Built-in threat intelligence feeds

How Radiant TIS (rTIS) enriches every alert by default.

Radiant TIS (rTIS) is the set of threat intelligence feeds Radiant queries on every tenant's behalf during the Enrichment stage of AI triage. This article explains what rTIS is, how its results appear in the artifact panel, and what other cards you may see alongside rTIS results.

What rTIS covers

rTIS is a curated set of commercial and community threat intelligence feeds covering domain, IP, URL, file hash, proxy, DNS, and geolocation intelligence. When an alert is triaged, Radiant extracts every artifact from the raw alert and queries every applicable rTIS feed in parallel. Verdicts feed into Planning and Execution and become citable sources on each artifact.

Feed reference

Radiant currently queries the following built-in feeds:

| Feed | Provider | Artifact type | What it covers |
| --- | --- | --- | --- |
| BinaryEdge | BinaryEdge | IP address | Threat feed covering scanner infrastructure and IPs observed engaging in malicious or suspicious activity. |
| Cisco Umbrella | Cisco | Domain | Domain reputation categorization across security categories (malware, phishing, command-and-control) and content categories. |
| FireHOL | FireHOL community | IP address | Aggregated community blocklists (Levels 1–4) of IPs associated with botnets, scanners, brute-force activity, and other attacker infrastructure. |
| Google Web Risk | Google | URL | URL classification for malware, social engineering (phishing), and unwanted software. |
| MalwareBazaar | abuse.ch | File hash | Known-malicious file hashes with malware family labels, threat type tags, and first-seen timestamps. |
| MISP | MISP community | IP address, Domain | Curated indicators used primarily to suppress false positives, flagging IPs and domains belonging to major service providers (e.g., Microsoft 365, Windows 10 connection endpoints) so legitimate traffic isn't misclassified. |
| NSRL | NIST | File hash | Known-good file hashes from the National Software Reference Library. Used to confirm legitimate system and application binaries and short-circuit triage when an actor is verified clean. |
| NVD | NIST | CVE | Vulnerability descriptions, CVSS scores, severity, and affected-product metadata from the National Vulnerability Database. |
| WHOIS | WhoisXML | Domain | Domain registration metadata: registrar, creation date, registrant, name servers, and expiry. Used to surface signals like newly-registered or recently-transferred domains. |

Where rTIS appears in the artifact panel

rTIS results surface in the Reputation and threat intel section of the artifact panel. To find it:

  1. Open any alert and select an artifact (an IP address, file hash, URL, domain, or other artifact type) to open the artifact panel.

  2. Scroll to the Reputation and threat intel section, which appears below the Attributes section.

  3. The section is collapsible. Expand it to see every result Radiant retrieved for the artifact.

Cards only appear when there is a result to display. An artifact that produced no matches will show an empty or absent Reputation and threat intel section. This is expected and does not indicate a failure.

How to read an rTIS card

Each rTIS card shows:

  • The feed's vendor logo and feed name (e.g., Malware Bazaar or Google Web Risk).

  • Radiant Security as the sub-label.

  • A status pill colored by severity, showing the vendor's verbatim verdict (e.g., Harmless, Found, Flagged, Neutral). Radiant does not translate the wording.

  • The execution timestamp.

  • An icon in the top-right corner that opens a sub-drawer with the raw request and response (see Inspect raw request and response data).

Inspect raw request and response data

Click the icon in the top-right corner of any rTIS card to open a sub-drawer with:

  • Request: the query Radiant sent to the feed, with the execution timestamp.

  • Response: the raw vendor response, rendered as a searchable JSON tree.

The raw request and response are useful for validating a verdict, troubleshooting an unexpected result, or escalating a finding with the original source data intact.

The Reputation and threat intel section reflects the results of a single enrichment pass. Cards represent the data that was available at the time the artifact was enriched.

Other cards in the same section

Three other card types appear in the Reputation and threat intel section alongside rTIS cards:

| Card type | Sub-label | Verdict | Appears when |
| --- | --- | --- | --- |
| client TIS (cTIS) | Your tenant name | Vendor's verbatim verdict | A feed your team connected returns a result |
| Allow List | Radiant Security Allow List | Always Found (green) | An artifact matches a Radiant-curated allowlist |
| Deny List | Radiant Security Deny List | Always Found (pink) | An artifact matches a Radiant-curated denylist |

Allow List and Deny List cards have no data-driven verdict; the match itself is the finding.

To connect a cTIS provider, see Connect your own threat intelligence.
