External Threat Intelligence (ETI) is the systematic collection and enrichment of data concerning potential or active threats originating outside an organization’s network perimeter. As a cybersecurity use case, ETI focuses on threats targeting specific organizations, industries, or geographies by analyzing the open, deep, and dark web. The goal is to deliver "operationally consumable insights" that empower stakeholders to make informed, risk-based decisions, reduce the success of cyberattacks, and proactively mitigate exposure.

How ThreatNG Powers External Threat Intelligence

ThreatNG is an all-in-one External Threat Intelligence Service Provider (ETISP) that integrates External Attack Surface Management (EASM), Digital Risk Protection (DRP), and Security Ratings into a unified platform. It eliminates the "Attribution Chasm" by correlating technical exposures with definitive business context.

1. Purely External, Unauthenticated Discovery

ThreatNG redefines intelligence gathering by performing discovery without requiring internal agents or connectors. This "outside-in" methodology mirrors the reconnaissance phase of a real-world adversary, ensuring that security teams see exactly what a threat actor sees.

2. Detailed External Assessments and Ratings

ThreatNG provides granular assessments that quantify risk across multiple domains. Key examples include:

  • Subdomain Takeover Susceptibility: The platform performs DNS enumeration to identify CNAME records that point to third-party services (e.g., AWS S3, Heroku, Shopify). It cross-references these against a comprehensive vendor list and performs a specific validation check to confirm "dangling DNS" states—identifying resources that are inactive or unclaimed and thus ripe for hijacking.

  • BEC & Phishing Susceptibility: Ratings are derived from multidimensional findings, including compromised credentials, domain name permutations (homoglyphs/typosquatting), and missing email security records such as DMARC and SPF.

  • Web Application Hijack Susceptibility: ThreatNG assesses the presence of critical security headers such as Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options, which help prevent injection and clickjacking attacks.

  • Non-Human Identity (NHI) Exposure: This critical metric quantifies the exposure of high-privilege machine identities, such as leaked API keys and service accounts, that are often invisible to internal tools.
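
The dangling-DNS check described under Subdomain Takeover Susceptibility can be sketched for a zone you own as follows. This is an added example, not ThreatNG's code: the provider table, its marker strings, and the sample observations are assumptions constructed for illustration and should be verified against each provider's current behavior.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed provider table (illustrative only, not ThreatNG's vendor list):
# CNAME suffix -> (service, text the provider serves for an unclaimed resource).
PROVIDERS = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".herokuapp.com": ("Heroku", "No such app"),
    ".myshopify.com": ("Shopify", "this shop is currently unavailable"),
}

@dataclass
class Observation:
    name: str                # record in your own zone
    cname: Optional[str]     # CNAME target, None for A/AAAA records
    target_resolves: bool    # did the CNAME target resolve when checked?
    body: str = ""           # response body served for the name, if any

def classify(obs):
    """Return (service, verdict); verdict is 'ok', 'review' or 'dangling'."""
    if obs.cname is None:
        return (None, "ok")
    target = obs.cname.rstrip(".").lower()
    for suffix, (service, marker) in PROVIDERS.items():
        if target.endswith(suffix):
            # Validation step: the target is gone, or the provider says unclaimed.
            unclaimed = marker.lower() in obs.body.lower()
            dangling = not obs.target_resolves or unclaimed
            return (service, "dangling" if dangling else "ok")
    # Third party not in the table: a dead target still needs a human look.
    return ("unknown", "ok" if obs.target_resolves else "review")

def audit(zone):
    """List (name, service, verdict) for every record that is not 'ok'."""
    rows = [(o.name, *classify(o)) for o in zone]
    return [r for r in rows if r[2] != "ok"]

# Constructed sample observations for a zone you own (not real data).
SAMPLE_ZONE = [
    Observation("www.example.com", None, True),
    Observation("assets.example.com", "assets-example.s3.amazonaws.com.", True,
                "<Code>NoSuchBucket</Code>"),
    Observation("shop.example.com", "example-store.myshopify.com", True, "<html>Welcome</html>"),
    Observation("promo.example.com", "old-promo.herokuapp.com", False),
    Observation("docs.example.com", "docs.vendor.example.net", False),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ZONE):
        print(row)
```

Records flagged "dangling" are remediated by removing the CNAME or reclaiming the resource at the provider; "review" marks third parties outside the assumed table.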

3. Comprehensive Investigation Modules

ThreatNG provides over ten specialized investigation modules to facilitate deep-dive intelligence gathering:

  • DarChain™ (External Contextual Attack Path Intelligence): This sophisticated modeling tool maps the precise exploit chain an adversary follows, from initial reconnaissance to the compromise of mission-critical assets. It identifies "Attack Choke Points" where a single remediation can disrupt dozens of potential attack paths.

  • Technology Stack Investigation: ThreatNG provides exhaustive discovery of nearly 4,000 technologies comprising a target’s external attack surface, covering everything from CRM systems to AI development platforms.

  • Sensitive Code Exposure: This module identifies data leaks in public repositories, specifically searching for hardcoded API keys (e.g., Stripe, AWS, Google), cloud credentials, and system configuration files.

  • Social Media Discovery: The platform monitors the "Conversational Attack Surface" on Reddit and LinkedIn to identify project leaks or employees most susceptible to social engineering.

4. Continuous Monitoring and Intelligence Repositories

The platform maintains a real-time defense posture by continuously monitoring the external digital environment. This is supported by the DarCache suite of intelligence repositories:

  • DarCache Dark Web: Indexed, sanitized, and searchable archives of dark web content.

  • DarCache Ransomware: Tracking over 100 ransomware gangs (e.g., LockBit, BlackSuit) and their unique tactics, techniques, and procedures (TTPs).

  • DarCache Vulnerability: A strategic risk engine that integrates the National Vulnerability Database (NVD) with the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) to provide a "Decision-Ready Verdict" based on real-world exploitability.

5. Reporting and Executive Insights

ThreatNG delivers insights through prioritized reporting facilities, including Executive, Technical, and Inventory reports. Crucially, it provides External GRC Assessment Mappings that automatically link external findings to regulatory frameworks such as PCI DSS, HIPAA, GDPR, NIST CSF, and DORA.

Cooperation with Complementary Solutions

ThreatNG functions as a force multiplier for existing security stacks, providing high-fidelity external intelligence to fuel internal response engines.

  • Cooperation with SIEM and XDR: ThreatNG enriches internal logging by feeding high-certainty evidence, such as compromised dark web credentials or discovered phishing domains, into SIEM/XDR platforms. This enables analysts to correlate external signals with internal traffic to expedite triage.

  • Cooperation with SOAR Platforms: ThreatNG automatically detects fraudulent infrastructure, such as phishing sites that mimic the organization's domain, and triggers SOAR playbooks to block malicious IPs or notify stakeholders instantly.

  • Cooperation with Takedown and Brand Protection Services: ThreatNG identifies the target and packages technical evidence (DNS records, IP ownership, and sanitized screenshots) into a "Forensic Evidence Package". This package is then delivered to complementary takedown services that use legal relationships with registrars to scrub the malicious content from the internet.

  • Cooperation with Vulnerability Management: ThreatNG's DarCache Vulnerability data enriches internal scanners with real-world context, helping teams prioritize patching efforts based on active exploitation (KEV) and publicly available Proof-of-Concept (PoC) exploits rather than theoretical scores.
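
The exploitability-first prioritization described for DarCache Vulnerability and for the vulnerability management integration can be illustrated as follows. This is an added example, not ThreatNG's scoring logic: the verdict names, the EPSS cut-off, and the findings (with placeholder CVE IDs) are assumptions constructed here.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str          # placeholder ID, constructed for this example
    asset: str
    cvss: float       # NVD base score, 0.0 to 10.0
    epss: float       # EPSS exploitation probability, 0.0 to 1.0
    in_kev: bool      # listed in the Known Exploited Vulnerabilities catalog
    public_poc: bool  # a public proof-of-concept exploit exists

EPSS_HIGH = 0.10      # assumed cut-off; tune to your own risk appetite
RANK = {"patch-now": 0, "patch-next": 1, "scheduled": 2, "backlog": 3}

def verdict(f):
    """Exploitation evidence first, severity score last."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"score out of range for {f.cve}")
    if f.in_kev:
        return "patch-now"
    if f.public_poc or f.epss >= EPSS_HIGH:
        return "patch-next"
    return "scheduled" if f.cvss >= 7.0 else "backlog"

def prioritize(findings):
    """Order by verdict, then EPSS, then CVSS as the final tie-breaker."""
    return sorted(findings, key=lambda f: (RANK[verdict(f)], -f.epss, -f.cvss))

def by_cvss_only(findings):
    """The 'theoretical score' ordering, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)

# Constructed findings; the CVE IDs are placeholders, not real entries.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "vpn.example.com", 9.8, 0.02, False, False),
    Finding("CVE-PLACEHOLDER-B", "mail.example.com", 6.5, 0.91, True, True),
    Finding("CVE-PLACEHOLDER-C", "www.example.com", 7.5, 0.34, False, True),
    Finding("CVE-PLACEHOLDER-D", "dev.example.com", 5.3, 0.01, False, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(verdict(f), f.cve, f.asset)
```

In the sample, the CVSS 6.5 finding that is KEV-listed moves ahead of the CVSS 9.8 finding with no exploitation evidence, which a CVSS-only sort would place first.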