What challenge was the client facing, and why did it matter?
The bank was already consuming threat data from multiple sources, but that data was often too generic, carried little context, and was poorly aligned with the day-to-day work of its security teams. The problem was not a shortage of data but its limited practical usefulness in a banking environment.
In practice, some information had to be validated again before it could be acted on, genuinely relevant data was hard to separate from low-value signals, and little of it could be used quickly in daily operations. Flexibility was another gap: the client needed to narrow the scope of information by source, risk level, or time, rather than work through a full, unfiltered stream of indicators.
Key challenges:
- limited threat context relevant to the financial sector
- the need to better align threat intelligence with the realities of banking
- excessive noise making day-to-day analysis more difficult
- the need for additional validation of some information by internal security teams
- the need for a selective approach to data instead of consuming a full stream of indicators
- the need for efficient deployment and alignment with existing security processes
What was implemented, and how did it work in practice?
The bank implemented Cyber Threat Intelligence Feed (CTI Feed) as an additional source of threat data supporting its existing security processes. The key value of the solution was not only the quality of the information itself, but also its usefulness in the day-to-day work of security teams.
An important part of that value comes from the work of PREBYTES SIRT (Security Incident Response Team), which handles and analyzes incidents and monitors threats relevant to financial institutions. As a result, the feed is enriched with intelligence grounded in the real threat landscape, not solely with data collected automatically on a global scale.
At the same time, the solution is backed by a broad data acquisition infrastructure. CTI Feed aggregates intelligence from multiple sources, including more than 100 active web crawlers, daily processing of over 350 million domains, and analysis of more than 6 million spam messages per month. This provides access to a broad stream of threat data without the need to build and maintain an internal acquisition infrastructure.
In practice, the bank gained access to information that was current, verified, and selectively filtered. Data can be narrowed by source, risk level, and time range, so the scope of intelligence can be matched to specific operational needs and the inflow of low-value indicators reduced.
Another advantage was the ability to work with both current and historical data. Delivery in CSV, JSON, STIX, and XML, with STIX content also served over TAXII, made it easier to integrate the feed with existing tools and security processes. TAXII is the transport protocol for exchanging STIX content rather than a data format in its own right, so tooling that already speaks TAXII can pull the feed without a custom importer.
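The filtering described above, shown as an added example that is not PREBYTES code and does not use the CTI Feed's real schema: a STIX 2.1 bundle (the kind of content a TAXII collection returns) is narrowed by source, risk level, and time window, and the surviving simple domain indicators are extracted for a blocklist. The assumptions are that "risk level" maps to the standard STIX `confidence` property (0-100) and that "source" is the identity named in `created_by_ref`; the bundle, identities, UUIDs, and `.example` domains are constructed sample data.

```python
"""Filter a STIX 2.1 indicator bundle by source, confidence and time window.

Added example, not PREBYTES code. Assumed mapping: feed "risk level" ->
STIX `confidence`; feed "source" -> the identity in `created_by_ref`.
All input below is constructed sample data, not output of the real feed.
"""
import json
import re
from datetime import datetime

# Constructed sample bundle: two source identities and five indicators
# (recent/high confidence, recent/low confidence, stale/high confidence,
# revoked, and one unscored indicator with a compound pattern).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0a01",
    "objects": [
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa1",
         "name": "sirt-analysts", "identity_class": "organization",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa2",
         "name": "spam-crawler", "identity_class": "system",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0ab1",
         "created_by_ref": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa1",
         "created": "2024-05-02T09:15:00.000Z", "modified": "2024-05-02T09:15:00.000Z",
         "valid_from": "2024-05-02T09:15:00.000Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-bank.example']",
         "confidence": 90, "labels": ["phishing"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0ab2",
         "created_by_ref": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa2",
         "created": "2024-05-03T11:00:00.000Z", "modified": "2024-05-03T11:00:00.000Z",
         "valid_from": "2024-05-03T11:00:00.000Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-card.example']",
         "confidence": 40, "labels": ["spam"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0ab3",
         "created_by_ref": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa1",
         "created": "2023-11-10T08:00:00.000Z", "modified": "2023-11-10T08:00:00.000Z",
         "valid_from": "2023-11-10T08:00:00.000Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old-phish.example']",
         "confidence": 85, "labels": ["phishing"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0ab4",
         "created_by_ref": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa2",
         "created": "2024-05-04T10:00:00.000Z", "modified": "2024-05-06T10:00:00.000Z",
         "valid_from": "2024-05-04T10:00:00.000Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'revoked.example']",
         "confidence": 95, "revoked": True, "labels": ["phishing"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0ab5",
         "created_by_ref": "identity--0f6d7d6a-1111-4c2a-9e3b-0a0a0a0a0aa2",
         "created": "2024-05-05T12:00:00.000Z", "modified": "2024-05-05T12:00:00.000Z",
         "valid_from": "2024-05-05T12:00:00.000Z", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'mixed.example' OR ipv4-addr:value = '198.51.100.7']",
         "labels": ["malicious-activity"]},
    ],
})


def parse_ts(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_bundle(text):
    """Split a bundle into an id->name map of identities and its indicators."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objs = bundle.get("objects", [])
    identities = {o["id"]: o.get("name", o["id"]) for o in objs if o.get("type") == "identity"}
    return identities, [o for o in objs if o.get("type") == "indicator"]


def filter_indicators(text, sources=None, min_confidence=0, since=None, until=None):
    """Return non-revoked indicators matching source, confidence and time window."""
    identities, indicators = load_bundle(text)
    selected = []
    for ind in indicators:
        if ind.get("revoked"):
            continue  # a revoked object must never reach a blocklist
        source = identities.get(ind.get("created_by_ref"), "unknown")
        if sources is not None and source not in sources:
            continue
        # Unscored indicators count as confidence 0, so they pass only when
        # the caller explicitly accepts unscored data (min_confidence=0).
        confidence = ind.get("confidence", 0)
        if confidence < min_confidence:
            continue
        valid_from = parse_ts(ind["valid_from"])
        if since is not None and valid_from < since:
            continue
        if until is not None and valid_from > until:
            continue
        if since is not None and "valid_until" in ind and parse_ts(ind["valid_until"]) < since:
            continue  # expired before the window opened
        selected.append({"id": ind["id"], "source": source, "confidence": confidence,
                         "valid_from": ind["valid_from"], "pattern": ind["pattern"],
                         "labels": ind.get("labels", [])})
    return selected


# Only single-domain patterns are safe to turn into plain blocklist entries;
# compound patterns (OR / AND) need real STIX pattern evaluation.
DOMAIN_PATTERN = re.compile(r"\[domain-name:value = '([^']+)'\]")


def domains_for_blocklist(selected):
    """Extract domains from simple domain-name patterns, skipping compound ones."""
    found = {m.group(1) for item in selected
             if (m := DOMAIN_PATTERN.fullmatch(item["pattern"]))}
    return sorted(found)


if __name__ == "__main__":
    window_start = parse_ts("2024-04-01T00:00:00.000Z")
    hits = filter_indicators(SAMPLE_BUNDLE, sources={"sirt-analysts"},
                             min_confidence=70, since=window_start)
    for h in hits:
        print(h["source"], h["confidence"], h["valid_from"], h["pattern"])
    print(domains_for_blocklist(hits))
```

The same three axes (source, risk level, time) apply whether the bundle arrives as a file or from a TAXII collection; a TAXII client would simply hand each returned envelope's `objects` to `load_bundle`. The explicit handling of `revoked` and of unscored indicators is the part worth keeping: a feed consumer that silently treats missing confidence as high, or keeps objects a source has withdrawn, reintroduces exactly the noise the filtering was meant to remove.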
What were the results, and what changed in day-to-day operations?
After implementation, the bank had a threat intelligence source aligned with its actual operational needs. The data itself was more useful, security teams worked more efficiently, threats were identified faster, and protective and preventive actions were better supported. Because the data was more relevant and could be narrowed selectively, teams could focus on signals that mattered instead of spending time evaluating a broad stream of indicators with little operational value.
In day-to-day terms this meant less noise, tighter control over the scope of information in use, and threat intelligence that was applied more consistently across security processes: in protecting the organization against incidents and their consequences, in detecting threats earlier, and in reducing operational risk.
Results after implementation:
- threat intelligence better aligned with the needs of the financial sector
- support for regulatory requirements (NIS2, DORA) in the areas of risk management, threat monitoring, and incident detection
- access to data with greater operational value
- reduced informational noise
- greater control over the scope of ingested information
- more effective use of threat intelligence in the daily work of security teams
- efficient implementation process and operational cooperation
- flexible use of data thanks to delivery in CSV, JSON, STIX, and XML formats and over TAXII