Last updated at Wed, 23 Apr 2025 14:22:35 GMT

Co-authored by Raj Samani (Chief Scientist) & Craig Adams (Chief Product Officer)

In traditional conflicts, intelligence is both integral and beneficial to decision-making at every level. Unfortunately, in cybersecurity, the impact of threat intelligence as an asset for organizations—and in particular their security operations team—has been less significant.  

Why has this been the case? While threat intelligence should be intrinsic to the detection and response process, the reality is that security teams are overwhelmed with far too much noise to efficiently gather what they need from it. Not responding in a timely fashion ultimately means that by the time any response can be mustered, it will be too late. This is particularly the case given threat actors’ dwell times have in some instances decreased to a matter of hours.

The threat landscape is not static—defenders need a continuous view of what is occurring, right now.

We are delighted to announce the availability of Intelligence Hub, an evolution in threat intelligence delivery that is designed to provide meaningful context and actionable insights integrated with the Rapid7 Command Platform.

High-fidelity data: curated intelligence

Intelligence is not a commodity. Simply gathering every feed is why many organizations are overwhelmed and unable to respond in a timely manner to disrupt the kill chain before attackers move to the final stage. Consider many of the recent significant breaches; invariably, alerts are missed and data is exfiltrated. With this in mind, the focus of Rapid7 Labs has been to increase the fidelity of data, leveraging our own approach to curated intelligence.

Data that can be trusted

The objective of curated intelligence is to extract the low-prevalence indicators and verify the malicious nature of the artifact, thus enabling a timely response while reducing the risk of false positives. Introducing high-fidelity data also provides the opportunity to automate the response. Such an approach goes beyond the analyst and considers what an appropriate response should be.

The curated intelligence within Intelligence Hub is derived from ingestion sources that are unique to Rapid7, such as our honeypot data and proprietary research, as well as insights from our open source and research communities. These include Metasploit, AttackerKB, and other global communities that make our reach into understanding the threatscape both broader and deeper. Expertly crafted machine learning (ML) models combined with manual verification from our Rapid7 Labs team create additional layers of validation.

What matters to me? Understand prevalence quickly with the campaigns that are targeting your business sector or geography as efficiently as possible.

Decay modeling maintains relevance

Even curated intelligence can quickly get very stale. If we consider an IP address used within a given campaign, this artifact will soon cease to be relevant since threat actors will migrate once it has been identified as known bad. For this reason, Intelligence Hub shows the decay score, which will reduce over time as the artifact migrates from known bad to unknown (or another state).

A view of campaign activities being conducted by the Mustang Panda APT group (correct at the time of writing). Intelligence Hub covers all major threat activities from organized crime and APT groups.

Contextualized information

Intelligence Hub’s higher fidelity data remains continuously updated, allowing us to move away from the problem of traditional Threat Intelligence Platforms (TIPs) that have provided the firehose of false positives and noisy alerts. The opportunity is to now use prevalence to allocate resources to only the areas which are necessary. In other words, if a threat campaign is targeting a specific sector and/or geography and exploiting specific vulnerabilities, then surely these will require remediation first. In addition, if the campaign is being carried out by a ransomware group whose dwell time continues to drop, then almost certainly prioritizing remediation should include automation.

Automation does, of course, demand high-fidelity data, which is why curated intelligence remains the foundation of the solution.

Actionable insights

What all of this means is the security teams can get true, actionable insights — understanding what indicators within their environment are confirmed as malicious, as well as the threat actors’ motivations. Utilizing these insights to take the appropriate action to mitigate the threat in a timely fashion now becomes a reality with Intelligence Hub.

Learn more about the active threat groups conducting operations in the world today.

Intelligence is great, but what does this mean for your organization?

Above all else, the integration of Intelligence Hub with the Rapid7 Command Platform provides the ability to go beyond the analyst and deliver true security outcomes. Firstly, with our next-gen SIEM, Rapid7 InsightIDR, the security analyst can prioritize triaging security alerts that demand attention. For example, if there are reliable indicators regarding the possibility of a ransomware group inside the environment, this clearly demands prioritization with the intention of disrupting the kill chain before the final stage payload is delivered. Such an approach reinforces why context matters, and perhaps controversially, why attribution becomes operationally relevant.

Migrate away from the dependency of manual tools to integrate intelligence into operations and surface the alerts that truly matter.

Threat-informed remediation: beyond the security analyst

The role of intelligence Hub therefore goes beyond the security analyst, and supports integration with the remediation actions of any organization. An upcoming integration with Remediation Hub will give security analysts the added insight to justify security updates being rolled out outside of the normal change control cycle. An example of this could be CVE-2024-55591, an authentication bypass in Fortinet firewalls, which was exploited as a zero-day in January 2025 and reported to be used by ransomware groups on March 18, 2025. This attack warrants immediate remediation in order to mitigate the potential of being exploited. This answers the question many security practitioners are often asked: Are we vulnerable? And, with the investigation option within Intelligence Hub, the opportunity exists to answer the question: Have we been compromised?

With actionable (and relevant) intelligence being incorporated into the allocation of resources for remediation, Intelligence Hub provides the critical data necessary for effective security operations.

Intelligence Hub is the integrated threat intelligence solution that delivers proactive context and prioritization, rapidly accelerating time to remediation.

The evolution of threat intelligence

In summary, Intelligence Hub represents a significant leap forward in threat intelligence delivery. By providing curated, high-fidelity data with relevant context and actionable insights, it empowers security teams to move beyond the noise of traditional threat intelligence solutions. The integration with the Rapid7 Command Platform and Remediation Hub further offers threat-informed remediation, allowing organizations to prioritize and automate responses effectively. Ultimately, Intelligence Hub is designed to help organizations achieve true security outcomes by focusing on what truly matters and disrupting the kill chain quicker, and with greater confidence. Learn more about Intelligence Hub here.