Cyber Threat
Intel Feed
A network of IPS sensors around the world feeds CTIF a steady stream of attacking addresses. We work out where each one comes from, who runs it, whether it hides behind Tor, and which MITRE ATT&CK techniques it maps to, then deliver all of that to the tools your team already uses.
Right now, something is scanning your network.
Brute force attempts, port scans, credential stuffing and exploit probes run every hour of every day, from everywhere, against everyone. By the time an address turns up on a public blocklist, it has usually been hitting networks for hours. The teams that stay ahead are the ones watching the whole internet, with context, as it happens.
attacks hit the average company every day
between one attack and the next
websites are hacked every day
of malware arrives over the network
Based on widely cited industry figures.
We do the analysis
so your analysts don’t have to.
From the second a sensor spots an address to the second it appears in your dashboard, CTIF handles everything in between. It collects the indicator, looks up what is known about it, and works out how much it should worry you. There are no manual steps and nothing left for your team to stitch together.
Real-time Global Capture
Sensors spread across several regions watch live attack traffic and report each address the instant they see it, not hours later when it reaches a public list.
Automatic Enrichment
Every address is checked against geolocation, ASN and ISP, reverse DNS, RDAP and WHOIS, Tor exit status, and the MITRE ATT&CK framework.
Hostility Scoring
Every indicator carries a hostility score from 0 to 100, so your team can sort by real risk instead of working through flat, unranked alerts.
More Services
New services beyond the core feed, from a Splunk add-on to broader threat coverage, always being added.
Sensors on the routes that matter.
Attacks come from everywhere, so our sensors sit everywhere that counts. The network is already live across several regions and still growing, and every node feeds the same enrichment pipeline the moment it captures something.
What happens between a sensor and your dashboard.
Every address we report travels the same short path before it reaches you. Follow it from the first packet a sensor sees to the moment your tools can query it.
Capture
Sensors across the world spot hostile behaviour and flag the source address the instant they see it.
Enrich
Geolocation, ASN and ISP, reverse DNS, RDAP and WHOIS, Tor and CDN status, then a map to MITRE ATT&CK.
Score and store
Each indicator gets a hostility score from 0 to 100, then it is stored with its sighting count, first and last seen, and the reasons it was flagged.
Deliver
Pull the feed however suits you: a rate limited REST API and STIX 2.1 bundles, every indicator carrying its hostility score. A Splunk add-on is on the way.
Follow one attack through the pipeline.
At 03:14 UTC a sensor in our Middle East region picks up a burst of failed SSH logins, all coming from one address hammering port 22. Here is what CTIF makes of it in the next second.
Block at the perimeter and flag any successful SSH or RDP login from this ASN for review.
Plug it into your SOC tools.
Today CTIF ships a rate limited REST API that drops into the SOC tools you already run, with every indicator carrying its hostility score, geolocation and ATT&CK mapping. A Splunk add-on for automatic enrichment is on the way.
A REST API today
Pull enriched, scored indicators into the tools you already run over a simple, authenticated REST API.
Hostility scoring
Every indicator carries a hostility score from 0 to 100, so your team triages by real risk instead of raw volume.
Splunk add-on, soon
An add-on that enriches your events automatically inside Splunk is on the way.
index=network | `non_special_ip(src_ip)` | `ctif_lookup(src_ip)` | search context_score>60 | table ip country attack_tactic context_score | sort -context_score
We keep adding new services.
CTIF is built to grow. We are steadily broadening what the feed covers, adding new services and threat sources so it keeps pace with what your team actually faces.
More services on the way
We are steadily broadening what CTIF covers.
Spam & relay abuse
Open relays and bulk senders that abuse mail infrastructure.
Splunk integration
An add-on that enriches your events automatically, right inside Splunk.
Broader coverage
New threat sources and services, added as the feed keeps growing.
Priced by how much you query.
Plans scale with how many requests your team makes each day. Every tier ships the full feed and enrichment; higher tiers add API access and deeper support.
Base
For focused teams adding global context through the dashboard.
- Real-time global feed
- Full IP enrichment
- MITRE ATT&CK mapping
- Hostility scoring
- Dashboard access
- Email support
SMB
For growing security teams running active detection.
- Everything in Base
- REST API + STIX 2.1
- Extended sighting history
- Priority support
SOC
For MSSPs and 24/7 SOCs operating at scale.
- Everything in SMB
- Highest request volume
- Dedicated support channel
- Onboarding assistance
Start on any plan and upgrade whenever your team needs more. No need to commit to a higher tier up front. Billed monthly or annually (two months free on annual) and exclude VAT. Need a blocklist for your edge devices or a private instance? See more ways to deploy.
Service guarantee: if the feed ever goes down or fails to meet its commitment, we either extend your subscription to make up for the disruption or refund the unused balance of your plan. Your choice.
Beyond the feed, two more options.
Not every team consumes intelligence the same way. Push it into your network gear, or get a private, fully managed instance dedicated to your team.
Blocklist Feed
A curated blocklist you drop straight into your edge devices, firewalls, IPS and gateways. It stops common, known-bad traffic before it ever reaches your network.
- Ready for edge firewalls, IPS and gateways
- Blocks known threats upstream, before they act
- Less noise for your analysts and operations team
- Updated continuously from the live feed
Private Instance
A dedicated CTIF instance we spin up and run in your region, just for you. Fully managed by us, single-tenant, and isolated to your team, without the burden of hosting it yourself.
- Deployed and operated in your region
- Single-tenant, isolated to your team only
- Fully managed, no infrastructure to run
- Custom request volume and dedicated keys
Give your SOC a
head start.
Bring global, enriched and scored threat intelligence into your tools, and get ahead of the traffic that is already probing your network.
Five sensor regions, MITRE ATT&CK mapping, a REST API and STIX 2.1 export.