Threat Feed
The Threat Feed is a single, chronological stream of curated threat intelligence harvested from dark-web sources: ransomware leak sites, breach forums, initial-access broker listings, and combo-list dumps. Each item is parsed into a structured record — category, threat actor, victim country, industry, and named organization — so you can triage hundreds of new posts a day and surface the ones that touch your attack surface.
Overview

The page is a status-tabbed table. The default landing tab shows the full feed (newest first); the metrics strip across the top gives at-a-glance volume and recency numbers; an optional analytics panel breaks the feed down by category, actor, and victim geography. Every row is a single threat event you can bookmark, comment on, mark reviewed, archive, or open in a detail drawer.
This is intelligence about the threat landscape, not findings about your own assets. A ransomware post here means "this actor breached this victim and is leaking their data" — it becomes relevant to you when the victim, their country, or their industry matches your own profile. ShadowMap flags those matches automatically (see Relevance).
How it works
The mechanics below are not visible from the UI but determine what you see and how the page behaves.
Where the data comes from
Items are ingested from ShadowMap's dark-web collection pipeline (the DWI feed) into two backend tables that the page unions into one stream:
| Source | Backend table | What it contains |
|---|---|---|
| Ransomware leak sites | dwi_ransomware | Victim posts from ransomware-group leak/extortion sites. The actor is the group_name; category is always Ransomware. |
| General threat intel | dwi_threatfeed | Everything else — data breaches, data leaks, initial-access sales, combo lists, defacements, DDoS claims. Carries explicit category, victim_country, victim_industry, and named organization fields. |
Both tables are company-agnostic — every customer sees the same global feed. What is per-company is your triage state (reviewed/archived), your bookmarks, your comments, and the relevance highlighting. Because the two tables have independent auto-increment IDs that can collide, ShadowMap tracks each item's source table internally; this is why status and bookmark actions always travel with a source_table tag behind the scenes.
Categories and severity
The feed has no analyst-assigned severity. Severity is derived from the category at display time, using a fixed map:
| Category | Derived severity |
|---|---|
| Ransomware / Ransomware Incident | Critical |
| Data Breach / Data Leak | High |
| Initial Access | High |
| Combo List | Medium |
| Defacement | Medium |
| DDoS Attack | Medium |
| (anything unmapped) | Low |
So the Severity column and the Critical / High metric are functions of category, not a separate judgement. Filtering by severity is equivalent to filtering by the categories that map to it.
Relevance: matching to you (badge)
The crosshair badge in the Relevant column marks items that intersect your organization's profile. ShadowMap builds that profile per company from three sources and matches each feed item against it:
- Countries — from your News Alert settings (countrypreference). Matched against the item's victim country.
- Industries / sectors — from your News Alert settings (sectorpreference) plus your company's own configured sector. Matched against the item's victim industry.
- Organizations / domains — your domains from asset inventory and configured organization names. Matched against the item's named victim organization.
An item is flagged Relevant if it matches on any of these axes. Relevance is purely a highlight and quick-filter; it never hides anything. If your country/sector preferences are empty and you have no asset domains or configured organization names, nothing will be flagged.
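The matching described above, as an added worked example. This is not ShadowMap's code; it assumes feed items carry victim_country, victim_industry, organization and website fields, and it invents its own normalisation (lower-case, whitespace collapsed, website reduced to a host name, a host that equals or sits under an asset domain counts as a match). It also shows the two edge cases the text calls out: a sparse ransomware row matches nothing, and an empty profile flags nothing.

```python
# Added example (not ShadowMap's code): profile-based relevance matching.
# Assumed: field names victim_country / victim_industry / organization /
# website on a feed item, and the normalisation rules in _norm / _host_of.
from dataclasses import dataclass, field


def _norm(value):
    """Lower-case and collapse whitespace; None becomes ''. (assumed rule)"""
    return " ".join((value or "").lower().split())


def _host_of(url):
    """Reduce a victim website URL to its host name. (assumed rule)"""
    host = _norm(url).split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0]


@dataclass
class CompanyProfile:
    countries: set = field(default_factory=set)   # News Alert countrypreference
    sectors: set = field(default_factory=set)     # sectorpreference + company sector
    domains: set = field(default_factory=set)     # asset-inventory domains
    org_names: set = field(default_factory=set)   # configured organization names


def build_profile(countrypreference, sectorpreference, company_sector,
                  asset_domains, org_names):
    """Assemble the per-company profile from the three sources the page lists."""
    return CompanyProfile(
        countries={_norm(c) for c in countrypreference if c},
        sectors={_norm(s) for s in [*sectorpreference, company_sector] if s},
        domains={_norm(d).lstrip("*.") for d in asset_domains if d},
        org_names={_norm(o) for o in org_names if o},
    )


def relevance_axes(profile, item):
    """Return the axes ('country', 'industry', 'organization') the item matches on.

    An empty list means 'not relevant'. Relevance never hides an item; the
    caller only decides whether to show the badge or apply the quick-filter.
    """
    axes = []
    if _norm(item.get("victim_country")) in profile.countries:
        axes.append("country")
    if _norm(item.get("victim_industry")) in profile.sectors:
        axes.append("industry")
    org = _norm(item.get("organization"))
    host = _host_of(item.get("website"))
    org_hit = bool(org) and org in profile.org_names
    domain_hit = any((host and (host == d or host.endswith("." + d))) or org == d
                     for d in profile.domains)
    if org_hit or domain_hit:
        axes.append("organization")
    return axes


def flag_feed(profile, items):
    """Annotate every item with its matching axes; nothing is dropped."""
    return [dict(item, relevant_axes=relevance_axes(profile, item)) for item in items]


# Constructed sample rows: a general-intel breach, a sparse ransomware post,
# and an initial-access listing whose victim site sits under an asset domain.
SAMPLE_ITEMS = [
    {"category": "Data Breach", "title": "Klinik Nord patient records",
     "victim_country": "Germany", "victim_industry": "Healthcare",
     "organization": "Klinik Nord", "website": "https://klinik-nord.example"},
    {"category": "Ransomware", "title": "victim-b.example",
     "victim_country": None, "victim_industry": None,
     "organization": None, "website": None},
    {"category": "Initial Access", "title": "VPN access, retail company, BR",
     "victim_country": "Brazil", "victim_industry": "Retail",
     "organization": "Acme Corp", "website": "http://portal.acme.example/login"},
]


def example_profile():
    """A company that watches Germany, is itself in Retail, and owns acme.example."""
    return build_profile(countrypreference=["Germany"], sectorpreference=[],
                         company_sector="Retail", asset_domains=["acme.example"],
                         org_names=[])


if __name__ == "__main__":
    for row in flag_feed(example_profile(), SAMPLE_ITEMS):
        print(row["title"], "->", row["relevant_axes"] or "not relevant")
```

Run as a script it prints one line per sample row; the breach matches on country only, the ransomware row matches nothing because its structured fields are empty, and the initial-access listing matches on both industry and organization.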
Triage state (the status tabs)
Marking an item Reviewed or Archived writes a per-company record keyed on (feed_id, source_table, company_id). The status tabs then filter the global feed against that record:
- New — any item without a reviewed or archived record for your company. This is the default state of every freshly ingested item; you never have to mark something "new."
- Reviewed — items you explicitly marked reviewed.
- Archived — items you explicitly marked archived (used to clear noise).
Triage is yours alone; archiving an item does not remove it from any other customer's feed or from the global tables. The All tab shows everything regardless of state.
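The mechanics from the three subsections above (the union of the two backend tables with a source_table tag so colliding IDs stay distinct, the fixed category-to-severity map, and per-company triage keyed on (feed_id, source_table, company_id)) as one added worked example. This is not ShadowMap's code; the row field names beyond those the page names (group_name, category, victim_country, victim_industry, organization) and the sample rows are constructed for illustration.

```python
# Added example (not ShadowMap's code): unioning dwi_ransomware and
# dwi_threatfeed into one stream, deriving severity from category, and
# applying per-company triage state keyed on (feed_id, source_table, company_id).
# Row fields other than group_name, category, victim_country, victim_industry
# and organization are assumptions.

SEVERITY_BY_CATEGORY = {
    "ransomware": "Critical", "ransomware incident": "Critical",
    "data breach": "High", "data leak": "High", "initial access": "High",
    "combo list": "Medium", "defacement": "Medium", "ddos attack": "Medium",
}


def derive_severity(category):
    """Fixed category -> severity map; anything unmapped is Low."""
    return SEVERITY_BY_CATEGORY.get((category or "").strip().lower(), "Low")


def categories_for_severity(severity):
    """Inverse map, so a severity filter can be expressed as a category filter."""
    return {c for c, s in SEVERITY_BY_CATEGORY.items() if s == severity}


# Constructed sample tables. Both start their ids at 1, so id alone is ambiguous.
DWI_RANSOMWARE = [
    {"id": 1, "group_name": "GroupA", "title": "victim-a.example",
     "discovered_at": "2024-05-01T10:00:00Z"},
    {"id": 2, "group_name": "GroupB", "title": "Victim B GmbH",
     "discovered_at": "2024-05-02T08:30:00Z"},
]
DWI_THREATFEED = [
    {"id": 1, "actor": "seller01", "category": "Data Breach", "title": "Retailer DB, 2M rows",
     "victim_country": "Brazil", "victim_industry": "Retail", "organization": "Acme Corp",
     "discovered_at": "2024-05-02T09:15:00Z"},
    {"id": 2, "actor": "anon", "category": "Combo List", "title": "1.2M combo list",
     "victim_country": None, "victim_industry": None, "organization": None,
     "discovered_at": "2024-05-01T23:00:00Z"},
    {"id": 3, "actor": "anon", "category": "Phishing Kit", "title": "Bank phish kit",
     "victim_country": "Spain", "victim_industry": "Finance", "organization": None,
     "discovered_at": "2024-04-30T12:00:00Z"},  # unmapped category -> Low
]


def assemble_feed(ransomware_rows, threatfeed_rows):
    """Union the two tables into one newest-first stream, tagging each row with its source."""
    feed = []
    for r in ransomware_rows:
        feed.append({"feed_id": r["id"], "source_table": "dwi_ransomware",
                     "category": "Ransomware", "threat_actor": r["group_name"],
                     "title": r["title"], "victim_country": None,
                     "victim_industry": None, "organization": None,
                     "discovered_at": r["discovered_at"]})
    for r in threatfeed_rows:
        feed.append({"feed_id": r["id"], "source_table": "dwi_threatfeed",
                     "category": r["category"], "threat_actor": r["actor"],
                     "title": r["title"], "victim_country": r["victim_country"],
                     "victim_industry": r["victim_industry"],
                     "organization": r["organization"],
                     "discovered_at": r["discovered_at"]})
    for item in feed:
        item["severity"] = derive_severity(item["category"])
    # ISO-8601 UTC strings of equal layout sort correctly as plain strings
    feed.sort(key=lambda i: i["discovered_at"], reverse=True)
    return feed


def feed_key(item):
    """Identity of a feed item: the id alone collides across the two tables."""
    return (item["feed_id"], item["source_table"])


class TriageStore:
    """Per-company reviewed/archived records; absence of a record means New."""

    def __init__(self):
        self._status = {}  # (feed_id, source_table, company_id) -> "reviewed" | "archived"

    def set_status(self, company_id, item, status):
        key = feed_key(item) + (company_id,)
        if status == "new":
            self._status.pop(key, None)   # back to New means deleting the record
        elif status in ("reviewed", "archived"):
            self._status[key] = status
        else:
            raise ValueError(f"unknown status {status!r}")

    def status_of(self, company_id, item):
        return self._status.get(feed_key(item) + (company_id,), "new")


def filter_tab(feed, store, company_id, tab):
    """Apply a status tab to the global feed for one company; 'all' ignores state."""
    if tab == "all":
        return list(feed)
    return [i for i in feed if store.status_of(company_id, i) == tab]


def tab_counts(feed, store, company_id):
    """What the tab headers show for one company."""
    return {tab: len(filter_tab(feed, store, company_id, tab))
            for tab in ("all", "new", "reviewed", "archived")}


def critical_high_count(feed):
    """The Critical / High KPI card."""
    return sum(1 for i in feed if i["severity"] in ("Critical", "High"))
```

Archiving (1, dwi_ransomware) for one company leaves (1, dwi_threatfeed) untouched and leaves every other company's New tab as it was, which is exactly why the status and bookmark calls carry source_table alongside the id.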
Daily email digest
Separately from the in-app feed, ShadowMap can send a daily news-alert email of stories published in the last day, filtered by your company's News Alert country/sector preferences. This is a digest of newly published items, not a real-time per-item alert — configure the country/sector filters and recipients under News Alert settings.
Two tables, one ransomware module
Ransomware victim posts also drive the dedicated Ransomware intelligence page, which reads the same dwi_ransomware source but presents it actor-first (groups, victim counts, timelines). The Threat Feed is the chronological, all-categories view; the Ransomware page is the structured drill-down.
Understanding the data
Columns
The table is column-customizable (the Columns button toggles each on/off; your choice is remembered in the browser). Default-visible columns are marked below.
| Column | Default | Description |
|---|---|---|
| Date | Shown | When the item was discovered/published, as a relative time ("3h ago"); hover for the exact timestamp. The default sort. |
| Severity | Shown | Critical / High / Medium / Low, derived from category (see above). Sortable. |
| Category | Shown | The threat type (Ransomware, Data Breach, Initial Access, Combo List, …) with a color dot. Sortable. |
| Title | Shown | The post/headline as harvested from the source. |
| Threat Actor | Shown | The ransomware group or actor name behind the item. Sortable. |
| Country | Shown | Victim country, with flag. Populated for general intel; blank for most ransomware rows. |
| Industry | Hidden | Victim industry/sector. Filterable; off by default. |
| Organization | Hidden | The named victim organization. Filterable; off by default. |
| Relevant | Shown | Crosshair badge if the item matches your profile (see Relevance). |
| Source | Shown | Opens the original source link (the leak-site / forum post) in a new tab. |
| Comments | Always | Inline comment thread for the item; supports comment templates. |
Each row also has a checkbox (for bulk actions) and a bookmark star.
Status tabs
| Tab | Shows |
|---|---|
| All | The entire feed, any triage state. |
| New | Items you haven't reviewed or archived yet (the default working queue). |
| Reviewed | Items you marked reviewed. |
| Archived | Items you archived to clear noise. |
Tab counts come from the summary endpoint and reflect your company's triage state.
Metrics strip
Six KPI cards sit above the table. Most are clickable and apply the corresponding quick-filter to the list.
| Card | Meaning | Click action |
|---|---|---|
| Total | Total items in the current scope. | Clears filters. |
| New (24h) | Items discovered in the last 24 hours. | Filters to the last 24 hours. |
| Critical / High | Count of Critical + High severity items. | Filters to Critical/High severity. |
| Relevant to You | Items matching your profile. | Filters to relevant items. |
| New This Week | 7-day volume, with an up/down trend (red = more threats, green = fewer). | Display only. |
| Top Actor (7d) | The most active threat actor in the last 7 days. | Filters the list to that actor. |
TIP
The trend coloring is inverted from typical dashboards on purpose: red means threat volume went up (bad), green means it went down (good).
Analytics panel
Toggle the analytics panel (collapsed by default) for four charts over the recent feed:
- Threat Volume (30d) — daily item count trend line.
- Category Distribution — donut of items by category.
- Top Threat Actors (7d) — most active actors.
- Victim Countries — most-targeted countries.
Filtering & search
Use the filter bar to narrow the feed. Available filter fields:
| Field | Notes |
|---|---|
| Title | Free text against the harvested headline. |
| Category | Ransomware, Data Breach, Initial Access, Combo List, etc. |
| Country | Victim country. |
| Industry | Victim industry/sector. |
| Threat Actor | Group/actor name. |
| Organization | Named victim organization. |
| Date | Discovery-date range. |
INFO
Filter dropdown values (the list of countries, actors, categories, etc.) are populated from the live feed, so they reflect what is actually present in the current data. Sorting is supported on Date, Severity, Category, and Threat Actor.
Page size (25 / 50 / 100 / 200), the active sort, and the page number are written to the URL, so a filtered view is shareable and survives a refresh.
Detail view
Clicking a row opens a right-side detail drawer without leaving the list:
- Severity badge, category, and source network.
- Full title and discovery time.
- The first ~500 characters of the harvested post content.
- Metadata: threat actor, victim country, industry, organization, and the victim's website (linked).
- A thumbnail strip of any captured screenshots from the source.
- Status buttons to set New / Reviewed / Archived inline.
- Previous / Next navigation to walk through the loaded list.
The Full Detail link opens the dedicated detail page, which adds a Related Threats tab — other items attributed to the same threat actor — and a full-size screenshot viewer.
Taking action
| Action | How | Effect |
|---|---|---|
| Mark Reviewed | Row → drawer status button, or select rows → Mark Reviewed | Moves the item to your Reviewed tab (per-company). |
| Archive | Drawer status button, or bulk → Archive | Moves the item to your Archived tab to clear it from New. |
| Bookmark | Star icon on the row (or b on the focused row) | Personal bookmark; surfaces in your bookmarks. |
| Comment | Comment icon on the row | Adds a threaded comment; supports saved comment templates. |
| Open source | Source column link | Opens the original leak-site/forum post in a new tab. The link points at the actor's own infrastructure, so open it from a browser you use for untrusted content. |
| Share | Bulk → Share | Sends selected items to a connected integration (e.g. ticketing/messaging). |
| Export | Header Export, or bulk → Export | Generates an export of the current filtered view (background task; respects active filters and status tab). |
Select multiple rows (header checkbox selects the page) to reveal the bulk action bar for Mark Reviewed, Archive, Export, and Share.
Keyboard shortcuts
This page supports power-user navigation. Press ? for the in-app cheat sheet.
| Key | Action |
|---|---|
| j / ↓, k / ↑ | Move row focus down / up |
| Enter | Open the detail drawer |
| Space | Toggle selection on the focused row |
| b | Toggle bookmark |
| n / p | Next / previous item while the drawer is open |
| Esc | Close the drawer or help overlay |
| ? | Show / hide the shortcuts help |
Common questions
Is the Threat Feed about my assets or about other companies? About the broader landscape. Items describe breaches and leaks affecting other organizations and the actors behind them. They become relevant to you when the victim, country, or industry matches your profile — those are flagged with the crosshair badge.
Why do most ransomware rows have no country, industry, or organization? Ransomware items come from leak-site posts where only the group name and victim title are reliably parseable. The structured victim country/industry/organization fields are populated mainly for the general threat-intel category, not for ransomware posts.
Where does Severity come from? I never set it. It is derived from the item's category by a fixed map (Ransomware → Critical, Data Breach/Initial Access → High, Combo List/Defacement/DDoS → Medium, everything else → Low). There is no manual severity on this feed.
If I archive an item, does it disappear for my whole company / for everyone? Triage state (reviewed/archived) is stored per company, so it applies to your whole organization's view but never affects other customers or the global source data. Archiving simply moves the item out of your New queue.
How is this different from the Ransomware page? The Threat Feed is the chronological, all-categories stream. The dedicated Ransomware page reads the same ransomware source but organizes it by actor/group with victim counts and timelines.
Can I get notified about new items? Yes — configure the daily news-alert email (country/sector filtered) in News Alert settings. It's a once-a-day digest of newly published stories, not a real-time per-item alert.
Do my filters and view persist? Page size, sort, and page number persist via the URL (shareable and refresh-safe). Column visibility and the compact/expanded view persist per browser.
Related
- Ransomware — actor-first view of the same ransomware leak-site source, with victim timelines.
- Threat Actors — profiles of the groups named in feed items.
- Threat Intelligence Overview — landing dashboard for the intelligence module.
- Data Breaches — your-data-centric breach exposure, complementing the landscape-wide breach items here.
- Custom Tags and Comments — organize and annotate feed items during triage.
- Exports — how the background export of a filtered feed works.