Clue is a centralized framework that can be integrated into other applications to provide users with enrichments and insights to help them in the discovery, investigation, triaging and reporting of cyber security incidents.
Clue was developed by the Canadian Centre for Cyber Security (Cyber Centre) and released in October 2025. Clue can be integrated with other Cyber Centre open-source tools such as Howler and AssemblyLine.
How Clue works
Clue delivers pertinent insights to analysts whenever they engage with its companion applications like Howler and AssemblyLine.
Integration is achieved through high-level abstractions of the following common concepts:
- Enrichments: return insights about a given identifier
- Actions: delegate work from one application to another
- Fetchers: retrieve a new form of data when given input parameters
- Pivots: navigate to other tools or data while maintaining the current context
The framework provides the ability to develop plugins to achieve interoperability. Each plugin is a Docker container for which Clue offers the following:
- orchestration
- scaling
- caching
- service discovery
Benefits of Clue
Clue aims to streamline and improve the way analysts view and interact with data. With standardized enrichments, actions, annotation and more, cyber defence analysts can work more quickly, efficiently and effectively.
By implementing these capabilities, analysts and their teams receive the information they need to make efficient decisions and have the autonomy to manage their own modules. The opportunities are endless with Clue.
How Clue was developed
The Cyber Centre built Clue using public-domain and open-source software. Most of the code was developed in-house. Clue does not contain any commercial technology and can be easily integrated into existing cyber defence technologies. Clue is open-source software and businesses can modify it to suit their requirements. The Cyber Centre continues to actively develop and improve Clue.
Where to find Clue
Clue is available on GitHub, an open-source software repository available to everyone with an account.