Threat Intelligence

Tangate includes threat intelligence from curated open-source feeds, ingested nightly and distributed as global rules to all instances.

What's Covered

The threat intelligence pipeline provides rules covering:

  • Botnet C2 infrastructure — IP addresses of known command-and-control servers
  • Compromised hosts — IPs identified as compromised or actively attacking
  • Malicious user agents — Bot signatures, scraping tools, and exploit kits
  • Attack URI/query patterns — SQL injection, path traversal, and code injection signatures

Current Rule Count

The global ruleset contains hundreds of rules across multiple threat categories, updated nightly. Rule counts fluctuate as new threats are added and stale indicators expire: a rule that no configured source has reported for 7 days is automatically removed, so a rule's presence in the ruleset means a feed has reported that indicator within the last week.

Update Frequency

The threat intelligence pipeline runs nightly on the Tangate operations infrastructure:

  1. Fetch: Pull latest data from all configured sources
  2. Normalize: Convert to a common schema with type, value, reason, source, and confidence
  3. Deduplicate: Same indicator from multiple sources retains the highest confidence score
  4. Diff: Compare against current global rules in Tangate
  5. Push: Add new rules, remove expired rules (not seen in 7 days)
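The five steps above, as an added worked example (not Tangate's own pipeline code): two constructed feeds are normalized onto the common schema, deduplicated so the highest confidence wins, diffed against a constructed stored ruleset, and expired after 7 days. The raw feed field names and the per-rule last_seen bookkeeping are assumptions made for this example; the page documents neither.

```python
from datetime import datetime, timedelta, timezone

# Indicators that no source has reported for this long are dropped (step 5).
EXPIRY = timedelta(days=7)


def normalize(source, raw_entries):
    """Step 2: map one source's entries onto the common schema
    (type, value, reason, source, confidence). The raw field names used
    here are an assumption for this example, not a real feed format."""
    return [
        {
            "type": e["type"],
            "value": e["value"].strip(),
            "reason": e.get("reason", "unspecified"),
            "source": source,
            "confidence": float(e.get("confidence", 0.5)),
        }
        for e in raw_entries
    ]


def deduplicate(rules):
    """Step 3: the same (type, value) seen from several sources keeps the
    copy with the highest confidence score."""
    best = {}
    for r in rules:
        key = (r["type"], r["value"])
        if key not in best or r["confidence"] > best[key]["confidence"]:
            best[key] = r
    return best


def diff_and_expire(current, fresh, now):
    """Steps 4 and 5. `current` is the stored global ruleset keyed by
    (type, value); each stored rule carries 'added' plus a 'last_seen'
    timestamp (last_seen is assumed bookkeeping, not a documented field).
    `fresh` is the output of deduplicate(). Returns
    (rules_to_add, rules_to_remove, next_state)."""
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    to_add, to_remove, next_state = [], [], {}
    for key, rule in fresh.items():
        if key in current:
            kept = dict(current[key])   # preserve the original 'added'
            kept.update(rule)           # take tonight's reason/source/confidence
            kept["last_seen"] = stamp
            next_state[key] = kept
        else:
            new = dict(rule, added=stamp, last_seen=stamp)
            next_state[key] = new
            to_add.append(new)
    for key, rule in current.items():
        if key in fresh:
            continue
        last_seen = datetime.strptime(rule["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        last_seen = last_seen.replace(tzinfo=timezone.utc)
        if now - last_seen >= EXPIRY:
            to_remove.append(rule)      # not seen in 7 days: expire
        else:
            next_state[key] = rule      # absent tonight, but not stale yet
    return to_add, to_remove, next_state


def run_nightly_example():
    """Drive the pipeline over constructed sample feeds and a constructed
    stored ruleset; every indicator here is made up for illustration."""
    now = datetime(2026, 3, 4, tzinfo=timezone.utc)
    feeds = {
        "feed-a": [
            {"type": "ip", "value": "1.2.3.4", "reason": "Botnet C2 infrastructure", "confidence": 0.7},
            {"type": "cidr", "value": "203.0.113.0/24", "reason": "Compromised hosts", "confidence": 0.6},
        ],
        "feed-b": [
            {"type": "ip", "value": "1.2.3.4 ", "reason": "Botnet C2 infrastructure", "confidence": 1.0},
            {"type": "user_agent", "value": "sqlmap", "reason": "Malicious user agent", "confidence": 0.9},
        ],
    }
    fresh = deduplicate(r for src, raw in feeds.items() for r in normalize(src, raw))
    current = {
        ("ip", "1.2.3.4"): {"type": "ip", "value": "1.2.3.4", "reason": "Botnet C2 infrastructure",
                            "source": "feed-a", "confidence": 0.7,
                            "added": "2026-02-01T00:00:00Z", "last_seen": "2026-03-03T00:00:00Z"},
        ("ip", "198.51.100.9"): {"type": "ip", "value": "198.51.100.9", "reason": "Compromised host",
                                 "source": "feed-a", "confidence": 0.8,
                                 "added": "2026-02-10T00:00:00Z", "last_seen": "2026-02-24T00:00:00Z"},
        ("ip", "192.0.2.7"): {"type": "ip", "value": "192.0.2.7", "reason": "Compromised host",
                              "source": "feed-b", "confidence": 0.8,
                              "added": "2026-02-20T00:00:00Z", "last_seen": "2026-03-01T00:00:00Z"},
    }
    return diff_and_expire(current, fresh, now)


if __name__ == "__main__":
    added, removed, state = run_nightly_example()
    print("add:", [r["value"] for r in added])
    print("remove:", [r["value"] for r in removed])
    print("rules now:", len(state))
```

Two details matter in practice: 1.2.3.4 arrives from both feeds, and the copy with confidence 1.0 wins while the stored rule's original added timestamp is preserved; 198.51.100.9 was last reported 8 days ago, so it is removed, whereas 192.0.2.7 (3 days) survives tonight's run even though no feed mentioned it.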

How Threat Intel Rules Flow to Your Instance

Threat Intel Sources
    │
    ▼
Nightly Fetch + Push
    │
    ▼
Tangate Global Rules (S3 + CloudFront)
    │
    ▼
Deckard Analysis Lambda (hourly)
    │
    ├─ Fetch global.json (no auth, public)
    ├─ Fetch elevated.json (if enabled)
    ├─ Merge with instance + local rules
    │
    ▼
Updated Blocklist (your S3)
    │
    ▼
Lambda@Edge (5-min cache refresh)

Your Deckard instance fetches global rules from Tangate's rules CDN every hour. The rules CDN has a 1-hour cache TTL, matching Deckard's fetch interval. Combined with the 5-minute Lambda@Edge cache refresh, this means a rule pushed by the nightly run can take up to roughly two hours to be enforced at the edge: up to an hour for the CDN cache to expire, up to an hour until the next Deckard fetch, then up to 5 minutes for the edge cache. Note that global.json is served without authentication, so the global ruleset should be treated as public information; only elevated.json requires the instance API key.

Elevated Protection

Elevated protection provides additional threat intelligence beyond the standard global ruleset. Enable it by setting ElevatedProtection=true in the CloudFormation parameters.

Elevated rules are served at /v1/rules/elevated.json and require instance API key authentication.

Rule Schema

Each threat intelligence rule follows this schema:

{
  "value": "1.2.3.4",
  "type": "ip",
  "reason": "Botnet C2 infrastructure",
  "source": "threat-intel",
  "confidence": 1.0,
  "added": "2026-03-04T00:00:00Z"
}

Field        Description
value        The IP, CIDR, user agent pattern, or query pattern to block
type         One of: ip, cidr, user_agent, query_pattern
reason       Human-readable description of why this is blocked
source       Feed source identifier
confidence   Score from 0.0 to 1.0 indicating confidence level
added        ISO 8601 timestamp when the rule was added
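As an added example (not Deckard's own matching code), the following validates rules against the schema above and evaluates each of the four rule types against an incoming request. It assumes that user_agent and query_pattern values are regular expressions, that query_pattern is applied to the request path plus query string (the page only says "attack URI/query patterns"), that a request is represented as a simple dict rather than the Lambda@Edge event format, and that a rule failing validation is skipped rather than trusted. All rule values and requests are constructed.

```python
import ipaddress
import re
from datetime import datetime

RULE_TYPES = ("ip", "cidr", "user_agent", "query_pattern")
REQUIRED = ("value", "type", "reason", "source", "confidence", "added")


def validate_rule(rule):
    """Return a list of schema problems (empty list means the rule is well-formed).
    Pattern values are assumed to be regular expressions; the page does not
    state which pattern syntax the project uses."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in rule]
    if problems:
        return problems
    t, v = rule["type"], rule["value"]
    if t not in RULE_TYPES:
        problems.append(f"unknown type: {t}")
    else:
        try:
            if t == "ip":
                ipaddress.ip_address(v)
            elif t == "cidr":
                ipaddress.ip_network(v, strict=False)
            else:
                re.compile(v)
        except (ValueError, re.error) as exc:
            problems.append(f"bad value for {t}: {exc}")
    c = rule["confidence"]
    if isinstance(c, bool) or not isinstance(c, (int, float)) or not 0.0 <= c <= 1.0:
        problems.append(f"confidence out of range: {c!r}")
    try:
        datetime.fromisoformat(str(rule["added"]).replace("Z", "+00:00"))
    except ValueError:
        problems.append(f"added is not ISO 8601: {rule['added']!r}")
    return problems


def rule_matches(rule, request):
    """Evaluate one rule against a request dict with client_ip, user_agent,
    uri and query (a constructed shape, not the Lambda@Edge event format).
    query_pattern is applied to the path plus query string (assumption)."""
    t, v = rule["type"], rule["value"]
    if t == "ip":
        return ipaddress.ip_address(request["client_ip"]) == ipaddress.ip_address(v)
    if t == "cidr":
        return ipaddress.ip_address(request["client_ip"]) in ipaddress.ip_network(v, strict=False)
    if t == "user_agent":
        return re.search(v, request.get("user_agent", ""), re.IGNORECASE) is not None
    if t == "query_pattern":
        target = request.get("uri", "") + "?" + request.get("query", "")
        return re.search(v, target, re.IGNORECASE) is not None
    return False


def first_block(rules, request):
    """Return the highest-confidence matching rule, or None. Rules that fail
    validation are skipped rather than trusted (assumed policy)."""
    for r in sorted(rules, key=lambda r: -r["confidence"]):
        if not validate_rule(r) and rule_matches(r, request):
            return r
    return None


# Constructed sample ruleset in the documented schema (every value is made up).
SAMPLE_RULES = [
    {"value": "1.2.3.4", "type": "ip", "reason": "Botnet C2 infrastructure",
     "source": "threat-intel", "confidence": 1.0, "added": "2026-03-04T00:00:00Z"},
    {"value": "203.0.113.0/24", "type": "cidr", "reason": "Compromised hosts",
     "source": "threat-intel", "confidence": 0.8, "added": "2026-03-04T00:00:00Z"},
    {"value": r"sqlmap|nikto", "type": "user_agent", "reason": "Malicious user agent",
     "source": "threat-intel", "confidence": 0.9, "added": "2026-03-04T00:00:00Z"},
    {"value": r"(\.\./){2,}|union\s+select", "type": "query_pattern",
     "reason": "Path traversal / SQL injection", "source": "threat-intel",
     "confidence": 0.9, "added": "2026-03-04T00:00:00Z"},
    # Deliberately malformed: "domain" is not one of the four documented types.
    {"value": "evil.example", "type": "domain", "reason": "not a documented type",
     "source": "threat-intel", "confidence": 0.9, "added": "2026-03-04T00:00:00Z"},
]


def example_decisions():
    """Run constructed requests through the sample ruleset and report which
    rule type, if any, blocked each one."""
    requests = {
        "c2_ip": {"client_ip": "1.2.3.4", "user_agent": "curl/8.0", "uri": "/", "query": ""},
        "compromised_range": {"client_ip": "203.0.113.77", "user_agent": "Mozilla/5.0", "uri": "/", "query": ""},
        "scanner_ua": {"client_ip": "198.51.100.5", "user_agent": "sqlmap/1.7", "uri": "/login", "query": ""},
        "sqli": {"client_ip": "198.51.100.5", "user_agent": "Mozilla/5.0", "uri": "/item",
                 "query": "id=1 UNION SELECT password FROM users"},
        "clean": {"client_ip": "198.51.100.5", "user_agent": "Mozilla/5.0", "uri": "/item", "query": "id=1"},
    }
    decisions = {}
    for name, req in requests.items():
        hit = first_block(SAMPLE_RULES, req)
        decisions[name] = hit["type"] if hit else None
    return decisions


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name}: {'blocked by ' + decision if decision else 'allowed'}")
```

Validating before matching is the practitioner's safeguard here: a feed that ships an unknown type, an unparsable CIDR, or a confidence outside 0.0 to 1.0 should fail closed for that rule rather than silently match nothing or, worse, match everything.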

Next Steps