Threat Intelligence
Vulcan integrates with multiple threat intelligence feeds to identify malicious indicators in your infrastructure and prioritize risks based on real-world threat data.
Overview
The threat intelligence engine continuously ingests indicators of compromise (IOCs) from free and premium feeds, correlating them against your discovered assets to surface exposure risks.
Supported Feeds
Free Feeds (No API Key Required)
| Feed | Type | Update Frequency |
|---|---|---|
| CISA KEV | Known Exploited Vulnerabilities | Daily |
| Feodo Tracker | Banking Trojan C2 IPs | Hourly |
| URLhaus | Malicious URLs | Hourly |
| ThreatFox | IOCs (IPs, domains, hashes) | Hourly |
BYOK Feeds (API Key Required)
| Feed | Type | Free Tier |
|---|---|---|
| GreyNoise | IP reputation, scanner detection | 50 queries/day |
| Shodan | External attack surface | Basic API |
| AbuseIPDB | Community-reported IPs | 1000 queries/day |
| VirusTotal | Multi-engine malware scanning | 4 requests/min |
GreyNoise integration details
Infracast queries the GreyNoise Community API (GET /v3/community/{ip})
on-demand per public IP (GreyNoise has no bulk download). Lookups are cached;
the free Community tier allows 50 queries/day. The response maps to an
indicator as follows:
| GreyNoise classification | Meaning | Infracast severity |
|---|---|---|
| malicious | Directly observed harmful behavior | High |
| suspicious | Systematic probing / reconnaissance (between benign and malicious) | Medium |
| benign / RIOT (riot: true) | Known-good actor or common business service (Shodan, Censys, search engines, SaaS) | Info |
| unknown / not found | Scanning activity with no determination, or IP never observed | Low / skipped |
When an attack-path entry point's public IP is flagged by GreyNoise (or Feodo),
the path's ActiveScanning / EntryPointExposed context is set and its threat
level is raised — see Attack Path Enrichment.
GreyNoise consolidated its API in v3 and renamed its datasets. These changes do not break our Community API integration, but are worth knowing:
- Datasets renamed: "Noise" → Internet Scanner Intelligence, "RIOT" → Business Service Intelligence (trust_level 1–2). A single v3 response now combines both.
- Four classifications: GreyNoise now distinguishes benign / suspicious / malicious / unknown (the suspicious tier was added). Infracast maps suspicious to Medium severity.
- Legacy v2 endpoints (/context, /quick, /multi, /riot) reached end-of-life on 1 Jan 2026. Infracast does not use them — we use the Community endpoint, which remains supported.
- Richer fields available for future use (paid tiers / full v3 IP lookup): per-IP cves (which CVEs a scanner exploits — directly useful for attack-path/vuln correlation), actor, tor/vpn/bot flags, spoofable, and behavioral tags with intent. Newer GreyNoise product features include C2 Detection, IP Timeline (classification change history), and Vulnerability Prioritization. Not yet consumed by Infracast.
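As an added example (not Vulcan/Infracast code), this is how the lookup-and-mapping logic described above can be written in Python: the classification-to-severity table, a per-IP cache that respects the 50 queries/day Community quota and skips internal addresses, and the Attack Path Enrichment rule. The Community API field names (ip, noise, riot, classification, name), the 404 response for never-observed IPs, and treating malicious/suspicious as "flagged" for ActiveScanning are assumptions; the sample responses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

DAILY_QUOTA = 50  # free Community tier limit stated in the table above
SEVERITY = {"malicious": "High", "suspicious": "Medium", "benign": "Info", "unknown": "Low"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample responses (TEST-NET IPs) standing in for the live API; field names assumed.
SAMPLE = {
    "203.0.113.7": (200, {"ip": "203.0.113.7", "noise": True, "riot": False, "classification": "malicious"}),
    "203.0.113.8": (200, {"ip": "203.0.113.8", "noise": False, "riot": True, "classification": "benign", "name": "Shodan"}),
    "203.0.113.9": (200, {"ip": "203.0.113.9", "noise": True, "riot": False, "classification": "unknown"}),
}

def map_greynoise(status: int, body: dict) -> Optional[dict]:
    """Map one (HTTP status, JSON body) pair to an indicator, or None to skip the IP."""
    if status == 404 or not (body.get("noise") or body.get("riot")):
        return None  # never observed scanning and not a known business service: skipped
    if body.get("riot"):  # RIOT wins: Shodan/Censys/SaaS traffic is Info, not a threat
        severity, reason = "Info", "business service: " + str(body.get("name", "?"))
    else:
        cls = body.get("classification", "unknown")
        severity, reason = SEVERITY.get(cls, "Low"), "classification=" + cls
    return {"ip": body["ip"], "source": "greynoise", "severity": severity,
            "reason": reason, "active_scanning": severity in ("High", "Medium")}

@dataclass
class GreyNoiseLookup:  # on-demand per-IP lookups; the cache keeps repeats from burning quota
    fetch: Callable[[str], tuple] = lambda ip: SAMPLE.get(ip, (404, {"ip": ip, "noise": False, "riot": False}))
    cache: dict = field(default_factory=dict)
    used: int = 0
    def lookup(self, ip: str) -> Optional[dict]:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918):
            return None  # GreyNoise covers public IPs only; don't spend quota on internal ranges
        if ip not in self.cache:
            if self.used >= DAILY_QUOTA:
                raise RuntimeError("GreyNoise Community daily quota exhausted")
            self.used += 1
            self.cache[ip] = map_greynoise(*self.fetch(ip))
        return self.cache[ip]

def enrich_entry_point(path: dict, indicator: Optional[dict]) -> dict:
    if indicator:  # Attack Path Enrichment: flag the entry point, raise the level on active scanning
        path.setdefault("context", []).append("EntryPointExposed")
        if indicator["active_scanning"]:
            path["context"].append("ActiveScanning")
            path["threat_level"] = "High"
    return path
```

Replace the default `fetch` with a client that calls GET /v3/community/{ip} and returns (status, json) to run it against the live API.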
Features
Indicator Lookup
Search any IP, domain, URL, or file hash against all configured feeds:
- Real-time lookup across free and BYOK feeds
- Aggregated severity and confidence scores
- Source attribution showing which feeds flagged the indicator
Exposure Analysis
Automatically identifies which of your public-facing assets appear in threat feeds:
- Scans all discovered public IPs
- Highlights assets communicating with known C2 servers
- Flags IPs seen in active scanning campaigns
Dashboard Integration
The dashboard shows a threat intelligence summary:
- Active feeds and total indicators
- Public IPs being monitored
- Assets flagged in threat feeds
- High-severity alerts requiring attention
Attack Path Enrichment
Threat intel data enriches attack path analysis:
- Entry points in threat feeds are flagged
- Active scanning indicators increase path risk scores
- CISA KEV vulnerabilities are highlighted in paths
Configuration
Enabling BYOK Feeds
- Navigate to Threat Intel in the main menu
- Click the Feeds tab
- Click Configure on any BYOK feed
- Enter your API key and enable the feed
API Key Sources
- GreyNoise: greynoise.io/plans
- Shodan: account.shodan.io
- AbuseIPDB: abuseipdb.com/account/api
- VirusTotal: virustotal.com/gui/my-apikey
Use Cases
SOC Triage
When investigating an alert, look up the source IP to see if it's a known scanner, botnet, or malicious host.
Vulnerability Prioritization
Combine threat intel with vulnerability data — CVEs in CISA KEV with active exploitation should be patched immediately.
External Attack Surface Management
Monitor your public IPs for appearance in threat feeds, indicating potential compromise or misconfiguration.
API Reference
# Look up an indicator
POST /api/v1/tenants/{id}/threat-intel/lookup
{
"value": "192.168.1.1"
}
# Get exposure analysis
GET /api/v1/tenants/{id}/threat-intel/exposure
# List feed status
GET /api/v1/threat-intel/feeds
# Trigger manual sync
POST /api/v1/threat-intel/sync