Threat Intelligence Solutions

RST Report Hub

We transform public threat reports into machine-readable formats. Access summaries and information on threat actors, malware, CVEs, TTPs, industries, countries, indicators, and their interrelationships.

Learn More

THREAT INTELLIGENCE SOLUTIONS

RST Threat Feed

The ultimate source of comprehensive knowledge about cybersecurity threats from all over the world in machine-readable formats and the ability to enrich data using our APIs

Get Started

Threat Intelligence Solutions

RST Noise Control

Filter out irrelevant indicators and identify "known good" software, files, and network resources. RST Cloud streamlines the analysis process to eliminate False Positives in TIP, SIEM, SOAR, and XDR!

DATA ENRICHMENT SOLUTIONS

RST WHOIS API

We provide parsed and normalised domain registration data in JSON format. Add real-time WHOIS information to your data with no risk of being banned.

Get Started

Get global threat intelligence context from RST Cloud

Our mission is to provide SecOps teams with high-quality Cyber Threat Intelligence, democratise and revolutionise the field of CTI, and make it accessible, affordable, and effective for a wider range of companies across the globe. Ultimately, we aim to contribute to a safer and more secure digital landscape for all.

RST Cloud Engine

Learn how our AI-enabled engine works

Our in-house smart TI processing engine combines AI, ML, and automation technologies to derive global context from various sources.

Information can be found in many languages: English, German, Spanish, French, Russian, Chinese, Japanese, Arabic, Ukrainian, and many more. The engine translates them and ensures that all possible formats—from human-readable to various machine-readable structured formats such as CSV, TSV, JSON, ndJSON, XML, MISP, STIX, and unstructured formats such as pastes and dumps on GitHub, Pastebin, messages on X, WeChat, or Telegram, and other resources—are normalised into our internal RST format.

The engine performs analysis of the data, whether it has been seen before or is a new piece of information, determines the context available for the data, and checks our internal knowledge bases, historical statistics, internal filters, and automated checkers. Enrichment and filtering processes work together, as additional context found via enrichment allows better filtering decisions, and vice versa, filtering noise at early stages minimises enrichment effort for the engine.

This enables us to perform proper scoring and filtering out the noise. Low-fidelity information is scored with values towards 0, and high-quality data is scored with values towards 100. For example, information scored with values above 60 could go straight to firewalls, WAFs, EDR, and XDR systems for automatic blocking. Data scored above 40 can be used for real-time detection. Various tags, categories, and threat names associated with data elements can be used in threat hunting and incident response activities.

To help clients disseminate actionable threat intelligence data effectively, we provide out-of-the-box connectors, integration scripts, and cloud-to-cloud pipelines to push relevant information into different security tools. This data could be aggregated in a threat intelligence platform, directly pushed to a firewall for blocking, or send to a SIEM for real-time detection.

Integration

We provide quick and easy out-of-the-box integration with many SIEM, SOAR, TIP, EDR, XDR, NGFW, and WAF solutions. The knowledge we produce is actionable to the extent that machines can facilitate end-to-end detection, prevention, and response.

FortiGate

Fortigate firewalls can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.

Datasheet

Palo Alto NGFW

Palo Alto NGFW can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.

Datasheet

IBM Qradar SIEM solution

RST Thread Feed integrated with IBM Qradar SIEM via RST Downloder agent. This agent automatically downloads all the required data and pushes it to the SIEM via API. There are options to filter indicators through its score and types, malware, tags etc

Datasheet

Palo Alto Cortex XSOAR

Palo Alto Cortex XSOAR can directly be integrated with RST Threat Feed via API. It gives an ability to query RST Cloud API directly from any playbook or using the war room commands.

Datasheet

Splunk Enterprise

RST Thread Feed integrated with Splunk. The app is published on the official Splunk marketplace and allows to automate downloading and maintenance of the feeds into Splunk.

Documentation

Microsoft Sentinel

RST Thread Feed is integrated with Microsoft Sentinel SIEM via a standard STIX/TAXII integration. There are options to filter indicators through its score and types, malware, tags etc

Documentation

Elastic SIEM

RST Thread Feed is integrated with Elastic SIEM solution via a custom elastic filebeat/agent configuration. There are options to filter indicators through its score and types, malware, tags etc

Datasheet

MISP

RST Thread Feed is integrated with MISP via a python script. There are options to filter indicators through its score and types, malware, tags etc

Datasheet

ArcSight ESM/Logger SIEM solution

RST Thread Feed is integrated with Arcsight ESM/Logger solutions via RST Downloder agent. There are options to filter indicators through its score and types, malware, tags etc

Datasheet

OpenCTI

RST Thread Feed is natively integrated with OpenCTI via API.

Datasheet

Cisco Firepower

Cisco Firepower can directly be integrated with RST Threat Feed via API. It gives options to block or alert on access to malicious websites or IP addresses. The integration is seamless and requires no extra software to be used to configure the firewalls.

Datasheet

SAF Systems

SAF Systems is a versatile platform for collecting and analysing machine data. It works in the fields of information security, IT infrastructure monitoring, and business process analysis. The integration of RST Threat Feed and RST Report Hub within the SAF platform empowers analysts to make informed decisions.

Documentation

Trusted by partners

Become a Partner

Enrichment

Many threat intelligence data come with little or no context, making it challenging for cybersecurity professionals to determine the appropriate course of action. This can lead to extra work as they try to assess the risk level of indicators of compromise (IoCs) and decide whether to action them or further investigate potential threats.

After aggregating indicators of compromise such as IP addresses, domain names, and file hashes from multiple sources, we add valuable context to help cybersecurity professionals more effectively assess the threat level of indicators. Our enrichment process adds the following context to indicators:

Threat category (e.g. phishing, malware, ransomware)
Malware family (e.g. Emotet, Trickbot, Ryuk)
Common Vulnerabilities and Exposures (CVE)
Attribution to Threat actors (e.g. APT groups, cybercrime organisations)

We use a combination of external sources and our own proprietary methods (such as RST Honeypot Network, RST C2 Tracker) to consistently and reliably add this context to indicators. This helps cybersecurity professionals more effectively assess the threat level of indicators and decide on appropriate courses of action quicker.

After threat data is aggregated from multiple sources we contextualise it by adding:

Scoring

Cybersecurity professionals often face a deluge of alerts on a daily basis, as hundreds of threats target organizations that rely on the internet for their daily operations. To help prioritize these alerts and focus on the most critical ones first, we use algorithms to rank every indicator with an appropriate score.

Our scoring process helps you identify the indicators that are most likely to pose a threat and should be investigated first. By sorting alerts by score, you can quickly focus on the most relevant and actionable pieces of information, helping you to streamline your workflow and more effectively protect your organisation against cyber threats.

Verification

Indicators of compromise (IoCs) can be temporary or submitted incorrectly, leading to a high number of false positive detections. These false positives, as well as false negatives, can be frustrating and time-consuming for cybersecurity professionals who are trying to protect their organisations against cyber threats.

To mitigate the occurrence of false positives and false negatives, our verification engine filters out noise data and "known-good" that is irrelevant to threat analysis. This helps streamline investigation time and alleviate alert fatigue, ultimately enhancing the efficiency of threat analysis by prioritising the most reliable and actionable indicators. By validating the validity of IoCs, our verification process aids cybersecurity professionals in accurately assessing the threat level of indicators and making well-informed decisions regarding how to respond to potential threats.

We cross-verify indicators and perform additional sanitising checks:

Exception lists according to RFC

Publicly available cloud services (AWS, GCP, Azure and many others)

Other trusted whitelists used by the cybersecurity community

Context and reputation checks

RST Cloud STIX sample data in Microsoft Sentinel

RST Threat Feed

RST Threat Feed is a subscription-based service that delivers indicators of compromise collected, aggregated, filtered, and scored from hundreds of threat intelligence sources. Our solution enriches indicators with comprehensive context to accelerate incident prevention and response and enables automation solutions with actionable data.

Explore Threat Feed

IoC Lookup

Request Demo

RST Report Hub

Explore our extensive electronic library housing threat reports from various security companies, independent researchers, and communities. These reports are meticulously transformed from human-readable formats into machine-readable formats, including STIX 2.1. Gain access to valuable insights to bolster your cybersecurity strategy and stay informed about emerging threats.

Explore RST Report Hub

Request Demo

Enrichment services for SOC teams

The RST Noise Control API enables users to verify whether an indicator or a batch of indicators are deemed "known-good" and therefore classified as noise. With the RST IoC Lookup API, users can check individual values to determine if they are suspicious or malicious indicators, including IP addresses, domains, URLs, and hashes (MD5, SHA1, SHA256). Additionally, the RST Whois API provides registration information in JSON format, offering unlimited speed and no risk of being banned from WHOIS servers. This data can provide valuable information for recognising phishing or fraudulent resources.

Explore RST Noise Control

Explore WHOIS API

Explore RST IoC Lookup


{
  "status": "registered",
  "registered?": "true",
  "created_on": "2022-01-01 00:00:00",
  "updated_on": "2022-01-01 00:00:00",
  "expires_on": "2023-01-01 00:00:00",
  "age": 365,
  "registrar": "Registrar Name",
  "registrant": "Registrant Name",
  "nameservers": "ns1.domain.com,ns2.domain.com"
}

Get Free Trial

Choose a product and get your trial account by email. By signing up for a free trial, you grant RST Cloud permission to contact you via the provided email address for purposes related to your trial, account management, and relevant product information.

Threat Feed

Whois API