ThreatQuotient helps organizations strengthen their security posture with ThreatQ, a threat intelligence platform designed to arm analysts with the intelligence, controls, and automation required to protect their organizations through a threat-centric security operations and management program.

By leveraging insights from illicit online communities and other highly curated sources, Flashpoint helps multiple teams across an organization bolster cyber and physical security, detect fraud and insider threats, and enhance corporate and physical security, to help rapidly identify threats and mitigate the most critical security risks.

This joint solution brings the most important parts of an organization’s threat operations and management framework together in one platform. It unites an organization’s security solutions and accelerates the transformation of threat data from illicit online communities into actionable threat intelligence by giving defenders unmatched control. By utilizing Flashpoint Finished Intelligence, Technical Data, and ThreatQ across the security operations center, it ensures that intelligence is accurate, relevant, and timely to the business so organizations get more out of their true security resources: people and infrastructure.

The Flashpoint & ThreatQuotient Advantage

This solution delivers an extensible threat intelligence platform which pulls insights and context from illicit online communities, as well as technical data, to provide defenders the prioritization, customization, and collaboration needed for increased security effectiveness and efficient threat operations and management.

Key Features


ThreatQ equips users with a threat library that automatically scores and prioritizes threat intelligence based on customer-defined parameters. The integration of Flashpoint Technical Data expands user visibility into developing malware or evolving actor TTPs from Flashpoint-collected illicit online communities.


ThreatQ offers customer-defined configuration and integrations to work within an organization’s processes and tools. Customizable workflow and customer-specific enrichment streamlines investigation and analysis, and automates the intelligence lifecycle.


Flashpoint data can be compared to network events to determine if malicious activity has occurred. With the ThreatQ Open Exchange, correlated events can receive additional enrichment to provide more context.


ThreatQ sends specific actions, rules, or signatures to network and endpoint security solutions—firewalls, IDS/IPS, Web proxies, advanced malware protection, etc.—or other devices via API. This includes signatures and observables taken from RIOs or Finished Intelligence. Actions are configured and automated based on user-defined parameters. Users get more from existing security investments by integrating their tools, teams and workflows through standard interfaces and an SDK/API for customization.

Use Cases


Flashpoint’s RIOs dataset provides visibility into activities and events extending beyond traditional indicator-based

datasets. Using this data in ThreatQ, customers can monitor RIOs associated with illicit online activity and where they

might be exposed accidentally, or by a malicious insider. By correlating this data against internal logs, users have

greater visibility into potential insider threats in their environment and have a greater understanding of potential

insider misuse.


ThreatQ combines, normalizes, and contextualizes threat data from external and internal sources into a threat

library used across the organization. By using the finished intelligence produced by Flashpoint, the integration offers

a “state of the threat” view to assist security personnel in developing and prioritizing intelligence on emerging threats

to the organization. A law firm, for instance, could create alerts about cybercriminals targeting documents held by

law firms, allowing them to mitigate risk of exposure and enhance their security protocols.


The integration supports the scoping and remediation of a breach by correlating artifacts of an investigation with a

Threat Library of related indicators and context. Flashpoint’s Technical Data dataset provides additional context on

malicious infrastructure used for reconnaissance and exfiltration. This additional context provides for better tuning

of the Threat Library to remove noise and enables the network defender and intelligence teams to remediate and

take relevant action to support their business operations.

Integrated Flashpoint Datasets


Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.


Technical Indicators: Enable users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence reports, allowing for seamless integration into users’ workflows and automated tools.

Risk Intelligence Observables (RIOs): Flashpoint leverages its unique access to underground communities to collect and deliver a near real-time stream of cyber observables that can identify illicit activity from inside forums and file-sharing communities focused on cybercrime, hacking, fraud, and extremism/terrorism. These high-fidelity observables include IP addresses, locations (city/ country), hosting providers, timestamps, and user-agent strings.


Compromised Credentials Monitoring - Enterprise (CCM - E): Enables organizations to search and monitor Flashpoint’s unique collections for compromised enterprise accounts and passwords in order to flag accounts, reset employee passwords, and restrict permissions to prevent actors from accessing confidential or personally identifiable information (PII).


Chat Services: Access to around-the-clock conversations within threat-actor channels to monitor and gain insights across threat-actor communities.

Paste Sites: Enables access to openly shared research, data leaks, and other plain-text files frequently used by both anonymous sources and threat actors to share malicious activity, providing a broader view into open web data.


Card Shops: Collection of stolen credit card data found in illicit high-end credit card shops, compromised from a variety of operations - including dumps from Point-of-Sale (POS) compromises, or credit cards from Card Not Present transactions. Users are provided credit card data including BIN numbers and various card details including country location and expiration dates.

Did this answer your question?