Detection Validation Platform
Does your SIEM actually catch attacks?
Harrier simulates real TTPs on an ephemeral AWS range, queries your SIEM for detections, and auto-generates draft rules for every gap — in under an hour.
No agents required
First report in ~1 hour
Splunk · Elastic · Sentinel
Range destroyed after run
app.harriersec.io/overview
- Coverage: 74% (↑ 6% vs last run)
- TTPs tested: 48 of 142 in scope
- Critical gaps: 7 · ↓ 2 rules drafted
- Run cost: $0.74 from AWS credits
Coverage by tactic
- Execution: 80%
- Persistence: 71%
- Credential Access: 28%
- Command & Control: 15%
Critical gaps
- LSASS Memory Dump (T1003.001 · Cred. Access)
- C2 over DNS (T1071.004 · C&C)
- Lateral Movement SMB (T1021.002 · Lat. Mov.)
- ~1 hr: from SIEM connection to first gap report
- $0.74: average AWS infrastructure cost per simulation run
- 3+: SIEM platforms supported (Splunk · Elastic · Sentinel)
- 142: MITRE ATT&CK techniques in the simulation library
How it works
First value in under an hour
No agents to deploy. No complex onboarding. Connect your SIEM, pick a preset, and Harrier handles everything else — including cleanup.
01 · Connect your SIEM (~5 min)
Paste your Splunk, Elastic, or Sentinel API token. Harrier verifies read access and maps your available indexes.
02 · Pick a TTP preset (~2 min)
Choose Ransomware Readiness, Credential Theft, Lateral Movement, or build a custom set from 142 MITRE techniques.
03 · Harrier simulates attacks (~40 min)
An ephemeral EC2 range spins up in your AWS account, runs Atomic Red Team techniques, and forwards telemetry to your SIEM.
04 · AI gap report + draft rules (~5 min)
Every missed detection gets an AI analysis, a draft SPL/EQL rule, and a GitLab MR. Range is destroyed — you pay ~$0.75 total.
Features
Built for detection engineers
Not another compliance checkbox tool. Every feature is designed to make your detection rules actually better — faster.
Single-TTP Replay
Fixed a detection rule? Replay just that one technique in ~5 minutes instead of running the full 45-minute cycle again.
killer feature
Auto-draft Detection Rules
For every gap, Harrier generates a draft SPL, EQL, or KQL rule and opens a GitLab MR — ready for your review.
ships MRs automatically
Multi-SIEM Support
Splunk Cloud, Elastic SIEM, and Microsoft Sentinel via a single universal connector API. More platforms coming Q3 2026.
Cortex XSIAM coming soon
Bring Your Own Config
Upload your Sysmon XML, auditd rules, or EDR install script. Harrier applies your configs before every run — testing your real stack, not a demo environment.
your configs, not ours
AI-powered Analysis
Amazon Bedrock (Claude Sonnet) explains why each technique was missed, what telemetry is absent, and exactly what needs to change.
powered by Bedrock
Ephemeral by Design
Every simulation range is torn down automatically after the run. No persistent infrastructure, no ongoing EC2 cost, clean state every time.
destroy after run
- Detected: SIEM rule fired within detection window
- Missed: Zero events, confirmed detection gap
- Prevented: EDR blocked before telemetry generated
- Inconclusive: Events found, requires analyst review
Pricing
Pay for what you actually run
No annual contracts. No $30k commitments. Start with a single run — upgrade when you see the value.
Starter
$49
per run
Perfect for a first look or quarterly validation. Run when you need it, pay only for what you use.
- Up to 10 TTPs per run
- Splunk or Elastic connector
- AI gap report (PDF + Slack)
- Draft detection rules
- Bring your own configs (BYOC)
Most popular
Team
$299
per month · 20 runs included
For detection engineering teams that run weekly. Scheduled automation, coverage trends, and replay library included.
- 20 runs/month included
- Splunk + Elastic + Sentinel
- Single-TTP Replay
- Scheduled weekly runs
- GitLab MR auto-creation
- Coverage trend dashboard
Enterprise
$999
per month · unlimited runs
For larger SOC teams and MSSPs. Unlimited runs, multi-tenant workspaces, and Cortex XSIAM support.
- Unlimited runs
- All SIEMs incl. Cortex XSIAM
- Multi-tenant (MSSP ready)
- macOS endpoint add-on
- SSO + audit log
- Priority Slack support
All plans include ephemeral infrastructure — ranges are destroyed after every run. No hidden EC2 costs.
Get started
Find your detection gaps before attackers do
First run is $49 — no account needed upfront, no agents to install. Connect your SIEM and get a full gap report in under an hour.
Range destroyed after run · ~$0.74 AWS cost · No persistent infrastructure