Alert fatigue

Defender's noise has trained you to mute the one that matters. By the time you read the alert that's actually real, it's been sitting unread for three days.


Black-box EDR

"Risk: 87" is not security — it's a number. CrowdStrike, SentinelOne, and Sentinel won't show you why they fired, what factors matter, or what to do next.

The price of safety

Enterprise EDR costs $60–180 per endpoint, per year. For 200 endpoints that's $36k. You don't have $36k. You have a Defender license and a feeling.

Read the difference

Same threat.
Three very different answers.

A brute-force attempt against a real Windows endpoint. Here's what each tool says when it fires.

Microsoft Defender says:

"Medium risk."

That's it. That's the whole alert.

CrowdStrike says:

"Score: 87."

From what? Threshold for what? On a curve calibrated when?

ABTDS says:

"Failed login from Bulgaria, off-hours, new ASN. 4 of 9 factors above baseline. Likely brute force."

Block the IP. Force MFA reset on j.morton. Review the next 4 Sysmon 4624s.

We're not better at detecting brute force. We're better at explaining the one you're already detecting.

The plan

Three steps. Fifteen minutes to your first alert.

01

Connect

5 minutes per machine

One PowerShell script installs Winlogbeat and points it at your ABTDS endpoint. Standard Microsoft tooling — your sysadmins already know it.

PS> .\install-abtds-agent.ps1 -Endpoint app.abtds.io

02

Watch

Alerts arrive in 30 seconds

Every alert lands with the 9-factor breakdown, the matched MITRE technique, and the AI-generated next step. The math is on the page.

03

Close

ABTDS learns from you

Mark false positives once. ABTDS suppresses the same signature next time, automatically. Your alert queue gets quieter every week.

Built differently

Three things every EDR should do.
Three things only ABTDS does at this price.

01 / 03

9-Factor Explainable Scoring

The radar that ends 'why did this fire?'

Every alert is decomposed into 9 weighted factors — IF anomaly, failed logins, geo risk, time risk, baseline deviation, context flags, velocity, interaction bonus, threat intel. Each one shows its math, its threshold, and the per-user baseline it's measured against. Caps sum to exactly 100. No mystery scores.

IF anomaly · 25 · failed logins · 20 · geo risk · 15 · +6 more
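As an added example (not ABTDS code), the scoring rule this section describes: fixed per-factor caps that sum to 100, each factor clamped to its cap, the total banded into a severity label, with the Sigma-overrides-anomaly rule from the MITRE + Sigma + ML section folded in. The factor values reuse the j.morton card at the top of the page; the severity cut-offs and the clamping rule are assumptions.

```python
"""Explainable 9-factor scoring, modelled on the breakdown above.
Added example, not ABTDS code: factor names and caps are from the page
(they sum to 100); raw factor values and severity cut-offs are assumed."""
# Per-factor caps as listed on the page.
FACTOR_CAPS = {
    "if_anomaly": 25, "failed_logins": 20, "geo_risk": 15,
    "time_risk": 8, "baseline_dev": 8, "context_flags": 10,
    "velocity": 4, "interaction": 5, "vt_intel": 5,
}
assert sum(FACTOR_CAPS.values()) == 100
# Assumed severity bands (the labels appear on the page, the cut-offs do not).
BANDS = [(90, "CRITICAL"), (70, "HIGH"), (40, "MEDIUM"), (0, "LOW")]
ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def score_alert(raw):
    """Clamp each factor to [0, cap] and sum -> (total, {name: (score, cap)}).
    Clamping plus rejecting unknown keys means the total can never exceed 100."""
    unknown = set(raw) - set(FACTOR_CAPS)
    if unknown:
        raise ValueError("unknown factors: %s" % sorted(unknown))
    factors = {}
    for name, cap in FACTOR_CAPS.items():
        factors[name] = (max(0, min(int(raw.get(name, 0)), cap)), cap)
    return sum(s for s, _ in factors.values()), factors


def explain(factors):
    """Lines for the alert card, largest contributor first."""
    rows = sorted(factors.items(), key=lambda kv: -kv[1][0])
    return ["%s %d/%d" % (n, s, c) for n, (s, c) in rows]


def severity(total, sigma_match=False):
    """Band the total; a Sigma signature hit floors the label at HIGH."""
    label = next(lbl for floor, lbl in BANDS if total >= floor)
    if sigma_match and ORDER.index(label) < ORDER.index("HIGH"):
        label = "HIGH"
    return label


# Constructed sample: the j.morton brute-force card shown above.
SAMPLE = {"if_anomaly": 18, "failed_logins": 20, "geo_risk": 11,
          "time_risk": 6, "baseline_dev": 2, "context_flags": 5,
          "velocity": 3, "interaction": 3, "vt_intel": 4}

if __name__ == "__main__":
    total, factors = score_alert(SAMPLE)
    print("Risk score %d/100 (%s)" % (total, severity(total)))
    print("\n".join(explain(factors)))
```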
02 / 03

Gemini-Powered Triage

An on-call analyst on every CRITICAL

When an alert crosses HIGH, we ship the structured event to Gemini for analysis. Out comes the attack-type classification, a likely-actor verdict (self / external / unknown), a plain-English summary, and concrete SOC + user action recommendations. Indexed back onto the alert. Schema-locked. Nothing to read between the lines.

Attack type · Likely actor · SOC actions · User actions
03 / 03

MITRE + Sigma + ML

Signature meets anomaly, not either-or

Every event tagged with its MITRE technique and tactic. Sigma rules layer on top of Isolation Forest — so a known-bad command line fires HIGH even if the user's behaviour looks fine. Anomaly catches the novel; signatures catch the known. Both surface in the same triage queue with provenance shown.

T1110.001 · r001 · Encoded PS · T1041 · T1543.003

A tour

Four pages.
Everything you need. Nothing you don't.

Command Center 01 / 04

Live operational pulse

Severity counts, alert volume by hour, top-risk users, world map of foreign sources, adaptive defence state — one page. Updates every 10 seconds. Built for the IT manager who has 90 seconds between meetings.

Alert Inspector 02 / 04

Every alert, fully shown

9-factor radar. MITRE technique chip. Sigma rule provenance. Gemini analysis. Matched playbook from your library. Triage controls. WHOIS network ownership. VirusTotal verdict. All on one screen. No second clicks.

Investigation 03 / 04

Per-user baseline ribbons

When you drill into a user, every feature shows their median, IQR, and the deviation of recent events. Red traces where they crossed the 95th percentile. No more 'is this normal for j.morton?' — the answer is on the page.
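An added example, not ABTDS code, of the baseline ribbon described here: median, IQR and 95th percentile computed from a constructed per-hour failed-logon history for one user, with recent events flagged where they cross p95. The IQR-based deviation measure is an assumption.

```python
"""Per-user baseline ribbon: median, IQR and 95th-percentile crossing.
Added example, not ABTDS code. The statistics are the ones the page names;
the history is constructed (failed logons per hour for one user) and the
robust-z deviation measure is an assumption."""
import statistics


def percentile(values, pct):
    """Linear-interpolated percentile of a non-empty list, 0 <= pct <= 100."""
    data = sorted(values)
    pos = (len(data) - 1) * pct / 100.0
    lo = int(pos)
    hi = min(lo + 1, len(data) - 1)
    return data[lo] + (data[hi] - data[lo]) * (pos - lo)


def build_baseline(history):
    """Summarise one feature of one user: median, IQR bounds and p95."""
    q1, q3 = percentile(history, 25), percentile(history, 75)
    return {"median": statistics.median(history), "q1": q1, "q3": q3,
            "iqr": q3 - q1, "p95": percentile(history, 95)}


def deviation(value, base):
    """Distance from the median in IQR units (assumed measure) plus the
    p95 crossing that the page draws as a red trace. A zero IQR (a user
    who never varies) falls back to a spread of 1 so any change shows."""
    spread = base["iqr"] if base["iqr"] > 0 else 1.0
    z = (value - base["median"]) / spread
    return {"value": value, "z": round(z, 2), "crossed_p95": value > base["p95"]}


def ribbon(history, recent):
    """Baseline for the user plus one deviation row per recent event."""
    base = build_baseline(history)
    return base, [deviation(v, base) for v in recent]


# Constructed history: failed logons per hour for j.morton over 30 hours.
HISTORY = [0, 0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 0,
           1, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0]
RECENT = [0, 1, 12]  # last entry: the 12-failure burst from the alert above

if __name__ == "__main__":
    base, rows = ribbon(HISTORY, RECENT)
    print("median=%s q1=%s q3=%s p95=%.2f" % (base["median"], base["q1"],
                                             base["q3"], base["p95"]))
    for r in rows:
        print("%3d z=%6.2f %s" % (r["value"], r["z"],
                                  "RED" if r["crossed_p95"] else "ok"))
```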

Model Health 04 / 04

Adaptive defence, transparent

See the clean-event buffer fill. Watch retrains land — or get rejected by the canary check. The adversarial drift guard log shows every rejected poisoning sample with the user and reason. Auditable ML, not 'trust us'.


Pricing

Honest per-endpoint pricing.
No "contact us for a quote" games.

up to 50 endpoints

Starter

$4 /endpoint/mo
  • 9-factor explainable scoring
  • MITRE ATT&CK + Sigma starter pack
  • Gemini LLM analysis on CRITICAL
  • Weekly adaptive retraining
  • Email support · 48h
Start free pilot
Most popular
up to 500 endpoints

Pro

$7 /endpoint/mo
  • Everything in Starter
  • Full Sigma rule library + custom
  • Gemini analysis on CRITICAL + HIGH
  • Dedicated VPS, your region
  • SSO (Google, Microsoft)
  • Email + chat support · 12h
Start free pilot
unlimited endpoints

Enterprise

Custom
  • Everything in Pro
  • On-prem / your cloud
  • SAML / Okta / SCIM
  • Private LLM (no Gemini)
  • Bring-your-own Sigma + canaries
  • Dedicated CSM · 4h SLA
Talk to founders

Billed annually, with 2 months free. Or monthly — your choice. See full pricing details →

Founder's deal limited

First 10 customers get lifetime 30% off Pro — and a co-authored case study.

We're early. We need real customers more than we need top-tier margins. Help us prove the product works in the field — and pay 30% less every year you stay. Forever.

10/10 spots remaining

Honest about stage

We're new.
Here's exactly how new.

Most security vendors hide their stage behind logos and "trusted by" walls. We won't. ABTDS started as a capstone research project at Edith Cowan University in Perth, became a real product when we realised SMBs have no good options, and is now accepting its first 10 pilot customers.

If you sign up today, you get the founders' phone numbers, a co-authored case study, and a 30% lifetime discount in exchange for honest feedback during a phase that defines the product.

We won't claim Fortune-500 logos we don't have. When we have a customer, you'll be able to read their incident report.

0
Production customers

Yet. You could be the first.

100%
Founder access

Email goes to a real person. With a name.

open
Roadmap

Public. You vote on what we build next.

$0
Lock-in fees

Export everything, anytime. Apache 2.0 SDK.

The right decision

If you're tired of alerts you can't explain,
starting an ABTDS pilot is the right decision.

30 days. Up to 50 endpoints. No card. No call required to start. Real data, your VPS, your decision at the end.

Or email founders@abtds.io — we read every one