Intro

  • 90% of companies have a shortage of information security professionals
  • 71% of non-tolerable events can be realized by threat actors within one month
  • 100% of corporate infrastructures can be hijacked by internal malicious actors
  • 93% of network perimeters can be penetrated, allowing threat actors to gain access to the local network

Positive Technologies metaproducts

Metaproducts help companies build result-driven cybersecurity and deliver comprehensive automated protection with minimal human involvement. They bring together Positive Technologies products and maintain control over the security of IT infrastructure and business processes by dynamically determining attack vectors and attacker capabilities, stopping intrusions before irreparable harm is done to the company.
  • MaxPatrol O2: attack prevention. Automatically detects and stops attacks before the company suffers unacceptable damage. Already available.
  • MaxPatrol Carbon*: total protection. Keeps IT infrastructure and business processes secure. Provides recommendations for maintaining the optimal level of security to prevent non-tolerable events.
  • MaxPatrol 1-2-3**: automated protection. Automatically orchestrates the security infrastructure and keeps it ready to repel hacker attacks.

* Commercial version scheduled for release in 2024.
** MVP scheduled for release in 2024.

MaxPatrol O2 overview

The MaxPatrol O2 metaproduct detects attackers, identifies breached assets, predicts attack scenarios based on company-specific non-tolerable events, and stops attacks before irreparable damage is done.
  • Result-driven

    Rules out non-tolerable events for business.
  • Automates SOC activities

    Reduces the human factor in detection, investigation, and incident response processes, and automates routine actions.
  • Knows how attackers operate

    Utilizes Positive Technologies' unique expertise gained from regular cyberexercises (including Standoff), and bug bounty programs (including Positive dream hunting).

Metaproducts form a new class of solutions

What's the concept of metaproducts, and why can't they be classified as SIEM/SOAR/XDR? We explore autopilot mechanisms for result-driven cybersecurity in conversation with a Positive Technologies expert.

Key features

Models potential attacker actions

  • Predicts the non-tolerable events that suspicious activity may lead to and how many steps are left until risks are realized.
  • Prediction is based on:
    • Network reachability of hosts: routing, access lists, NAT rules
    • Account permissions for remote login
    • RCE vulnerabilities on hosts
    • Remote login opportunities through VPN
    • Read access to lsass.exe process memory
(Figure: SMM scheme)

Detects hacker activity chains

  • Analyzes data from Positive Technologies sensors in the metaproduct and demarcates attacking, targeted, and captured resources.
  • Correlates resources to build activity chains informed by knowledge of threat actor TTPs.
  • Each chain contains a visualization of the attackers' path, plus a prediction of where they will move next.
(Figure: activity chains)

Automates investigations

  • Uses data from Positive Technologies sensors to build the full attack context and conduct an investigation.
  • Enriches the following activities with context:
    • Process startup: process -> session -> user
    • Remote login: RDP, SMB, WMI
    • Movement in the infrastructure: IP -> IP
    • VPN session creation: client IP -> external IP + username
(Figure: events)

Assesses threat severity

  • MaxPatrol O2 views captured resources and assesses the proximity of a non-tolerable event.
    Upon receiving this information, the system escalates attack chain status to "Attention required" before stopping the hacker or prompting the operator to make a decision.
  • The threat severity assessment algorithm continues to improve thanks to regular Positive Technologies cyberexercises and the contributions of Standoff 365 Bug Bounty participants.

Stops attackers

  • Considers risks to business processes and suggests the optimal response scenario.
    The scenario can be implemented automatically or manually if adjustments are needed.
  • Possible response actions:
    • Lock account: in the domain or locally, in Windows, Linux, or Mac.
    • Block IP address in the firewall: incoming/outgoing traffic.
    • Isolate host on the network.
    • Stop running process.
    • Revoke OpenVPN token.
    • Delete email message.
(Figure: response)

How the metaproduct works

  1. Based on the network topology and reachability of hosts, MaxPatrol O2 factors in vulnerability intelligence and models ways in which non-tolerable events might be realized. If risks haven't been identified in advance, the system calculates the attack vectors to the most critical hosts in the infrastructure.
  2. MaxPatrol O2 analyzes sensor triggerings and identifies captured, targeted, and attacking resources, such as accounts, hosts, sessions, processes, files, and emails.
  3. To assemble an in-depth chain of attacker activity, MaxPatrol O2 queries the relevant sensors for intelligence to build the full attack context, prioritize chains, and decide how to respond.
  4. MaxPatrol O2 analyzes the data and correctly links new sensor triggerings with activity chains already in the system. If none of the existing activity chains can be extended with the new data, MaxPatrol O2 creates a new chain to link the triggering received from the sensor.
  5. Based on data from the threat prediction module, MaxPatrol O2 assesses the severity level of the attack chain. If it exceeds the threshold value, the system switches the chain to the "Attention required" status and prompts the operator to select response measures.
  6. MaxPatrol O2 provides the operator with response options for each resource type to stop the hacker and regain control of the captured resources. All that remains for the operator is to verify the chain and accept the proposed response scenario designed to minimize the impact on the company's critical business processes.
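As an added illustration (not Positive Technologies code and not the MaxPatrol O2 data model), the Python below models the prediction basis listed under "Models potential attacker actions" (network reachability, remote login rights, RCE vulnerabilities, lsass.exe memory access) together with the severity threshold of step 5: it expands the set of captured hosts and accounts one lateral-movement step at a time, reports how many steps are left until a non-tolerable event, and switches the chain to "Attention required" once that distance drops below a threshold. The host names, login rights, sessions and threshold value are constructed assumptions.

```python
# Constructed example infrastructure (hypothetical; not the MaxPatrol O2 data model).
# reachable: hosts this host can reach on the network (routing, ACLs and NAT already applied)
# rce: remotely exploitable vulnerability; lsass: an attacker on the host can read
# lsass.exe memory and obtains the credentials of every account with a session there
HOSTS = {
    "vpn-gw":   {"reachable": ["ws-01"], "rce": False, "lsass": False, "sessions": []},
    "ws-01":    {"reachable": ["file-srv", "dc-01"], "rce": False, "lsass": True, "sessions": ["svc-backup"]},
    "file-srv": {"reachable": ["dc-01"], "rce": True, "lsass": True, "sessions": ["domain-admin"]},
    "dc-01":    {"reachable": [], "rce": False, "lsass": False, "sessions": []},
}
# Accounts permitted to log in remotely (RDP/SMB/WMI) on each host (constructed).
LOGIN_RIGHTS = {"vpn-user": {"ws-01"}, "svc-backup": {"file-srv"}, "domain-admin": {"dc-01"}}
NON_TOLERABLE = {"dc-01"}   # capturing the domain controller is the non-tolerable event
ATTENTION_THRESHOLD = 2     # steps left at which a chain becomes "Attention required"


def predict_steps(captured_hosts, captured_accounts):
    """Return {host: lateral-movement steps needed} for every host the attacker can
    reach from the captured resources, expanding the captured set one step at a time."""
    hosts, accounts = set(captured_hosts), set(captured_accounts)
    steps = {h: 0 for h in hosts}
    for h in hosts:                      # credentials already exposed on captured hosts
        if HOSTS[h]["lsass"]:
            accounts.update(HOSTS[h]["sessions"])
    step = 0
    while True:
        step += 1
        new = set()
        for src in hosts:
            for dst in HOSTS[src]["reachable"]:
                if dst in hosts:
                    continue
                can_login = any(dst in LOGIN_RIGHTS.get(a, ()) for a in accounts)
                if HOSTS[dst]["rce"] or can_login:   # RCE or a usable remote login right
                    new.add(dst)
        if not new:
            return steps                 # fixpoint: nothing else is reachable
        for h in new:
            steps[h] = step
            if HOSTS[h]["lsass"]:        # credential theft widens the next step
                accounts.update(HOSTS[h]["sessions"])
        hosts |= new

def assess_chain(captured_hosts, captured_accounts):
    """Steps left to the nearest non-tolerable event and the resulting chain status."""
    steps = predict_steps(captured_hosts, captured_accounts)
    left = min((steps[h] for h in NON_TOLERABLE if h in steps), default=None)
    critical = left is not None and left <= ATTENTION_THRESHOLD
    return left, "Attention required" if critical else "Monitoring"
```

With only the VPN gateway captured the domain controller is three steps away and the chain stays in monitoring; once the workstation whose lsass memory exposes a service account is captured, the distance drops to two and the chain is escalated.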

MaxPatrol O2 benefits

  • No niche skills required

    For the metaproduct to work effectively, an operations analyst and an expert in system administration and maintenance are sufficient.
  • Lowers the threshold of entry to the world of result-driven cybersecurity

    Enables companies to address result-driven cybersecurity issues without having to hire additional experts or automate SOC processes themselves.
  • Replaces manual investigation

    Automates the investigation process by providing the operator with ready chains of attacker activity with full context.
  • Detects advanced targeted attacks

    MaxPatrol O2 links all attacker actions into one chain, whereas traditional solutions create independent incidents for the steps of a single targeted attack.
  • Considers non-tolerable events

    Predicts the attackers' path before they can realize a non-tolerable event. Determines the threat level based on the attackers' proximity to the target system. Adapts to evolving business risks in ever-changing corporate infrastructures.
  • Knocks out hackers in an instant

    Thanks to PT XDR agents located in the corporate infrastructure, MaxPatrol O2 responds in seconds, preventing the realization of non-tolerable events.
  • Positive Technologies ecosystem

    Brings together Positive Technologies products that function as sensors, exchange knowledge, and provide comprehensive IT system protection with minimal human involvement.
  • Positive Technologies expertise

    Regularly updated with new methods for modeling attack vectors, improved algorithms for incident linking and enrichment, and automated response actions.
  • Single-window operation

    The operator doesn't need separate products to detect traces of intrusion and investigate incidents. The system does this automatically by building activity chains and querying Positive Technologies sensors for further attack context.
  • Domestic solution

    The MaxPatrol O2 product suite is made entirely in Russia, included in the Register of Russian Software, and certified by the Federal Service for Technical and Export Control (FSTEC) of Russia (certification for PT MultiScanner is currently in progress).
  • Suitable for all infrastructures

    Protects corporate infrastructures and meets the demands of all industrial sectors: energy, transportation, metals, manufacturing, medicine, and utilities. The suite includes solutions specially designed for ICS (SCADA) network hosts.
  • Interfaces with any system

    During implementation of the metaproduct, Positive Technologies experts will connect any business and IT systems, including custom and in-house systems related to target or key sources.

Interaction scheme


MaxPatrol O2 products

PT Sandbox

The first sandbox with tailored protection for your infrastructure

PT NAD

Make hidden threats visible

PT ISIM

A simple, effective solution for ICS cybersecurity

PT Application Inspector

The only source code analyzer that provides high-quality analysis and convenient tools to automatically confirm vulnerabilities
