# Threat Intelligence Hub

The Threat Intelligence Hub is the set of threat intelligence feeds Radiant queries during the Enrichment stage of AI triage. It combines two tiers: Radiant TIS (rTIS), built-in feeds that run on every tenant by default, and client TIS (cTIS), which lets you connect your own subscriptions into the same enrichment pass.

### How the Hub fits into triage

Enrichment is the second stage of the AI triage pipeline, which sits inside the broader [Radiant data pipeline](/welcome-to-radiant/what-is-radiant-security/the-radiant-data-pipeline.md).

During Enrichment, Radiant extracts artifacts from the alert (file hashes, IP addresses, URLs, domains, email addresses, hostnames, user identities, process names) and queries every feed applicable to each artifact type in parallel. The results flow into Planning and Execution and become citable sources on each artifact.

### Two tiers of feeds

<figure><img src="/files/2uSuVkJgcqklZ2Q64yGO" alt=""><figcaption></figcaption></figure>

#### Radiant TIS (rTIS)

A curated set of commercial and community threat intelligence feeds that Radiant queries on your behalf. Enabled by default on every tenant, with no configuration required.

See [Built-in threat intelligence feeds](/radiant-connectors/threat-intelligence-hub/built-in-threat-intelligence-feeds.md) for what rTIS covers and how its results appear in the artifact panel.

#### Client TIS (cTIS)

cTIS lets you connect threat intelligence subscriptions your team already holds. Once a credential is saved, the feed is queried automatically on every relevant triage alongside rTIS, with results attributed to your tenant.

Radiant currently supports cTIS for VirusTotal. To connect it, see [VirusTotal](/radiant-connectors/threat-intelligence-hub/connect-your-own-threat-intelligence/virustotal.md).

### How enrichment results appear to analysts

Threat intelligence results appear as cards in the **Reputation and threat intel** section of the artifact panel. The section can contain four card types: Radiant TIS, client TIS, Allow List, and Deny List.

For details on each card type and how to read them, see [Built-in threat intelligence feeds](/radiant-connectors/threat-intelligence-hub/built-in-threat-intelligence-feeds.md).

### Availability

The Threat Intelligence Hub is available to all Radiant tenants. rTIS is enabled by default. cTIS is opt-in per provider; configure it from the Credentials page in Settings.

<table data-view="cards"><thead><tr><th>Topic</th><th data-card-target data-type="content-ref">Target</th></tr></thead><tbody><tr><td>Built-in threat intelligence feeds</td><td><a href="/pages/qVYic2jYT1WQCMZG9CSq">/pages/qVYic2jYT1WQCMZG9CSq</a></td></tr><tr><td>Connect your own threat intelligence</td><td><a href="/pages/qGsOUyuCojSYaTSu1TvK">/pages/qGsOUyuCojSYaTSu1TvK</a></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/threat-intelligence-hub.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.