CT Timeline — Incident Intelligence Platform

Every Attack
Has A Story.

CT Timeline transforms cyber incidents into immersive, explorable experiences. Not reading history — traveling through it, decision by decision.

CT Timeline — Incident Archive
Live · Reconstructed
Initial Recon
Initial Access
Lateral Movement
Exfiltration
Detection
Containment
Day 0 · Day 12 · Day 31 · Day 58 · Day 71 · Day 89
01 / THE PROBLEM
Cyber incidents are buried in PDFs nobody reads.
Threat reports. Post-mortems. Advisories. Essential intelligence locked inside formats that flatten every dimension of an attack into static paragraphs.
02 / THE SHIFT
History should be explored, not summarized.
Every incident has momentum. Decisions. Pivots. Moments where everything could have been different. That story demands an interactive medium.
03 / THE ANSWER
CT Timeline brings cyber history to life.
Travel through reconstructed incidents minute by minute. Pause. Branch. Compare decisions. Understand not just what happened — but why, and what could have changed it.
The Cyber Time Machine

Travel Through
Cyber History.

Drag, zoom, and pause across a living archive of reconstructed cyber incidents. Every node is an explorable investigation.

Case Library

Reconstruct
Real Incidents.

From supply chain compromises to nation-state campaigns — every case fully reconstructed and ready to explore.

Supply Chain · Critical
The Cascade Compromise
A trusted software update mechanism becomes the entry point for thousands of downstream victims across government and enterprise.
18,000 Victims
9 mo Undetected
247 Events
Ransomware · Critical
Critical Infrastructure Lockdown
A ransomware group shuts down fuel pipeline operations across the Eastern Seaboard, triggering national emergency protocols.
$4.4M Ransom
6 days Disruption
89 Events
Cloud Breach · High
The Misconfigured Kingdom
A single misconfigured S3 bucket exposes customer records for 106 million individuals across 14 countries.
106M Records
105 days Exposed
44 Events
Nation-State · Critical
Operation Ghost Protocol
A multi-year espionage campaign infiltrates defense contractors across five allied nations, exfiltrating classified weapons specifications.
3 yrs Duration
5 Nations
412 Events
Crypto Heist · High
The Invisible Withdrawal
Attackers compromise a cryptocurrency exchange's hot wallet infrastructure, draining $620M over 72 hours completely undetected.
$620M Stolen
72 hrs Window
156 Events
Healthcare · Critical
Patient Zero
A ransomware attack cripples hospital networks across a major health system, forcing surgical cancellations and diverting emergency patients.
400+ Hospitals
21 days Recovery
203 Events
Incident Reconstruction

Explore Every Phase
Of An Attack.

Walk through each MITRE ATT&CK phase with full context — evidence, indicators, decisions, and missed opportunities.

Phase 01
Initial Access
Day 0 — 02:14 UTC
Signature Feature

Parallel Reality.
Rewrite History.

Replay famous incidents with one decision changed. See exactly how different actions could have altered the outcome.

What Actually Happened
Historical Record
MFA was not enabled on the VPN portal.
Day 0 — 02:14 UTC
Credential stuffing attack succeeds
Attacker authenticates with compromised credentials. No additional verification required.
Day 0 — 04:31 UTC
Internal network access established
Attacker pivots to internal systems. Discovery phase begins. No alerts triggered.
Day 3 — 11:08 UTC
Lateral movement to domain controller
Domain admin credentials harvested. Attack reaches critical infrastructure.
Day 11 — 03:44 UTC
Ransomware deployed — full encryption
Complete operational shutdown. $4.4M ransom demanded. Business continuity lost.
Parallel Reality
If MFA Was Enabled
What if MFA had been enforced on the VPN portal?
Day 0 — 02:14 UTC
Authentication challenge triggered — blocked
Credential stuffing attempt fails. MFA challenge issued. Attacker cannot proceed.
Day 0 — 02:19 UTC
Anomalous login alert generated
SIEM detects repeated failed MFA from foreign IP. SOC reviews within 12 minutes.
Day 0 — 02:41 UTC
Attack contained — threat actor pivots away
IP blocked. Intelligence shared. Incident closed. Zero business impact.
Global Attack Cartography

Watch Attacks
Unfold Globally.

An animated visualization of how cyber campaigns propagate across regions over time. Storytelling through geography.

Event Types
Active Attack Origin
Targeted Victim
Intelligence Source
Contained / Remediated
Role-Based Intelligence

One Incident.
Many Perspectives.

CISO / Executive
Business Risk.
Board-Ready Context.
Understand the financial impact, regulatory exposure, and strategic decisions that defined the outcome. Designed for executives who need intelligence without noise.
$47M Business Impact
3 Regulatory Actions
11 Critical Decisions
Critical Missed Decision
Board approved MFA deferral 6 months before breach to avoid user friction. That decision cost $47M and triggered an SEC investigation.
Regulatory Exposure
GDPR Article 32 violation. 72-hour notification window was missed. CISO resigned 3 weeks post-breach.
Strategic Lesson
Organizations that invested in identity security in the prior 12 months experienced 84% lower breach costs in similar incidents.
SOC Analyst
Every Alert.
Every Signal. Reviewed.
Walk through the exact alerts that fired — and the ones that didn't. Understand detection gaps, false negative patterns, and the alerts the SOC missed at 2 AM.
847 Alerts Generated
3 Key Signals Missed
12 min Possible MTTD
Missed Detection
Alert #4471 fired at 02:31 UTC. Classified as false positive due to SIEM tuning. In reality: the first lateral movement indicator.
Alert Fatigue Factor
SOC processing 2,400 alerts per day. Analyst on duty reviewed 380 alerts before the key signal appeared.
Detection Opportunity
Behavioral deviation was 3.8σ at 04:11 UTC. A UEBA rule would have flagged this automatically with zero analyst effort.
DFIR Investigator
Evidence. Artifacts.
Attribution.
Examine the forensic evidence trail — file artifacts, registry modifications, memory captures, PCAP analysis, and TTPs mapped to MITRE ATT&CK.
2,847 Evidence Artifacts
APT41 Attribution
94% Confidence Level
Malware Family
DEADEYE dropper deployed at Day 0. Connects to infrastructure previously attributed to APT41 in 2021 campaigns.
Persistence Mechanism
Registry Run key modified. Scheduled task created with SYSTEM privileges. WMI subscription as secondary persistence.
C2 Infrastructure
3 C2 domains identified on bulletproof hosting in Eastern Europe. TTL manipulation used for detection evasion.
Threat Hunter
Hunt Hypotheses.
Validated In History.
Use real incident data to validate hunting hypotheses. Understand which TTPs were used, which detections would have found them, and what to hunt for next.
23 ATT&CK Techniques
7 Novel Techniques
11 Hunt Queries
Living Off The Land
certutil.exe for payload delivery. PowerShell -EncodedCommand for execution. WMI for lateral movement — all native binaries.
Novel Evasion
DLL side-loading via legitimate signed application not previously observed in this threat group. First documented use.
Hunt Opportunity
svchost.exe spawning certutil.exe — unusual parent-child relationship. High-fidelity hunt signal across this entire campaign.
Student / Researcher
Learn From
Real History.
Every incident is a complete case study. Explore the attack chain step by step, understand the decisions, and build real-world intuition for how breaches unfold.
12 Attack Phases
47 Key Concepts
8 Lessons Extracted
Learning Moment #1
Credential reuse from an unrelated breach was the initial vector. Unique passwords would have prevented entry entirely.
MITRE Mapping
T1078 Valid Accounts → T1021 Remote Services → T1053 Scheduled Tasks. Classic initial access to persistence chain.
Quiz Yourself
At which phase could this attack have been stopped with the lowest effort? Explore the Parallel Reality engine to find out.
Cyber Toddler Ecosystem

Every Platform.
One Living Archive.

CT Timeline is the historical intelligence layer of the Cyber Toddler ecosystem. Every platform enriches every incident.

CT Intel
Global Threat Intelligence
Enriches every incident with real-time threat actor profiles, campaign data, and IOCs.
CT Forensics
Digital Investigation
Contributes forensic artifacts, evidence chains, and attribution data to completed investigations.
CT Hunt
Vulnerability Discovery
Surfaces which vulnerabilities were exploited and maps them against your current attack surface.
CT Reality
Predictive Cybersecurity
Uses historical incident patterns to predict which attacks are most likely to affect you next.
CT Intelligence
AI Platform
Explains tactics, provides context, and answers questions about every phase of every incident.
CT Space
Experience Platform
Transforms historical incidents into live training exercises and tabletop simulations.
CT Advisory
Strategic Advisory
Uses incident history to benchmark your security posture and prioritize investments effectively.

History is the greatest cybersecurity teacher.

Every incident leaves lessons. Every lesson deserves exploration.

From Reports to Reality
Cyber incidents should not be read through static PDFs. They should be experienced through interactive reconstruction.
Investigation Over Summary
Headlines compress months of attacker activity into a single sentence. CT Timeline expands every moment back to full resolution.
History That Protects
Understanding yesterday's attacks is the most reliable way to defend against tomorrow's campaigns.

Understand Yesterday.
Protect Tomorrow.

The next cyber incident starts somewhere. Make sure your organization has already walked through one like it.

No credit card required · Enterprise plans available · SOC 2 Type II compliant