Indicators are noise. Intelligence drives action.

Federal CTI engineering. STIX 2.1 over TAXII 2.1. CISA AIS, ISAC/ISAO, commercial, and open source — curated through a TIP, scored, enriched, and pushed to the SOC with context.

The federal CTI stack is a curation problem

The volume of indicators a federal agency can subscribe to today is effectively unbounded. CISA Automated Indicator Sharing alone delivers tens of thousands of STIX objects per week. Add commercial feeds (Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, Microsoft Defender Threat Intelligence), the relevant ISAC/ISAO feeds, and open source (MISP communities, Abuse.ch, AlienVault OTX) and the raw stream is millions of indicators per month. Dumping that into a SIEM produces alert fatigue, missed detections, and SOC burnout. The federal CTI program is a curation, scoring, enrichment, and delivery problem — not a subscription problem.

Precision Delivery Federal builds federal cyber threat intelligence programs around a Threat Intelligence Platform as the curation layer. The TIP normalizes feeds into STIX 2.1, deduplicates across sources, scores indicators for confidence and relevance to the agency's threat profile, enriches through passive DNS, WHOIS, sandbox detonation, and ATT&CK mapping, and only then pushes high-confidence indicators with context into SIEM watchlists, EDR custom IOCs, firewall block lists, and email gateway policies — each with appropriate dwell time and review cadence.
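
The curation step described above, as an added example that is not the page's or any TIP vendor's code: records from three constructed feeds arrive in different shapes, are normalized to one (observable type, value) key, merged across sources, scored against a constructed source-weight table and a constructed agency priority-technique list, and routed downstream with a dwell time. Feed names, weights, score thresholds, dwell times and the fixed reference date are assumptions; the addresses are RFC 5737 / RFC 2606 documentation values and the hash is a placeholder.

```python
"""Curation layer sketch: normalize indicators from several feeds into one shape,
deduplicate across sources, score for confidence and relevance to the agency
threat profile, then route each indicator downstream with a dwell time.

Added example, not the page's or any TIP vendor's code.  The feed names, source
weights, priority techniques, thresholds, dwell times and reference date are
constructed policy values; the indicators use RFC 5737 / RFC 2606 documentation
addresses and a placeholder hash.
"""
import re
from datetime import date

SOURCE_WEIGHT = {"cisa-ais": 0.9, "commercial-a": 0.8, "osint-x": 0.5}   # constructed trust weights
PRIORITY_TECHNIQUES = {"T1190", "T1133", "T1071.001"}                   # constructed agency profile
DWELL_DAYS = {"ipv4-addr": 30, "domain-name": 90, "file:hashes.SHA-256": 365}
KIND_TO_TYPE = {"ip": "ipv4-addr", "domain": "domain-name", "sha256": "file:hashes.SHA-256"}
TODAY = date(2025, 1, 15)                                                # fixed so scores are reproducible
# Simple single-comparison STIX patterns such as [ipv4-addr:value = '203.0.113.10']
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")


def normalize(feed, r):
    """Map a feed-specific record onto: type, value, confidence, techniques, last_seen."""
    if feed == "cisa-ais":            # STIX 2.1 indicator; techniques pre-resolved from its relationships
        m = PATTERN_RE.match(r["pattern"])
        if not m:
            return None               # compound patterns need a real STIX pattern parser
        path = m.group("path")
        otype = "file:hashes.SHA-256" if path.startswith("file:hashes") else path.split(":")[0]
        return {"type": otype, "value": m.group("value"), "confidence": r.get("confidence", 50),
                "techniques": set(r.get("techniques", ())), "last_seen": r["modified"][:10]}
    if feed == "commercial-a":        # vendor JSON with its own field names
        return {"type": KIND_TO_TYPE[r["kind"]], "value": r["ioc"], "confidence": r["risk"],
                "techniques": set(r.get("mitre", ())), "last_seen": r["last_seen"]}
    if feed == "osint-x":             # bare list, no confidence supplied: assume 50
        return {"type": KIND_TO_TYPE[r["kind"]], "value": r["value"], "confidence": 50,
                "techniques": set(), "last_seen": r["date"]}
    return None


def score(entry):
    """0-100: best source-weighted confidence, plus corroboration and relevance, minus staleness."""
    weighted = max(SOURCE_WEIGHT[s] * c for s, c in entry["sources"].items())
    corroboration = 10 * (len(entry["sources"]) - 1)          # independent sources agree
    relevance = 15 if entry["techniques"] & PRIORITY_TECHNIQUES else 0
    age_days = (TODAY - date.fromisoformat(entry["last_seen"])).days
    staleness = min(age_days // 30 * 5, 30)                   # -5 per month unseen, capped
    return max(0, min(100, round(weighted + corroboration + relevance - staleness)))


def route(s, otype):
    """Destinations by score band; below 60 the indicator stays in the TIP for analyst review."""
    if s >= 80:
        dests = ["siem-watchlist", "edr-custom-ioc", "firewall-block"]
    elif s >= 60:
        dests = ["siem-watchlist"]
    else:
        dests = []
    return {"score": s, "destinations": dests, "dwell_days": DWELL_DAYS[otype]}


def curate(feed_records):
    """feed_records: iterable of (feed_name, raw_record); returns {(type, value): curated entry}."""
    merged = {}
    for feed, raw in feed_records:
        n = normalize(feed, raw)
        if n is None:
            continue
        e = merged.setdefault((n["type"], n["value"]),
                              {"sources": {}, "techniques": set(), "last_seen": "1970-01-01"})
        e["sources"][feed] = max(e["sources"].get(feed, 0), n["confidence"])
        e["techniques"] |= n["techniques"]
        e["last_seen"] = max(e["last_seen"], n["last_seen"])   # ISO dates sort lexically
    return {k: {**e, **route(score(e), k[0])} for k, e in merged.items()}


# Constructed sample records from three feeds; the first two describe the same address.
SAMPLE_FEED_RECORDS = [
    ("cisa-ais", {"pattern": "[ipv4-addr:value = '203.0.113.10']", "confidence": 85,
                  "techniques": ["T1071.001"], "modified": "2025-01-10T08:00:00.000Z"}),
    ("commercial-a", {"kind": "ip", "ioc": "203.0.113.10", "risk": 70, "last_seen": "2025-01-12"}),
    ("commercial-a", {"kind": "domain", "ioc": "c2.example.net", "risk": 65, "last_seen": "2024-10-01"}),
    ("osint-x", {"kind": "domain", "value": "c2.example.net", "date": "2025-01-05"}),
    ("cisa-ais", {"pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
                  "confidence": 90, "techniques": ["T1190"], "modified": "2025-01-14T12:00:00.000Z"}),
]

if __name__ == "__main__":
    for (otype, value), entry in curate(SAMPLE_FEED_RECORDS).items():
        print(f"{otype:22} {value[:40]:40} score={entry['score']:3} "
              f"dwell={entry['dwell_days']:3}d -> {entry['destinations'] or 'hold in TIP'}")
```

The point of the scoring shape is that corroboration and relevance are rewarded explicitly: the address seen by both CISA AIS and the commercial feed, tagged with a priority technique, reaches every enforcement point, while the domain reported only by a mid-confidence vendor and an uncorroborated OSINT list gets a watchlist entry and nothing more. Compound STIX patterns (AND/OR, multiple comparisons) need a real pattern parser rather than the single-comparison regex used here.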

STIX 2.1 and TAXII 2.1 as the wire format

Structured Threat Information eXpression version 2.1 is the OASIS standard data model for cyber threat intelligence. STIX 2.1 defines 18 STIX Domain Objects (indicator, malware, threat-actor, intrusion-set, campaign, attack-pattern, course-of-action, identity, infrastructure, location, malware-analysis, note, observed-data, opinion, report, tool, vulnerability, grouping) and STIX Cyber-observable Objects for the technical artifacts (file, ipv4-addr, domain-name, url, x509-certificate, process, network-traffic, and so on). TAXII 2.1 is the transport — REST over HTTPS with API roots, collections, manifests, and objects endpoints.

We deploy TAXII 2.1 servers (the OASIS reference implementation, EclecticIQ, Anomali, or open source Medallion) and clients across the federal stack. We author STIX 2.1 producers for agency-generated intel — for example, when an agency SOC identifies a new malicious infrastructure cluster from internal incident response, that finding becomes a STIX bundle pushed to the agency-internal collection and, where authorized, to the CISA AIS bidirectional flow.
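
The producer side of the previous two paragraphs, as an added example rather than the page's or any TAXII vendor's code: a SOC finding (a named infrastructure cluster and its addresses) becomes identity, infrastructure, indicator and relationship objects in a STIX 2.1 bundle; a small checker verifies required properties, id form and reference integrity; and a last function prepares the TAXII 2.1 Add Objects request without making a network call. The API root, collection id, organization name and 203.0.113.0/24 addresses are placeholders.

```python
"""Build a STIX 2.1 bundle from an internal SOC finding and prepare the
TAXII 2.1 request that would publish it to a collection.

Added example; not the page's or any vendor's code.  Object ids, the
collection id, API root, producer name and the 203.0.113.0/24 addresses are
constructed placeholders (203.0.113.0/24 is the RFC 5737 documentation range).
"""
import json
import re
import uuid
from datetime import datetime, timezone

ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
# Per-type required properties beyond the common ones, per the STIX 2.1 spec.
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "infrastructure": ("name",),
    "identity": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
TAXII_MEDIA = "application/taxii+json;version=2.1"


def stix_timestamp(dt=None):
    """created/modified must be millisecond precision with a 'Z' suffix in STIX 2.1."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def sdo(obj_type, **props):
    """Skeleton of any STIX 2.1 domain/relationship object with the common properties filled."""
    ts = stix_timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def finding_to_bundle(producer_name, cluster_name, c2_ips, confidence=80):
    """Turn a SOC finding (a named C2 cluster and its addresses) into
    identity + infrastructure + one indicator and 'indicates' relationship per address."""
    producer = sdo("identity", name=producer_name, identity_class="organization")
    infra = sdo("infrastructure", name=cluster_name,
                infrastructure_types=["command-and-control"], created_by_ref=producer["id"])
    objects = [producer, infra]
    for ip in c2_ips:
        ind = sdo("indicator", pattern=f"[ipv4-addr:value = '{ip}']", pattern_type="stix",
                  valid_from=infra["created"], indicator_types=["malicious-activity"],
                  confidence=confidence, created_by_ref=producer["id"])
        rel = sdo("relationship", relationship_type="indicates",
                  source_ref=ind["id"], target_ref=infra["id"], created_by_ref=producer["id"])
        objects += [ind, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Return a list of problems: missing required properties, malformed ids whose
    prefix disagrees with the type, and relationships whose refs leave the bundle."""
    problems = []
    ids = {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        for p in COMMON_REQUIRED + TYPE_REQUIRED.get(o.get("type"), ()):
            if p not in o:
                problems.append(f"{o.get('id')}: missing {p}")
        m = ID_RE.match(o.get("id", ""))
        if not m or m.group(1) != o.get("type"):
            problems.append(f"{o.get('id')}: malformed id")
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{o.get('id')}: dangling {ref}")
    return problems


def taxii_add_objects_request(api_root, collection_id, bundle):
    """TAXII 2.1 'Add Objects' is a POST of an envelope ({"objects": [...]}), not a bundle,
    to {api-root}/collections/{id}/objects/ using the TAXII media type on both headers."""
    return {
        "method": "POST",
        "url": f"{api_root.rstrip('/')}/collections/{collection_id}/objects/",
        "headers": {"Accept": TAXII_MEDIA, "Content-Type": TAXII_MEDIA},
        "body": json.dumps({"objects": bundle["objects"]}),
    }


if __name__ == "__main__":
    b = finding_to_bundle("Example Agency SOC", "constructed-cluster-01",
                          ["203.0.113.10", "203.0.113.22"])
    print("validation problems:", validate_bundle(b))
    req = taxii_add_objects_request("https://taxii.example.gov/api1",
                                    "00000000-0000-4000-8000-000000000001", b)
    print(req["method"], req["url"], len(json.loads(req["body"])["objects"]), "objects")
```

Two details that trip up first-time producers are visible here: the bundle is a file-exchange container and is not what goes on the wire (TAXII 2.1 wraps objects in an envelope), and reference integrity is the producer's job, since a consumer that receives an `indicates` relationship pointing at an infrastructure object it never got has nothing to attach the indicator to.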

MITRE ATT&CK and CAPEC as the analytic taxonomy

Every piece of intelligence we curate is mapped to MITRE ATT&CK techniques and sub-techniques and, where the abstraction is right, to MITRE CAPEC attack patterns. ATT&CK is the behavioral taxonomy; CAPEC catalogs the attack patterns at a higher abstraction (CAPEC-66 SQL Injection covers many ATT&CK initial access flavors). CAPEC also bridges to MITRE CWE for the underlying weakness. The combined ATT&CK+CAPEC+CWE graph lets us trace an actor TTP all the way to the engineering control that mitigates the underlying weakness.

Federal feed sources we integrate

  • CISA Automated Indicator Sharing. STIX 2.1 over TAXII 2.1 from the CISA AIS server. Bidirectional sharing where the agency can publish indicators back to the federal community under the protections of the Cybersecurity Information Sharing Act of 2015 (CISA 2015).
  • CISA Joint Cybersecurity Advisories and AA-series. Named-actor advisories with TTPs, indicators, and recommended mitigations. We ingest the structured indicators and convert the narrative TTPs into ATT&CK technique tags and detection content backlog.
  • ISACs and ISAOs. MS-ISAC for SLTT-adjacent agencies, H-ISAC for HHS components, FS-ISAC for Treasury and financial regulators, E-ISAC for electricity, Aviation ISAC, Defense Industrial Base ISAC, and others by sector.
  • FBI/IC3/Cyber Division. Where the agency has an FBI Cyber Action Team or InfraGard relationship, we wire those communications into the CTI pipeline with appropriate handling caveats.
  • DoD Cyber Crime Center (DC3). For DoD components and Defense Industrial Base partners, DC3 DCISE intel is an authoritative source.
  • Commercial: Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, Microsoft Defender Threat Intelligence, Palo Alto Unit 42, Sophos X-Ops.
  • Open source: MISP communities (CIRCL, OSINT, dedicated sector communities), Abuse.ch (URLhaus, MalwareBazaar, ThreatFox), AlienVault OTX, Spamhaus, Team Cymru.

Threat Intelligence Platforms we deploy

The TIP is the spine of the program. We deploy whichever the agency's environment and existing licenses support:

  • MISP. Open source, FedRAMP-deployable in agency-owned cloud, the standard for ISAC/ISAO sharing communities. We deploy MISP for agencies that want full data sovereignty and zero vendor lock-in.
  • OpenCTI. Open source with a strong knowledge graph backbone. Excellent for analyst-driven workflows and connector ecosystem.
  • Recorded Future. SaaS commercial. Strong external surface intel and Insikt Group analyst content. FedRAMP authorized.
  • Mandiant Advantage. SaaS commercial. Deep IC-adjacent attribution context.
  • ThreatConnect. Hybrid deployment. Strong workflow and case management for analyst teams.
  • Anomali ThreatStream. Hybrid deployment. Strong feed normalization layer.

Threat hunting

Hunting is hypothesis-driven, ATT&CK-aligned, and ends in either a new detection, a closed hypothesis with evidence, or an incident. We build the agency hunt program around three input sources: current CISA AA advisories on active actors (Volt Typhoon, Salt Typhoon, APT28, APT29/Cozy Bear, Lazarus, ransomware-affiliated crews), the agency's specific threat profile (mission, sector, prior incident history), and the ATT&CK techniques with the lowest detection coverage from the SOC heatmap.

Each hunt is documented in a structured hunt playbook: hypothesis, ATT&CK technique(s), data sources required, query (KQL, SPL, or generic), expected false positive sources, and disposition. Hunts that close as positive feed into the case management system with chain-of-custody preserved. Hunts that close as negative produce evidence packages stored against the technique so we can show coverage even where nothing was found. See our Security Operations capability for SOC integration.
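
A playbook in that shape, executed over constructed process-creation events, as an added example rather than the page's playbook template: the hunt tests a T1059.001 hypothesis, applies the expected-false-positive exclusion, and seals an evidence package either way, so a negative result is still auditable against the technique. The hostnames, users, command lines, the KQL text and the allowlisted management parent are constructed.

```python
"""A structured hunt playbook run over constructed process-creation events,
closing as positive or negative and sealing an evidence package either way.

Added example, not the page's playbook format or any agency's hunt content.
The hosts, users, command lines, the KQL text and the allowlisted management
parent are constructed; T1059.001 is the real ATT&CK id for PowerShell.
"""
import json
import re
from dataclasses import dataclass, asdict
from hashlib import sha256


@dataclass(frozen=True)
class HuntPlaybook:
    name: str
    hypothesis: str
    techniques: tuple           # ATT&CK technique ids the hunt covers
    data_sources: tuple         # what telemetry the query needs
    query: str                  # native query as run in the SIEM/EDR, kept for the record
    expected_fp_sources: tuple  # known benign producers of the same pattern
    parent_allowlist: tuple     # parents excluded because they explain the FP sources


PLAYBOOK = HuntPlaybook(
    name="hunt-encoded-powershell-from-office",
    hypothesis="Document-borne initial access spawns PowerShell with an encoded command.",
    techniques=("T1059.001",),
    data_sources=("process creation (Sysmon EID 1 / DeviceProcessEvents)",),
    query='DeviceProcessEvents | where FileName =~ "powershell.exe" '
          '| where ProcessCommandLine has_any ("-enc", "-EncodedCommand")',
    expected_fp_sources=("endpoint management agents that push encoded scripts",),
    parent_allowlist=("ccmexec.exe",),       # constructed exclusion for the FP source above
)

# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations of the same switch.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")


def matches(playbook, ev):
    """Python equivalent of the playbook query, with the allowlist applied."""
    if ev["image"].lower() != "powershell.exe":
        return False
    if not ENCODED_FLAG.search(ev["command_line"]):
        return False
    return ev["parent_image"].lower() not in playbook.parent_allowlist


def run_hunt(playbook, events):
    """Evaluate the hypothesis; return a sealed evidence package with a disposition."""
    hits = [ev for ev in events if matches(playbook, ev)]
    stamps = sorted(ev["ts"] for ev in events)
    package = {
        "playbook": asdict(playbook),
        "events_reviewed": len(events),
        "time_range": [stamps[0], stamps[-1]] if stamps else None,
        "hits": hits,
        "disposition": "positive" if hits else "negative",
    }
    # Hash over canonical JSON so the stored package can be checked for tampering later.
    package["evidence_sha256"] = sha256(json.dumps(package, sort_keys=True).encode()).hexdigest()
    return package


def verify_package(package):
    """Recompute the seal over everything except the seal itself."""
    body = {k: v for k, v in package.items() if k != "evidence_sha256"}
    return sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == package.get("evidence_sha256")


# Constructed events; the base64 payloads are replaced by the placeholder AAAA.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:01:10Z", "host": "ws-01", "user": "jdoe", "image": "winword.exe",
     "parent_image": "explorer.exe", "command_line": "winword.exe /n invoice.docm"},
    {"ts": "2025-01-14T09:01:12Z", "host": "ws-01", "user": "jdoe", "image": "powershell.exe",
     "parent_image": "winword.exe", "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": "2025-01-14T09:30:00Z", "host": "srv-02", "user": "SYSTEM", "image": "powershell.exe",
     "parent_image": "ccmexec.exe", "command_line": "powershell.exe -EncodedCommand AAAA"},
    {"ts": "2025-01-14T10:15:43Z", "host": "ws-03", "user": "asmith", "image": "powershell.exe",
     "parent_image": "explorer.exe", "command_line": "powershell.exe -ExecutionPolicy Bypass -File inv.ps1"},
]

if __name__ == "__main__":
    result = run_hunt(PLAYBOOK, SAMPLE_EVENTS)
    print(result["disposition"], "hits:", [h["host"] for h in result["hits"]])
```

The evidence package records the playbook, the event count and time range actually reviewed, and the hits, then seals them with a hash; a negative close is therefore a statement about a defined scope of data, not a bare "nothing found", and a later reviewer can confirm the package has not been edited.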

Attribution: technical evidence in support of the IC

Attribution at the federal level — saying with public confidence that a specific intrusion was conducted by a specific nation-state actor — is properly the role of the FBI Cyber Division, NSA, the broader Intelligence Community, and the joint advisory process. Our role on the contractor side is to deliver the technical evidence base that supports attribution: high-fidelity indicators, malware reverse engineering reports, infrastructure pivot analysis through passive DNS and certificate transparency, behavioral signatures, victim cohort analysis, and timeline reconstruction. Attribution calls remain with cleared analysts and the IC.
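
One piece of that evidence base, infrastructure pivot analysis, as an added example over constructed passive DNS and certificate-transparency records (not the page's tooling): a breadth-first expansion from a seed domain through shared IP addresses and shared certificates, which refuses to pivot through high-fanout nodes such as shared hosting or a wildcard certificate, since those pull unrelated domains into a cluster and are the usual source of wrong attribution. All domains are RFC 2606 examples, the addresses are RFC 5737 documentation values and the certificate fingerprints are placeholders.

```python
"""Infrastructure pivot over constructed passive DNS and certificate-transparency
records: expand from a seed indicator through shared IPs and shared certificates,
while refusing to pivot through high-fanout (shared-hosting/CDN) nodes.

Added example, not the page's tooling.  Domains are RFC 2606 examples, IPs are
RFC 5737 documentation addresses, and the certificate fingerprints are
placeholders; the records do not describe any real infrastructure.
"""
from collections import defaultdict, deque

# Constructed passive DNS resolutions: (domain, ip)
PDNS = [
    ("c2.example.net", "203.0.113.10"),
    ("update.example.org", "203.0.113.10"),
    ("login.example.org", "203.0.113.22"),
    ("c2.example.net", "198.51.100.5"),          # also sat behind a shared host at some point
] + [(f"site{i}.example.com", "198.51.100.5") for i in range(8)]

# Constructed CT-log observations: (certificate fingerprint placeholder, SAN list)
CT = [
    ("cert-fp-placeholder-1", ["update.example.org", "login.example.org"]),
    ("cert-fp-placeholder-2", [f"site{i}.example.com" for i in range(8)]),
]

MAX_FANOUT = 5   # pivot nodes touching more than this many domains are treated as shared infra


def build_graph(pdns, ct):
    """Undirected graph with typed nodes: ('domain', x), ('ip', x), ('cert', x)."""
    adj = defaultdict(set)
    for domain, ip in pdns:
        adj[("domain", domain)].add(("ip", ip))
        adj[("ip", ip)].add(("domain", domain))
    for fp, sans in ct:
        for san in sans:
            adj[("cert", fp)].add(("domain", san))
            adj[("domain", san)].add(("cert", fp))
    return adj


def pivot(adj, seed_domain, max_hops=6, max_fanout=MAX_FANOUT):
    """BFS from the seed; returns cluster members by type, the pivot path that reached
    each node (the analyst's audit trail), and the nodes skipped as too noisy."""
    start = ("domain", seed_domain)
    paths = {start: [start]}
    skipped = {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue
        for nxt in sorted(adj[node]):
            if nxt in paths or nxt in skipped:
                continue
            if nxt[0] != "domain" and len(adj[nxt]) > max_fanout:
                skipped[nxt] = len(adj[nxt])     # shared hosting / CDN / wildcard cert: do not pivot
                continue
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)
    members = defaultdict(set)
    for kind, value in paths:
        members[kind].add(value)
    return {"members": dict(members), "paths": paths, "skipped": skipped}


if __name__ == "__main__":
    result = pivot(build_graph(PDNS, CT), "c2.example.net")
    for kind, values in sorted(result["members"].items()):
        print(f"{kind:7}", sorted(values))
    for node, degree in result["skipped"].items():
        print("skipped", node, "fan-out", degree)
```

Run as-is, the seed reaches `update.example.org` through the shared 203.0.113.10 address and `login.example.org` through the certificate the two domains share, while the 198.51.100.5 address with nine resolutions is reported as skipped rather than silently absorbed; raising `max_fanout` shows the eight unrelated `site*.example.com` hosts flooding in, which is exactly what an IC-facing evidence package must not contain without a stated reason.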

How we build

  1. Threat profile. Define the agency's threat actors of concern based on mission, sector, prior incidents, and publicly attributed campaigns against peer agencies.
  2. Feed inventory and onboarding. CISA AIS first, then ISAC/ISAO, then commercial, then open source. Each feed scored for relevance.
  3. TIP deployment. Stand up MISP, OpenCTI, or commercial TIP. Wire feeds in. Define scoring rules, dedup, enrichment connectors.
  4. Downstream integration. SIEM watchlists, EDR custom IOCs, firewall block lists, email gateway policies. Each with dwell time and review cadence.
  5. Hunt program. Quarterly hunt cadence, ATT&CK-aligned, documented, evidence-preserving.
  6. Finished intelligence products. Weekly tactical brief, monthly actor focus, quarterly strategic intel for the agency CISO.

Federal context and past performance

Bo Peng holds a Kaggle Top 200 global ranking and seven cloud certifications. Precision Delivery Federal delivered production data engineering on SAMHSA platforms and is SAM.gov registered (UEI Y2JVCZXT9HP5, CAGE 1AYQ0). We pursue SBIR CTI topics across CDAO, DISA, FBI, and civilian agencies. See our FBI playbook, CISA playbook, DoD playbook, and agentic AI for federal compliance.

Tooling we work with

  • TIPs: MISP, OpenCTI, Recorded Future, Mandiant Advantage, ThreatConnect, Anomali ThreatStream, EclecticIQ.
  • TAXII servers: OASIS Medallion, EclecticIQ, Anomali, custom Python TAXII 2.1 implementations.
  • Enrichment: VirusTotal Enterprise, PassiveTotal/RiskIQ, DomainTools Iris, Censys, Shodan, GreyNoise, Joe Sandbox, ANY.RUN, Hybrid Analysis.
  • Malware analysis: Ghidra (NSA), IDA Pro, Binary Ninja, REMnux, Cuckoo, CAPE Sandbox.
  • Hunting: Splunk SPL, Microsoft Defender XDR Advanced Hunting (KQL), CrowdStrike Falcon LogScale, Elastic ES|QL, Velociraptor.

Federal CTI, answered.

What feeds do federal agencies have access to?

CISA AIS as STIX over TAXII, sector ISAC/ISAOs, CISA AA advisories, FBI/IC3, DC3 DCISE for DoD, and commercial (Recorded Future, Mandiant, CrowdStrike, Microsoft).

STIX, TAXII, CAPEC — what's the difference?

STIX is the data model. TAXII is the transport (REST over HTTPS). CAPEC is the attack-pattern taxonomy linking ATT&CK and CWE.

How do you operationalize CTI beyond a feed dump?

A TIP curates, scores, deduplicates, and enriches. Only high-confidence indicators with context flow to SIEM watchlists, EDR IOCs, and firewall blocks.

What does federal threat hunting look like?

Hypothesis-driven, ATT&CK-aligned, evidence-preserving. Built around current CISA advisories, agency threat profile, and ATT&CK coverage gaps.

Do you do attribution?

Public attribution belongs to FBI/NSA/IC. We deliver the technical evidence base — indicators, malware artifacts, infrastructure pivots, timelines — that supports IC attribution.


From indicator to finished intelligence.

CISA AIS. ISAC. STIX 2.1 over TAXII 2.1. ATT&CK + CAPEC. Curated. Scored. Actioned.

UEI Y2JVCZXT9HP5. CAGE 1AYQ0. NAICS 541512. SAM.gov active.