Research & Analysis
Threat intelligence engineering, applied cryptography, and security research from the ThreatFight team.
Collective Threat Intelligence Without Revealing Your Watchlist
ISACs are slow. Bilateral sharing doesn't scale. MalCloud's Threat Pool lets organizations contribute anonymized sightings via ZK commitments and see aggregate signals — without exposing what they're tracking.
Push Enriched Threat Intel to Your SIEM in Seconds
MalCloud's SIEM Connector Framework enriches IOCs and pushes them to Elastic, Splunk, Sentinel, Chronicle, or any Syslog/CEF target in real time. No manual import. No CSV uploads. Under 2 seconds from enrichment to SIEM.
Why Your Threat Intelligence Context Doesn't Export
STIX bundles carry nodes and edges. They don't carry the analyst reasoning, confidence history, or provenance chains that make your graph valuable.
ZK Proof-of-Observation: Cryptographic Evidence You Saw It First
MalCloud generates auditable zk-SNARK proofs that an organization observed a threat indicator before it was shared — without revealing the indicator.
Why Self-Hosted Threat Intelligence Matters
Cloud-hosted TIPs create a paradox: you hand your most sensitive threat data to a third party to protect you from third-party risk. Here's the case for keeping intelligence on your infrastructure.
ZK-STIX: Zero-Knowledge Proofs for Threat Intelligence Sharing
Sharing threat indicators means revealing what you're investigating. ZK-STIX uses zero-knowledge proofs to let organizations collaborate on threat intelligence without exposing their watchlists, investigation targets, or defensive posture.
MalCloud vs OpenCTI vs MISP: An Honest Comparison
A technical comparison of three self-hostable threat intelligence platforms — MalCloud, OpenCTI, and MISP — covering architecture, deployment, STIX support, unique capabilities, and where each one is strongest.
Detection-as-Code: Generating Sigma Rules from Threat Intelligence
SOC teams track hundreds of threat actors but maintain a fraction of the detection rules they need. Detection-as-code closes this gap by auto-generating Sigma rules from threat intelligence, mapped through ATT&CK, and compiled to SIEM-native queries.