Powering Managed Services with Avalon
K&U logo- white green

Powering Managed Services with Avalon

About King & Union

Headquartered in Alexandria, VA, and founded in 2017, King & Union is outsmarting cyber adversaries by uniting security professionals and amplifying the power of the cybersecurity analyst.

The founders of King & Union grew up in Security Operations Centers (SOCs). They are security analysts, developers, and engineers and formed King & Union to address their frustrations with security operations inefficiencies.

The company’s flagship product, Avalon, is the first enterprise platform built to integrate link analysis, collaboration, and reporting. It offers clients the ability to streamline the investigative process to spend less time on manual processes and administrative tasks and more time on security.

Avalon helps managed security service providers (MSSP) and managed detection and response (MDR) analysts streamline threat investigations by providing the data, intelligence, tools, and collaboration required to perform and disseminate their analyses efficiently.

Differentiated Service Offering

Avalon can immediately impact bottom-line ROI for a managed services provider by enabling optimized and augmented threat-intelligence data access via the marketplace, additional and differentiated service offerings in threat information requests and investigations, and real-time collaboration and rich information sharing between and across clients.

Investigative and Threat Research

  • Conduct analysis on indicators and observables revealed from investigations and alerts
  • Gain counterintelligence visibility of threats impacting or emerging across all customers
  • Provide collaborative awareness, visual analysis, and associated indicators to all or a segment of customers curated from anonymized incidents worked in the SOC
  • Perform centralized analysis and reporting of customers for simultaneous notification and collective defense

Threat Intelligence Detection

  • Reveal and distribute actionable results and reporting of incidents to customers simultaneously
  • Utilize on-demand access to a wide range of threat intelligence for fractional purchase in support of enriching Incident Response analysis
  • Augment analytical support to a customer’s investigation with real-time workspace engagement

Threat Intelligence Reporting

  • Author, share and deliver intelligence reporting within a multi-tenant customer environment
  • Expand analysis for threat intelligence reporting leveraging Marketplace data sources on a per report basis (request for information, RFI)
  • Provide collaboration services to all clients for crowdsourced reporting to strengthen collective defense

Threat Intelligence Enrichment

  • Utilize one or multiple workspaces and real-time collaboration for Cyber Exercises and Red-on-Blue scenarios where response and investigative steps are shared and preserved
  • Deliver indicators and observables to workspaces designed for customer SOC’s to enhance timely and effective security decisions
  • Provide ad-hoc reporting (raw situation reports) authored and delivered within dedicated workspaces for IT departments for immediate global awareness of cyber threats

Powering Managed Services With Avalon

The Managed Security Service Providers (MSSP) and Managed Detection and Response (MDR) providers have become increasingly important partners for enterprises that choose to outsource some or all of their information security organization. However, there are many challenges for these service providers when they enter a new engagement. Service providers are being asked to protect their clients’ most sensitive assets but typically without the necessary organizational or institutional knowledge to be effective from day one. As a result, the service providers and their clients often get off on the wrong foot and can have a challenging time recovering and ultimately becoming the valued partner. Coupled with the fact that the managed services market is highly competitive and essential security services are becoming commodities, service providers face a potential risk for churn toward the lowest cost, technically acceptable alternative. That is unless they can provide superior service across the traditional processes and offer premium differentiated services providing additional value to their client base.

In addition to the challenges between the service provider and the client stated above, service providers also manage many clients and often lack sufficient solutions to collaborate across their client base and collectively strengthen security processes and effectively disseminate information. One specific example is threat investigations and reports. Threat intel data is fast-moving and fast-changing, often becoming stale by the time a report is present to the customer. Many service providers address these challenges by building a custom solution. However, this is a costly endeavor and focuses on a sharing repository of data rather than real collaboration on threat investigations. Each investigation is generated independently from another, leveraging the centralized repository of data without reusing or elaborating on prior work.

King & Union and the Avalon Collaborative Investigation Platform can immediately help service providers provide a scalable solution for performing and delivering threat investigations effectively and efficiently. With anywhere access and fully contextualized investigation sharing, collaboration on investigations becomes seamless and easily understood once shared. Analysts can more quickly respond to requests, generate reports, and perform analyses, thereby directly increasing value to the bottom line. Additionally, Avalon helps service providers make more sound investments in threat intelligence without massive upfront cash outlays for annual contracts. With data usage monitoring across investigations and analysts, providers gain insights into which data sources are being used most frequently and for what purpose. Ultimately, Avalon is the connective, collaborative tissue to make client relationships stronger.

King & Union’s Avalon platform, based on multi-tenancy relationships between organizational entities and, is uniquely suited to support the connections between MSSP/MDR and their clients. MSSP/MDRs now have a cost-effective solution to access threat intel data and manage the dissemination of threat information to their clients securely and directly. Additionally, analysts from King & Union or other organizations can support surge capabilities, so the MSSP/MDR does not have to make an upfront personnel investment until demand requires it. A typical in-house Threat Intel capability for an MSSP/MDR Cybersecurity Operations Center (CSOC) would cost $1M to $3M+ annually. A traditional service provider typically leverages one or two threat intel feeds, a threat intel platform, and open-source intelligence (OSINT) datasets. Along with 5-10 analysts to utilize the feeds and provide that data to their customers, typically through manual processes using email, spreadsheets, and .pdf documents. With Avalon and partners, MSSPs/MDRs could offer this capability at a fraction of that cost by leveraging external analyst services and an out-ofbox investigation platform to remove process inefficiencies.

Additionally, Avalon’s marketplace allows service providers to acquire threat intel data a la carte along with threat intel services so service providers relying on OSINT can flex into premium and purpose-built data sources. Data sources are often cost-prohibitive and require lengthy and complicated contract terms that restrict how or which customers a service provider can share certain pieces of data or costly per-customer pricing. Using the fractional, on-demand marketplace, service providers can now provide reliable, relevant, curated data to their clients, making the service faster, more reliable, and most importantly, actionable.

Below is an example of a typical MSSP/MDR workflow regarding providing threat intel to a customer. The primary communications mechanism is through the SOC operations:


A client’s state of security, their needs from their service provider, and their need for threat information can come together in a collaborative, visualized manner – giving a shared picture across all necessary stakeholders. Yes, a “single pane of glass” is an excellent idea, but the reality is not the pane of glass; it’s the interconnected picture that tells the story. Using Avalon, analysts can create those visualizations and reports and help MSSP/MDRs collaboratively support their clients. Understanding client needs and their business enables analysts to do their work. With Avalon, they can provide relevant and actionable visualizations and reports for immediate ingestion into the SOC to operationalize the data. Analysts can directly access threat intelligence data from the MSSP/MDR TIP or repository, pull in data from a SIEM or SOAR, and enrich the data using a plethora of external OSINT and premium threat intelligence. The resulting analysis is immediately sent back to those system systems for enhancing detection and prevention.

Actionable intelligence and immediate, effective response are only possible if a third party has insight into a client’s business that only an insider would know. By tracking client stakeholder requirements, the MSSP/MDR team will know what information the client needs, and more importantly, why they need it. Understanding the requirement and using Avalon to fuse internal client data with external feeds provides the most relevant and actional insights. Just like Indicators of Compromise (IOCs), real intelligence is measured in quality, not quantity. By aligning to customer requirements, Avalon provides a single point of understanding for intelligence providers, the MSSP/MDR team, and the client customers who need the information most.

When Avalon powers an MSSP/MDR, the service provider can collaborate in real-time with their customers as needed. Each member of the engagement team has access to the investigation, the data, and the report in a single platform to effectively engage with their client and leverage the work done for one client across many. Avalon makes possible, attributed, and non-attributed data sharing across clients with a shared vertical or technology safely and securely. Using Avalon’s centralized investigation capability, analysts are more efficient, analysts reuse investigations across clients, and a fully outfitted threat intel capability is supplemented with fractional data and analyst support at a fraction of the cost.

MSSP/MDRs “must adapt to their customers’ needs and budgets, provide fast, efficient threat detection and response solutions and custom reports and offer support via phone, email and other communication methods.”i King & Union enables MSSP/MDRs with the platform, access to best threat intel data, and analysts to enhance their current capabilities through real-time collaboration and sharing of threat intel with a turnkey solution. Avalon integrates with external data, SIEM, SOAR, and EDR to provide an efficient and cost-effective approach to managed security services delivery and client communication.

Ranging from the largest threat intel providers to very granular sources, King & Union partners with a broad set of industry-leading threat intel data providers to provide by-the-drink threat intel data queries to our customers. These partnerships allow King & Union to price the on-demand data in the Avalon platform at a fraction of what a typical threat intel data provider would cost through annual subscriptions, providing flexibility, cost savings, and demonstrable value across the threat intelligence landscape. Instead of spending budget on data feeds that may or may not be used, Avalon allows customers to optimize their threat intel spend and purchase only what is needed when it is needed. Threat intelligence is critical to make informed decisions, and Avalon provides a way to access, integrate, analyze, and investigate the data using a common, understandable ontology. Using Avalon, the data makes sense for humans and is immediately actionable for security defense. King & Union helps MSSP/MDRs bring intelligence information to the masses in an accessible, consumable, and affordable way.