Use Case - APAC Threat Intelligence

The intelligence others license six months late, we generate ourselves.

ThreatBook has tracked APAC-based threat actors with firsthand research since 2015. Our analysts are embedded in the same markets as the adversaries, following campaigns in native languages, tracking infrastructure in real time, and publishing findings months before Western vendors receive the licensed feeds. ThreatBook has Asia's largest threat intelligence community, with 420,000+ practitioners contributing signal daily.

420,000+ ThreatBook community users
2,000+ adversary groups tracked
Since 2015 APAC firsthand coverage
80M+ malicious IPs updated daily
The Problem

Western threat intelligence has a structural APAC blind spot

Most enterprise threat intelligence was built to track threat actors who operate in English-speaking environments, use infrastructure favored by European and North American attackers, and target sectors where Western vendors have the most deployed sensors. APAC-based APT groups operate in a different ecosystem, and most intelligence platforms have marginal visibility into it.

01
Licensed Intelligence Arrives Months Late
Western threat intel vendors purchase or license APAC intelligence after it has already been researched and published elsewhere, months after ThreatBook's firsthand analysts first documented a campaign. Organizations relying on those feeds are always responding to yesterday's threat picture in a region where adversaries move fast.
02
Language Barriers Limit Source Coverage
Significant attacker activity is discussed, sold, and coordinated in native languages across underground forums, Telegram channels, and domestic platforms that non-native speakers cannot effectively monitor. Indicators, tools, and targeting lists circulate in these spaces weeks before they appear in English-language sharing communities.
03
Generic IOCs Without Actor Context
Most threat feeds deliver indicators without telling you who is behind them, what they want, or which other organizations in your sector were already hit. An IP block with no actor attribution gives a security team a defensive action but no strategic understanding of the campaign or the follow-on activity to anticipate.
How ThreatBook Solves It

Firsthand. Native-language. Peer-validated.

ThreatBook's ATI is not a licensed feed aggregated from third-party sources. It is the product of ThreatBook's own research team, analysts who have been tracking APAC-based threat actors since 2015 in their native languages, monitoring infrastructure in real time, and contributing to the ThreatBook community of 420,000+ practitioners who provide additional signal through daily interactions with live threats.

Every adversary profile in ATI reflects firsthand investigation. Campaign timelines, TTP documentation, infrastructure fingerprints, and target sector mappings are built from direct analysis, not inference from secondhand data. When a new APAC-based campaign begins, ThreatBook researchers are typically the first to document it publicly.

The ThreatBook community amplifies coverage further. Practitioners across Asia share indicators, validate findings, and surface emerging activity in real time, creating a collective sensor network that no single vendor's deployed base can replicate. IOC freshness and breadth benefit directly from this peer-validated intelligence model.

  • Firsthand APAC adversary research since 2015, not licensed downstream
  • Native-language monitoring of underground sources
  • 420,000+ community practitioners contributing signal daily
  • 20,000+ documented APT incidents with full attribution and TTP mapping
Core Capabilities

What APAC-native intelligence actually delivers

The value of firsthand APAC intelligence is not just freshness; it is depth of context, accuracy of attribution, and the ability to anticipate what a specific adversary group will do next based on years of documented behavior.

 
Adversary Group Profiles
2,000+ tracked threat actor groups with detailed profiles covering known tools, TTPs, infrastructure preferences, targeted sectors, historical campaign timelines, and known peer-organization victims. Profiles are maintained by ThreatBook researchers with firsthand investigation notes, not automated aggregation.
2,000+
adversary groups with full profiles
 
Real-Time IOC Intelligence
80M+ malicious IPs, domains, and file hashes refreshed every 24 hours, sourced from ThreatBook's own research infrastructure, sandboxing pipeline, and community contributions. Every IOC is linked to an actor group and campaign where attribution is established, providing context that block-only feeds cannot.
80M+
malicious IPs updated daily
 
APT Campaign Documentation
20,000+ documented APT incidents with full campaign narratives: initial access vectors, tools deployed, lateral movement paths, data exfiltrated, and remediation indicators. Security teams use this to validate active incidents against documented attack patterns and identify what an actor is likely to do next.
20,000+
APT incidents documented
 
ThreatBook Community Signal
Asia's largest threat intelligence community, 420,000+ active practitioners across financial services, government, telecom, and technology sectors. Community members contribute indicators, validate threat actor activity, and share early-warning signals from their own environments, extending coverage beyond ThreatBook's direct research infrastructure.
420,000+
community practitioners
 
ThreatBook Investigator
ThreatBook's online investigation platform provides analyst-grade lookup for IPs, domains, hashes, and threat actors, drawing on ATI's full intelligence database. Available to the security community as a standalone investigation tool, enabling rapid triage and contextual enrichment without a full ATI deployment.
 
SIEM and SOAR Integration
ATI integrates directly with major SIEM platforms (Microsoft Sentinel, Splunk, QRadar, and others), delivering real-time IOC feeds, actor context, and threat scores into analyst workflows. Native STIX/TAXII support and API access enable custom integration with existing detection and response tooling.
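As an added illustration of what "every IOC is linked to an actor group" and STIX/TAXII delivery mean on the consuming side, the Python below indexes a small STIX 2.1-style bundle and answers the question a SIEM analyst asks of an alert: who is behind this indicator, which ATT&CK techniques does that actor use, and is the indicator still within its validity window. This is example code written for this page, not ThreatBook's code and not ATI's actual object schema; the bundle, IDs, actor name, IP and domain values, and timestamps are constructed placeholders (the ATT&CK ID T1566.001 is a real technique identifier). It also shows the unattributed case from "Generic IOCs Without Actor Context": the second indicator has no relationship to any actor, so enrichment returns it with empty context.

```python
import re
from datetime import datetime, timezone

# Constructed STIX 2.1-style bundle for illustration only. IDs, names, IP/domain
# values and timestamps are placeholders, not ThreatBook data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000010",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2024-02-10T00:00:00Z"},
        # An indicator with no 'indicates' relationship: a block-only IOC.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000011",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'update.example.net']",
         "valid_from": "2024-01-12T00:00:00Z"},
        {"type": "intrusion-set", "spec_version": "2.1",
         "id": "intrusion-set--00000000-0000-4000-8000-000000000020",
         "name": "PLACEHOLDER-ACTOR-1"},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000030",
         "name": "Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000040",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000010",
         "target_ref": "intrusion-set--00000000-0000-4000-8000-000000000020"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000041",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000020",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000030"},
    ],
}

# Only single-comparison patterns are handled here; anything more complex
# (AND/OR, ranges) is deliberately skipped rather than half-parsed.
SIMPLE_PATTERN = re.compile(
    r"^\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'\]$")


def parse_simple_pattern(pattern):
    """Return (observable_type, value) for a single-comparison STIX pattern, else None."""
    m = SIMPLE_PATTERN.match(pattern.strip())
    return (m.group(1), m.group(2)) if m else None


def parse_timestamp(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_ioc_index(bundle):
    """Map each indicator value to its indicator object plus linked actors and techniques."""
    objects = {o["id"]: o for o in bundle["objects"]}
    relationships = [o for o in bundle["objects"] if o["type"] == "relationship"]

    def targets(source_id, rel_type, target_type):
        # Follow relationships of one type from a source object to objects of a given type.
        return [objects[r["target_ref"]] for r in relationships
                if r["source_ref"] == source_id and r["relationship_type"] == rel_type
                and objects.get(r["target_ref"], {}).get("type") == target_type]

    index = {}
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        parsed = parse_simple_pattern(obj.get("pattern", ""))
        if parsed is None:
            continue
        _, value = parsed
        actors = targets(obj["id"], "indicates", "intrusion-set")
        techniques = set()
        for actor in actors:
            for ap in targets(actor["id"], "uses", "attack-pattern"):
                for ref in ap.get("external_references", []):
                    if ref.get("source_name") == "mitre-attack":
                        techniques.add(ref["external_id"])
        index[value] = {"indicator": obj,
                        "actors": [a["name"] for a in actors],
                        "techniques": sorted(techniques)}
    return index


def enrich(value, index, now=None):
    """Return actor context and a freshness verdict for one observed value, or None if unknown."""
    entry = index.get(value)
    if entry is None:
        return None
    now = now or datetime.now(timezone.utc)
    valid_until = entry["indicator"].get("valid_until")
    # An indicator past valid_until is stale: the infrastructure may have rotated.
    stale = valid_until is not None and now > parse_timestamp(valid_until)
    return {"value": value, "actors": entry["actors"], "techniques": entry["techniques"],
            "has_attribution": bool(entry["actors"]), "stale": stale}


if __name__ == "__main__":
    idx = build_ioc_index(SAMPLE_BUNDLE)
    when = parse_timestamp("2024-01-20T00:00:00Z")
    for observed in ["203.0.113.5", "update.example.net", "198.51.100.9"]:
        print(observed, enrich(observed, idx, now=when))
```

The design point is in `enrich`: an alert enriched this way carries actor names and ATT&CK IDs that a detection rule or hunting query can key on, and the `stale` flag makes the freshness problem visible at lookup time instead of silently matching (or missing) rotated infrastructure.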
Intelligence Lifecycle

From actor activity to analyst action

The gap between when an APAC-based adversary begins a campaign and when an organization's security team has actionable intelligence about it is where most intrusions succeed. ThreatBook's research model closes that gap at the source.

1
Firsthand Research and Community Signal
ThreatBook analysts monitor APAC threat actor infrastructure, underground forums, and malware distribution in native languages. ThreatBook community practitioners simultaneously contribute indicators and observations from their own environments across Asia, creating multi-source early warning coverage.
2
Campaign Attribution and TTP Mapping
New activity is attributed to known threat actor groups using ThreatBook's adversary profiles and infrastructure fingerprinting. TTPs are mapped to MITRE ATT&CK. Historical campaign data is cross-referenced to identify patterns, infrastructure reuse, and likely target sectors, converting raw indicators into actionable intelligence.
3
ATI Database Update and IOC Publication
Validated indicators and actor intelligence are published to ATI's live database, refreshing 80M+ malicious IPs daily and updating adversary profiles with new campaign data. Customers receive intelligence within hours of ThreatBook's publication, not months later after it has passed through aggregators and resellers.
4
Delivery to Security Operations
ATI pushes intelligence directly into SIEM, SOAR, and EDR platforms via API and native integrations. Analysts receive enriched alerts with actor context, TTP mappings, and campaign history, not raw IOC lists. Detection rules and threat hunting queries based on new ATI findings are available for immediate deployment.
5
Proactive Threat Hunting
Security teams use ATI's actor profiles and campaign data to hunt for precursor indicators of compromise before an attack develops into a confirmed incident. Knowing that a specific threat group typically targets financial sector credentials before moving to data exfiltration allows hunting for the early-stage activity rather than waiting for exfiltration alerts.
Measured Outcomes

What APAC-native intelligence changes

The advantage of firsthand APAC coverage is not theoretical. It translates into concrete operational differences for security teams managing risk in the region.

6–12
Months Earlier Than Licensed Feeds
ThreatBook publishes firsthand APAC threat research 6 to 12 months before the same intelligence appears in other platforms that license data downstream. For organizations facing threats to their own sector and region, this lead time is the difference between proactive defense and reactive response.
80M+
Malicious IPs Refreshed Daily
ATI's IOC database covers 80M+ malicious IPs refreshed every 24 hours from ThreatBook's research infrastructure and ThreatBook community contributions. IOC freshness directly impacts detection effectiveness: stale indicators miss active attacker infrastructure that has rotated since the last feed update.
420,000+
Community Practitioners
ThreatBook's 420,000+ member community represents a collective sensor network distributed across Asia's most targeted industries. Community-contributed intelligence validates ThreatBook's research findings, surfaces emerging activity earlier, and provides real-world confirmation that complements ThreatBook's proprietary data collection.
Product Powering This Use Case

Advanced Threat Intelligence

Threat Intelligence
ATI
Advanced Threat Intelligence. APAC-native firsthand research since 2015. 2,000+ adversary groups, 20,000+ APT incidents, 80M+ malicious IPs daily. Feeds into SIEM, SOAR, and EDR platforms.
Get Started

See what APAC-native intelligence finds first

Run an ATI coverage comparison against your current threat intelligence feed; ThreatBook will show you which adversary groups targeting your sector are documented in ATI that your current vendor hasn't published yet.

ThreatBook Investigator is available at i.threatbook.io