Indicators that go where you need them.

Every article that enters the pipeline is extracted for IOCs, validated for confidence, and made available wherever your analysts and tooling need them. STIX, MISP, REST, RSS, CLI.

Every article, extracted twice.

The unambiguous indicators come out first. IPs, domains, URLs, hashes, CVE IDs, crypto wallets. Anything with a predictable shape gets captured with a script, not a model.

AI then handles the contextual layer. Threat actors, malware families, MITRE techniques, tools, industries, and targets. Benign domains, invalid hashes, and known false positives are filtered out up front, so the validation queue stays clean.
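As an added illustration, not ThreatCluster's own code, here is a Python sketch of the first, script-based pass described above: shape-based extraction with refanging, plus the up-front validation that drops malformed hashes, unroutable IPs and allow-listed benign domains before anything reaches a queue, with an optional defang on output. The sample text, the allow-list and the pattern set are constructed for the example and are not the product's patterns.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample article; indicator values are documentation/test values, not real IOCs.
SAMPLE = (
    "The loader beaconed to 203[.]0[.]113[.]7 twice and to 203[.]0[.]113[.]7 again, "
    "then fetched hxxp://update[.]example[.]net/dl.php and dropped a payload with SHA-256 "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08, reported MD5 "
    "deadbeefdeadbeefdeadbeefdeadbeefdead. It exploited CVE-2021-44228 and contacted "
    "microsoft.com for reconnaissance."
)

# Order matters: URLs are matched and masked first so their host part is not re-extracted as a domain.
PATTERNS = [
    ("url", r"\bh(?:xx|tt)ps?://[^\s\"'<>]+"),
    ("ipv4", r"\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}\b"),
    ("hash", r"\b[a-f0-9]{32,64}\b"),
    ("cve", r"\bCVE-\d{4}-\d{4,}\b"),
    ("domain", r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b"),
]
BENIGN_DOMAINS = {"microsoft.com", "google.com"}  # constructed stand-in for a known-benign allow-list

def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")

def defang(value):
    return value.replace(".", "[.]").replace("http", "hxxp")

def is_valid(kind, value):
    """Shape checks and false-positive filtering applied before an indicator enters the queue."""
    if kind == "ipv4":
        try:
            ip_address(value)          # rejects octets > 255 and other malformed addresses
            return True
        except ValueError:
            return False
    if kind == "hash":
        return len(value) in (32, 40, 64)   # MD5 / SHA-1 / SHA-256 only; other lengths are invalid
    if kind == "domain":
        return value.lower() not in BENIGN_DOMAINS
    return True

def extract_iocs(text, defanged=False):
    """Return {(type, value): mentions} for every indicator that passes validation."""
    counts = Counter()
    for kind, pattern in PATTERNS:
        for match in re.finditer(pattern, text, re.IGNORECASE):
            value = refang(match.group(0)).rstrip(".,;:)")   # drop trailing punctuation
            if is_valid(kind, value):
                counts[(kind, defang(value) if defanged else value)] += 1
        text = re.sub(pattern, " ", text, flags=re.IGNORECASE)  # mask so later patterns don't re-match
    return dict(counts)
```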

Image 1 (Extraction output): list of extracted entities for one article showing type, value, mentions, first seen and last seen.

Confidence on every indicator.

Every IOC is assigned a confidence level. High, medium, low, or false positive. Each carries a written justification so analysts know why the model graded it that way.

Confidence feeds every downstream filter, so analysts only see what's been verified. Pending IOCs surface separately for the analyst on triage duty, with an X-IOC-Pending-Count header on every API response so SIEM ingestion can see the validation lag in flight.

Image 2 (IOC validation card): "Confirmed IOC, High confidence" badge with a one-sentence reason on an entity page.

Per-cluster or in bulk.

One cluster's IOCs as TXT for a firewall blocklist, CSV for a spreadsheet, JSON for a script, or STIX 2.1 with TLP marking for a TIP. Or query in bulk by type, confidence, and time window.

Defang on or off per request. ATT&CK Navigator layer for the techniques in the cluster. The full format matrix with auth, tier, and confidence defaults sits at /formats.

Formats: TXT, CSV, JSON, STIX 2.1, MISP, ATT&CK Navigator.

Image 3 (Export modal): cluster page export submenu with type filter, format buttons and defang toggle.

Native MISP feed.

ThreatCluster ships a native MISP-compatible feed with manifest, hashes index, and event JSON. UUIDs are stable across regenerations, so MISP correlation works cleanly and event re-pulls don't generate duplicate records.

Authenticated tier carries 50 events with historical replay via ?since= and ?days=. Public tier carries 10 recent events. MISP Galaxy clusters auto-attach for recognised threat actors and ransomware groups.

Image 4 (MISP feed): MISP UI showing the ThreatCluster feed configured in a third-party MISP instance.

Into your SIEM, however you ingest.

REST API for direct pulls. RSS for feed-based ingestion. Webhook push into Splunk, Microsoft Sentinel, Elastic, or OpenSearch. Filter by confidence, type, and freshness on the wire so you don't have to filter post-ingest.

Hunting queries for the same IOCs export natively in KQL, SPL, and Lucene from the Hunt page.

Image 5 (SIEM ingestion): Splunk, Sentinel and Elastic logos with arrows from the ThreatCluster feed.

Pipe the IOCs where they need to go.

Eleven consumption surfaces, one entity graph behind them. STIX for your TIP, MISP for your sharing community, REST for your scripts, RSS for your dashboard.