19 March 2024 - Ian Wharton, Technical Architect at Principle Networks

Why you Need a Threat Feed, and Why it Shouldn’t be Called a Threat Feed

What is a threat feed?

In its simplest form, it’s a service which provides a business with intelligence on cyber threats. A threat feed is fundamentally different from the vast majority of cyber protection systems which we generally talk or think about when we mention security.

Firewalls, AV, EDR, MDR, etc.: generally, cyber protection is about stopping a threat, preventing a threat. It relies on being one step ahead of threat actors. It relies on not leaving a gap. It relies on not making a mistake, not leaving a hole, being right all the time, every time, 24/7… good luck with that.

A threat feed is different. On its own, it does nothing to stop a threat. A threat feed will give us information on the level of threat which is present. We all get threat feeds to some extent, even if only via the press or vendors or security advisories. We look at all that information and we may decide to act on that information or not. However, the value of that superficial information alone is (in my opinion) minimal.


I like a good analogy and hopefully I can provide one here for the value of a threat feed.

To take the conversation away from cyber for a moment, we have all seen the news media make a big deal about some perceived threat: terrorism, crime, climate change, etc. Terrorism is a great example to focus on. Following the London bombings in 2005, a national ‘threat feed’ was updated and published. The threat level was in the press for a while. As a matter of interest, the current threat level for the UK as published by MI5 is ‘SUBSTANTIAL - an attack is likely’. I don’t know about you, but the thought that an attack is likely makes me think that I should do something, change my behaviour in some way. Maybe be more alert and generally aware.

But I’m not. The only reason that I know about the threat level is because I checked it for this blog. I won’t be changing my behaviour and I’ll have forgotten all about it as soon as something more interesting comes up. The problem with this threat feed is that it’s very generic and it doesn’t give any indication of my risk level.


The words risk and threat are often confused, but let me give you an example to illustrate the difference.

If there is someone in the street with an axe, waving it about and screaming incoherently, they are obviously a threat. However, if they are on the other side of a six-foot wall, the risk is significantly different from what it would be if we were in the same room with them. Context is important!

Risk is personal; risks affect me and my business. A high level of risk will definitely make me change my behaviour. So how do I evaluate the level of risk? I would want to know if the mad axeman is in the room before I go in.

Bringing it back to cyber, a good threat feed will tell you exactly what level of risk your business is at. It will be focused on your business, your workforce, your senior leadership team, your credentials. It will tell you whether that threat is focused on you.

Hopefully a threat feed will never bring up any information for you, but if it does and you aren’t aware of it, then you are just hoping that the axeman isn’t waiting for you in that room.