Threat Intelligence – Bitdefender TechZone
2026-05-12
GravityZone integrates real-time Threat Intelligence (TI) via REST APIs and MRTI feeds, powered by 50 billion daily queries. This architecture enables low-latency IoC verification and seamless telemetry ingestion for SIEM and SOC workflows.
A security team gets a SIEM alert: a workstation contacted an unknown IP address 47 times in the last hour. The SOC analyst googles the IP. Nothing. They check VirusTotal. Three detections, no context. They do not know if this is malware command-and-control or a false positive from a legitimate cloud service. They block the IP and move on. Two weeks later, ransomware hits. The IP was the attacker’s C2 server, and it had been active in their environment the entire time. The problem was not that the analyst missed the alert. The problem was that the analyst had no intelligence.
Bitdefender Threat Intelligence Solutions (TI) is a set of feeds and APIs that deliver data on malicious files, URLs, domains, and IP addresses to security teams and security product builders. The intelligence comes from the same sensors that power GravityZone’s built-in endpoint detections, processed in our lab to filter, correlate, and validate indicators before they reach your systems. New indicators are available within approximately five minutes of detection anywhere in the global sensor network.
Beyond the Endpoint: Solving the Visibility Gap
Attackers who land on a Windows machine do not stay there. They move laterally over the network. They exfiltrate data to cloud storage. They command their backdoor from an IP that has never touched your endpoints but appears in your firewall logs 400 times this week. GravityZone’s endpoint protection cannot block traffic that never reaches an endpoint, cannot correlate indicators across your SIEM, and cannot tell your firewall which IPs to drop before they connect.
That is the problem threat intelligence solves: it takes what Bitdefender Lab sees across sensors globally and makes it usable in the systems that see the rest of your environment. The firewall gets an IP blocklist. The SIEM gets file hashes and domains to correlate against. The SOC analyst gets a portal where they can detonate a suspicious file, look up an actor’s profile, or check whether that weird domain in their logs is already known malicious.
TI Telemetry
Bitdefender Threat Intelligence Solutions draw from Bitdefender’s Global Protective Network (GPN), which safeguards hundreds of millions of systems, consumer devices, and technology from OEM ecosystem licensing partners. The GPN processes 50 billion security queries daily and discovers over 1,000 new threats every minute. Bitdefender extracts threat intelligence from this telemetry in compliance with data privacy regulations including GDPR. Information is anonymized before it reaches cloud infrastructure, and Bitdefender does not share details about the organization that is the source of the data or any personally identifiable information (PII).
The GPN does not just collect indicators — data gathered from across the network then goes through Bitdefender Labs for enrichment, where it is processed through different automated and manual steps:
Collection: The system ingests telemetry from EDR and XDR agents, network sensors, open-source intelligence feeds, web crawlers scanning for phishing sites, and honeypots designed to attract attacker activity.
Correlation: Unsupervised machine learning groups related indicators. If three different files all contact the same IP address and drop similar registry keys, the system flags them as likely belonging to the same campaign. The correlation engine also augments indicators with context tags describing which industries and regions are targeted, and maps them to known attacker tactics.
Validation: Every indicator is checked against a cleanset of known-legitimate infrastructure to filter out false positives. An IP address that hosts both malware command-and-control and a Fortune 500 company’s content delivery network gets flagged for manual review. The system also runs continuous rechecks—an indicator that was malicious yesterday but is now a parked domain gets removed.
Behavioral analysis: Files are detonated in sandbox environments to confirm they do what their metadata suggests. A file flagged as ransomware must actually encrypt files before it is added to the feeds. Bitdefender runs 14K sandbox detonations daily, and the behavioral data from those detonations feeds back into the correlation engine. The attribution system uses these detonations plus observed tactics, techniques, and procedures (TTP) to link indicators to known threat actors.
This pipeline is what distinguishes GPN-sourced intelligence from open-source feeds. Indicators are extracted from real-world attack telemetry, not synthetic data.
New indicators are available within approximately five minutes of detection anywhere in the sensor network. This does not mean five minutes from when an attack hits your endpoint—it means five minutes from when the first sensor anywhere in the global network detected it, which might have been hours or days before the attack reached your environment.
Automated Data Feeds & API Delivery
Bitdefender Threat Intelligence Solutions deliver processed intelligence through five products.
Bitdefender File Feed
Bitdefender File Feed publishes malicious and suspicious file hashes with severity, popularity and confidence scores. Where known, these entries also include context: which threat actor is behind the file, which CVEs (numbered vulnerability identifiers cataloged in the Common Vulnerabilities and Exposures database) it exploits, which industries and countries are seeing it, and which other files behave similarly using TLSH distance (a fuzzy hashing metric that measures file similarity, which helps analysts find variants of known malware even when attackers modify the files slightly). If your SIEM alerts on a suspicious PowerShell script that downloaded an unknown executable, the File Feed tells you whether that executable is already known malicious and whether it is part of a broader campaign. Format: JSONL (JSON Lines, a text format where each line is a separate JSON object). Query interface: REST GET. Update cadence: approximately five minutes.
Bitdefender Web Feed
Bitdefender Web Feed publishes malicious and suspicious URLs and domains with threat type classification (phishing, malware delivery, fraud, exploit kit), web content category, severity, popularity and confidence scores, first-seen and last-seen timestamps, and geographic distribution of observed activity. When your web proxy logs show a user visiting an unfamiliar domain, the Web Feed tells you whether that domain is hosting a phishing page targeting your industry or delivering browser exploits. Same format and query interface as File Feed.
Bitdefender IP Feed
Bitdefender IP Feed publishes malicious and suspicious IP addresses with severity, popularity and confidence scores, ASN (autonomous system number, a unique identifier for the network operator hosting the malicious IP, which helps analysts see if multiple malicious IPs are hosted by the same provider), hosting provider name, CIDR block (the IP address range the malicious IP belongs to, which helps analysts block entire ranges when a hosting provider’s infrastructure is compromised), geolocation, ports and protocols involved in malicious activity, and affected industries and countries. When your firewall logs show repeated connections to an unfamiliar IP, the IP Feed tells you whether that IP is commanding malware or scanning your network. Same format and query interface as File Feed.
All three feeds above also return related indicators and support query-time filtering by confidence and tags, depending on the feed. Bitdefender provides translating scripts for STIX and MISP (two standard formats that many security tools use to import threat data, so you can feed these indicators into your existing systems without custom integration work). Pre-built integrations exist for Splunk, Anomali, and Ticura.
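The following is an added example, not Bitdefender code, of what a minimal JSONL feed ingestion and SIEM enrichment step looks like for the File Feed described above. The field names (sha256, confidence, severity, tags, actor, related), the sample records and the hash values are assumptions constructed for illustration; the real layout should be taken from the Feeds Preview.

```python
"""Ingest a JSONL file feed, filter at ingestion time, and enrich SIEM alerts
by file hash. Added example; field names and records are constructed."""
import json
from typing import Dict, Optional, Set

# Constructed sample feed lines, one JSON object per line (JSONL).
# Hashes are placeholders, not real indicators.
SAMPLE_FEED = "\n".join([
    json.dumps({"sha256": "a1" * 32, "severity": "high", "confidence": 95,
                "tags": ["rat", "finance"], "actor": "ACTOR-A",
                "related": ["b2" * 32]}),
    json.dumps({"sha256": "b2" * 32, "severity": "high", "confidence": 90,
                "tags": ["rat", "finance"], "actor": "ACTOR-A", "related": []}),
    json.dumps({"sha256": "c3" * 32, "severity": "low", "confidence": 55,
                "tags": ["adware"], "actor": None, "related": []}),
    "not json at all",  # a corrupt line must not abort the whole batch
])


def load_feed(jsonl: str, min_confidence: int = 80,
              required_tags: Optional[Set[str]] = None) -> Dict[str, dict]:
    """Parse JSONL into a hash-keyed index, applying feed-style filters.

    Records below min_confidence, or lacking any of required_tags, are
    dropped; this is how a team with limited SIEM capacity trims volume.
    Malformed lines are skipped rather than failing ingestion.
    """
    index: Dict[str, dict] = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("confidence", 0) < min_confidence:
            continue
        if required_tags and not required_tags.issubset(rec.get("tags", [])):
            continue
        index[rec["sha256"].lower()] = rec
    return index


def enrich_alert(alert: dict, index: Dict[str, dict]) -> dict:
    """Attach feed context to a SIEM alert that carries a file hash.

    Hash comparison is case-insensitive so SIEM and feed casing need not agree.
    """
    rec = index.get(alert.get("sha256", "").lower())
    if rec is None:
        return {**alert, "ti_match": False}
    return {**alert, "ti_match": True, "severity": rec["severity"],
            "confidence": rec["confidence"], "actor": rec.get("actor"),
            "related_hashes": rec.get("related", [])}
```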
Bitdefender IP Blocklist
Bitdefender IP Blocklist is enforcement-ready, not an enrichment feed. It is built specifically for automated blocking on firewalls, next-generation firewalls (NGFWs), routers, and intrusion prevention systems. Key characteristics distinguish it from the IP Feed:
Only active indicators: Entries have a dynamic TTL (time-to-live, how long the indicator remains in the list) based on popularity (number of observed victims). An IP that goes quiet is removed automatically. This prevents stale blocks.
High-risk filter: Only IP addresses associated with active malicious activity such as malware command-and-control, command injection attempts, and network scanners are included. IP addresses associated only with low-risk activities such as spam are filtered out. The filtering is a feature, not a gap. IP addresses associated with low-risk activities such as spam carry a higher rate of false positives and are better addressed by dedicated, context-aware security controls — your email gateway, for example, is better positioned to handle spam and phishing than a network-level blocklist. Applying an automated, set-and-forget block to these categories generates noise without meaningfully reducing risk. The IP Blocklist includes only IPs actively commanding malware or scanning your network—the categories where a firewall block prevents harm.
Three response modes: The blocklist can return a raw IP list, IP addresses with tags, or full context (IP, tags, IP reputation score, confidence, severity).
Configurable reputation threshold: The default ip_reputation_score filter is 70 (on a scale of 1 to 99, where higher scores indicate higher risk). Security teams can adjust this threshold based on their risk tolerance.
Output format: CSV (default) or JSONL, delivered via REST API.
Bitdefender Threat Intelligence API
Bitdefender Threat Intelligence API is an on-demand query interface to the full Bitdefender threat intelligence dataset. Query by IP address, URL, domain, file hash, actor name, malware family name, or CVE ID. The API returns basic information about the IoC, and/or enrichment data in JSON format within seconds: severity, confidence, TTL, geolocation, ASN, ports, protocols, related indicators, exploited CVEs, actor profiles (targeted regions, industries, MITRE ATT&CK mappings—the ATT&CK framework is a knowledge base of adversary tactics and techniques—and associated malware families), malware family profiles, and CVSS v2 and v3 scores (standardized vulnerability severity ratings). Use cases include enriching SIEM alerts in real time, SOAR playbook enrichment, EDR and XDR integration, and ad hoc analyst investigation without managing continuous feed ingestion.
Bitdefender IntelliZone
IntelliZone Portal is a web-based portal for SOC analysts. A free evaluation is available and includes technical support. Key capabilities:
Threat Search: Query the full Bitdefender threat intelligence dataset with support for cross-artifact searches such as “show me malicious file hashes active in the financial services industry in Germany last week.”
Feeds Preview: Download a sample of any threat intelligence feed to inspect the real data structure before committing to integration. This lowers the barrier for teams evaluating the feeds and serves as the natural starting point before subscribing to a feed.
Operational Dashboard: Tracks the most active threat actors in a chosen industry or geography, including the TTPs they use. MITRE ATT&CK mapped.
Actor Profiles: Detailed view of hundreds of active actors including targeted countries (displayed on a world map), targeted industries, associated malware families, and common TTPs.
Sandbox Analysis: Submit files or URLs for dynamic detonation. Returns extracted indicators and a structured analysis report. This is the same sandbox infrastructure that contributes to the GPN.
Visualization: Graph-based threat visualization and navigation across connected indicators.
IntelliZone queries the same dataset as the Threat Intelligence API—the difference is workflow. Analysts who need to investigate interactively can use IntelliZone and the API. Automated systems query the API.
What TI Catches
An attacker landed on your network. Where are they commanding from?
The IP Feed includes command-and-control servers observed directing backdoors, remote access trojans such as Cobalt Strike (a commercial adversary-emulation toolkit widely abused by intrusion operators), and ransomware. The IP Blocklist filters for active C2 servers only—IPs that are commanding malware right now, not infrastructure that was malicious last year but is now dormant. This makes it perfect for automated integration with NGFWs, IPS/IDS and more.
A suspicious file appeared. Is it part of a known campaign?
The File Feed includes malicious executables, malicious documents, credential-dumping tools, keyloggers, and post-exploitation frameworks. Each entry links to related files, the actor behind them when attribution is available, and the CVEs they exploit. If an endpoint alert fires on an unknown PowerShell script, the File Feed tells you whether the script’s payload hash matches a known remote access trojan and which threat actor typically deploys it.
A user clicked an unfamiliar link. Where does it lead?
The Web Feed covers newly registered phishing domains, fraudulent payment pages, malware delivery URLs, and exploit kit landing pages. Because Bitdefender’s sensor network observes these URLs as real users encounter them, they appear in the feed before most aggregated blocklist services pick them up.
Your network is being scanned. Who is behind it?
The IP Feed and IP Blocklist cover attacker-controlled servers used for command-and-control communication and scanning infrastructure—systems that probe networks looking for open ports and vulnerable services. Both sources appear in the sensor network’s telemetry as real attacks against real endpoints.
What You Can Tune in TI
Feed filtering: Bitdefender File Feed, Web Feed, and IP Feed support query-time filtering by severity, confidence, and tags. For example, a security team can subscribe to only high-confidence indicators (confidence above 80), or only indicators tagged with specific industries or attack types. This reduces ingestion volume for teams with limited SIEM capacity.
IP Blocklist threshold: The default reputation score threshold is 70. Teams operating high-security environments (financial services, critical infrastructure) can lower the threshold to 60 or 50 to block more aggressively. Teams with limited false-positive tolerance can raise it to 80 or 90. Lowering the threshold increases block coverage but also increases the risk of blocking a shared hosting provider whose infrastructure hosts both malicious and legitimate sites.
API rate limits: The Threat Intelligence API supports query throttling. Teams integrating the API into SOAR playbooks should tune the request rate to match their incident volume—a SOC running 500 investigations per day needs higher throughput than a team running 50.
IntelliZone search scope: Analysts can configure default search filters (specific industries, geographies, threat types) to narrow results before querying. This speeds up investigations for teams focused on specific threat verticals.
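As an added example (not Bitdefender code) of the IP Blocklist characteristics and the threshold tuning discussed above, the block below consumes a full-context CSV, applies the ip_reputation_score threshold (default 70) and a TTL, and renders nftables set elements. The column names other than ip_reputation_score, the TTL being expressed in seconds, the nftables set name and the sample rows are assumptions constructed for illustration.

```python
"""Select enforceable entries from a full-context IP blocklist CSV and render
them as nftables set elements. Added example; columns and rows are constructed."""
import csv
import io
import ipaddress
from typing import List

# Constructed sample rows using documentation-range addresses, not real IoCs.
SAMPLE_CSV = """\
ip,tags,ip_reputation_score,confidence,severity,ttl
192.0.2.10,c2;botnet,92,90,high,3600
198.51.100.7,scanner,75,80,medium,600
203.0.113.5,c2,64,70,high,3600
192.0.2.99,scanner,85,60,medium,0
not-an-ip,c2,99,99,high,3600
"""


def select_blocks(csv_text: str, threshold: int = 70,
                  min_confidence: int = 0) -> List[dict]:
    """Return rows that should be enforced right now.

    threshold mirrors the documented default of 70 on the 1-99 scale: lowering
    it to 60 widens coverage (203.0.113.5 above would be admitted), raising it
    to 80 narrows it. Rows with an expired TTL (<= 0) or an unparsable address
    or score are dropped, so a malformed line never produces a block rule.
    """
    selected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            score = int(row["ip_reputation_score"])
            conf = int(row["confidence"])
            ttl = int(row["ttl"])
        except (ValueError, KeyError):
            continue
        if ttl <= 0 or score < threshold or conf < min_confidence:
            continue
        selected.append({"ip": str(ip), "score": score, "ttl": ttl,
                         "tags": [t for t in row["tags"].split(";") if t]})
    return selected


def nft_elements(rows: List[dict], set_name: str = "ti_block") -> List[str]:
    """Render 'nft' commands adding each IP with a per-element timeout.

    Assumes the set was created with 'flags timeout' (assumed set name).
    """
    return [f"add element inet filter {set_name} "
            f"{{ {r['ip']} timeout {r['ttl']}s }}" for r in rows]
```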
How You See TI is Working
When a malicious indicator is added to any of the feeds, it appears in your chosen integration within approximately five minutes. In a SIEM, new file hashes from the File Feed can be set up to automatically enrich alerts—an endpoint alert about a suspicious PowerShell execution now shows that the script downloaded a file hash already flagged as a remote access trojan in the File Feed two days earlier. In a firewall, the IP Blocklist adds new entries to your block rule, and connection attempts to those IPs generate block logs you can review in your firewall dashboard.
The Threat Intelligence API returns results immediately when queried. A SOAR playbook enriching an alert queries the API with the suspicious file hash, and the API responds within seconds with severity, confidence, related indicators, and actor attribution if available. The playbook can then escalate high-severity incidents to an analyst or automatically quarantine the endpoint based on the returned severity score.
In IntelliZone Portal, analysts see query results in real time. A search for “all indicators targeting healthcare in Germany last 30 days” returns a list of file hashes, IP addresses, and domains with severity and confidence scores. Clicking on an actor profile shows a world map of targeted countries, a list of associated malware families, and a timeline of observed campaigns. Submitting a file for sandbox analysis returns a structured report within minutes, including screenshots of the detonation, extracted indicators (IP addresses contacted, registry keys modified, files dropped), and a behavioral verdict.
Feeds Preview in IntelliZone lets you download a sample file before subscribing to a feed. You get a snapshot of the actual JSON structure, field names, and example data. This prevents integration surprises—you know exactly what you are ingesting before you commit.
TI Synchronizing Your Security Stack
While GravityZone protects the endpoint, Bitdefender Threat Intelligence Solutions expose that same high-fidelity visibility to the rest of your infrastructure. Instead of managing siloed tools that are blind to external trends, you can use our machine-readable feeds to keep your firewall, SIEM, and SOAR playbooks synchronized with real-world attacks. This unified approach means your analyst portal, network perimeter, and endpoints are all powered by the same intelligence, allowing you to stop threats at the edge before they ever have the chance to reach a protected machine.
When to use which product:
Continuous enrichment (every log, every alert, ongoing correlation): Bitdefender File Feed, Web Feed, or IP Feed
Real-time investigation (one alert, one indicator, immediate lookup): Bitdefender Threat Intelligence API
Automated blocking (enforce at network perimeter): Bitdefender IP Blocklist
Interactive investigation (analyst exploring unknowns, tracing actor activity): IntelliZone Portal
If you are deploying threat intelligence for the first time, start with IntelliZone Portal’s free evaluation. Use the Feeds Preview to inspect the data structure and see which feeds fit your workflows, then decide whether you need continuous ingestion (feeds), on-demand queries (API), or both. Teams that integrate both typically route feeds to their SIEM for correlation and use the API for real-time playbook enrichment.
Recommended Content
To learn more about the technology behind the GravityZone platform, we recommend reading the next article Cloud and Virtualization Optimization.
More Resources
Bitdefender Threat Intelligence official website: Bitdefender Threat Intelligence Solutions
To request a demo, you can click here: Get your Bitdefender Threat Intelligence trial
Bitdefender IntelliZone Guided Tour: IntelliZone Guided Tour with Click & Discovery
Discover the IntelliZone full potential with our dedicated video masterclasses: Bitdefender Masterclass
Cyberthreat Real-Time Map: Real-Time Map
