Core Concepts
This page covers the foundational concepts used throughout Stairwell. Use it as a reference whenever you encounter unfamiliar terminology in the platform or documentation.
Objects
Objects are the files and binaries ingested into Stairwell. Every executable, library, and script collected by a forwarder becomes an object in your environment. Each object is uniquely identified by its hash and is analyzed automatically at ingestion.
Assets
Assets are the hosts (endpoints, servers, or workstations) associated with your Stairwell environment. In most cases, an asset is a machine running a Stairwell forwarder. Assets can also be created manually via the API for record-keeping purposes.
Forwarders
Forwarders are lightweight, proprietary agents installed on endpoints. They monitor file activity and upload newly discovered executables to Stairwell's cloud for analysis. The forwarder performs an initial breach assessment (back scan) of all existing executables on disk, then continuously monitors for new file activity. Forwarders are designed to use minimal system resources and do not block or prevent any processes from executing.
Environments
Environments are isolated workspaces within a Stairwell organization. Each environment has its own set of assets, objects, YARA rules, policies, and authentication tokens. Environments can be used to segment data by business unit, subsidiary, or use case. Every organization also receives read access to several shared feed and rule environments maintained by Stairwell.
Mal-Eval
Mal-Eval is Stairwell's proprietary machine learning engine. It analyzes every file at ingestion and produces a malicious likelihood score, a confidence percentage, variant associations, and classification labels. Mal-Eval draws on signals from static analysis, dynamic analysis, YARA matches, behavioral indicators, user opinions, and ongoing rescanning. It runs entirely out-of-band with no cost to the host system.
AI Triage
AI Triage is a 6-stage automated analysis pipeline that produces a comprehensive summary for each object. The stages are: file ingestion, high-signal feature extraction, Mal-Eval ML scoring, variant and prevalence correlation, YARA and threat intelligence matching, and LLM-generated summary. AI Triage is not the same as Mal-Eval -- Mal-Eval is the ML scoring step within the broader AI Triage pipeline.
Opinions / Verdicts
Opinions are human-applied classifications assigned to objects. They represent deliberate analyst decisions that complement automated analysis. The possible values are: NO_OPINION, TRUSTED, GRAYWARE, VULNERABLE, and MALICIOUS. Opinions can be overridden per environment, are mutable as new information emerges, and all changes are tracked in the object's history.
Variants
Variants are files with high structural similarity to known malware families. Stairwell's Mal-Eval engine compares every ingested object against a global corpus of over 630 million objects using static analysis, dynamic analysis, source code comparison, and over a million unique data points. Variant discovery surfaces unknown malware related to known families -- even before those variants are publicly documented.
Sightings
Sightings represent occurrences of a specific object across your environments and assets. When you view an object, sightings show you where it has appeared, on which assets, and when it was first and last seen. This is critical for scoping the impact of a threat across your organization.
YARA Rules
YARA rules are pattern-matching rules used for threat hunting and detection. In Stairwell, YARA rules operate in two directions: every new or newly activated rule is scanned against all objects in your environment (past and present), and every newly ingested object is scanned against all active rules. Stairwell supports both custom rules private to your environment and shared rule feeds maintained by the community and Stairwell's research team.
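How the two scan directions described above fit together, as an added toy example (not Stairwell's code or API): plain byte-substring patterns stand in for YARA strings, objects are keyed by SHA-256 as in the Objects section, and the Environment, Rule, ingest and set_active names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Rule:  # hypothetical stand-in for a YARA rule: all byte patterns must appear
    name: str
    patterns: tuple
    active: bool = True

class Environment:
    def __init__(self):
        self.objects = {}     # sha256 -> {"data": bytes, "sightings": [asset, ...]}
        self.rules, self.matches = {}, set()  # name -> Rule; (rule name, sha256)

    def _scan(self, rule, sha256):
        if rule.active and all(p in self.objects[sha256]["data"] for p in rule.patterns):
            self.matches.add((rule.name, sha256))

    def ingest(self, data, asset):
        # Forward direction: a newly ingested object is checked against every active rule.
        sha256 = hashlib.sha256(data).hexdigest()
        if sha256 not in self.objects:       # unseen hash: analyze it once
            self.objects[sha256] = {"data": data, "sightings": []}
            for rule in self.rules.values():
                self._scan(rule, sha256)
        self.objects[sha256]["sightings"].append(asset)  # known hash: only a new sighting
        return sha256

    def add_rule(self, rule):
        self.rules[rule.name] = rule
        self.set_active(rule.name, rule.active)

    def set_active(self, name, active):
        # Retro direction: a new or newly activated rule is checked against every existing object.
        rule = self.rules[name]
        rule.active = active
        if active:
            for sha256 in self.objects:
                self._scan(rule, sha256)

def demo():
    env = Environment()  # sample file contents below are constructed, not real binaries
    h1 = env.ingest(b"MZ..This program cannot be run in DOS mode..", "host-a")
    env.ingest(b"MZ..This program cannot be run in DOS mode..", "host-b")  # same hash
    h2 = env.ingest(b"#!/bin/sh\necho hello\n", "host-c")
    env.add_rule(Rule("dos_stub", (b"MZ", b"DOS mode")))       # retro scan hits h1
    env.add_rule(Rule("dormant", (b"hello",), active=False))  # inactive: no scan yet
    h3 = env.ingest(b"#!/bin/sh\necho hello again\n", "host-a")
    env.set_active("dormant", True)                           # retro scan hits h2, h3
    return env, h1, h2, h3
```

The second ingest of the first file adds a sighting without a rescan, while activating the dormant rule retroactively matches both shell scripts, including the one ingested while the rule was inactive.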
Threat Reports
Threat reports are curated collections of indicators of compromise (IOCs) and analysis, sourced from published threat intelligence or uploaded by your team. When a threat report is ingested, Stairwell automatically parses its indicators and checks them against every object in your environment. Reports are continuously re-evaluated as new files arrive and new variants are discovered.
Authentication Tokens
Authentication tokens are API keys used to authenticate with the Stairwell API and CLI tools. Tokens are also used by forwarders to authenticate with your Stairwell environment. There are two types: API/CLI tokens (for programmatic access) and file forwarder tokens (for forwarder registration). Tokens are scoped to your organization and should be named descriptively for easy management.
Run-to-Ground
Run-to-Ground is a Stairwell investigation feature for deep analysis of a specific indicator of compromise across your full environment. It allows you to trace an IOC through every asset and time period, identifying all related sightings, variants, and associated objects to fully scope an incident.