
Threat Intelligence Platform

Operational threat intelligence for defenders, combining indicator search, dark web visibility, and attack surface monitoring in a single platform.

Operational threat intelligence your SOC can actually use

Most security teams are drowning in indicators that they cannot reliably prioritise or integrate. Cyber Defence’s Threat Intelligence platform is built for defenders, not researchers. It fuses SOC telemetry, dark web collection, credential leaks, phishing reconnaissance, and external attack surface data into a single, searchable view.

Analysts can pivot from indicators to adversary infrastructure, exposed assets, and related campaigns in seconds. Everything is exposed through a documented API and portal so you can plug intelligence directly into SIEM, SOAR, SOC365, and your wider security tooling.

From raw indicators to decisions and actions

Cyber Defence’s Threat Intelligence service underpins our Detect, Defend, and Disrupt pillars. It provides the context and coverage you need to understand who is targeting you, how they operate, and which vulnerabilities and exposures matter most.

Whether you run an in-house SOC, rely on our SOC365 team, or operate a hybrid model, the platform turns global telemetry and research into detections, watchlists, and hardening actions that directly reduce risk.

Pricing for all plans is available at /pricing.

Use cases

Built for modern security operations

Threat intelligence that is directly aligned to how defenders work, hunt, and respond.

See which plan matches your needs on the Threat Intelligence Pricing page.

SOC operations & alert triage

Enrich alerts with context on malicious IPs, domains, hashes, and emails so analysts can decide quickly whether to escalate, suppress, or block.

Threat hunting & detection engineering

Drive hunts and new detections using live data on adversary infrastructure, campaigns, and emerging tradecraft mapped to MITRE ATT&CK.

Dark web & credential-leak monitoring

Identify exposed credentials, brand abuse, and mentions of your domains, staff, and assets across forums, marketplaces, and paste sites.

Attack surface monitoring

Track domains, IP ranges, and services for risky exposures, weak configurations, and new infrastructure that attackers can exploit.

Incident response & investigations

Pivot from a single indicator to related infrastructure, malware families, and actor profiles to accelerate containment and scoping.

Executive and board reporting

Translate technical findings into threat trends, business impact, and recommended investment using curated sector-specific intelligence.

Global threat intelligence at your fingertips

Our platform continuously ingests, normalises, and curates data from deception systems, honeypots, malware telemetry, phishing campaigns, dark web monitoring, and credential-leak collections. These holdings are kept fresh through daily re-analysis and strict expiry on stale IP and domain data.

425,000+ malicious IPs

995,000+ malicious domains

3,000,000+ IOC hashes

800,000,000+ account leaks

145,000+ malicious URLs

620,000+ phishing domains

Features

What the Threat Intelligence platform provides

Capabilities that turn raw data into decisions, detections, and actions your security team can actually use.

Indicator search & pivoting

Fast lookups for IPs, domains, URLs, hashes, and email addresses, with the ability to pivot into related infrastructure, campaigns, and leak data.

Dark web and credential-leak visibility

Search across dark web sources, forums, and marketplaces for mentions of your brands, staff, and assets, plus leaked credential data.

External attack surface monitoring

Continuous discovery and tracking of Internet-facing domains, services, and certificates associated with your organisation.

Campaign, actor, and tooling intelligence

Profiles of adversary behaviour, malware families, and TTPs mapped to MITRE ATT&CK and enriched with observables and infrastructure.

Alerts, watchlists, and reporting

Custom watchlists, scheduled alerts, and reports delivered through the portal and email to keep your team ahead of active threats.

API & SOC365 integrations

Documented REST API, CSV exports, and direct integration options for SIEM, SOAR, SOC365, and ticketing systems.

Plans

Choose a plan that matches your mission

Start with free lookups, then scale to continuous monitoring and deep integration with your SOC and security tooling.

Full plan details and comparison are available at Threat Intelligence Pricing.

Detect – £149 / month ex VAT

Full dataset access for indicators, limited dark web search for selected domains, basic attack surface monitoring, and fair-use API access. Ideal for solo analysts, consultants, and small teams.

Defend – £399 / month ex VAT

The plan most customers choose. Everything in Detect plus higher limits, expanded leak monitoring, richer attack surface visibility, and multiple named users.

Disrupt – from £1,250 / month ex VAT

For larger, multi-site, or regulated organisations. Everything in Defend plus deep coverage, custom scopes, enhanced SLAs, and MSSP/partner support.

Get the right plan for your organisation

Walk through the portal with our analysts, understand usage patterns, and match your requirements to the most appropriate plan.

Delivered through the portal, API, and your existing tools

Analysts can work directly in the Cyber Defence Threat Intelligence portal. Engineering and SOC teams can consume intelligence via API feeds, scheduled exports, and integrations with SIEM, SOAR, ticketing systems, and SOC365 itself.

To understand which plan fits your integration model, view the pricing and plan comparison.

Focused on the sectors that attackers target most

Our collections and research are tuned to the industries we protect every day. Plans are priced per-organisation, and tailored packages are available for complex or regulated estates.

Sector-specific pricing guidance is available on the pricing page (/services/threat-intelligence/pricing).

Financial services

Healthcare and life sciences

Maritime and logistics

Legal and professional services

Technology and SaaS

Government and public sector

Critical infrastructure and OT

Threat intelligence backed by analysts and a live SOC

The platform is powered by Cyber Defence’s CREST-accredited, ISO-certified SOC365 operations, deception infrastructure, and analyst research. You are not buying a static feed – you are partnering with a team that actively tracks campaigns, tunes detections, and supports you during incidents.

If you are evaluating plans, speak to us to map coverage, limits, and support levels to your estate — or visit the Threat Intelligence Pricing page (/services/threat-intelligence/pricing).