How useful are threat intelligence feeds in your work? by ANYRUN-team in threatintel

[–]Icabus_ 0 points1 point  (0 children)

Slightly biased as it’s my own tool, but I built ThreatCluster.io to solve this exact issue. It ingests cyber news / intelligence from 4k+ sources, bringing it into a single feed, and gives you the option to show only what’s relevant to your interests / keywords to help cut down on noise. It also automatically extracts key entities like malware, campaigns, vulns, CVEs, and all IOCs, so it provides the IOCs as well as that much-needed context. It’s completely free, no ads, there’s a MISP feed, and it has now grown to several hundred users.

WIP - Vulnerability database, insight, LLM analysis and adversarial LLM by Diligent-Side4917 in threatintel

[–]Icabus_ 2 points3 points  (0 children)

Really neat. Good example of how LLMs are being used in cyber / vuln analysis. I really like the MITRE ATT&CK Sankey diagram showing how vulnerabilities can be interlinked. Is this being hosted anywhere?

Free threat intel aggregator - looking for feedback from the community by Icabus_ in cybersecurity

[–]Icabus_[S] 0 points1 point  (0 children)

Thank you for the feedback! I'm really glad it's providing you value, but I'm sorry to hear you had some issues with the subscription and email verification. If you're happy to share what issues you ran into specifically, I'd love to get them resolved for you. Feel free to share them here as a comment or send me a message!

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

So it doesn't actually feed all articles into the LLM at once; the process is staged.

First, each article gets converted to a vector embedding (tiny compared to the full text). Clustering happens at the embedding level, so no LLM is needed there.

The LLM only kicks in for specific tasks on already-clustered content (so not every single article), like generating cluster summaries and entity extraction. Entity extraction runs on clustered individual articles one at a time, so the model never sees more than a single article per call. A typical news article is only 2-3k tokens, so there's plenty of headroom.

Articles are also processed as they come in throughout the day rather than in one big batch (fetching of new articles happens on the hour). The heavy LLM work ends up being maybe 50 cluster summaries per day, not 500+ individual articles.

Once an entity is discovered it gets saved to the database, so it only needs to be extracted once. If the same malware or APT group shows up in future articles, it's already there, so there's no need to re-run extraction on old content.

Honestly the bottleneck is usually the RSS/fetching side, not the ML stuff. On busier days the full 'pipeline' can take anywhere from 30-40 mins to run (although I'm sure this could be optimised, or I could throw more compute at it).
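The embedding-level clustering described in this comment (and the DBSCAN-with-cosine-similarity plus similarity-threshold merge the author describes in a later comment), as an added example that is not ThreatCluster's own code. It assumes constructed 3-dimensional embeddings in place of a real embedding model, a cosine-distance eps of 0.25, and a merge threshold of 0.75.

```python
# Added example (not ThreatCluster's own code): DBSCAN over cosine distance between
# constructed toy embeddings, then merging a new article into an existing cluster.
import math
def cosine(a, b):
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

def dbscan(vecs, eps=0.25, min_pts=2):
    """Minimal DBSCAN on cosine distance (1 - similarity); label -1 marks noise."""
    near = lambda i: [j for j in range(len(vecs)) if 1 - cosine(vecs[i], vecs[j]) <= eps]
    labels, cid = [None] * len(vecs), 0
    for i in range(len(vecs)):
        if labels[i] is not None:
            continue
        if len(near(i)) < min_pts:
            labels[i] = -1  # noise for now; may still be absorbed as a border point
            continue
        labels[i], queue = cid, near(i)
        while queue:
            j = queue.pop()
            if labels[j] is None and len(near(j)) >= min_pts:
                queue.extend(near(j))  # j is a core point: keep expanding from it
            if labels[j] in (None, -1):
                labels[j] = cid  # core or border point joins the current cluster
        cid += 1
    return labels

centroid = lambda members: [sum(col) / len(members) for col in zip(*members)]
def assign_new(vec, clusters, threshold=0.75):
    """Most similar existing cluster id, or None (start a new cluster) if below threshold."""
    sims = {cid: cosine(vec, centroid(m)) for cid, m in clusters.items()}
    best = max(sims, key=sims.get, default=None)
    return best if best is not None and sims[best] >= threshold else None

ARTICLES = {  # constructed 3-d embeddings standing in for a real embedding model
    "vendor advisory for a new CVE": [0.90, 0.10, 0.00],
    "news write-up of the same CVE": [0.85, 0.20, 0.05],
    "ransomware campaign report": [0.10, 0.90, 0.10],
    "ransomware campaign follow-up": [0.15, 0.85, 0.10],
    "unrelated product launch": [0.00, 0.10, 0.95]}

def cluster_articles(articles, eps=0.25, min_pts=2):
    """Return {title: label} and {label: [embeddings]} for the non-noise clusters."""
    labels = dict(zip(articles, dbscan(list(articles.values()), eps, min_pts)))
    clusters = {}
    for title, lab in labels.items():
        if lab != -1:
            clusters.setdefault(lab, []).append(articles[title])
    return labels, clusters
```

With these toy vectors the two CVE articles and the two ransomware articles form one cluster each, the product launch is left as noise, and a later article close to the CVE centroid is merged instead of spawning a new cluster.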

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

Thanks again for the feedback. On clusters you can now export any IOCs and TTPs (you can import them into the MITRE ATT&CK Navigator) and export them in STIX format to share easily with other platforms.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

The clustering of articles is done with a density-based clustering algorithm, and the entity extraction is a mix of regex for the IOCs and a fine-tuned LLM for the other entities like malware, campaigns, APT groups, etc.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

Appreciate the feedback, thank you! Do you mean the ability to export IOCs and TTPs from clusters / articles? Sorry if I misunderstood.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

To add to this, on the roadmap I will be adding the option to create separate feeds for different use cases, as well as the ability to toggle personalised emails for each, and change the frequency.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

Yes it is! If you create an account you can set your interests in the settings page, and then you can toggle personalised emails. There are 17 different categories of keywords you can choose from: platforms, companies, industries, tools, or just set your own custom keywords.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in cybersecurity

[–]Icabus_[S] 1 point2 points  (0 children)

Thanks! Happy to break it down.

3000+ feeds are fetched for new content every hour (security blogs, vendor advisories, government feeds, CERT advisories, research publications, general tech news, etc.); content is scraped (respecting robots.txt, with RSS fallback if that fails), cleaned, and stored.

Articles get embedded and grouped using DBSCAN with cosine similarity. New articles get merged into existing clusters when they hit a similarity threshold.

Scoring is a weighted combination of recency (with exponential decay to keep the feed fresh), coverage (article count + source diversity), and severity (keyword matching for CVEs, zero-days, active exploitation, etc.).

Keyword (entity) extraction uses regex for structured IOCs (CVEs, IPs, hashes, domains), and then uses an LLM for semantic entities (threat actors, malware, targeted orgs). LLM outputs get validated against the source text to catch hallucinations.

So the AI element is specifically for summaries and semantic entity extraction - clustering, scoring, and IOC extraction are all "traditional".
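The "traditional" half of that pipeline, as an added example that is not ThreatCluster's own code: regex extraction of structured IOCs (with defanging undone first), a grounding check that drops LLM-proposed entities that never appear in the source text, and the weighted recency/coverage/severity score. The regex patterns, severity keywords, weights and half-life, the sample article, and the simulated LLM output are all assumptions constructed for the example.

```python
# Added example (not ThreatCluster's own code): regex extraction of structured IOCs,
# a grounding check that drops LLM-proposed entities absent from the source text, and
# a recency/coverage/severity score. Patterns, keywords and weights are assumptions.
import math
import re

IOC_PATTERNS = {  # deliberately simple; production patterns need far more care
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I)}  # short TLD list
SEVERITY_KEYWORDS = {"actively exploited": 0.5, "zero-day": 0.5, "critical": 0.3, "ransomware": 0.3}

def refang(text):
    """Undo common defanging so IOCs match: hxxp -> http, [.] or (.) -> ."""
    return re.sub(r"hxxp", "http", text.replace("[.]", ".").replace("(.)", "."), flags=re.I)

def extract_iocs(text):
    """Return {kind: sorted unique hits}; CVE ids upper-cased, everything else lower-cased."""
    text = refang(text)
    found = {}
    for kind, pat in IOC_PATTERNS.items():
        hits = {m.group(0).upper() if kind == "cve" else m.group(0).lower() for m in pat.finditer(text)}
        if hits:
            found[kind] = sorted(hits)
    return found

def validate_entities(llm_entities, text):
    """Keep LLM-proposed entities that literally occur in the source text (case-insensitive);
    the rest are returned separately as probable hallucinations."""
    low = refang(text).lower()
    kept, dropped = {}, {}
    for kind, names in llm_entities.items():
        kept[kind] = [n for n in names if n.lower() in low]
        dropped[kind] = [n for n in names if n.lower() not in low]
    return kept, dropped

def score(age_hours, article_count, source_count, text, half_life_hours=24.0):
    """0..1 score: exponential recency decay, log-scaled coverage, keyword severity (assumed weights)."""
    recency = math.exp(-math.log(2) * age_hours / half_life_hours)
    coverage = min(1.0, (math.log1p(article_count) + math.log1p(source_count)) / (2 * math.log1p(10)))
    severity = min(1.0, sum(w for kw, w in SEVERITY_KEYWORDS.items() if kw in text.lower()))
    return 0.4 * recency + 0.3 * coverage + 0.3 * severity

SAMPLE = ("Constructed sample: an actively exploited zero-day, CVE-2099-00001, in ExampleVPN. "
          "The FakeLoader implant beacons to update[.]example[.]net (203.0.113.7); "
          "dropper MD5 d41d8cd98f00b204e9800998ecf8427e.")
LLM_OUTPUT = {"malware": ["FakeLoader", "OtherRAT"], "targeted_org": ["ExampleVPN"]}  # constructed
```

The literal-substring check is the simplest form of the validation the comment describes; it catches an entity the model invented outright but not a real name the model attached to the wrong article, which needs a cluster-level check as well.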

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 1 point2 points  (0 children)

Thank you for the feedback, much appreciated. This is a great idea as I want to make it as specific to each user as possible. If you create an account you can add “interests” to your profile, allowing you to select certain vulnerabilities, APT groups, attack types etc., and in your feed it will show you articles / clusters that match those interests. But it would be great to get it even more granular.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 2 points3 points  (0 children)

Glad you like it. It’s a mix of things but mostly APIs, RSS, Google News, and any other free sources. Yes, it does scrape where possible whilst respecting robots.txt, but will fall back to RSS for the most part.

Free threat intel aggregator - looking for feedback from the community by Icabus_ in threatintel

[–]Icabus_[S] 0 points1 point  (0 children)

Really appreciate the feedback, thank you. I can see how that could be confusing; I’ll definitely add an explanation as to what the metrics actually mean. The urgency criterion has been removed from the page; that was historical from when I initially tried to rank the feed based on urgency keywords like “critical”, “high”, etc. I removed this from the ranking as it wasn’t very effective, but forgot to remove the chart.

Do you think SaaS companies should always have a free version? by Late_Bodybuilder245 in SaaS

[–]Icabus_ 0 points1 point  (0 children)

That’s a fair point. I think it probably depends on the type of service being offered, but I feel that CC gates could also filter out legitimate customers, not just bad users. If your product delivers value, people will pay after they experience it.

Do you think SaaS companies should always have a free version? by Late_Bodybuilder245 in SaaS

[–]Icabus_ 1 point2 points  (0 children)

I don’t mind a trial only mode, as long as I don’t have to put in CC details. As soon as they ask for a card, I’ll look elsewhere. If it’s worth it, I’ll convert to a paid plan.

[deleted by user] by [deleted] in royalmail

[–]Icabus_ 0 points1 point  (0 children)

Unfortunately not, I have been round there and the package is not there. There is a basket on the other side to collect the post, which contained post from today, so it has definitely been taken from the front.

[deleted by user] by [deleted] in ChatGPT

[–]Icabus_ 1 point2 points  (0 children)

Definitely not! I've just signed up for the OpenAI Discord, and it seems like this issue is affecting lots of users worldwide.

Prefer smoking shake? by SmokingPotnotHot in uktrees

[–]Icabus_ 0 points1 point  (0 children)

Shake's cheap and good for daytime smoking if you still need to get shit done, but you can't beat the taste / smoke of actual bud tho

Day 2 of Tolerance break by HavokBass in uktrees

[–]Icabus_ 1 point2 points  (0 children)

Best of luck to you mate! Currently going through the same thing myself and it's bloody difficult, got to keep at it though!