Threat Intelligence Layer
External threat context, automatically correlated to your environment.
Threat intelligence feeds provide valuable context — who's attacking, how, and what they're targeting. But raw threat intel is noise without correlation. A feed of 50,000 malware hashes is useless if you can't instantly answer: "Do any of these affect us?"
SPNT's Threat Intelligence Layer ingests external threat signals and correlates them to your substrate in real time. When a new threat emerges, you know within minutes whether you're affected — not after an analyst manually queries five different systems.
What the layer ingests
- Threat actor TTPs. MITRE ATT&CK mappings, adversary playbooks, known attack patterns attributed to specific groups.
- Malware indicators. File hashes, network indicators, behavioral signatures from malware intelligence feeds.
- Campaign tracking. Active attack campaigns, targeted industries, geographic focus, evolution over time.
- Vulnerability exploitation. Which CVEs are being actively exploited in the wild, by whom, and how.
- Infrastructure indicators. Command-and-control servers, malicious domains, attacker infrastructure.
Automatic correlation
When a new threat signal arrives, the layer automatically correlates it against your substrate:
- Asset matching. Does this threat target technologies you use? Services you expose? Regions you operate in?
- Finding linkage. Do you have existing vulnerabilities that this threat actor is known to exploit?
- Priority adjustment. Findings linked to actively exploited threats get priority boosts automatically.
Correlation happens without analyst intervention. The substrate updates. ISTRAGA incorporates the new context into its reasoning. Dashboards reflect the change.
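The three correlation steps above, sketched as an added example; this is not SPNT's code and does not reflect its data model. The record fields, the boost values, and the sample signals and findings are all assumptions constructed for illustration, and the CVE IDs are placeholders.

```python
# Constructed sample data: exploited-vulnerability signals from a feed and
# findings from an internal inventory. CVE IDs and names are placeholders.
SIGNALS = [
    {"cve": "CVE-0000-0001", "product": "examplevpn", "actor": "GROUP-A"},
    {"cve": "CVE-0000-0002", "product": "examplecms", "actor": "GROUP-B"},
    {"cve": "CVE-0000-0003", "product": "exampledb", "actor": "GROUP-A"},
]
FINDINGS = [
    {"id": "F-1", "asset": "vpn-gw-01", "product": "ExampleVPN",
     "cve": "CVE-0000-0001", "priority": 40},
    {"id": "F-2", "asset": "web-02", "product": "examplecms",
     "cve": "CVE-0000-0009", "priority": 70},
    {"id": "F-3", "asset": "db-03", "product": "otherdb",
     "cve": "CVE-0000-0004", "priority": 55},
]
EXPLOITED_BOOST = 50  # assumed boost: the finding's CVE is exploited in the wild
TARGETED_BOOST = 10   # assumed boost: the product is targeted, CVE differs
MAX_PRIORITY = 100


def correlate(signals, findings):
    """Link findings to threat signals and return them re-prioritized."""
    by_cve = {s["cve"]: s for s in signals}
    by_product = {}
    for s in signals:
        by_product.setdefault(s["product"].lower(), []).append(s)

    results = []
    for f in findings:
        rec = dict(f, linked_actors=[], reason="none")
        product = f["product"].lower()
        if f["cve"] in by_cve:            # finding linkage: exact CVE match
            rec["linked_actors"] = [by_cve[f["cve"]]["actor"]]
            rec["reason"] = "exploited-cve"
            boost = EXPLOITED_BOOST
        elif product in by_product:       # asset matching: technology in use
            rec["linked_actors"] = sorted({s["actor"] for s in by_product[product]})
            rec["reason"] = "targeted-product"
            boost = TARGETED_BOOST
        else:
            boost = 0
        # priority adjustment, capped so boosted findings stay comparable
        rec["priority"] = min(MAX_PRIORITY, f["priority"] + boost)
        results.append(rec)
    return sorted(results, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in correlate(SIGNALS, FINDINGS):
        print(r["id"], r["asset"], r["priority"], r["reason"], r["linked_actors"])
```

Keeping the reason and linked actors on each record lets an analyst see why a priority moved, which matters when the boost is applied without review.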
Feed sources
The Threat Intelligence Layer aggregates from multiple source categories:
- Commercial threat intel feeds. Premium feeds from leading threat intelligence providers.
- Government sources. CISA KEV, EU CERT advisories, national CERT feeds.
- Open source intelligence. Community threat sharing, research publications, disclosed campaigns.
- Industry-specific feeds. Sector-focused threat intelligence for financial services, healthcare, critical infrastructure.
See threat intelligence correlation in action
A demonstration showing how a new threat campaign is automatically correlated to your environment and incorporated into prioritization.