ThreatBook CTI

What is ThreatBook CTI?

ThreatBook CTI is a Cyber Threat Intelligence platform built for security professionals — analysts, threat hunters, and SOC teams who need to decide, fast, whether an indicator is dangerous. It pairs high-fidelity threat data with AI to close the information gap between "here's an IP/domain/file" and "here's what it is, what it has done, and what to do about it." There is a free research portal at i.threatbook.io/research for ad-hoc lookups, and a full API/enterprise tier for teams that want to wire intelligence into their stack.

The pitch in plain terms: stop pivoting across ten tabs to investigate one alert. Paste the indicator, get an authoritative verdict with the evidence behind it.

What it actually does

ThreatBook frames the platform around three jobs:

1. Threat identification. Analyse an IP address or domain to assess its threat level, pull its historical attack behaviour, and see how the verdict has changed over time. An indicator that was clean last quarter and malicious today is exactly the kind of context a static blocklist can't give you.

2. Noise reduction. Distinguish legitimate activity from genuinely malicious behaviour. The platform uses network-infrastructure and ownership data to filter benign sources and cut the false positives that drown SOC queues — the single biggest time-sink in alert triage.

3. Centralised intelligence aggregation. One place for the data you'd otherwise gather from a dozen sources.

What you get on a single indicator

AI-powered analysis + CTI Chat

ThreatBook bakes analyst expertise into its models to extract deeper insight than a raw feed, and ships "ThreatBook CTI Chat" — an intelligent co-pilot for security operations. Instead of learning a query syntax, an analyst can ask in natural language ("is this IP associated with any known APT infrastructure?") and get a contextual answer grounded in the underlying intelligence.

Where the data comes from

This is the part that separates real CTI from an aggregated open-source blocklist. ThreatBook's intelligence is built from:

• Continuous monitoring of global attack activity
• Malware capture at scale
• Proactive tracking of APT groups — not just "this IP is bad," but which actor it belongs to

Intelligence is refreshed at minute-level frequency, and rigorous quality control strips the noise that plagues free OSINT feeds. The result is the high-fidelity, low-false-positive verdict that makes the platform usable inside an automated pipeline, not just for manual lookups.

Free vs paid

• Free research portal — i.threatbook.io/research: limited queries, no spend, ideal for ad-hoc IP/domain/file checks during an investigation.
• Paid accounts — expanded query capacity, additional features, and API access for piping verdicts into SIEM/SOAR enrichment, EDR, or a homegrown triage workflow.

Why APAC SOCs should care

ThreatBook is an APAC-headquartered vendor (offices across Singapore, Hong Kong, China, and the UAE). For regulated enterprises in the region — financial services under MAS TRM in Singapore, HKMA cyber-resilience in Hong Kong, and PDPA frameworks across ASEAN — same-region intelligence collection means strong visibility into the threat actors and infrastructure that actually target APAC organisations, rather than a US/EU-centric feed that under-weights regional campaigns. The minute-level APT tracking is the standout for threat-hunting teams who need to attribute, not just block.

How to use it

The fastest way in is the free portal: open i.threatbook.io/research, paste an IP, domain, or file hash from an alert you're investigating, and read the verdict, the verdict history, and the associated infrastructure. If it earns a place in your workflow, the API tier lets you enrich every alert automatically.

Explore the free portal at i.threatbook.io/research or read the product docs at docs.threatbook.io.