Multi-source feeds
Commercial, open and internal feeds. Mix and score per use case.
IOC, reputation and actor context across every module.
Threat Intelligence in Protoxol is a substrate, not a silo. Every IOC, every actor profile and every campaign signal automatically enriches alerts across EDR, NDR, SIEM and Email — so the analyst sees `185.220.* — TOR exit node, associated with APT28 since 2023` as context on the alert itself, not in a separate console.
MITRE ATT&CK mapping. TTPs auto-attached to relevant alerts.
Suppress noisy feeds in some contexts, amplify in others. Tunable per rule.
Ingest your internal threat intel via REST, MISP, TAXII or STIX 2.1.
Every alert across every module enriched at write time. Zero lookup tax.
Context attached at alert creation cuts triage time 40-60%.
Pivot from new IOCs to historical sightings across all modules.
Track impersonation domains, leaked credentials, dependency advisories.
| Specification | Value |
|---|---|
| Feed formats | STIX 2.1, MISP, TAXII, REST |
| Update frequency | 5-minute pull, instant push |
| IOC types | Hash, IP, domain, URL, certs, JA3 |
| Coverage | 20+ commercial + 50+ OSINT feeds |
Threat Intelligence is only useful when it reaches the right module at the right time. Most TI platforms are silos with their own UI. Protoxol TI is a substrate that enriches every other module automatically.
| Vendor | Strength | Tradeoff |
|---|---|---|
| Recorded Future | Broadest commercial feeds. Strong UI. | Premium pricing. Hard to operationalize alone. |
| Mandiant Intel | Deep actor reporting. Incident lineage. | Less granular IOC API. Often tied to consulting. |
| MISP (open) | Free, open, community sharing. | Requires engineering to integrate cleanly. |
Intel enriches every module — not a separate console.
Mix commercial, open and internal feeds with shared scoring.
Single bus means new modules inherit intel automatically.
Thirty minutes. Your environment. The modules that fit. No slideware.