One feed. Every report structured.

Signalis monitors curated CTI sources and extracts structured fields from every report. You read one ranked feed instead of many source sites.


The extraction pipeline

  01 Ingestion
     Curated CTI feeds, polled continuously.
  02 Deduplication
     URL-identity collapses re-runs and feed drift.
  03 Structured extraction
     Large language models read each article and emit typed fields.
  04 Ranked feed + detail
     Severity-ranked feed and per-report intel.

Large language models read each article in full and emit a fixed schema: classification, indicators, CVEs, techniques, attribution. The pipeline is versioned and run continuously.

for analysts

How to read Signalis intelligence

Not every field is the same kind of claim. There are three types.

model judgment

Analytical signal

Severity, attack type, threat-actor attribution, victim industry. These are the model's assessment, not ground truth.

Severity is a model assessment on a 5-level scale, not a CVSS score.

how to treat it · Prioritize with it. Verify before acting.

sourced fact

As stated in the source

CVE identifiers, CVSS scores when the article provides them, affected products, named malware. Transcribed from the report, not inferred.

how to treat it · Faithful to the article. Only as reliable as the source.

computed

Derived from extraction

Indicator / CVE / technique counts, the exploited-in-wild flag, IOC role (actionable vs. context), and MITRE techniques marked * when inferred from behaviour rather than explicitly stated.

how to treat it · Deterministic from the fields above.

Every item is traceable. Each extracted field carries a confidence score, and every report links to its source article.

read this first

On severity

Severity is the feed's primary axis and the easiest field to misread. It is a model assessment on a five-level scale (info → low → medium → high → critical), not a CVSS metric. About three-quarters of reports land in high, so the reliable cut is critical vs. the rest. Triage on attack type and feed ranking, not the severity label alone.

what we don't know

Limitations

Where the data falls short.

  • Coverage is source-dependent
    Signalis covers what its sources publish. It is not an exhaustive view of all threat activity.
  • Some fields are deliberately sparse
    Victim, industry, and incident date are extracted only when an article states them clearly. A null beats a guess, so expect these on a minority of reports.
  • Extraction is probabilistic
    A large language model reading once is not deterministic. Near-boundary calls can vary between similar reports. Every item carries a confidence score and a source link.
  • CVSS is often absent
    Most articles cite a CVE without its CVSS score. Signalis shows the score when the source provides it and leaves it blank otherwise. It never fabricates one.