ThreatResponder® is an endpoint security technology for detecting, responding to, and preventing advanced cyber attacks and data breaches in real time. Running in the operating system kernel (kernel mode) with a minimal footprint on the endpoint (less than 1% CPU and 100MB of RAM), ThreatResponder® monitors, intercepts and, if necessary, blocks activities such as file system changes, registry changes, process executions, module loading, driver loading, network connections, handle creation, process memory changes, service changes, API calls/hooks, and other activities. The data/forensics analytics module ingests threat data from millions of enterprise endpoints. Using machine learning as well as behavior-based and signature-based algorithms, the product provides situational awareness of enterprise threats. The technology contains or quarantines a compromised endpoint to prevent the spread of an attack. The threat response module allows an Analyst to interact live with an endpoint and perform forensic investigations. The Threat Intelligence Platform (TRIP) module ingests threat intelligence feeds from US-CERT, commercial organizations, and open source communities. ThreatResponder®’s threat hunting capabilities allow complex queries, based upon a hypothesis or other attack indicator, to be performed across millions of endpoints with results rendered within seconds. Our natural language processor (“CURIOSITY”) allows an Analyst to conduct queries using spoken language.