One feed. Every report structured.
Signalis monitors curated CTI sources and extracts structured fields from every report. You read one ranked feed instead of many source sites.
The extraction pipeline
Large language models read each article in full and emit a fixed schema: classification, indicators, CVEs, techniques, attribution. The pipeline is versioned and run continuously.
How to read Signalis intelligence
Not every field is the same kind of claim. There are three types.
Analytical signal
Severity, attack type, threat-actor attribution, victim industry. These are the model's assessment, not ground truth.
Severity is a model assessment on a 5-level scale, not a CVSS score.
As stated in the source
CVE identifiers, CVSS scores when the article provides them, affected products, named malware. Transcribed from the report, not inferred.
Derived from extraction
Indicator / CVE / technique counts, the exploited-in-wild flag, IOC role (actionable vs. context), and MITRE techniques marked * when inferred from behaviour rather than explicitly stated.
Every item is traceable. Each extracted field carries a confidence score, and every report links to its source article.
On severity
Severity is the feed's primary axis and the easiest field to misread. It is a model assessment on a five-level scale (info → low → medium → high → critical), not a CVSS metric. About three-quarters of reports land in high, so the reliable cut is critical vs. the rest. Triage on attack type and feed ranking, not the severity label alone.
Limitations
Where the data falls short.
- Coverage is source-dependentSignalis covers what its sources publish. It is not an exhaustive view of all threat activity.
- Some fields are deliberately sparseVictim, industry, and incident date are extracted only when an article states them clearly. A null beats a guess, so expect these on a minority of reports.
- Extraction is probabilisticA large language model reading once is not deterministic. Near-boundary calls can vary between similar reports. Every item carries a confidence score and a source link.
- CVSS is often absentMost articles cite a CVE without its CVSS score. Signalis shows the score when the source provides it and leaves it blank otherwise. It never fabricates one.