SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Team Cymru launches Total Insights Feeds for threat data

Sat, 18th Apr 2026

Team Cymru has launched Total Insights Feeds, a new threat intelligence framework available immediately.

The framework is designed to replace older feed models built around lists of known malicious infrastructure. It combines internet-wide IP and domain analysis with contextual data in a single stream for security teams and automated tools.

Threat intelligence feeds have long relied on collecting and distributing indicators such as suspect IP addresses and domains. Team Cymru argues that approach has become less effective as attackers rotate infrastructure rapidly, expand command-and-control networks across large address ranges, and run phishing campaigns at a scale many legacy feeds were not built to handle.

Total Insights Feeds, or TIF, evaluates more than 57 million IPs and CIDRs each day and assigns weighted risk scores on a 0 to 100 scale, according to Team Cymru. It also analyses more than 400 million domains daily, including phishing infrastructure, algorithmically generated domains, and what it classifies as malicious hosting.

Each indicator is enriched with more than 2,000 contextual attributes. These include malware families, botnet membership, command-and-control frameworks, attribution data, and kill-chain stage. The output is delivered in a structured format designed for existing security operations workflows.

Josh Picolet, vice president of detection and analysis at Team Cymru, said the launch marks a break from established threat feed practices.

"The era of the indicator list is over," Picolet said. "Coverage without context is noise, and context without coverage creates blind spots. Total Insights Feed delivers both across the full surface of the internet in a single integration that security teams can act on at machine speed."

Single schema

A central part of the offering is a unified JSON schema designed to work with SIEM, SOAR, XDR, and TIP platforms. The goal is to let customers ingest one stream rather than combine and normalise multiple separate feeds.

The framework is organised into three intelligence layers that feed into the same output. It is sold in tiered configurations, including a risk-scoring tier focused on IP and domain reputation, a tags-and-analysis tier for added context, and a complete tier that combines both.

Existing users of Team Cymru's Controller Feed, Reputation Feed, and BARS products will be supported within the new framework. Their current intelligence will be preserved and expanded as part of the migration to the new service.

Scale problem

The launch reflects a broader shift in cyber security toward larger-scale telemetry, automated scoring, and richer contextual analysis. Security teams have increasingly moved away from binary classifications of malicious or benign data points, as those labels often do not show how urgent a response should be or how an indicator fits into a wider campaign.

TIF uses decay modelling in its risk scoring so automated block policies can be set at chosen thresholds without analyst review. It also includes named actor and campaign associations where available, MITRE ATT&CK mapping, first and last observation data, and external intelligence references.

The system draws on visibility from more than 700 internet service providers and network operators. Team Cymru says that reach supports its claim that the framework covers the full routable internet rather than a narrower, curated sample of activity.

This emphasis on breadth and context comes as cyber defenders face attacks that move faster than manual review processes can handle. Team Cymru argues that even high-confidence feeds can leave large parts of the active threat landscape uncovered if they track only a limited set of indicators.

In practical terms, a security operations centre may identify known bad infrastructure but still lack enough information to decide whether to block, monitor, or escalate an event. By combining scoring with contextual tagging, Team Cymru is aiming to shift more of that decision-making into automated systems while still giving analysts enough data to investigate campaigns and actors.

The company also highlighted domain intelligence as a key part of the launch, with more than 3.5 million domains tagged as malicious in its daily assessment set. That reflects the role of domains in phishing, hosting, and evasive infrastructure, where attackers can generate or abandon assets quickly.

Team Cymru is positioning the new framework as a structural change rather than an update to its existing feed portfolio. TIF is intended to serve as the basis for customers seeking to replace fragmented feed architectures with a single source of threat data. The service is available now, and existing Controller Feed, Reputation Feed, and BARS users are supported within Total Insights Feed.