
Why a proprietary intelligence feed, not a resold one

In short

An intelligence feed is only as good as its source. Generic resold feeds aggregate third-party indicators, often stale and out of context: noise that clogs the SIEM. A field-observed proprietary feed is born from real incidents and direct actor research: fresh, attributed IOCs that are relevant to your sector. The difference is not the quantity of indicators, it is how many of those indicators actually matter to you.

The thesis

Everyone sells “threat intelligence”. Few produce it. The difference between a feed that protects and one that only makes noise is not the number of indicators, it is where they come from: a proprietary feed born from real incidents can tell you who is attacking you and why; a resold feed gives you a list.

The cost of not having it (or having the wrong one)

A generic feed fills the SIEM with isolated, often stale indicators: the SOC drowns in false positives and the real signals get lost. The cost is not just the feed subscription, it is analysts’ time and the important alerts missed. Having “a feed” is not the same as having intelligence.

What a field-observed feed provides

Fresh, attributed IOCs (34k+ validated weekly), tied to an actor and a sector, produced from incidents handled and direct research. This is the difference that enabled the attribution of Nebula Broker, later confirmed by Mandiant: intelligence that anticipates rather than describes.

When it really matters (and when less is enough)

It matters when you have a SOC/SIEM that can consume it and act, or an MDR that applies it for you. If you do not yet have operational detection, that capability comes first (an MDR or a SOC), and the feed then powers it: a feed with no one to use it stays a file. Honestly: a micro-business with no SOC gets more value from securing identity and backups than from buying a feed.

Comparison

Generic resold feed vs field-observed proprietary feed

Aspect | Generic resold feed | Fortgale proprietary feed
Source | Third-party aggregation | Real incidents + direct research
Context | Isolated indicator | Actor, TTP, sector targeted
Freshness | Often stale | 34k+ IOCs validated weekly
Effect on the SOC | Noise and false positives | Targeted detection, less noise

Field-observed proof · original intelligence

Fortgale was the first to attribute the Italian actor Nebula Broker (BrokerLoader malware, 2023), later confirmed by Mandiant (Google) as UNC4990. That actor's TTPs and IOCs went into the customers' feed: intelligence produced, not bought.

FAQ

Frequently asked.

What do I risk with a generic feed?

Volume without relevance: thousands of uncontextualised indicators that generate false positives, overload analysts and hide the signals that matter. A feed you cannot trace is not a defence, it is noise.

What makes a feed 'proprietary'?

That the intelligence is produced by those who use it: incidents handled, actor research, deep and dark web monitoring. Fortgale tracks 287 adversary groups and offensive tools relevant to the EU.

Does the feed integrate with my SIEM?

Yes: the IOCs are machine-readable and integrate into SIEM/EDR/firewall. In the Fortgale model the feed is already integrated into the MDR service, applied to detection in real time.

Is it useful for a mid-sized company too?

Yes. What counts is knowing which actors target your sector and receiving indicators applicable to your stack, not having the biggest feed. Relevance beats volume.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale Intelligence Feed.
