Smart Grouping

Our system analyzes article content to find semantic similarities. Articles about the same incident will be grouped together, even if they use different words or come from different sources.

Why Clustering Matters

• Reduce Information Overload: See 10 articles about the same breach as one cluster
• Track Campaign Evolution: Follow how attacks develop across multiple sources
• Identify Patterns: Spot trends when similar attacks target multiple organizations
• Prioritize Response: Focus on unique incidents rather than duplicate reporting

The Clustering Process

1. Article Preparation: Articles are cleaned and entities extracted (CVEs, APT groups, malware)
2. Content Analysis: Each article is analyzed for meaning and context
3. Similarity Calculation: Compare articles to find related content (0-100% similarity)
4. Cluster Formation: Group articles with >75% similarity
5. Quality Validation: Ensure clusters meet size, time, and coherence requirements
6. Smart Naming: Generate descriptive names from top entities and keywords

Understanding Similarity Scores

• 90-100% Nearly identical content or same source
• 75-89% Same incident, different reporting
• 65-74% Related but distinct events
• <65% Unrelated (won't be clustered)

Cluster Components

• Primary Article: The most representative article (center of the cluster)
• Article Count: Number of related articles (typically 2-12)
• Coherence Score: How well articles fit together (65-100%)
• Time Window: Articles must be within 72 hours of each other
• Shared Entities: Common IOCs, threat actors, vulnerabilities

Cluster Naming

Clusters are automatically named using top entities and keywords:

• "Lazarus Group - CVE-2023-1234 - Ransomware"
• "McLaren Health Care - ALPHV - Data Breach"
• "Microsoft Exchange - Critical Vulnerability - RCE"

DEVELOPING Badge

Clusters show a DEVELOPING +N badge when:

• New related articles were added in the last 24 hours
• The number shows how many new articles joined the cluster
• Helps you identify actively evolving security situations

High-Quality Clusters

Look for these indicators of well-formed clusters:

• High Coherence: >80% similarity between articles
• Entity Overlap: Multiple shared security entities
• Time Consistency: Articles published close together
• Clear Focus: Single incident or campaign

Edge Cases

Some articles might not cluster well:

• Unique Incidents: First reports of new attacks
• General Updates: Broad security advisories
• Opinion Pieces: Analysis without specific incident focus
• Old News: Articles outside the 72-hour window

Technical Specifications

• Update Frequency: Every 30 minutes
• Cluster Size: 2-12 articles per cluster
• Time Window: 72 hours
• Similarity Threshold: 75% minimum

CVEs (Common Vulnerabilities and Exposures)

Standardized identifiers for security vulnerabilities (e.g., CVE-2024-1234)

• Track specific vulnerabilities across multiple articles
• See which products and vendors are affected
• Monitor patch releases and exploit development

IP Addresses

Network addresses associated with attacks or command & control servers

• Identify malicious infrastructure
• Track botnet servers and C2 domains
• Build blocklists for network defense

Domains

Website addresses used in attacks or hosting malicious content

• Phishing and scam websites
• Malware distribution sites
• Command & control domains

File Hashes

Unique identifiers for malicious files (MD5, SHA1, SHA256)

• Track specific malware samples
• Share threat indicators with security tools
• Verify file integrity and detect tampering

APT Groups (Advanced Persistent Threats)

Nation-state and sophisticated threat actors (e.g., Lazarus, APT29, Cozy Bear)

• Track campaigns by specific threat groups
• Understand targeting patterns and techniques
• Monitor evolving tactics and tools

Ransomware Groups

Criminal organizations deploying ransomware (e.g., LockBit, ALPHV, Clop)

• Monitor active ransomware campaigns
• Track victim organizations and sectors
• Identify new variants and techniques

Malware Families

Specific malware strains and variants (e.g., Emotet, Cobalt Strike, Mimikatz)

• Track malware evolution and variants
• Understand infection chains
• Monitor detection and remediation guidance

Companies

Organizations mentioned in security contexts (victims, vendors, researchers)

• Track breaches affecting specific companies
• Monitor supply chain impacts
• Understand industry targeting patterns

Industry Sectors

Business sectors targeted by threats (Healthcare, Finance, Energy, etc.)

• Identify sector-specific threats
• Track industry-wide campaigns
• Understand vertical-specific risks

Platforms

Technology platforms and operating systems (Windows, Linux, AWS, etc.)

• Track platform-specific vulnerabilities
• Monitor patch releases and updates
• Understand technology stack risks

Security Vendors

Companies providing security products and services

• Track vendor advisories and updates
• Monitor security product vulnerabilities
• Follow industry research and reports

MITRE ATT&CK

Tactics, techniques, and procedures used by threat actors

• Map attacks to specific techniques
• Understand attack patterns
• Improve defensive strategies

Security Standards

Compliance frameworks and security standards (NIST, ISO, PCI-DSS)

• Track standard updates and changes
• Monitor compliance requirements
• Understand regulatory impacts

Attack Types

Categories of attacks (Phishing, DDoS, Supply Chain, Zero-Day)

• Understand attack methodologies
• Track trending attack vectors
• Focus defensive preparations

Clusters vs Articles

• Clusters (▣): Groups of related articles about the same security event or threat
• Articles (▪): Individual security news items and reports
• Look for the DEVELOPING badge on clusters with recent updates

Severity Levels

• CRITICAL: Immediate threats requiring urgent attention (score 80-100)
• HIGH: Significant security issues (score 60-79)
• MEDIUM: Notable vulnerabilities or threats (score 40-59)
• LOW: Minor security updates (score 0-39)

Threat Scores

Each item has a threat score (0-100) calculated from:

• Severity: Keywords indicating threat level (exploit, zero-day, critical)
• Recency: How recently the threat was reported
• Source Credibility: Reputation of the news source
• Entity Importance: Significance of mentioned CVEs, APT groups, malware

Left Sidebar

• Search Bar: Quick search for threats, CVEs, or keywords
• Feed: Main intelligence feed with latest threats
• Saved: Your bookmarked articles and clusters
• Threat Hunting: Technical indicators (domains, IPs, hashes, CVEs)
• Threat Intelligence: Threat actors, malware families, attack types
• Business Intelligence: Companies, sectors, vendors affected

Feed Filters

Use the dropdown menu to filter your feed:

• All Feeds: Complete intelligence feed
• Critical Only: High-priority threats (score 70+)
• Clusters Only: Grouped related articles
• Articles Only: Individual news items
• Custom Feeds: Your personalized entity-based feeds

Similarity Scores

Within clusters, you'll see similarity percentages showing how closely related articles are to each other. Higher percentages mean stronger semantic connections.

Entity Tags

Colored tags show important security entities mentioned:

• CVE numbers (vulnerabilities)
• APT groups (threat actors)
• Malware families
• Affected companies and platforms

Click any entity tag to see all related intelligence.

Saving & Following

• Save: Bookmark articles/clusters for later reference
• Follow Entities: Create custom feeds for specific threats
• Follow Clusters: Get notified when clusters update