Welcome to MARS Security

Mars hunts threats and engineers detections. Continuously. Across every tool in your stack.

No data ingestion
No tool replacement
No additional headcount

Security teams are fighting threats their detection rules were not built for. Attackers move faster, use no malware, and expose gaps that are invisible until they exploit them.

Mars connects to your existing stack, hunts for active threats, and keeps your detections current against campaigns targeting your organization right now.

Select a topic from the menu to explore the platform. _

Why do organizations need MARS?

Your organization pays for threat intelligence. Last month's report described active campaigns targeting organizations in your sector. Someone read it. Nobody turned a single finding into a detection, and those campaigns are still running.

The loop between threat intelligence and a working detection has never been closed. Detection engineers write rules by hand for attacks from last year, while 81% of 2025 intrusions used no malware at all. Signature-based detection missed every one of them. The industry average for deploying a new detection is 121 days.

Most security teams cannot answer the question their board is already asking: which active campaigns would your stack actually catch today?

Mars closes the loop. It maps threat intelligence to your specific environment, converts TTPs into detections, and keeps your stack current against campaigns running right now. Automatically and continuously. No data migration. No tool replacement. No additional headcount.

The gap between what is targeting your organization and what your stack can detect starts closing the day Mars connects.

81% of attacks use no malware. Is your stack built for them?

35+ campaigns tracked weekly

Your SIEM is full of rules built for malware. Signatures, heuristics, known-bad hashes. Security teams have been writing these rules for thirty years, and most of them still live in your SIEM.

81% of 2025 intrusions used no malware. Attackers moved through identity providers, cloud management consoles, and remote monitoring software already installed on your endpoints, leaving nothing for signature-based detection to match against.

Most security teams build detections from alerts. If the alert fires, a rule gets written. No alert, no rule. That is reactive documentation of attacks you have already failed to catch.

Mars hunts from campaigns, not alerts. It maps adversary TTPs to your environment, translates them into detection logic, and deploys detections before the attack surfaces in your logs. Mars tracks 35+ active campaigns every week, generating hunts and detections built for your specific stack. The guesswork stops.

Can you prove your coverage would catch today's attacks?

3 to 4x MITRE ATT&CK coverage expansion

The question comes up every quarter. After every public breach, the board asks it: would we have caught this?

Most security teams cannot answer with confidence. They do not know where their gaps are until an attacker finds them first. Nobody on the team can tell you which active campaigns their detections would miss, or how far their MITRE ATT&CK coverage actually extends.

Mars maps exactly what your stack catches and what it misses. It surfaces every active threat campaign and closes every gap automatically. Your MITRE ATT&CK coverage expands three to four times over the first deployment cycle, with 100% detection coverage visibility from day one.

When your board asks, you either have the evidence or you do not. Mars builds it before they do.

How does it work?

01Connect to your existing stack

Mars integrates via API. SIEM, EDR, identity providers, cloud telemetry, data lakes including Snowflake and Databricks. No data ingestion. No duplication. Your telemetry stays where it is. Mars queries it in place, in real time, across your entire environment. Nothing moves.

02Turn threat intelligence into detections, same day.

A threat report comes in. An adversary group has updated their TTPs. New techniques are being used against organizations in your sector. Mars reads the report, extracts the techniques, maps them to your specific data sources, writes the detection logic, and deploys it all before the end of the day. The intel you already paid for stops sitting in an inbox.

03Hunt continuously. Deploy automatically.

Mars builds hunts from real attacker campaigns and TTPs. Not alert patterns. Not environmental baselines. The actual movement sequences adversaries are using against organizations like yours this week. Mars runs hunts 24/7, autonomously. Mars converts hunt results into detection rules and pushes them directly into your SIEM or EDR, expanding your MITRE ATT&CK coverage automatically. False positives drop by up to 90%. No manual rule writing.

Architecture

Agents

  • TI Scraping Agent
  • Business Context Agent
  • TTP and IOC Organization Matching Agent
  • Hunt Logic Agent
  • Detection Engineering Agent
  • Federated Search Agent

Connected platforms (sample)

Microsoft Sentinel, Amazon S3, CrowdStrike, Palo Alto, Google SecOps, Okta, Snowflake.

What are the common use cases?

Scale Threat Hunting

10x more hunts executed weekly

Your analyst pulls the data, writes the queries, chases false leads, and documents the findings. By the time one hunt closes, three more are waiting. Mars converts threat intelligence into executable hunts automatically across your SIEM, EDR, and cloud tools. Your team runs 10x more hunts per week. The mechanics are automated. The analysis stays with your analysts.

Operationalize Threat Intelligence

35+ campaigns tracked weekly

Your organization buys threat intelligence. Reports arrive. They describe active campaigns, adversary TTPs, and indicators of compromise. Someone reads them but nobody deploys a detection from them. Mars reads every feed you subscribe to, extracts the TTPs, translates them into production-ready detection logic in your SIEM's native language, and deploys them. The intel you already bought starts working.

Reduce Analyst Workload

15+ hours of tier-3 investigation saved weekly

Your analysts spend three hours tab-switching across five tools, manually correlating logs that do not talk to each other. Mars fans out across your SIEM, EDR, identity provider, and cloud logs simultaneously, applying organizational context and running correlation in real time. What used to take hours comes back as a unified correlated view in seconds.

Increase Detection Coverage

3 to 4x MITRE ATT&CK coverage expansion

You do not know which attacks your stack would miss, and neither does anyone on your team. Mars maps active threat campaigns to your specific environment, surfaces the gaps, and closes them. Your MITRE ATT&CK coverage expands with every campaign Mars processes. That never stops.

What security leaders think about MARS

"Every board should be asking a simple question: can we detect and stop the threats that actually matter, in time? MARS is the first platform I've seen that answers that with proof. It aligns defenses to real-world attacks and shows what holds up."

Terry O'Daniel · CISO

"We've invested in SIEM, EDR, cloud, and SaaS security, but they've always operated in silos. MARS connects everything into a single, coordinated defense layer, which is something I haven't seen any other platform deliver at this level."

Itzik Menashe · VP IT & Information Security, Telit Cinterion

"MARS gives us the ability to scale our capabilities instantly. Automating the heavy lifting while keeping us focused on the threats that actually matter. It's like having a full 24/7 threat hunting and detection engineering team that never sleeps."

Yuval Zilberman · CIO, Claroty

"We've always had access to threat intelligence, but operationalizing it was the real bottleneck. MARS is the first platform that automatically translates that intelligence into detections tailored to our environment. It acts as a force multiplier for our security engineering team, allowing us to focus on the threats that matter most, at the speed required to protect a blockchain company."

Haim Krasniker · CISO, StarkWare

"Security teams need to move beyond static detections and reactive workflows into the era of adaptive, AI-driven security. MARS is at the forefront of that shift. Continuously evolving the detection stack and enabling proactive threat hunting at a scale and speed that simply wasn't possible before. This is what modern cyber defense must look like."

Andy Ellis · CISO

What integrations are currently supported?

Mars reads data from your existing stack directly via API. No agent. No ingestion pipeline. No new database to maintain. Your telemetry stays in your tools. Mars queries it in place, in real time, across all of them simultaneously.

Cloud Platforms
AWS, Azure, GCP, Alibaba Cloud, IBM Cloud, DigitalOcean, Hetzner Cloud, Heroku, Linode, OCI, Vercel
Security & Threat Intel
Amazon GuardDuty, AWS Security Hub, AbuseIPDB, CrowdStrike EDR, Fastly NG-WAF, Microsoft Defender, Microsoft Sentinel, Netskope, Panos, ProofPoint, Recorded Future, Scanner.dev, Shodan, Trivy, VirusTotal, Wiz
Identity & Access Management
Auth0, Azure Active Directory, Intune, JumpCloud, Okta, 1Password, Tailscale
Observability & SIEM
Coralogix, CrowdStrike NGSIEM, Datadog, Google SecOps, New Relic, Splunk
Data & Analytics
BigFix, Databricks, MongoDB Atlas, Snowflake
DevOps & CI/CD
Azure DevOps, GitHub, GitLab
SaaS & Productivity
Google Workspace, Salesforce, ServiceNow, Slack, Zendesk
Networking & CDN
Fastly, ipinfo.io

This is federated search. If your tool has an API, Mars connects to it.

Do not see your tool? Reach out. We confirm integrations within 24 hours.

How is MARS priced?

The price is on the page. No demo required. No "contact us for a quote."

Pricing is based on Digital Employees. A Digital Employee is any person with a user account in your environment.

Up to 500 Digital Employees
$30K / year
Up to 1,000 Digital Employees
$48K / year
Up to 5,000 Digital Employees
$180K / year
Up to 15,000 Digital Employees
$360K / year

A senior detection engineer costs $150,000 to $200,000 all-in. So does a threat hunter. At the 1,000 Digital Employee tier, Mars runs continuous threat hunting and detection engineering across your entire stack for $48,000 per year. Your engineers stop writing rules manually and start doing the work that actually requires human expertise.

About MARS Security

Every threat detection vendor claims to think like an attacker. Most study the reports. The Mars founders ran the operations.

Shahaf Galili, Ran Lerer, and Matan Caspi built offensive capabilities inside Units 8200 and 8153 of the Israeli Intelligence Corps. They designed operations. They ran them. They know which TTPs your SIEM was never built to catch because they built campaigns specifically designed to get past SIEMs like yours.

They built Mars because they had spent years on the other side of the wall and knew exactly where defenders could not see. Not vendor intelligence. Operator intelligence. The platform hunts the way its founders used to attack.

Mission

We give every security team the power to hunt threats continuously and without limits. Because the only way to stop an attacker who never stops is to never stop hunting.

Team

Between them: 50+ years of offensive operations, threat intelligence, incident response, and vulnerability research.

Shahaf Galili
Co-Founder & CEO
Ran Lerer
Co-Founder & CTO
Matan Caspi
Co-Founder & Chief Architect

Investors

TLV Partners Jibe Ventures XPS Ventures Bullet Ventures Cyber Club London

Already have coverage? Here's what you're missing

01
I already get threat hunts from my MSSP or MDR.

Your MSSP hunts based on what they see across their entire customer base. That is not your environment. They do not know your telemetry or your actual threat surface. They are hunting a generalized model of you, built from hundreds of other companies. Mars integrates directly with your full stack. Every hunt runs against your actual data, in your specific environment, against campaigns currently targeting organizations like yours.

02
I use CrowdStrike OverWatch or SentinelOne Watchtower.

OverWatch and Watchtower are solid inside their own platforms. The problem is that attacks do not stay inside one vendor's platform. Identity-based movement crosses into your Azure AD. Living-off-the-land techniques appear in logs your EDR does not monitor. The detection that misses the lateral movement piece is not a detection. Mars is vendor-agnostic. It hunts across your full environment simultaneously, from every data source, regardless of which vendor owns each tool.

03
How can MARS help me reduce SIEM costs?

Most teams overpay for SIEM storage because they ingest everything. Mars queries data in place using federated search and continuously identifies which sources are producing detection value and which are producing noise. Telemetry that adds coverage never touches your SIEM. Cut the noise. Most teams see 30 to 40% SIEM cost reduction.

04
I don't have a threat hunting team. Is MARS relevant for me?

Mars is the threat hunting team. Continuous hunts run automatically against your stack 24/7. Mars deploys production-ready detections without requiring a dedicated engineer to write them. Your existing analysts handle the findings that require human judgment. Mars generates those findings for them. A security team of three people runs the same threat hunting coverage as an enterprise SOC.

05
I already have a threat hunting team. Why do I need MARS?

Your threat hunters are the experts. Mars removes the bottleneck between that expertise and what it produces. They spend less time on manual query writing and more time on the findings Mars already surfaced. The team runs 10x more hunts per week. Mars deploys detections automatically and maps coverage continuously to active campaigns. No backlog. They work at the level they were hired for.

06
Can I use MARS to investigate alerts?

Yes. Mars's federated search queries your SIEM, EDR, identity provider, and cloud logs simultaneously. Mars applies organizational context and runs AI-powered correlation in real time. What used to take three hours of manual reconstruction across five tools comes back as a unified correlated view in seconds.

07
Is MARS available through an MSSP?

Yes. Mars partners with leading MSSPs who deliver the platform directly to their customers. Reach out to find out if yours is already one.

08
Can I use my own threat intelligence feeds?

Mars works with whatever feeds you bring. Commercial, open-source, or proprietary. It handles them the same way it handles every other source: extract the TTPs, map them to your environment, generate hunts and detections automatically. The intel you already paid for stops sitting in a portal and starts working.

09
Does MARS integrate with my SIEM?

Yes. Mars reads directly from your SIEM to run hunts, tune existing detections, and push new ones, continuously improving your rule stack against current threats without manual rule writing.

Request for demo

See Mars run against your actual stack. We connect to your environment, execute hunts against active campaigns targeting your sector, and show you exactly what your current detections catch and what they miss.

Request a demo →

What career opportunities are available?

Mars hires people who are adversary-focused, relentlessly literal, already running the hunt before the meeting starts. Detection engineers who know what their rules cannot catch. Threat hunters who have lived inside the problem we are solving. If you have designed attacks, defended against them at scale, or written detection logic that held up against a real adversary, we want to talk.

Open roles →