Every Entity Known. Every Relationship Mapped. Nothing Isolated.

Threat intelligence is most powerful when it is connected. A threat actor in isolation tells you who to watch. A threat actor connected to their TTPs, their malware, their campaigns, their infrastructure, and their nation-state affiliation tells you what to detect, what to hunt, where to look, and what the blast radius looks like if they succeed. CIPHER's entity registry is the connective tissue of the SCOUT intelligence layer — every known entity documented, every relationship mapped, and every connection visible across the full knowledge graph.

The entity registry stores every intelligence entity across eight types — Threat Actor, Malware, TTP, Vulnerability, Nation-State, Tool, Campaign, and Infrastructure. Every entity carries a structured record — canonical name, aliases, MITRE ID where applicable, confidence level, country of origin, activity level, source report, and tags. Relationships between entities are stored as typed edges — uses, deploys, attributed-to, targets, exploits, communicates-with — creating a queryable knowledge graph that surfaces the full context of any entity with a single click. The entity graph visualizes every relationship as an interactive network — nodes representing entities, edges representing relationships, and the full intelligence picture visible at a glance for any actor, campaign, or technique in the registry.

Every Intelligence Article Read. Every Relevant Entity Tagged. Nothing Missed.

Body: Threat intelligence arrives constantly — vendor blogs, government advisories, ISAC feeds, research publications, and news sources producing a continuous stream of articles that collectively paint a picture of the current threat landscape. The challenge isn't access to that intelligence — it's processing it consistently enough to extract the signal from the noise. CIPHER automates that processing — aggregating feeds, scanning every article against the entity registry, and surfacing the intelligence that matters to your environment without requiring an analyst to read everything.

How It Works: CIPHER aggregates RSS feeds from configured intelligence sources — vendor blogs, government advisories, ISAC feeds, research publications, and news sources. Every article is scanned against the entity registry the moment it arrives — matching article content against every entity name, alias, and known indicator in the registry. Articles that mention registered entities are automatically tagged with the relevant entity names, surfaced in the entity's intelligence feed, and counted against the entity's article hit count — providing a real-time signal of increased coverage or attention for any actor, technique, or campaign in the registry. Unread article counts are tracked per feed so analysts can see at a glance where new intelligence has arrived. The FLARE Display Wall tag cloud visualizes the most prominent terms across recent articles — with entity registry matches highlighted by type.

Intelligence Collection With Purpose. Requirements That Drive Action.

Priority Intelligence Requirements define what the SOC needs to know — the specific intelligence questions that, if answered, would materially improve the organization's defensive posture. Most SOCs write PIRs and then struggle to collect against them systematically. CIPHER gives PIRs a structured home — tracked, assigned, reviewed on a defined cadence, and connected to the intelligence collection activity that answers them.

PIRs in CIPHER are structured intelligence requirements — each carrying a statement of the intelligence question, a category, a priority tier, an owner, a review cadence, and a status. Findings — individual intelligence observations that contribute to answering the PIR — attach directly to the PIR record as they are discovered. Each finding carries a source, a confidence level, a relevance assessment, and the analyst who documented it. PIR health is tracked against the review cadence — PIRs that haven't been reviewed within their defined window surface as overdue. The PIR status brief report surfaces the collection health of every active PIR — findings since last review, overdue flags, and owner accountability — giving the CTI lead a real-time picture of collection program health.

From Actor Name to Structured Intelligence Report — In Minutes.

Threat actor profiling is time-consuming work when done manually — cross-referencing multiple intelligence sources, synthesizing conflicting attributions, documenting TTPs, and structuring the output in a format the rest of the team can use. CIPHER automates that work — generating a comprehensive, structured threat actor profile from four authoritative intelligence sources in the time it takes to type a name. The report is the starting point, not the destination — every generated report populates the entity registry, feeds the hunt pipeline, and informs the threat model automatically.

CIPHER generates threat actor profiles on demand — the analyst enters the actor name, selects the report parameters, and CIPHER queries MITRE ATT&CK, CrowdStrike, Microsoft Threat Intelligence, and GTIG to synthesize a comprehensive profile. The generated report covers actor attribution, nation-state affiliation, target sectors, motivation, capability assessment, known TTPs with MITRE mapping, malware families deployed, campaigns conducted, infrastructure indicators, and recent activity. The report saves to the CIPHER report library and simultaneously populates the entity registry — creating entity records and relationship edges for every TTP, malware family, alias, and nation-state attribution in the profile. The full report exports as a formatted HTML document suitable for sharing, filing, and regulatory documentation.

The Weekly Intelligence Picture — Without the Weekly Intelligence Effort.

CTI reporting consumes significant analyst time — aggregating what was learned, summarizing what changed, and producing a document that gives leadership and the broader team a current picture of the threat landscape. CIPHER automates that production — a structured CTI digest that synthesizes recent CIPHER reports, new entity registry additions, RSS intelligence highlights, and PIR collection progress into a formatted briefing ready for distribution without manual compilation.

The CTI Digest generates automatically from the CIPHER data collected during a defined reporting period — typically weekly. It covers new threat actor profiles generated, entity registry additions and relationship updates, RSS intelligence highlights with entity hits, PIR collection progress and new findings, and threat landscape observations derived from article volume and entity hit trends. The digest formats as a structured HTML report suitable for email distribution, filing, and executive briefing. It exports on demand or on a scheduled basis — giving the CTI lead a production-ready intelligence briefing without the manual compilation work that typically makes consistent CTI reporting difficult to sustain.

Intelligence That Feeds Every Pillar. Context That Improves Every Workflow.

Threat intelligence is only as valuable as the operational workflows it informs. CIPHER is not a standalone intelligence platform — it is the intelligence layer that every other SCOUT pillar draws from, contributes to, and is made more effective by. Every profile generated, every entity registered, and every relationship mapped in CIPHER immediately enriches the detection, hunting, response, and modeling capabilities of the full platform.

CIPHER integrates directly with every pillar in the SCOUT platform through a shared intelligence layer. PROWL draws actor TTPs from CIPHER to generate targeted hunt hypotheses — surfacing relevant intelligence at the moment a hunter opens a new hypothesis. BLADE draws coverage gap intelligence from CIPHER — flagging actor TTPs that lack detection coverage and generating detection engineering requests automatically. SHIELD draws actor context from CIPHER during incident response — surfacing relevant actor profiles, known TTPs, and infrastructure indicators when a confirmed threat actor is identified in an active incident. TIME draws actor targeting and capability data from CIPHER to inform the threat model — understanding which actors are most relevant to the organization's specific environment and sector. FLARE draws entity hit data from CIPHER to enrich alert context — surfacing relevant actor and campaign intelligence alongside the alert that may be attributable to them.