K0NSULT // ai-truth/ipIII

Threat Intelligence / CTI-OSINT

The threat-intelligence layer (Phase 3 of the system). What a rigorous researcher and a SOC team check when judging how serious an organization is: where your data comes from, whether you respect licences, whether you can exchange intelligence in industry standards — and whether you honestly separate what is genuinely ingested from what is merely planned. Evidence-first: the automation detects a signal, a human confirms a fact.

Intelligence is a signal, not a verdict. CONFIRMED requires an analyst's signature.

We do not promote an automated indicator (IOC) to the status of a fact without assessing the source's reputation and obtaining manual approval. A feed is a hypothesis about a threat; analyst confirmation, backed by evidence, is the proof. The same "claim ≤ proof" doctrine (a claim never exceeds the evidence behind it) that governs the entire ipIII portal governs the CTI layer.

PIPELINE: SOURCE → INGEST → DEDUPLICATION → CONFIDENCE → SOURCE REPUTATION → ANALYST APPROVAL → CONFIRMED / IOC
Honest about status. Below we separate what is genuinely ingested today LIVE from what is planned ROADMAP. We do not claim to run a full SOC with a round-the-clock analyst team. We claim that the pipeline architecture and licence boundaries are designed evidence-first, and that some connectors are operational. Figures marked SIMULATION are demonstrative.

1 · Intelligence sources SOURCES

The layer combines public sources (OSINT), industry CERT/CISA channels and our own telemetry. Each source has a declared data type, licensing model and integration status. We respect licence terms — commercial or restricted-use data is not redistributed against its terms.

Source | Data type | Licence / terms | Status
CERT Polska (CSIRT NASK) | alerts, phishing campaigns, CyberTarcza domains | public advisories, per NASK terms | LIVE
ENISA | reports, taxonomies, threat landscape | EU publications, CC / citation | LIVE
CISA KEV | catalog of actively exploited vulnerabilities | US Gov public domain | LIVE
NVD / CVE (MITRE) | CVE records, CVSS, CPE | public, NVD JSON 2.0 feed | LIVE
GitHub Security Advisories (GHSA) | vulnerabilities in OSS dependencies | CC-BY-4.0 (GHSA database) | LIVE
Vendor advisories (MS/Cisco/Oracle…) | security bulletins, patch notes | per vendor terms | ROADMAP
AbuseIPDB | IP reputation, abuse reports | API key, rate limits, per licence, no redistribution | ROADMAP
URLhaus / abuse.ch | malicious URLs, payload hosting | CC0, per abuse.ch policy | ROADMAP
PhishTank | verified phishing URLs | API, per terms, attribution required | ROADMAP
Own reports (CVD / intake) | vulnerabilities, incidents from researchers | internal, evidence-first | LIVE
WAF / CDN / SIEM logs | attack telemetry, patterns, injection attempts | internal, GDPR minimization | INTERNAL

Licence boundary. A restricted-licence feed (e.g. AbuseIPDB) is used for internal prioritization, not for public redistribution of raw indicators. We treat a breach of source terms as a breach of the evidence-first principle — a source without a right of use is not evidence, only legal risk.

2 · Interoperability INTEROP

The key to exchanging intelligence at global scale: standards, not proprietary formats. The system is designed around open CTI standards so it can exchange data with CSIRTs, ISACs and the recipient's SIEMs without ad-hoc conversion.

STIX 2.1 LIVE / TAXII 2.1 ROADMAP

Serialization of indicators and intelligence objects in STIX 2.1; distribution and subscription via TAXII 2.1 collections. STIX JSON export LIVE, TAXII server ROADMAP.

MISP ROADMAP

Exchange of events and attributes with MISP instances (event/attribute format, galaxy tags). Import of MISP-compatible feeds; publication to trusted communities.

MITRE ATT&CK LIVE

Mapping of techniques and tactics (TXXXX) onto incidents and playbooks. A shared TTP language for reporting to the recipient and correlating with detection.

SIEM export ROADMAP

Connectors for Microsoft Sentinel (formerly Azure Sentinel; Data Collection Rules / Logs Ingestion API), Splunk HEC and syslog RFC 5424. Indicators and alerts in the recipient platform's native format.

Real status: the CTI data model and ATT&CK mapping are LIVE; STIX JSON export works; the TAXII server, bidirectional MISP sync and production SIEM connectors are under construction ROADMAP. We do not claim ready integrations that do not yet exist.
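What the LIVE STIX 2.1 JSON export has to look like, as an added example written for this page (it is not the ipIII portal's exporter and uses only the Python standard library). The namespace UUID, the sample IOC records, the "ipiii-confirmed" label and the field names on the input dicts are assumptions; the object shape (type, spec_version, id, created/modified, pattern, pattern_type, valid_from/valid_until, confidence) is what the STIX 2.1 specification requires. Only CONFIRMED indicators are exported, so a TAXII consumer never receives a bare signal as if it were a fact.

```python
"""Minimal STIX 2.1 export of CONFIRMED indicators, standard library only."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Assumed: a fixed namespace so the same IOC always yields the same indicator id
IPIII_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "cti.ipiii.example")

# STIX pattern templates per IOC type used on this page
PATTERN = {
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "file-sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def stix_timestamp(dt):
    """RFC 3339 UTC with millisecond precision and a 'Z' suffix, as STIX 2.1 requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"

def escape_pattern_value(value):
    """Backslashes and single quotes must be escaped inside STIX string literals."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def indicator_id(ioc_type, value):
    """Deterministic id: re-exporting the same IOC never creates a duplicate object."""
    return "indicator--" + str(uuid.uuid5(IPIII_NAMESPACE, f"{ioc_type}:{value}"))

def make_indicator(ioc, now):
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": indicator_id(ioc["type"], ioc["value"]),
        "created": stix_timestamp(ioc["first_seen"]),
        "modified": stix_timestamp(now),
        "name": f"{ioc['type']}: {ioc['value']}",
        "description": "Sources: " + ", ".join(sorted(ioc["sources"])),
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN[ioc["type"]].format(v=escape_pattern_value(ioc["value"])),
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": stix_timestamp(ioc["first_seen"]),
        "valid_until": stix_timestamp(now + timedelta(hours=ioc["ttl_hours"])),
        "confidence": ioc["confidence"],   # 0-100, the same scale as the pipeline score
        "labels": ["ipiii-confirmed"],     # assumed label, not a STIX vocabulary term
    }

def export_bundle(iocs, now):
    """Only CONFIRMED indicators become STIX objects; signals are not exported as facts."""
    objects = [make_indicator(i, now) for i in iocs if i["status"] == "CONFIRMED"]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}

# Constructed sample records: RFC 5737 documentation address and a .test domain, no real indicators
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_IOCS = [
    {"type": "ipv4-addr", "value": "203.0.113.7", "status": "CONFIRMED", "confidence": 97,
     "sources": {"cert-pl", "urlhaus"}, "first_seen": NOW - timedelta(hours=2), "ttl_hours": 24 * 7},
    {"type": "domain-name", "value": "login-example.test", "status": "SIGNAL", "confidence": 20,
     "sources": {"anonymous-feed"}, "first_seen": NOW - timedelta(days=5), "ttl_hours": 24 * 30},
    {"type": "url", "value": "https://login-example.test/verify?id=o'neil", "status": "CONFIRMED",
     "confidence": 80, "sources": {"cert-pl"}, "first_seen": NOW - timedelta(days=1), "ttl_hours": 24 * 14},
]

if __name__ == "__main__":
    print(json.dumps(export_bundle(SAMPLE_IOCS, NOW), indent=2))
```

The third sample record exists to show the quoting rule: a value containing a single quote must be escaped or the STIX pattern becomes unparseable by the consumer. For production use the `stix2` Python library, which validates these objects against the specification; the hand-built dicts above make the required fields visible.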

3 · Processing pipeline PIPELINE

Every indicator passes through a deterministic pipeline. The automation assigns a signal and a confidence score; a human confirms the fact for CONFIRMED status. This is the barrier against "intelligence laundering" — promoting an unverified feed to the rank of evidence.

1 · Ingest. Scheduled pull from the source (JSON/STIX/CSV feed, API, RSS). Storage of raw data with metadata: source, timestamp, version.
2 · Deduplication. Normalization and merging of indicators by key (type+value). One IOC = one record with the list of sources that confirmed it.
3 · Confidence score. A 0–100 confidence score from the number and quality of sources, freshness and consistency. Multiple independent confirmations raise the score.
4 · Source reputation. Source weight by historical accuracy (false-positive rate). CERT/KEV high; an anonymous feed low until verified.
5 · Manual approval. A high-impact indicator does not become CONFIRMED without an analyst's signature. The automation proposes, the human confirms — with justification in the chain of custody.
6 · Distribution / action. An approved indicator flows into detection, blocks and reporting; it feeds the vulnerability playbook and P0–P3 prioritization.

Evidence-first in practice. Indicator status: SIGNAL (automation) → UNDER REVIEW (analyst) → CONFIRMED (proof + signature). An unconfirmed indicator remains a signal, never presented as an operational fact.
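The six steps above and the SIGNAL → UNDER REVIEW → CONFIRMED lifecycle, carried through in code as an added example for this page (Python; not the ipIII portal's own pipeline). The source weights, the scoring formula (a probabilistic OR of the source weights, scaled by a freshness factor), the 70-point review threshold and the sample feed records are all assumptions chosen to make the mechanics visible. The one thing the code enforces that the text insists on: the automation can route an indicator to review, but only a named analyst with a justification can set CONFIRMED.

```python
"""Evidence-first IOC pipeline: dedup -> confidence -> source reputation -> approval gate."""
from datetime import datetime, timezone

# Step 4: source reputation as a weight in [0, 1]; assumed values, unknown sources stay low
SOURCE_WEIGHT = {"cisa-kev": 1.0, "cert-pl": 0.9, "urlhaus": 0.7}
DEFAULT_WEIGHT = 0.2
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2}
REVIEW_THRESHOLD = 70  # assumed: at or above this score the automation asks for review

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample ingest output: RFC 5737 address, .test domain, SHA-256 of empty input
RAW_FEED = [
    {"type": "ipv4-addr", "value": "203.0.113.7", "source": "cert-pl",
     "seen": "2025-01-15T10:00:00Z", "impact": "high"},
    {"type": "ipv4-addr", "value": "203.0.113.7", "source": "urlhaus",
     "seen": "2025-01-14T22:00:00Z", "impact": "medium"},
    {"type": "domain-name", "value": "Login-Example.test", "source": "anonymous-feed",
     "seen": "2025-01-10T00:00:00Z", "impact": "medium"},
    {"type": "domain-name", "value": "login-example.test", "source": "anonymous-feed",
     "seen": "2025-01-15T09:00:00Z", "impact": "medium"},
    {"type": "file-sha256", "source": "cert-pl", "seen": "2024-12-01T00:00:00Z", "impact": "high",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(ioc_type, value):
    """Step 2 key normalization: hostnames and hex digests are case-insensitive."""
    value = value.strip()
    return value.lower() if ioc_type in ("domain-name", "file-sha256") else value

def dedup(records):
    """Step 2: one record per (type, value); sources form a set, so a feed repeating itself counts once."""
    merged = {}
    for r in records:
        key = (r["type"], normalize(r["type"], r["value"]))
        seen = parse_ts(r["seen"])
        e = merged.setdefault(key, {"type": key[0], "value": key[1], "sources": set(),
                                    "first_seen": seen, "last_seen": seen, "impact": "low",
                                    "status": "SIGNAL", "custody": []})
        e["sources"].add(r["source"])
        e["first_seen"] = min(e["first_seen"], seen)
        e["last_seen"] = max(e["last_seen"], seen)
        if IMPACT_RANK[r["impact"]] > IMPACT_RANK[e["impact"]]:
            e["impact"] = r["impact"]
        e["custody"].append({"event": "ingest", "source": r["source"], "at": seen.isoformat()})
    return merged

def confidence(entry, now):
    """Step 3: independent confirmations raise the score; staleness lowers it (floor 0.5)."""
    p_all_wrong = 1.0
    for s in entry["sources"]:
        p_all_wrong *= 1.0 - SOURCE_WEIGHT.get(s, DEFAULT_WEIGHT)
    base = 1.0 - p_all_wrong
    age_days = (now - entry["last_seen"]).total_seconds() / 86400
    freshness = max(0.5, 1.0 - age_days / 30)
    return round(100 * base * freshness)

def propose_status(entry):
    """Step 5, automation side: it may route to review, never confirm."""
    if entry["confidence"] >= REVIEW_THRESHOLD or entry["impact"] == "high":
        return "UNDER_REVIEW"
    return "SIGNAL"

def run_pipeline(records, now):
    merged = dedup(records)
    for e in merged.values():
        e["confidence"] = confidence(e, now)
        e["status"] = propose_status(e)
    return merged

def confirm(entry, analyst, justification, now):
    """Step 5, human side: CONFIRMED needs a named analyst and a justification in the custody chain."""
    if entry["status"] != "UNDER_REVIEW":
        raise ValueError(f"only UNDER_REVIEW indicators can be confirmed, got {entry['status']}")
    if not justification.strip():
        raise ValueError("a justification is required for the chain of custody")
    entry["status"] = "CONFIRMED"
    entry["custody"].append({"event": "confirm", "analyst": analyst,
                             "why": justification, "at": now.isoformat()})
    return entry

if __name__ == "__main__":
    result = run_pipeline(RAW_FEED, NOW)
    for key, e in result.items():
        print(key, e["confidence"], e["status"], sorted(e["sources"]))
    confirm(result[("ipv4-addr", "203.0.113.7")], "analyst-1", "C2 callback seen in proxy logs", NOW)
```

Two things the sample feed is built to show: the IP reported by two independent reputable sources scores 97, while the domain reported twice by the same anonymous feed stays at 20 and never leaves SIGNAL; and the stale hash scores only 45 yet still goes to review because its impact is high, since a low score on a high-impact indicator is exactly the case a human should look at.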

4 · Indicators of compromise (IOC) IOC

Indicator types, their lifecycle and escalation rules. An indicator has a validity period (it does not live forever) and is retired once its intelligence value is exhausted.

IOC type | Example use | Refresh schedule | Escalation rule
IP address | reputation, C2, scanners | every 1 h (reputation feed) | hit in WAF logs → P1
Domain / FQDN | phishing, C2, DGA | every 6 h | hit in outbound traffic → P1
File hash (SHA-256) | malware, payload | every 12 h | hit on an endpoint → P0
URL | phishing, exploit-kit, payload hosting | every 6 h | user click → P1 + phishing playbook
CVE | CVE-2026-XXXXX in KEV | daily (NVD) + KEV on push | presence in KEV + vulnerable asset → P0

The schedules above are the target pipeline configuration. Genuinely refreshed on a cycle today: KEV, NVD/CVE, GHSA, CERT advisories. IP/URL reputation feeds are in integration ROADMAP.
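The lifecycle half of the table (an indicator has a validity period and is retired) together with the escalation column, as an added Python example written for this page and not the portal's code. The TTLs are assumptions (the table gives refresh cycles, not lifetimes), as are the rule that only a CONFIRMED, unexpired indicator may trigger an action, and the sample indicators and hit events. The escalation table is transcribed from the page's rules; the CVE row is included for completeness but no sample CVE is used, to avoid inventing an identifier.

```python
"""IOC lifecycle: TTL expiry and escalation on a hit."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Assumed lifetime after the last sighting; a KEV entry is closed by remediation, not by age
IOC_TTL = {
    "ipv4-addr": timedelta(days=7),
    "domain-name": timedelta(days=30),
    "url": timedelta(days=14),
    "file-sha256": timedelta(days=365),
    "cve": None,
}

# (IOC type, hit context) -> (priority, playbook), transcribed from the escalation column above
ESCALATION = {
    ("ipv4-addr", "waf"): ("P1", None),
    ("domain-name", "outbound"): ("P1", None),
    ("file-sha256", "endpoint"): ("P0", None),
    ("url", "user-click"): ("P1", "phishing"),
    ("cve", "vulnerable-asset"): ("P0", "vulnerability"),
}

def is_expired(ioc, now):
    ttl = IOC_TTL[ioc["type"]]
    return ttl is not None and ioc["last_seen"] + ttl <= now

def retire_expired(iocs, now):
    """Automatic expiry after TTL: mark aged-out indicators EXPIRED, return how many changed."""
    changed = 0
    for ioc in iocs:
        if ioc["status"] != "EXPIRED" and is_expired(ioc, now):
            ioc["status"] = "EXPIRED"
            changed += 1
    return changed

def evaluate_hit(event, iocs, now):
    """Decide what a hit means; only a CONFIRMED, unexpired indicator drives an operational action."""
    no_action = {"action": "note", "priority": None, "playbook": None}
    for ioc in iocs:
        if ioc["type"] != event["type"] or ioc["value"] != event["observable"]:
            continue
        if ioc["status"] != "CONFIRMED":
            return {**no_action, "reason": f"status {ioc['status']}: recorded as a signal, not acted on"}
        if is_expired(ioc, now):
            return {**no_action, "reason": "indicator past TTL: re-ingest and re-confirm before acting"}
        rule = ESCALATION.get((ioc["type"], event["context"]))
        if rule is None:
            return {**no_action, "reason": f"no escalation rule for {ioc['type']} in {event['context']}"}
        return {"action": "escalate", "priority": rule[0], "playbook": rule[1], "reason": "confirmed hit"}
    return {**no_action, "action": "none", "reason": "no matching indicator"}

# Constructed sample indicators: RFC 5737 addresses, a .test domain, SHA-256 of empty input
IOCS = [
    {"type": "ipv4-addr", "value": "203.0.113.7", "status": "CONFIRMED",
     "last_seen": NOW - timedelta(hours=2)},
    {"type": "ipv4-addr", "value": "198.51.100.23", "status": "CONFIRMED",
     "last_seen": NOW - timedelta(days=10)},
    {"type": "domain-name", "value": "login-example.test", "status": "SIGNAL",
     "last_seen": NOW - timedelta(hours=1)},
    {"type": "file-sha256", "status": "CONFIRMED", "last_seen": NOW - timedelta(days=40),
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "url", "value": "https://login-example.test/verify", "status": "CONFIRMED",
     "last_seen": NOW - timedelta(days=1)},
]

# Constructed sample hits, in the form a detection layer would hand them over
EVENTS = [
    {"type": "ipv4-addr", "observable": "203.0.113.7", "context": "waf"},
    {"type": "ipv4-addr", "observable": "198.51.100.23", "context": "waf"},
    {"type": "domain-name", "observable": "login-example.test", "context": "outbound"},
    {"type": "file-sha256", "context": "endpoint",
     "observable": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "url", "observable": "https://login-example.test/verify", "context": "user-click"},
]

if __name__ == "__main__":
    print("retired:", retire_expired(IOCS, NOW))
    for ev in EVENTS:
        print(ev["observable"], evaluate_hit(ev, IOCS, NOW))
```

The second and third events are the caveats a SOC cares about: the expired IP and the unconfirmed domain both match, but both are logged as signals rather than escalated, so the P-level is only ever assigned on the strength of a confirmed, current indicator.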

5 · Real status vs plan HONEST

Ingested today LIVE

• CISA KEV — catalog of actively exploited vulnerabilities

• NVD / CVE — records and CVSS (JSON 2.0 feed)

• GitHub Security Advisories (GHSA)

• CERT Polska / ENISA advisories

• Own reports (CVD/intake) + WAF/CDN telemetry

• MITRE ATT&CK mapping, STIX 2.1 JSON export

Under construction ROADMAP

• TAXII 2.1 server (collections, subscriptions)

• Bidirectional MISP sync

• SIEM connectors: Azure Sentinel, Splunk HEC, syslog RFC 5424

• Reputation feeds: AbuseIPDB, URLhaus, PhishTank (per licence)

• Vendor advisories as a structured feed

• Automatic IOC expiry after TTL

6 LIVE sources: KEV · NVD · GHSA · CERT · ENISA · intake
STIX 2.1 export format: JSON LIVE · TAXII roadmap
0–100 confidence scale: reputation + freshness
P0–P3 IOC escalation: by impact and hit

The values above describe the pipeline configuration, not the volume of a real SOC. We do not run a 24/7 analyst duty roster — CONFIRMED approval is manual and asynchronous.

Related resources

Evidence Board

Evidence layer — chain of custody, confidence level, SHA-256 hash.

API

Programmatic interface — export of indicators and statuses (STIX/JSON).

Vulnerability playbook

Handling process — KEV/CVE → triage → severity → remediation (ISO 30111).

Disclosure (CVD)

Researcher reports — own intelligence source, safe harbor.

Overriding principle. The CTI layer has one currency of trust: proof. A feed is a signal, not a fact — promotion to CONFIRMED status requires assessing the source's reputation and an analyst's signature. We respect source licences and honestly separate LIVE from ROADMAP. Zero offensive payloads — this is a defensive-intelligence layer, not an attack tool.