Threat Intelligence Hub

Radiant's unified enrichment layer combining Radiant built-in feeds (rTIS) and customer-supplied threat intelligence (cTIS) for AI triage.

The Threat Intelligence Hub is the set of threat intelligence feeds Radiant queries during the Enrichment stage of AI triage. It combines two tiers: Radiant TIS (rTIS), built-in feeds that run on every tenant by default, and client TIS (cTIS), which lets you connect your own subscriptions into the same enrichment pass.

How the Hub fits into triage

Enrichment is the second stage of the AI triage pipeline, which sits inside the broader Radiant data pipeline.

During Enrichment, Radiant extracts artifacts from the alert (file hashes, IP addresses, URLs, domains, email addresses, hostnames, user identities, process names) and queries every feed applicable to each artifact type in parallel. The results flow into Planning and Execution and become citable sources on each artifact.
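The fan-out described above, modelled as an added example; it is not Radiant's code. The feed names, their artifact-type coverage and verdicts, the regex extractors and the alert text are constructed assumptions, and the feeds are local stubs that make no network calls.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed alert text; indicators use a documentation IP range and a dummy hash.
ALERT = ("Outbound connection to 203.0.113.7, download from "
         "http://files.example.net/a.bin, sha256 " + "ab" * 32)

# Simplified extractors for three of the artifact types listed above.
PATTERNS = {
    "url": re.compile(r"https?://[^\s,]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}

def extract_artifacts(text):
    """Return a sorted, de-duplicated list of (artifact_type, value) pairs."""
    return sorted({(t, v) for t, rx in PATTERNS.items() for v in rx.findall(text)})

def make_feed(name, tier, types, verdicts):
    """Hypothetical stub feed: answers from a local dict instead of a remote API."""
    def query(value):
        return {"source": name, "tier": tier, "verdict": verdicts.get(value, "unknown")}
    return {"name": name, "tier": tier, "types": types, "query": query}

def build_feeds(ctis_credential=None):
    feeds = [
        make_feed("rtis-ip-reputation", "rTIS", {"ip"}, {"203.0.113.7": "malicious"}),
        make_feed("rtis-file-url", "rTIS", {"hash", "url"}, {}),
    ]
    if ctis_credential:  # cTIS is opt-in: it joins the pass only once a credential is saved
        feeds.append(make_feed("ctis-virustotal", "cTIS", {"hash", "url", "ip"},
                               {"ab" * 32: "malicious"}))
    return feeds

def enrich(text, feeds):
    """Query every feed applicable to each artifact type in parallel."""
    jobs = [(a, f) for a in extract_artifacts(text) for f in feeds if a[0] in f["types"]]
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda job: job[1]["query"](job[0][1]), jobs))
    enriched = {}
    for (artifact, _feed), result in zip(jobs, results):
        # Each result keeps its source and tier so it can be cited on the artifact.
        enriched.setdefault(artifact, []).append(result)
    return enriched
```

Calling `enrich(ALERT, build_feeds())` returns rTIS results only; passing a credential to `build_feeds` adds the cTIS result beside them for the same artifacts.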

Two tiers of feeds

Radiant TIS (rTIS)

A curated set of commercial and community threat intelligence feeds that Radiant queries on your behalf. Enabled by default on every tenant, with no configuration required.

See Built-in threat intelligence feeds for what rTIS covers and how its results appear in the artifact panel.

Client TIS (cTIS)

cTIS lets you connect threat intelligence subscriptions your team already holds. Once a credential is saved, the feed is queried automatically on every relevant triage alongside rTIS, with results attributed to your tenant.

Radiant currently supports cTIS for VirusTotal. To connect it, see VirusTotal.

How enrichment results appear to analysts

Threat intelligence results appear as cards in the Reputation and threat intel section of the artifact panel. The section can contain four card types: Radiant TIS, client TIS, Allow List, and Deny List.

For details on each card type and how to read them, see Built-in threat intelligence feeds.

Availability

The Threat Intelligence Hub is available to all Radiant tenants. rTIS is enabled by default. cTIS is opt-in per provider; configure it from the Credentials page in Settings.
