> For the complete documentation index, see [llms.txt](https://help.radiantsecurity.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.radiantsecurity.ai/radiant-connectors/threat-intelligence-hub/built-in-threat-intelligence-feeds.md).

# Built-in threat intelligence feeds

Radiant TIS (rTIS) is the set of threat intelligence feeds Radiant queries on every tenant's behalf during the Enrichment stage of AI triage. This article explains what rTIS is, how its results appear in the artifact panel, and what other cards you may see alongside rTIS results.

### What rTIS covers

rTIS is a curated set of commercial and community threat intelligence feeds covering domain, IP, URL, file hash, proxy, DNS, and geolocation intelligence. When an alert is triaged, Radiant extracts every artifact from the raw alert and queries every applicable rTIS feed in parallel. Verdicts feed into Planning and Execution and become citable sources on each artifact.

{% hint style="success" %}
rTIS is **always on**. Feeds are queried dynamically at the moment an artifact is enriched, not at alert ingestion. No customer configuration is required.
{% endhint %}

### Feed reference

Radiant currently queries the following built-in feeds:

<table><thead><tr><th width="143.423583984375">Feed</th><th width="113.9600830078125">Provider</th><th width="137.506103515625">Artifact type</th><th width="354.22137451171875">What it covers</th></tr></thead><tbody><tr><td>BinaryEdge</td><td>BinaryEdge</td><td>IP address</td><td>Threat feed covering scanner infrastructure and IPs observed engaging in malicious or suspicious activity.</td></tr><tr><td>Cisco Umbrella</td><td>Cisco</td><td>Domain</td><td>Domain reputation categorization across security categories (malware, phishing, command-and-control) and content categories.</td></tr><tr><td>FireHOL</td><td>FireHOL community</td><td>IP address</td><td>Aggregated community blocklists (Levels 1–4) of IPs associated with botnets, scanners, brute-force activity, and other attacker infrastructure.</td></tr><tr><td>Google Web Risk</td><td>Google</td><td>URL</td><td>URL classification for malware, social engineering (phishing), and unwanted software.</td></tr><tr><td>MalwareBazaar</td><td>abuse.ch</td><td>File hash</td><td>Known-malicious file hashes with malware family labels, threat type tags, and first-seen timestamps.</td></tr><tr><td>MISP</td><td>MISP community</td><td>IP address, Domain</td><td>Curated indicators used primarily to suppress false positives, flagging IPs and domains belonging to major service providers (e.g., Microsoft 365, Windows 10 connection endpoints) so legitimate traffic isn't misclassified.</td></tr><tr><td>NSRL</td><td>NIST</td><td>File hash</td><td>Known-good file hashes from the National Software Reference Library. Used to confirm legitimate system and application binaries and short-circuit triage when an actor is verified clean.</td></tr><tr><td>NVD</td><td>NIST</td><td>CVE</td><td>Vulnerability descriptions, CVSS scores, severity, and affected-product metadata from the National Vulnerability Database.</td></tr><tr><td>WHOIS</td><td>WhoisXML</td><td>Domain</td><td>Domain registration metadata: registrar, creation date, registrant, name servers, and expiry. Used to surface signals like newly-registered or recently-transferred domains.</td></tr></tbody></table>

### Where rTIS appears in the artifact panel

rTIS results surface in the **Reputation and threat intel** section of the artifact panel. To find it:

1. Open any alert and select an artifact (an IP address, file hash, URL, domain, or other artifact type) to open the artifact panel.
2. Scroll to the **Reputation and threat intel** section, which appears below the **Attributes** section.
3. The section is collapsible. Expand it to see every result Radiant retrieved for the artifact.

<div align="left"><figure><img src="/files/SVfwcYKEDeiqDkvw1SnI" alt="" width="555"><figcaption></figcaption></figure></div>

Cards only appear when there is a result to display. An artifact that produced no matches will show an empty or absent Reputation and threat intel section. This is expected and does not indicate a failure.

### How to read an rTIS card

Each rTIS card shows:

* The feed's vendor logo and feed name (e.g., Malware Bazaar or Google Web Risk).
* **Radiant Security** as the sub-label.
* A status pill colored by severity, showing the vendor's verbatim verdict (e.g., **Harmless**, **Found**, **Flagged**, **Neutral**). Radiant does not translate the wording.
* The execution timestamp.
* An icon in the top-right corner that opens a sub-drawer with the raw request and response (see [Inspect raw request and response data](#inspect-raw-request-and-response-data)).

<div align="left"><figure><img src="/files/IYs75mBdlGUa4Vlvowb2" alt=""><figcaption></figcaption></figure></div>

### Inspect raw request and response data

Click the icon in the top-right corner of any rTIS card to open a sub-drawer with:

* **Request**: the query Radiant sent to the feed, with the execution timestamp.
* **Response**: the raw vendor response, rendered as a searchable JSON tree.

The raw request and response are useful for validating a verdict, troubleshooting an unexpected result, or escalating a finding with the original source data intact.

<div align="left"><figure><img src="/files/WNwZ7s76nHkYqJt1VEIJ" alt="" width="489"><figcaption></figcaption></figure></div>

{% hint style="info" %}
The **Reputation and threat intel** section reflects the results of a single enrichment pass. Cards represent the data that was available at the time the artifact was enriched.
{% endhint %}

### Other cards in the same section

Three other card types appear in the Reputation and threat intel section alongside rTIS cards:

| Card type         | Sub-label                   | Verdict                   | Appears when                                    |
| ----------------- | --------------------------- | ------------------------- | ----------------------------------------------- |
| client TIS (cTIS) | Your tenant name            | Vendor's verbatim verdict | A feed your team connected returns a result     |
| Allow List        | Radiant Security Allow List | Always **Found** (green)  | An artifact matches a Radiant-curated allowlist |
| Deny List         | Radiant Security Deny List  | Always **Found** (pink)   | An artifact matches a Radiant-curated denylist  |

Allow List and Deny List cards have no data-driven verdict; the match itself is the finding.

To connect a cTIS provider, see [Connect your own threat intelligence](/radiant-connectors/threat-intelligence-hub/connect-your-own-threat-intelligence.md).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/threat-intelligence-hub/built-in-threat-intelligence-feeds.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.