
Threat Intelligence

Vulcan integrates with multiple threat intelligence feeds to identify malicious indicators in your infrastructure and prioritize risks based on real-world threat data.

Overview

The threat intelligence engine continuously ingests indicators of compromise (IOCs) from free and premium feeds, correlating them against your discovered assets to surface exposure risks.

Supported Feeds

Free Feeds (No API Key Required)

| Feed | Type | Update Frequency |
| --- | --- | --- |
| CISA KEV | Known Exploited Vulnerabilities | Daily |
| Feodo Tracker | Banking Trojan C2 IPs | Hourly |
| URLhaus | Malicious URLs | Hourly |
| ThreatFox | IOCs (IPs, domains, hashes) | Hourly |

BYOK Feeds (API Key Required)

| Feed | Type | Free Tier |
| --- | --- | --- |
| GreyNoise | IP reputation, scanner detection | 50 queries/day |
| Shodan | External attack surface | Basic API |
| AbuseIPDB | Community-reported IPs | 1000 queries/day |
| VirusTotal | Multi-engine malware scanning | 4 requests/min |

GreyNoise integration details

Infracast queries the GreyNoise Community API (GET /v3/community/{ip}) on demand for each public IP, since the Community API offers no bulk download. Results are cached, because the free Community tier allows only 50 queries per day. The response maps to an indicator as follows:

| GreyNoise classification | Meaning | Infracast severity |
| --- | --- | --- |
| malicious | Directly observed harmful behavior | High |
| suspicious | Systematic probing / reconnaissance (between benign and malicious) | Medium |
| benign / RIOT (riot: true) | Known-good actor or common business service (Shodan, Censys, search engines, SaaS) | Info |
| unknown / not found | Scanning activity with no determination, or IP never observed | Low / skipped |

When an attack-path entry point's public IP is flagged by GreyNoise (or Feodo), the path's ActiveScanning / EntryPointExposed context is set and its threat level is raised — see Attack Path Enrichment.
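The mapping, cache and quota guard described above, as an added example written for this page rather than Infracast's own code. It assumes the Community API answers HTTP 404 for an IP it has never observed, that a reply carries the fields ip, noise, riot, classification and name, and that one cache entry per IP lives for a day (the quota window). The replies keyed by RFC 5737 documentation addresses are constructed sample data, not real observations, and the transport is a stub standing in for the HTTP call.

```python
"""Added example (not Infracast's code): GreyNoise Community reply -> severity,
with a result cache (404 misses included) and a daily-quota guard."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

DAILY_QUOTA = 50           # free Community tier limit stated on the page
CACHE_TTL_SECONDS = 86400  # assumption: cache entries live one day (the quota window)

# Page mapping: malicious -> High, suspicious -> Medium, benign/RIOT -> Info,
# unknown -> Low, never observed (HTTP 404) -> skipped.
SEVERITY_BY_CLASSIFICATION = {"malicious": "High", "suspicious": "Medium",
                              "benign": "Info", "unknown": "Low"}

# Ranges never sent to GreyNoise. RFC 5737 documentation nets stay routable on
# purpose so the sample data below is accepted (Python's is_global rejects them).
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return addr.is_global
    return not any(addr in net for net in _NON_ROUTABLE)


@dataclass(frozen=True)
class Indicator:
    ip: str
    severity: str
    classification: str
    name: str
    riot: bool


def classify(ip: str, status: int, body: dict) -> Optional[Indicator]:
    """Turn one (HTTP status, JSON body) reply into an Indicator, or None for 404.

    A malicious/suspicious classification wins over the riot flag, so a business
    service IP that is also hostile is not downgraded (defensive ordering)."""
    if status == 404:
        return None
    classification = str(body.get("classification", "unknown")).lower()
    riot = bool(body.get("riot", False))
    if classification in ("malicious", "suspicious"):
        severity = SEVERITY_BY_CLASSIFICATION[classification]
    elif riot or classification == "benign":
        severity = "Info"
    else:
        severity = "Low"
    return Indicator(ip, severity, classification, body.get("name") or "", riot)


Transport = Callable[[str], Tuple[int, dict]]  # ip -> (HTTP status, JSON body)


class GreyNoiseCommunityClient:
    """Caches every answer (misses too) and skips lookups once the daily quota
    is spent instead of failing the whole scan."""

    def __init__(self, transport: Transport, quota: int = DAILY_QUOTA,
                 ttl: int = CACHE_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._transport, self._quota, self._ttl, self._clock = transport, quota, ttl, clock
        self._cache: dict = {}
        self._day = int(clock() // 86400)
        self.queries_used = self.skipped_for_quota = self.skipped_non_public = 0

    def lookup(self, ip: str) -> Optional[Indicator]:
        if not is_public_ip(ip):
            self.skipped_non_public += 1
            return None
        now = self._clock()
        if int(now // 86400) != self._day:          # new day: quota resets
            self._day, self.queries_used = int(now // 86400), 0
        hit = self._cache.get(ip)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        if self.queries_used >= self._quota:
            self.skipped_for_quota += 1
            return None
        self.queries_used += 1
        status, body = self._transport(ip)           # GET /v3/community/{ip}
        result = classify(ip, status, body)
        self._cache[ip] = (now, result)
        return result


# Constructed sample replies (documentation addresses, not real observations).
SAMPLE_REPLIES = {
    "203.0.113.10": (200, {"ip": "203.0.113.10", "noise": True, "riot": False,
                           "classification": "malicious", "name": "unknown"}),
    "203.0.113.20": (200, {"ip": "203.0.113.20", "noise": True, "riot": False,
                           "classification": "suspicious", "name": "unknown"}),
    "203.0.113.30": (200, {"ip": "203.0.113.30", "noise": False, "riot": True,
                           "classification": "benign", "name": "Example Search Engine"}),
    "203.0.113.40": (404, {"ip": "203.0.113.40", "noise": False, "riot": False,
                           "message": "IP not observed (constructed 404 body)"}),
}


def stub_transport(ip: str) -> Tuple[int, dict]:
    return SAMPLE_REPLIES.get(ip, (404, {"ip": ip, "noise": False, "riot": False}))


if __name__ == "__main__":
    client = GreyNoiseCommunityClient(stub_transport)
    for ip in list(SAMPLE_REPLIES) + ["10.0.0.5", "203.0.113.40"]:
        print(ip, client.lookup(ip))
    print("queries used:", client.queries_used)
```

Caching the 404 answers matters as much as caching hits: an unobserved IP re-queried on every scan would burn the 50-query budget on addresses GreyNoise will never enrich.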

GreyNoise API v3 (2025–2026 updates)

GreyNoise consolidated its API in v3 and renamed its datasets. These do not break our Community API integration, but are worth knowing:

  • Datasets renamed: "Noise" → Internet Scanner Intelligence, "RIOT" → Business Service Intelligence (trust_level 1–2). A single v3 response now combines both.
  • Four classifications: GreyNoise now distinguishes benign / suspicious / malicious / unknown (the suspicious tier was added). Infracast maps suspicious to Medium severity.
  • Legacy v2 endpoints (/context, /quick, /multi, /riot) reached end-of-life on 1 Jan 2026. Infracast does not use them — we use the Community endpoint, which remains supported.
  • Richer fields available for future use (paid tiers / full v3 IP lookup): per-IP cves (which CVEs a scanner exploits — directly useful for attack-path/vuln correlation), actor, tor / vpn / bot flags, spoofable, and behavioral tags with intent. Newer GreyNoise product features include C2 Detection, IP Timeline (classification change history), and Vulnerability Prioritization. Not yet consumed by Infracast.

Features

Indicator Lookup

Search any IP, domain, URL, or file hash against all configured feeds:

  • Real-time lookup across free and BYOK feeds
  • Aggregated severity and confidence scores
  • Source attribution showing which feeds flagged the indicator

Exposure Analysis

Automatically identifies which of your public-facing assets appear in threat feeds:

  • Scans all discovered public IPs
  • Highlights assets communicating with known C2 servers
  • Flags IPs seen in active scanning campaigns
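One way to implement the Indicator Lookup and Exposure Analysis features described in the two sections above, as an added example that is not Infracast's own code: detect the indicator type, consult only the feeds that carry that type, aggregate severity and confidence with source attribution, and run the same lookup over the discovered public IPs. The feed snapshots, the per-feed severity and confidence weights, and the noisy-OR combination of confidences are constructed assumptions for the example; the GreyNoise entry stands in for cached on-demand lookups, since that feed has no bulk download.

```python
"""Added example (not Infracast's code): typed indicator lookup across feeds,
aggregated scoring with source attribution, and exposure analysis over public IPs."""
import ipaddress
import re
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple

SEVERITY_RANK = {"None": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4}

# Constructed feed snapshots (documentation addresses, example.test-style
# names, a well-known test hash); severity/confidence per feed are assumptions.
FEEDS = {
    "feodo":     {"types": {"ip"}, "severity": "High", "confidence": 0.9,
                  "data": {"203.0.113.77"}},
    "urlhaus":   {"types": {"url", "domain"}, "severity": "High", "confidence": 0.8,
                  "data": {"http://malware.example/payload.exe", "malware.example"}},
    "threatfox": {"types": {"ip", "domain", "hash"}, "severity": "Medium", "confidence": 0.7,
                  "data": {"203.0.113.77", "9e107d9d372bb6826bd81d3542a419d6"}},
    "greynoise": {"types": {"ip"}, "severity": "Medium", "confidence": 0.6,
                  "data": {"203.0.113.88"}},   # cached "suspicious" lookups
}

_HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")   # md5 / sha1 / sha256
_URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+")
_DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def normalize(value: str) -> Tuple[str, str]:
    """Return (kind, canonical value); raise ValueError for anything else."""
    v = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    low = v.lower()
    if _HASH_RE.fullmatch(low):
        return "hash", low
    if _URL_RE.fullmatch(low):
        return "url", v            # keep URL case: paths can be case-sensitive
    if _DOMAIN_RE.fullmatch(low):
        return "domain", low
    raise ValueError(f"not an IP, domain, URL or hash: {value!r}")


@dataclass
class LookupResult:
    value: str
    kind: str
    severity: str = "None"
    confidence: float = 0.0
    sources: List[str] = field(default_factory=list)


def lookup(value: str) -> LookupResult:
    kind, canon = normalize(value)
    hits = [(name, f) for name, f in FEEDS.items()
            if kind in f["types"] and canon in f["data"]]
    result = LookupResult(canon, kind)
    if not hits:
        return result
    # Severity is the worst any feed reports; confidence treats feeds as
    # independent witnesses (noisy-OR), an assumption for this example.
    result.severity = max((f["severity"] for _, f in hits), key=SEVERITY_RANK.__getitem__)
    result.confidence = round(1 - prod(1 - f["confidence"] for _, f in hits), 3)
    result.sources = sorted(name for name, _ in hits)
    return result


def exposure_analysis(public_ips: List[str]) -> List[dict]:
    """Flag discovered public IPs present in any feed, tagging Feodo hits as
    C2 infrastructure and GreyNoise hits as active scanning, worst first."""
    flagged = []
    for ip in public_ips:
        r = lookup(ip)
        if not r.sources:
            continue
        flagged.append({"ip": r.value, "severity": r.severity, "sources": r.sources,
                        "c2": "feodo" in r.sources, "scanning": "greynoise" in r.sources})
    return sorted(flagged, key=lambda f: -SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for v in ("203.0.113.77", "MALWARE.example", "9E107D9D372BB6826BD81D3542A419D6"):
        print(lookup(v))
    print(exposure_analysis(["203.0.113.1", "203.0.113.88", "203.0.113.77"]))
```

Routing by type is what keeps the lookup honest: a hash is never sent to an IP-only feed, so an empty result means "no feed that could know said anything", not "a feed returned nothing for a value it cannot hold".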

Dashboard Integration

The dashboard shows a threat intelligence summary:

  • Active feeds and total indicators
  • Public IPs being monitored
  • Assets flagged in threat feeds
  • High-severity alerts requiring attention

Attack Path Enrichment

Threat intel data enriches attack path analysis:

  • Entry points in threat feeds are flagged
  • Active scanning indicators increase path risk scores
  • CISA KEV vulnerabilities are highlighted in paths
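The enrichment rules described above, as an added example that is not Infracast's own code. It takes a path's entry point, the feed names that flagged its IP (the output of an indicator lookup), and a KEV catalog, then sets the ActiveScanning / EntryPointExposed contexts and raises the threat level. The four-step level ladder, the grouping of GreyNoise under scanning and Feodo under C2, and the exact escalation amounts are assumptions for the example; the sample KEV set contains a real KEV entry (CVE-2021-44228) and "CVE-2099-0001" is an obviously synthetic placeholder for a non-KEV finding.

```python
"""Added example (not Infracast's code): threat-intel enrichment of one attack path."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

THREAT_LEVELS = ["Low", "Medium", "High", "Critical"]   # assumed ladder

# Assumed feed grouping: the page names GreyNoise for scanning, Feodo for C2.
SCANNING_FEEDS = {"greynoise"}
C2_FEEDS = {"feodo"}


@dataclass
class AttackPath:
    name: str
    entry_ip: str
    cves: List[str]                        # CVEs on hosts along the path
    threat_level: str = "Low"
    contexts: Set[str] = field(default_factory=set)
    kev_cves: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)


def raise_level(current: str, steps: int = 1, floor: str = "Low") -> str:
    """Climb the ladder by `steps`, never below `floor`, capped at Critical."""
    idx = max(THREAT_LEVELS.index(current) + steps, THREAT_LEVELS.index(floor))
    return THREAT_LEVELS[min(idx, len(THREAT_LEVELS) - 1)]


def enrich(path: AttackPath, feed_hits: Dict[str, List[str]], kev: Set[str]) -> AttackPath:
    """feed_hits maps an IP to the feeds that flagged it; kev is the KEV CVE set."""
    sources = set(feed_hits.get(path.entry_ip, []))
    scanning, c2 = sources & SCANNING_FEEDS, sources & C2_FEEDS
    if scanning:
        path.contexts.add("ActiveScanning")
        path.threat_level = raise_level(path.threat_level, 1)
        path.evidence.append(f"{path.entry_ip} seen scanning ({', '.join(sorted(scanning))})")
    if c2:
        path.contexts.add("EntryPointExposed")
        # an entry point that is itself known C2 infrastructure is at least High
        path.threat_level = raise_level(path.threat_level, 1, floor="High")
        path.evidence.append(f"{path.entry_ip} listed as C2 ({', '.join(sorted(c2))})")
    path.kev_cves = sorted(c for c in path.cves if c in kev)
    if path.kev_cves:
        path.threat_level = raise_level(path.threat_level, 1)
        path.evidence.append("KEV CVEs on path: " + ", ".join(path.kev_cves))
    return path


if __name__ == "__main__":
    p = AttackPath("internet -> web -> db", "203.0.113.10",
                   ["CVE-2021-44228", "CVE-2099-0001"], "Medium")
    print(enrich(p, {"203.0.113.10": ["greynoise", "threatfox"]}, {"CVE-2021-44228"}))
```

Scanning and C2 evidence are applied before the KEV check on purpose: the contexts describe the entry point, the KEV match describes what an attacker gets after entry, and recording both in `evidence` keeps the raised level explainable in the dashboard.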

Configuration

Enabling BYOK Feeds

  1. Navigate to Threat Intel in the main menu
  2. Click the Feeds tab
  3. Click Configure on any BYOK feed
  4. Enter your API key and enable the feed

API Key Sources

Use Cases

SOC Triage

When investigating an alert, look up the source IP to see if it's a known scanner, botnet, or malicious host.

Vulnerability Prioritization

Combine threat intel with vulnerability data: a CVE listed in CISA KEV has confirmed in-the-wild exploitation, so it should be patched ahead of findings ranked only by CVSS.

External Attack Surface Management

Monitor your public IPs for appearance in threat feeds, indicating potential compromise or misconfiguration.

API Reference

# Lookup an indicator
POST /api/v1/tenants/{id}/threat-intel/lookup
{
  "value": "192.168.1.1"
}

# Get exposure analysis
GET /api/v1/tenants/{id}/threat-intel/exposure

# List feed status
GET /api/v1/threat-intel/feeds

# Trigger manual sync
POST /api/v1/threat-intel/sync