Methodology
How we collect, enrich, and deliver threat intelligence
Source Selection
We aggregate from 73+ sources across 11 categories: news, vendor research, EU government advisories, law enforcement, OSINT, CVE feeds, and more. Every source is public, auditable, and RSS-based.
AI Enrichment Pipeline
Each article passes through a multi-stage AI pipeline:
Stage 1: Basic Classification
Workers AI, Llama 3.3 70B — threat level, summary, key points
Stage 2: Deep Enrichment
OpenAI GPT-4o — MITRE ATT&CK mapping, NIS2/DORA compliance tagging, threat actor attribution, IOC extraction, sector classification
Stage 3: Multi-Source Synthesis
Related articles are clustered and synthesised into intelligence reports
MITRE ATT&CK Mapping
Techniques are identified using keyword matching validated by GPT-4o analysis. We map to both parent techniques (e.g., T1566) and sub-techniques (e.g., T1566.001). Mapping confidence varies — always verify against primary sources.
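One way to combine keyword matching with model-suggested technique IDs and emit both parent and sub-technique, shown as an added example (not this service's own code). The keyword table, sample article, model output, and the status labels `corroborated`, `keyword_only` and `model_only` are constructed for illustration.

```python
import re

# Constructed keyword table (assumption); a production list would be larger
# and curated. The IDs themselves are real ATT&CK identifiers.
KEYWORDS = {
    "spearphishing attachment": "T1566.001",
    "malicious attachment": "T1566.001",
    "phishing": "T1566",
    "exploit public-facing": "T1190",
    "encrypted files": "T1486",
}

# Txxxx is a parent technique, Txxxx.yyy a sub-technique.
ID_RE = re.compile(r"T\d{4}(?:\.\d{3})?")


def parent_of(technique_id):
    """Return the parent technique ID (a parent ID maps to itself)."""
    return technique_id.split(".", 1)[0]


def keyword_candidates(text):
    """Technique IDs whose keyword occurs in the text as a whole phrase."""
    lowered = text.lower()
    return {tid for phrase, tid in KEYWORDS.items()
            if re.search(r"\b" + re.escape(phrase) + r"\b", lowered)}


def map_techniques(text, model_ids):
    """Merge keyword hits with model-suggested IDs; label each by its source.

    Malformed model IDs are dropped; each sub-technique also yields its parent.
    """
    def expand(ids):
        return {x for tid in ids for x in (tid, parent_of(tid))}

    kw = expand(keyword_candidates(text))
    model = expand(i for i in model_ids if ID_RE.fullmatch(i))
    return {
        tid: "corroborated" if tid in kw and tid in model
        else "keyword_only" if tid in kw else "model_only"
        for tid in sorted(kw | model)
    }


# Constructed sample input: one article sentence and one model response.
ARTICLE = "Attackers sent a spearphishing attachment, then encrypted files on hosts."
MODEL_IDS = ["T1566.001", "T1486", "T1059.001", "t1566", "T15660"]
```

Entries labelled `keyword_only` or `model_only` are the ones to check against the primary source first, since only one of the two methods produced them.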
Compliance Tagging
NIS2 and DORA tags are applied at the article level by GPT-4o based on the content's relevance to specific regulatory articles. These are AI-generated suggestions, not legal determinations.
Threat Actor Attribution
Actor names are matched against a database of 45+ tracked groups using direct mentions, known aliases, country-level attribution, and TTP pattern matching. Confidence levels (high/medium/low) indicate the reliability of each attribution.
Data Freshness
Sources are collected hourly. AI processing runs immediately after collection. The entire pipeline from RSS ingestion to enriched intelligence takes approximately 15 minutes.
Disclaimer
All AI-generated analysis (threat levels, MITRE mappings, compliance tags, actor attributions, IOC extraction) should be independently verified before use in compliance evidence, incident response, or regulatory submissions.