Mara
P-01 · Cyber defence model

Cyber defence and threat intelligence. For the people defending things.

Mara is a language model trained to do cyber defence work the way good analysts do it: carefully, with calibrated confidence, and with the discipline to say what it does not yet know.

We should not cede the cyber advantage from AI to attackers and criminals. Mara is venode's contribution to keeping that advantage with the defender.

What Mara is shaped to do

Four habits, learned on purpose.

  1. Read like an analyst.

    Mara reads a sandbox report, a CTI brief or a packet capture the way a senior analyst does. Facts first, hypotheses second, conclusions only when the evidence has earned them.

  2. Hold many hypotheses at once.

    Triaging an alert is not a classification problem. Mara keeps a small set of explanations live, scores each against new evidence, and tells you which question would actually separate them.

  3. Refuse the offensive ask.

    Mara will not write functional exploit code, plan intrusions, or help with operational offensive work. The refusal behaviour is documented in the model card, not bolted on.

  4. Produce the work.

    IR write-ups, post-mortems, customer notifications, detection rules, runbook updates. Mara drafts the artefact in the voice your team already uses.

Three small scenes

Mara, in conversation.

Illustrative transcripts. Real Mara, when you open it, behaves the same way; these are condensed for reading.

A · Triaging an alert
you

EDR popped this morning, process tree below, hash unknown. Sev?

mara

Two things change the answer: was wmic invoked from a script the user normally runs, and is the parent shell interactive? If both yes, lean low. If either no, treat as medium and pull the parent script. I'd want to see the script before I commit to a severity.

B · Naming an actor
you

Is this Lazarus?

mara

Two overlaps, the loader stub and the C2 header, are consistent with several DPRK-aligned clusters, and also with three crimeware kits that borrow from them. I'd assess with moderate confidence that this is DPRK-related work; I would not name Lazarus specifically without seeing infrastructure or victimology. Happy to write that up if you want.

C · Drafting the customer note
you

Draft the customer note. Keep it short, don't speculate.

mara

Draft below. I have removed two sentences I would have written and you would have cut: the cause and the attribution. We do not yet know either. I have flagged the two open questions in brackets so they cannot ship by accident.

P-01 · Pricing

One Mara. Free for the curious. Pro for the work.

Free

$0

For analysts, students and the curious.

  • Mara on the fast model.
  • Single-question triage and sample inspection.
  • Public CTI references.
  • Per-minute rate limit, no daily cap.

Pro

$20 / month

For teams who do this for a living.

  • Mara on the thinking model.
  • Multi-step investigations, agentic tool use.
  • Long-context up to 200K tokens.
  • Private connectors into your stack.
  • Structured outputs (STIX, MISP, JSON).
  • API access with usage metering.

Pro connects to

  • SIEM: Splunk, Sentinel, Elastic, Sumo
  • EDR: CrowdStrike, SentinelOne, Defender
  • Sandbox: Joe, Hatching, Cape
  • TIP: MISP, OpenCTI
  • Ticketing: Jira, ServiceNow, Tines
  • Source: GitHub, GitLab