FAQ

What is Atlas?

A reference for security analysts answering one question fast: is this Windows process normal, or should I worry? Look up a process and see its expected paths, launch ancestry, and known abuse patterns.

Where does the data come from?

Records are hand-curated from authoritative sources (Microsoft documentation, MITRE ATT&CK, LOLBAS, vendor research) and cited on every profile. Profiles are also enriched automatically from LOLBAS (abuse commands), MITRE ATT&CK (techniques and the groups and software that use them), and the Sigma project (detection rules). Measured telemetry is on the roadmap.

Where do the detections come from?

The Detections tab lists open detection rules from the Sigma project that name the process, under the Detection Rule License. Each rule links back to its source.

Does dropping a file upload it?

No. The file is hashed locally in your browser (SHA-256 via the Web Crypto API) and only the hash is looked up. The file itself never leaves your machine.

What does "not observed" mean?

The identifier you searched is valid but has no record. That is information in itself: the binary is either rare or not yet curated, and worth a closer look.

What do the prevalence labels mean?

ubiquitous, common, uncommon, rare and unknown describe how often a process is typically seen running. They are qualitative bands, not precise statistics.

Can I add or fix a record?

Yes. The dataset is open source, and each process is one small YAML file. See the Docs page.