Threat Center

Available for Enterprise Tier only

The Threat Center in StepSecurity is your central view into all supply chain compromises detected by StepSecurity. It provides a real-time feed of active incidents alongside historical records, making it easier to track, investigate, and respond.

For background on the intelligence powering the Threat Center, see our blog post.

Accessing the Threat Center

Step 1: Open the StepSecurity Dashboard

From the left-hand menu, click Threat Center. The page displays a list of active threats, marked with a red Active badge, along with historical incidents that include their start and close times.

You can also open the Threat Center directly by clicking the 🔔 New Threat notification in the dashboard header

Step 2: Expand Threat Details

Click Show Details on any incident to see:
- A description of the compromise
- Affected packages or Actions
- Recommended remediation steps you can take directly within StepSecurity

Notifications and Integrations

Every new entry in the Threat Center automatically triggers notifications through your existing StepSecurity channels:

Slack
Email
AWS S3
Webhook

This ensures your team is informed immediately.

Because alerts are integrated with your existing systems, you can automate the response process. For example, you can configure your SIEM so that when a new Threat Center event is raised, an on-call engineer is automatically paged.

See an example detection event here

Querying Compromised Components via API

In addition to the dashboard view, you can retrieve the compromised Open Source Software (OSS) components for a specific incident programmatically through the StepSecurity API. This is useful for feeding incident data into your own tooling, automating triage, or correlating compromised packages against your dependency inventory.

The endpoint returns all compromised components tied to an incident, including the package ecosystem, affected version, severity, verification status, and a description of the threat.

GET /github/{owner}/threat-intel/incidents/{incidentId}/compromised-components

The request takes your GitHub organization (owner) and the unique incident identifier (incidentId) as path parameters, and requires a valid StepSecurity API token.

Example Response

{
  "compromised_components": [
    {
      "type": "npm",
      "component_name": "malicious-pkg",
      "version": "1.2.3",
      "incident_group_id": "ig-001",
      "description": "Package contains malicious code that exfiltrates credentials",
      "severity": "critical",
      "verified": true,
      "added_at": "2024-01-15T10:00:00Z",
      "threat_intel_id": "f47ac10b-58cc-4372-a567-0e02b2c3d479"
    }
  ]
}

PreviousOverview NextReports

Last updated 1 day ago

Was this helpful?