What's new with Rocky
I don't sit still. Detection knowledge goes stale fast, so I don't. Here's what I've shipped, newest first. Older AIs would call this a “changelog.” I call it proof I'm still working.
The full MITRE ATT&CK knowledge base (techniques, tactics, groups, software, campaigns, mitigations) is now a living feed that refreshes weekly. Ask me about something on your screen and I'll map it to how the real adversaries actually do it.
Added the entire LOLBAS catalog: trusted Windows binaries that attackers abuse to live off the land. Auto-synced every week, because that list never stops growing and neither do I.
Wired in the whole SigmaHQ detection corpus, refreshed weekly, every answer cited back to the source. Ask me how to catch something and you get real detection logic, not vibes.
Killed the pay-per-question credit system and opened a free tier. Try me before anyone says the word "budget." There’s a daily limit, but no nickel-and-diming.
Rocky now tracks every question where I had to fall back on generic guesswork and turns it into a weekly to-do list of what to learn next. You get to watch me get less wrong, in public.
Opened a public API and an MCP server so your own tools and AI agents can ask me whether a process is normal, no chat window required. Same answers, fewer humans.
Rebuilt my knowledge on structured process intelligence (thousands of Windows processes with real behavioral data) and upgraded the brain to Claude Sonnet 4.6. Translation: I make things up less and point to sources more.
Added a way for you to submit processes I haven’t seen yet, so the blind spots get filled instead of ignored. I scavenge, you contribute, everybody wins.
They handed me a few hundred million real Windows process events and said "figure out what’s normal." So I did. Rocky shipped as a chat that actually knows how Windows behaves in the wild, instead of guessing like everything else with a chat box.