RST Threat Feed

The ultimate source of comprehensive knowledge about cybersecurity threats from all over the world in ready-to-use format and the ability to enrich data using our APIs



Our API service provides parsed and normalised domain registration data in ready-to-use format. Add WHOIS information to your data with no risk being banned.

Get global threat intelligence context from RST Cloud

Our mission is to help cybersecurity experts to consolidate global knowledge about all publicly available threat intelligence sources in one convenient service.

Group 33010 (9)

RST Cloud Engine


Many indicators come with no threat context. This makes it difficult to make a decision should we block based on the indicators or not.

Looking at an indicator it is crucial to have additional information such as: when it was first seen in the wild, who owns that IP or domain, where it is hosted geographically and which well-known hosting provider is used. Harvested URLs are being checked at collection time for the actual availability.

After IoCs are being aggregated from multiple sources we contextualise them by adding:



Every day hundreds of threats are targeting every organisation who is actively using the Internet in their day-to-day business. This may cause thousands of alerts daily to be monitored and analysed.

Having such a big flow of everyday alerts it is important to sort them by score and start an investigation of the most critical first. We rank every indicator using our algorithms to assign an appropriate score and help you to look at only the relevant piece of information.


Some indicators of compromise are temporarily in nature, others are submitted incorrectly. This leads to a high number of False Positive detections.

The occurrence of Type I (false positive) errors and Type II (false negative) errors when you deal with Indicators of Compromise is common and annoying.

Our verification engine filters out noise data that shortens investigation time and rises efficiency of threat analysis.

We cross-verify indicators and perform additional sanitising checks:

Exception lists according to RFC
Publicly available cloud services (AWS, GCP, Azure and many others)
Other trusted whitelists used by the cybersecurity community
Context and reputation checks

RST Threat Feed

RST Threat Feed is a subscription-based service that delivers indicators of compromise collected, aggregated, filtered, and scored from hundreds of threat intelligence sources. Our solution enriches indicators with comprehensive context to accelerate incident prevention and response and enables automation solutions with actionable data.

  "ip": {
    "v4": "",    - type | value
    "num": "237077948"      - value as Integer (comparison can be faster)
  "fseen": 1569715200,     - first seen timestamp
  "lseen": 1569801600,     - last seen timestamp
  "collect": 1571184000,   - indicator collection timestamp
  "tags": {                                 - tags in order to categorize indicators
    "str": [
    "codes": [0,11,4]             - IDs of the tags
                                                    (to be used to minimize memory usage in SIEM)
  "asn": {
    "num": 4766,                     - An autonomous system number related 


Our WHOIS API provides registration details of a domain name. All of the WHOIS information is parsed and normalised consistently to a JSON format so it can efficiently fit in with your integrations.

  "status": "registered",
  "registered?": "true",
  "created_on": "2022-01-01 00:00:00",
  "updated_on": "2022-01-01 00:00:00",
  "expires_on": "2023-01-01 00:00:00",
  "age": 365,
  "registrar": "Registrar Name",
  "registrant": "Registrant Name",
  "nameservers": ","

Get Free Trial

Choose a product and get your trial account by email

Trusted by partners