MITRE ATT&CK content depth
Curated ATT&CK content with OpenText threat-research analyst perspective. Programs get content plus context rather than raw framework data.
OpenText • Security operations
OpenText Core Adversary Signals
Core Adversary Signals delivers MITRE ATT&CK-aligned adversary intelligence, TTP correlation, and actor profiling content into SOC workflows so detection and response anchor on real adversary tradecraft rather than IOC-only patterns.
Through Merito, the MITRE ATT&CK content from Core Adversary Signals gets integrated into Core TDR and Enterprise Security Manager, mapped against existing detection coverage to surface gaps, and operationalized into hunt-program workflows so SOC investigations carry adversary context end to end rather than as shelfware.
- Best for
- SOC leaders adding adversary intelligence to detection and response, Threat hunting team leads using ATT&CK as a hunting framework, IR leads anchoring response on threat-actor and TTP context
- Hosting
- SaaS
- Time to value
- Content live in days. Detection-coverage mapping in two to four weeks. Hunt program operationalization in four to twelve weeks.
- Security posture
- GDPR, HIPAA-aligned design, SAML SSO
- Last reviewed
- 2026-04-26
What it is
OpenText Core Adversary Signals in the enterprise stack
Core Adversary Signals is the adversary-tracking intelligence product inside the OpenText SecOps line. It pulls MITRE ATT&CK-aligned content (tactics, techniques, procedures, threat-actor profiles) into SOC workflows, correlates observed activity against known adversary tradecraft, and gives SOC analysts actor and TTP context on alerts. Programs running SIEM and UEBA without adversary intelligence detect anomalies; programs adding Adversary Signals detect anomalies in the context of who is doing what.
MITRE ATT&CK alignment is the load-bearing capability. ATT&CK is the industry-standard adversary-tradecraft framework, and SOCs that map detections to ATT&CK techniques get richer triage context, gap analysis (which techniques the SOC is not catching), and threat hunting structured around adversary patterns rather than ad-hoc IOC chasing. Core Adversary Signals provides curated ATT&CK content with OpenText threat-research analyst perspective on top.
Cross-product correlation with the rest of the SecOps line is the platform claim. Adversary intelligence flows into Core Threat Detection and Response (SaaS SIEM), Enterprise Security Manager (on-prem SIEM), Network Detection and Response, Core Behavioral Signals (UEBA), and Threat Intelligence (curated IOCs). Programs running the full line get adversary-aware SOC operations; programs running Core Adversary Signals standalone get the content without the workflow integration.
What stalls Adversary Signals adoption is consuming the content without operationalizing it. Programs that subscribe to ATT&CK content, push it into the SIEM, and never use it for hunt or triage gap analysis end up paying for content that nobody references. Merito's engagement designs the operational pattern: which detections map to which techniques, what the gap analysis cadence is, how hunt programs use adversary content, and how threat-actor profiles inform IR response. Without that, the subscription is shelfware.
Ideal use cases
- MITRE ATT&CK content integrated into SIEM and detection workflows
- Threat-actor profile context for SOC triage and IR response
- Detection-coverage gap analysis against ATT&CK techniques
- Threat hunting structured around adversary tradecraft
- Adversary-aware SOC operations alongside Core TDR or Enterprise Security Manager
What it is best at
Where OpenText Core Adversary Signals earns its seat
Threat-actor profiles
Profiles of major threat actor groups with TTP mapping, target sectors, and historical activity. SOCs anchor IR on actor patterns rather than generic IOC chasing.
Native SecOps integration
Adversary intelligence flows into Core Threat Detection and Response, Enterprise Security Manager, NDR, UEBA, and Threat Intelligence inside the OpenText SecOps line.
Detection-coverage gap analysis
Maps existing detections to ATT&CK techniques and surfaces gaps. Programs see which adversary tradecraft is unmonitored.
Hunt program enablement
Structures threat-hunting programs around adversary content rather than ad-hoc IOC chasing.
Core capabilities
OpenText Core Adversary Signals capabilities, grouped by outcome
Adversary content
What Core Adversary Signals actually delivers as a content stream.
MITRE ATT&CK technique content
Curated ATT&CK content covering tactics, techniques, and procedures across the framework.
Threat-actor profiles
Major threat actor groups with TTP mapping, target sectors, and historical activity.
Campaign and incident analysis
Curated analysis of major campaigns and incidents for IR and detection-engineering reference.
OpenText threat-research perspective
Analyst commentary on top of raw framework content, with sector-specific context where relevant.
Detection and hunt integration
Turning content into operational SOC capability.
Detection-coverage mapping
Maps existing detections to ATT&CK techniques. Surfaces coverage gaps.
Hunt program enablement
Structures threat-hunting around adversary content rather than ad-hoc IOC chasing.
Investigation enrichment
Adversary context attached to SOC investigations for triage acceleration.
Cross-product integration
Adversary content flowing into the SecOps line.
SIEM integration
Adversary content feeds Core Threat Detection and Response and Enterprise Security Manager.
UEBA enrichment
Adversary context enriches Core Behavioral Signals scoring.
Threat-intel integration
Pairs with OpenText Threat Intelligence for IOC plus TTP coverage.
NDR enrichment
Network Detection and Response signals enriched with adversary context.
Where it fits in the stack
How OpenText Core Adversary Signals connects to the rest of your landscape
OpenText SecOps line (native)
Native- OpenText Core Threat Detection and ResponseAdversary content integrated into SaaS SIEM detections and investigations.
- OpenText Enterprise Security ManagerAdversary content integrated into on-prem SIEM detections.
- OpenText Core Behavioral SignalsUEBA scoring enriched with adversary context.
- OpenText Threat IntelligenceIOC plus TTP coverage in one OpenText subscription.
- OpenText Network Detection and ResponseNDR signal enriched with adversary context.
Third-party SOC platforms (certified)
Certified- Splunk, Microsoft Sentinel, IBM QRadarAdversary content delivery to third-party SIEMs.
- Threat-intelligence platformsIntegration with TIPs for unified intel ingestion.
- ServiceNow, JiraInvestigation and case management with adversary context.
Custom integrations
Custom- Internal hunt platforms and detection engineering toolsCustom integration for internal hunt and detection-engineering workflows.
- Sector-specific intelligence sharingIntegration with ISAC and ISAO platforms for sector intelligence sharing.
Deployment and implementation
How it rolls out
- Hosting
- SaaS (North America, EMEA, APJ)
- Implementation complexity
- Moderate
- Typical time to value
- Content live in days. Detection-coverage mapping in two to four weeks. Hunt program operationalization in four to twelve weeks.
- Prerequisites
- Existing SOC and detection program
- SIEM landscape (Core TDR, ESM, or third-party)
- Named SOC and threat-hunt owner
- Detection-coverage baseline for gap analysis
- Hunt-program operational shape
- What Merito usually handles
- Core Adversary Signals runs as SaaS content delivery integrated into the rest of the OpenText SecOps line. Merito handles content integration, detection-coverage mapping, hunt-program operationalization, and IR-context wiring.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- OpenText Core Adversary Signals is SaaS-licensed by analyst seat count, content scope, and SecOps integration breadth. Pricing depends on coverage breadth and integration footprint. Merito holds the partner relationship and scopes the SOC operationalization separately.
- Editions and modules
Core Adversary Signals
Standard SaaS edition with curated MITRE ATT&CK content and threat-actor profiles.
Best for: SOCs adding adversary intelligence to detection and response.
Core Adversary Signals with Threat Intelligence
Bundled with OpenText Threat Intelligence for IOC plus TTP coverage.
Best for: Programs consolidating adversary intelligence and threat intelligence subscriptions.
- Common expansion areas
- Add Threat Intelligence for curated IOC feeds
- Add Core Threat Detection and Response or Enterprise Security Manager for SIEM integration
- Add Core Behavioral Signals for UEBA enrichment
- Add Network Detection and Response for traffic-pattern adversary context
Merito services
How Merito helps you win with OpenText Core Adversary Signals
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Core Adversary Signals Implementation
Content integration, detection-coverage mapping, hunt-program operationalization, IR-context wiring.
Explore service02MAPS Assessment
SOC program scoping for Core Adversary Signals alongside Recorded Future, Mandiant Advantage, and specialist providers.
Explore service03DevOps Consulting
Hunt program operationalization and detection-coverage gap analysis.
Explore service04Premium Support
Named engineer, priority SLAs, and release-time coverage for Core Adversary Signals.
Explore service05Managed Services
Long-term run support including content integration maintenance, hunt-program evolution, and detection-coverage updates.
Explore service06Training and Enablement
Role-based training for detection engineers, threat hunters, and IR leads.
Explore service07Staff Augmentation
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Core Adversary Signals licensing
License the ATT&CK content. Operationalize it. Same engagement.
Core Adversary Signals pricing arrives with content integration, detection-coverage mapping, hunt-program operationalization, and IR-context wiring that turn adversary content into adversary-aware SOC operations rather than shelfware.
Merito point of view
MITRE ATT&CK content is shelfware unless someone operationalizes it.
Merito has audited SOCs that subscribed to ATT&CK content, dropped it into the SIEM, and never referenced it again. Adversary intelligence becomes shelfware when nobody maps existing detections to techniques, runs gap analysis on coverage, or anchors threat hunts on adversary tradecraft. Core Adversary Signals is the right product for programs willing to operationalize ATT&CK; for programs that just want a checkbox subscription, the value is muted.
Merito recommends Core Adversary Signals specifically for programs running OpenText SecOps line, when threat-hunting and detection engineering are real disciplines, and when IR response anchors on actor profiles. For programs picking specialist threat intelligence breadth, Recorded Future and Mandiant Advantage are competitive depending on the program shape. Merito surfaces those alternatives honestly during scoping.
The pairing with OpenText Threat Intelligence is the load-bearing move on adversary-aware SecOps. Threat Intelligence covers IOC depth (specific known-bad infrastructure); Core Adversary Signals covers TTP depth (how adversaries operate). Programs running both get IOC-plus-TTP coverage; programs running only one get half the picture.
What buyers usually underestimate
- Subscribing to adversary content without operationalizing it through detection mapping or hunt programs.
- Adopting Core Adversary Signals without integration into Core TDR or Enterprise Security Manager, isolating the content.
- Treating ATT&CK as a checklist rather than a hunt and detection-engineering framework.
- Skipping detection-coverage gap analysis, leaving unmonitored adversary tradecraft uncatalogued.
- Adopting Adversary Signals without Threat Intelligence, getting TTP coverage without IOC depth.
Related from Merito
Continue exploring OpenText Core Adversary Signals on Merito
Related solutions
Related services
Related products
- OpenText Core Threat Detection and ResponseSaaS SIEM that consumes adversary content for detection.
- OpenText Enterprise Security ManagerOn-prem SIEM that consumes adversary content for detection.
- OpenText Threat IntelligenceCurated IOC feeds paired with adversary content.
- OpenText Core Behavioral SignalsUEBA scoring enriched with adversary context.
- OpenText Cybersecurity (vendor portfolio)Full OpenText Cybersecurity catalog across AppSec, IAM, SecOps, Data Security, and DFIR.
Frequently Asked Questions
OpenText Core Adversary Signals FAQs
Consultation request
Talk to Merito about OpenText Core Adversary Signals
Share your SOC operating model, threat-hunting maturity, and IR program shape. A Merito OpenText specialist follows up within one business day.
MITRE ATT&CK depth
TTP and actor content
Curated ATT&CK content, threat-actor profiles, and OpenText threat-research perspective.
Operationalize
Detection mapping plus hunt enablement
Content alone is shelfware. Merito wires it into detection coverage, hunt programs, and IR context.
Next step
Operationalize ATT&CK or expect shelfware.
A Merito Core Adversary Signals engagement starts with detection-coverage mapping and hunt-program design. Adversary content without operational integration is a checkbox subscription.