Threat Intelligence
Vulcan integrates with multiple threat intelligence feeds to identify malicious indicators in your infrastructure and prioritize risks based on real-world threat data.
Overview
The threat intelligence engine continuously ingests indicators of compromise (IOCs) from free and premium feeds, correlating them against your discovered assets to surface exposure risks.
Supported Feeds
Free Feeds (No API Key Required)
| Feed | Type | Update Frequency |
|---|---|---|
| CISA KEV | Known Exploited Vulnerabilities | Daily |
| Feodo Tracker | Banking Trojan C2 IPs | Hourly |
| URLhaus | Malicious URLs | Hourly |
| ThreatFox | IOCs (IPs, domains, hashes) | Hourly |
BYOK Feeds (API Key Required)
| Feed | Type | Free Tier |
|---|---|---|
| GreyNoise | IP reputation, scanner detection | 50 queries/day |
| Shodan | External attack surface | Basic API |
| AbuseIPDB | Community-reported IPs | 1000 queries/day |
| VirusTotal | Multi-engine malware scanning | 4 requests/min |
Features
Indicator Lookup
Search any IP, domain, URL, or file hash against all configured feeds:
- Real-time lookup across free and BYOK feeds
- Aggregated severity and confidence scores
- Source attribution showing which feeds flagged the indicator
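The aggregation described above, as an added example that is not Vulcan's own code: it classifies a submitted indicator into the four accepted types and merges per-feed verdicts into one severity, one confidence score and a list of the feeds that flagged it. The per-feed result shape, the severity scale and the confidence-combination rule are assumptions made for this example; the feed results are constructed sample data.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed per-feed result shape (not the product's real schema):
# {"feed": str, "flagged": bool, "severity": "low"|"medium"|"high"|"critical"|None,
#  "confidence": float in [0, 1]}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_indicator(value):
    """Return the indicator type the lookup accepts: ip, hash, url or domain."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # IPv4 or IPv6 literal
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return "hash"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v.lower()):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


def aggregate_lookup(value, feed_results):
    """Merge per-feed verdicts: highest severity wins, confidences combine,
    and every feed that flagged the indicator is named as a source."""
    flagged = [r for r in feed_results if r["flagged"]]
    severity = "none"
    for r in flagged:
        if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[severity]:
            severity = r["severity"]
    # Assumed rule: treat feeds as independent, so the chance that at least
    # one is right is 1 - prod(1 - c_i).
    miss = 1.0
    for r in flagged:
        miss *= 1.0 - r["confidence"]
    confidence = round(1.0 - miss, 3) if flagged else 0.0
    return {
        "value": value,
        "type": classify_indicator(value),
        "severity": severity,
        "confidence": confidence,
        "sources": sorted(r["feed"] for r in flagged),
        "feeds_queried": len(feed_results),
    }


# Constructed sample: what four feeds might return for one IP lookup.
SAMPLE_RESULTS = [
    {"feed": "Feodo Tracker", "flagged": True, "severity": "high", "confidence": 0.9},
    {"feed": "ThreatFox", "flagged": True, "severity": "medium", "confidence": 0.7},
    {"feed": "GreyNoise", "flagged": False, "severity": None, "confidence": 0.0},
    {"feed": "AbuseIPDB", "flagged": True, "severity": "low", "confidence": 0.5},
]

if __name__ == "__main__":
    print(aggregate_lookup("203.0.113.7", SAMPLE_RESULTS))
```

The combined confidence is deliberately higher than any single feed's: three independent sources agreeing is stronger evidence than one, while the severity stays at the worst single verdict so a low-confidence feed cannot water down a high-severity one.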
Exposure Analysis
Automatically identifies which of your public-facing assets appear in threat feeds:
- Scans all discovered public IPs
- Highlights assets communicating with known C2 servers
- Flags IPs seen in active scanning campaigns
Dashboard Integration
The dashboard shows a threat intelligence summary:
- Active feeds and total indicators
- Public IPs being monitored
- Assets flagged in threat feeds
- High-severity alerts requiring attention
Attack Path Enrichment
Threat intel data enriches attack path analysis:
- Entry points in threat feeds are flagged
- Active scanning indicators increase path risk scores
- CISA KEV vulnerabilities are highlighted in paths
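Exposure analysis and attack path enrichment share the same feed data, so here is one added example covering both; it is illustrative code, not Vulcan's implementation. It correlates discovered IPs against C2 and active-scanning sets, skipping non-routable addresses that cannot be an external exposure, and then raises a path's risk score when its entry point is flagged, is under active scanning, or carries a CISA KEV CVE. The feed snapshots use RFC 5737 documentation addresses and a placeholder CVE id, and the score weightings are assumptions (the page gives the direction of the adjustments, not their size).

```python
import ipaddress

# Constructed feed snapshots: RFC 5737 documentation addresses and a
# placeholder CVE id. None of these are real indicators.
C2_IPS = {"198.51.100.23"}       # shape of a Feodo Tracker / ThreatFox C2 list
SCANNER_IPS = {"203.0.113.9"}    # shape of a GreyNoise active-scanning list
KEV_CVES = {"CVE-0000-0001"}     # placeholder standing in for a CISA KEV entry

# Only routable addresses can be an external exposure. ipaddress.is_private
# would also exclude the RFC 5737 documentation ranges used in this sample, so
# the non-routable prefixes are listed explicitly.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def exposure_analysis(discovered_ips, c2_ips=C2_IPS, scanner_ips=SCANNER_IPS):
    """Report which discovered public IPs appear in C2 or scanning feeds."""
    flagged, skipped, monitored = [], [], 0
    for ip in discovered_ips:
        if not is_public(ip):
            skipped.append(ip)       # private/loopback: not an external exposure
            continue
        monitored += 1
        hits = []
        if ip in c2_ips:
            hits.append("c2")
        if ip in scanner_ips:
            hits.append("scanning")
        if hits:
            flagged.append({"ip": ip, "hits": hits})
    return {"monitored": monitored, "flagged": flagged, "skipped": skipped}


# Assumed weightings for the enrichment step.
SCANNING_BONUS = 2.0
KEV_BONUS = 3.0


def enrich_path(path, exposure, kev_cves=KEV_CVES):
    """path = {"id", "entry_ip", "cves", "base_score"}; returns an enriched view."""
    feed_hits = {f["ip"]: f["hits"] for f in exposure["flagged"]}
    hits = feed_hits.get(path["entry_ip"], [])
    flags, score = [], float(path["base_score"])
    if hits:
        flags.append("entry_in_threat_feed")
    if "scanning" in hits:
        flags.append("active_scanning")
        score += SCANNING_BONUS
    kev = sorted(set(path["cves"]) & set(kev_cves))
    if kev:
        flags.append("cisa_kev")
        score += KEV_BONUS
    return {"id": path["id"], "score": min(score, 10.0), "flags": flags, "kev_cves": kev}


# Constructed inventory and attack paths.
DISCOVERED = ["192.168.1.1", "198.51.100.23", "203.0.113.9", "203.0.113.50"]
PATHS = [
    {"id": "p1", "entry_ip": "203.0.113.9", "cves": ["CVE-0000-0001", "CVE-0000-0002"], "base_score": 5.0},
    {"id": "p2", "entry_ip": "203.0.113.50", "cves": ["CVE-0000-0002"], "base_score": 4.0},
]

if __name__ == "__main__":
    exp = exposure_analysis(DISCOVERED)
    print(exp)
    for p in PATHS:
        print(enrich_path(p, exp))
```

The private address in the inventory is reported under `skipped` rather than silently dropped, which makes it obvious in review when an internal-only asset was wrongly classified as public-facing.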
Configuration
Enabling BYOK Feeds
1. Navigate to Threat Intel in the main menu
2. Click the Feeds tab
3. Click Configure on any BYOK feed
4. Enter your API key and enable the feed
API Key Sources
- GreyNoise: greynoise.io/plans
- Shodan: account.shodan.io
- AbuseIPDB: abuseipdb.com/account/api
- VirusTotal: virustotal.com/gui/my-apikey
Use Cases
SOC Triage
When investigating an alert, look up the source IP to see if it's a known scanner, botnet, or malicious host.
Vulnerability Prioritization
Combine threat intel with vulnerability data: CVEs listed in CISA KEV are known to be exploited in the wild and should be patched immediately.
External Attack Surface Management
Monitor your public IPs for appearance in threat feeds, indicating potential compromise or misconfiguration.
API Reference
```text
# Lookup an indicator
POST /api/v1/tenants/{id}/threat-intel/lookup
{
  "value": "192.168.1.1"
}

# Get exposure analysis
GET /api/v1/tenants/{id}/threat-intel/exposure

# List feed status
GET /api/v1/threat-intel/feeds

# Trigger manual sync
POST /api/v1/threat-intel/sync
```
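A minimal client for the four endpoints above, added here as an example rather than taken from the product. The page does not state the authentication scheme, response format or base URL, so bearer-token auth, JSON bodies and the host `vulcan.example` are assumptions; the transport is injectable so the client can be exercised offline with a recording stub.

```python
import json
from urllib.request import Request, urlopen


class ThreatIntelClient:
    """Minimal client for the threat-intel endpoints listed above.

    Assumptions (not stated on the page): bearer-token auth, JSON request and
    response bodies, and a base URL such as https://vulcan.example.
    """

    def __init__(self, base_url, tenant_id, token, send=None):
        self.base_url = base_url.rstrip("/")
        self.tenant_id = tenant_id
        self.token = token
        # send(method, url, body) -> dict. Injectable so the client can be
        # exercised without a server; the default performs a real request.
        self._send = send or self._http_send

    def _http_send(self, method, url, body):
        data = None if body is None else json.dumps(body).encode("utf-8")
        req = Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _tenant_path(self, suffix):
        return f"/api/v1/tenants/{self.tenant_id}/threat-intel/{suffix}"

    def lookup(self, value):
        """POST .../threat-intel/lookup with {"value": ...}: any IP, domain, URL or hash."""
        value = (value or "").strip()
        if not value:
            raise ValueError("indicator value must be a non-empty string")
        return self._send("POST", self.base_url + self._tenant_path("lookup"), {"value": value})

    def exposure(self):
        """GET .../threat-intel/exposure for this tenant."""
        return self._send("GET", self.base_url + self._tenant_path("exposure"), None)

    def feeds(self):
        """GET /api/v1/threat-intel/feeds (not tenant-scoped)."""
        return self._send("GET", self.base_url + "/api/v1/threat-intel/feeds", None)

    def sync(self):
        """POST /api/v1/threat-intel/sync to trigger a manual feed refresh."""
        return self._send("POST", self.base_url + "/api/v1/threat-intel/sync", None)


def recording_send(calls, reply=None):
    """Offline transport: records (method, url, body) and returns a canned reply."""
    def send(method, url, body):
        calls.append((method, url, body))
        return reply if reply is not None else {"ok": True}
    return send


if __name__ == "__main__":
    calls = []
    client = ThreatIntelClient("https://vulcan.example", "t-123", "TOKEN-PLACEHOLDER",
                               send=recording_send(calls))
    client.lookup("192.168.1.1")   # the page's own example value
    client.feeds()
    for call in calls:
        print(call)
```

Keeping the token out of the URL and in a header, and refusing empty lookup values before a request is made, are the two checks worth carrying into any real client built on this reference.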