Help & Getting Started

A granular, step-by-step guide — written so a SOC analyst can use every part of the platform.

1. About this platform

vCISO — Open Threat Intel is a free platform for the security community to share threat intelligence and IOCs, and to watch all the security news, advisories, CVEs and ransomware activity in one window — built so a SOC analyst can monitor the threat landscape without juggling 20 tabs.

It's run by Anil Yellamati. This is a lean, community-driven project — not a heavily-staffed product. If something's broken or missing, please use the Feedback button (bottom-right of every page) to raise a bug or feature request — you'll get a ticket number and we'll address it.

The platform home — a live world map of ransomware victims with security news below.

2. Do I need an account?

  • Browsing is 100% open — Threat Map, vCISO Daily, Recent Victims, the Intel Feed and public Post Intel are all viewable with no login.
  • Sign in (top-right) to contribute: post intel, upload/share IOCs, rate posts, join groups, connect & message people, and get your Personal SIEM Feed key.
  • Sign-in is SSO only: Continue with Google or Continue with LinkedIn. We never store a password; we only read your name, email and avatar, and never post on your behalf.
Sign in with Google or LinkedIn — no passwords.

3. Threat Map (home)

The world map of live ransomware victims, with three news sections below it.

  • Time window (top-right): 24h · 7d · 30d · 90d · All — defaults to 7d.
  • Source toggle: Both sources · ransomware.live · vciso only. “vciso only” = victims our own onion collector found that ransomware.live is missing.
  • Map pins: the number = how many victims in that country. Click a pin → a list of every victim there; click any one to see its detail.
  • Security News — aggregated headlines; click a tile to open the source (via a safe redirect warning).
  • Advisories & CVEs — filter by Vendor/Product and CVSS range (e.g. 9–10 critical, 7–8.9 high…).
  • Ransomware Victims — newest disclosures.
Advisories & CVEs section — filter by vendor/product and CVSS range.

4. vCISO Daily

A once-a-day “Cyber Watch” brief: top stories, a Dark Web & Breach Watch block, and a Ransomware Exposure List by country (with an ANZ callout).

  • Share on LinkedIn — copies the text and opens LinkedIn to paste.
  • Archive dropdown — read previous days' briefs.
The vCISO Daily Cyber Watch brief.

5. Recent Victims (analytics)

Drill-down analytics over ransomware.live + vciso.

  • Filters (all combine as AND): Country · Industry · Threat Actor · Time (24h/48h/7d/30d/90d/1y/All) · Source (Both/r.live/vciso).
  • KPI tiles: Victims · Threat Actors · Countries Hit · Industries Hit — all reflect the active filter.
  • Charts: Victims Over Time, Trend by Top Threat Actors. The Top Threat Actors / Countries / Industries bars are clickable to filter.
  • Map + victim cards with a name/domain search.
Recent Victims — filters, KPIs and charts that all move together.

6. Intel Feed — IOCs & API

What it is: one deduplicated list of IOCs aggregated from many open-source feeds, plus your own uploads, with a no-auth public API to pull them into your tooling.

6.1 Reading the table

Columns: Type · Indicator · Threat · Source Feed · Last Seen. Hover a row → copy the indicator. Type badges are colour-coded (IP red, domain blue, URL orange, hashes purple, email pink, CVE yellow).

6.2 Filtering

  • Type pills: All types · IPv4 · IPv6 · Domain · URL · MD5 · SHA-1 · SHA-256 · Email · CVE.
  • Feed dropdown: All feeds → pick one source.
  • Search box: “Search this page (value, malware, feed)…” (filters the current page).
The deduplicated IOC table with type filters and search.

6.3 Export & pull into your SIEM (no login)

Export buttons: JSON · CSV · TXT (respect your filters; up to 50,000 rows). The on-page Public IOC API needs no auth:

# all IOCs as JSON
GET /api/iocs
# plain blocklist (values only)
GET /api/iocs?format=txt
# only malicious IPs
GET /api/iocs?type=ip&format=txt
# phishing URLs
GET /api/iocs?type=url&threat=phishing
# updated since a date
GET /api/iocs?since=2026-01-01
# pipe IPs straight into a firewall
curl -s "https://vciso.au/api/iocs?type=ip&format=txt"

Params: format, type, threat, feed, since, limit, offset.

The Public IOC API section — copy-paste endpoints, no auth required.
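
Because the API is unauthenticated, its output is best treated as untrusted input before it reaches a firewall. The following is an added example, not the platform's own code; it assumes format=txt returns one value per line, and NEVER_BLOCK, SAMPLE and the function names are hypothetical:

```python
import ipaddress
from urllib.parse import urlencode

API = "https://vciso.au/api/iocs"  # endpoint shown on the page
MAX_ENTRIES = 50_000               # the page's stated export ceiling
# Assumption: ranges you depend on and must never block (example value).
NEVER_BLOCK = [ipaddress.ip_network("8.8.8.0/24")]

# Constructed sample of a format=txt response, including hostile lines.
SAMPLE = "1.2.3.4\n10.0.0.5\n8.8.8.8\n0.0.0.0/0\nexample.com\n1.2.3.4\n"


def feed_url(**params):
    """Build a query URL from the documented params (type, format, since...)."""
    return API + "?" + urlencode(params)


def vet_blocklist(text):
    """Split a blocklist into (accepted, rejected) before it is applied.

    Only single, globally routable addresses outside NEVER_BLOCK pass.
    CIDR entries such as 0.0.0.0/0, hostnames and private ranges are
    rejected with a reason so they can be logged and reviewed.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((line, "not an IP address"))
            continue
        if not ip.is_global:
            rejected.append((line, "not globally routable"))
        elif any(ip in net for net in NEVER_BLOCK):
            rejected.append((line, "inside protected range"))
        else:
            accepted.append(str(ip))
    accepted = list(dict.fromkeys(accepted))  # de-duplicate, keep feed order
    if len(accepted) > MAX_ENTRIES:
        raise ValueError("feed larger than expected; refusing to apply")
    return accepted, rejected
```

Fetch the text from feed_url(type="ip", format="txt") with your HTTP client of choice, pass it to vet_blocklist, and load only the accepted list into the firewall.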

6.4 Customise your feeds (sign in → “Customise”)

  • Default Feed Sources — toggle community feeds on/off (only affects your account).
  • Your Own Feed Sources — add a personal feed: Feed name, URL, and a format (txt_ip, txt_url, csv, json …). MISP/TAXII are admin-only.

6.5 Upload your own IOCs (sign in)

  • “Drop files or click to upload” — accepts TXT / CSV · STIX 2.x · PDF reports (also .json/.ioc/.log).
  • Auto-extraction detects IPs, domains, URLs, hashes, emails, CVEs — and auto-refangs defanged IOCs (1[.]2[.]3[.]4 → 1.2.3.4, hxxp:// → http://).
  • Safety: max 3 MB; files are checked by magic-byte signature, not extension — executables/archives (EXE, ELF, Mach-O, ZIP/RAR/7z…) are rejected. You can't be attacked through an upload.
  • Toggle “Include my uploaded IOCs in the feed list & exports” to merge them into your view.
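
An illustration of the two upload checks described above, signature-based rejection and refanging, written as an added example and not taken from the platform's code. The magic bytes are the well-known signatures of the listed formats; the "(.)" and "[dot]" defang forms and all function names are assumptions beyond the two forms the page shows:

```python
import ipaddress
import re

MAX_UPLOAD = 3 * 1024 * 1024  # 3 MB limit stated on the page
# Well-known leading bytes of the file types the page lists as rejected.
BLOCKED_MAGIC = {
    b"MZ": "EXE",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O (universal)",
    b"PK\x03\x04": "ZIP",
    b"Rar!\x1a\x07": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# "[.]" and "hxxp://" are the page's forms; "(.)" and "[dot]" are assumptions.
REFANG_RULES = [
    (re.compile(r"\bhxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), "."),
]
IPV4_CANDIDATE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def check_upload(data, filename=""):
    """Return (accepted, reason). The filename is ignored on purpose."""
    if len(data) > MAX_UPLOAD:
        return False, "larger than 3 MB"
    for magic, kind in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return False, kind + " signature"
    return True, "ok"


def refang(text):
    for pattern, replacement in REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def extract_ipv4(text):
    """Refang, then keep only candidates that parse as real IPv4 addresses."""
    found = []
    for candidate in IPV4_CANDIDATE.findall(refang(text)):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            pass  # out-of-range octets such as 999.1.1.1
    return found
```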

Note: Intel Feed uploads go to your personal vault. To share IOCs with a group or specific people, use Post Intel (below).

The Customise panel — toggle any of the community feeds on/off for your account.

7. Post Intel — community network

Three sub-tabs: Feed · Network · Messages. Red (N) badges show new connection requests/invites (Network) and unread messages (Messages).

7.1 Posting intel

Click “Share intel — IOCs, a physical threat, an advisory…” to open the composer:

  1. Category: IOC / Indicators · Physical Threat · Cyber Threat · Advisory / CVE · General Intel.
  2. Title — a short summary.
  3. Body — paste IOCs and they're auto-tagged; defanged formats understood. A profanity filter blocks disallowed language (the box turns red).
  4. Tags — comma-separated (e.g. ransomware, lockbit, healthcare).
  5. Attach file (TXT/CSV/STIX/PDF) — IOCs auto-extracted.
  6. Share with: Public (everyone) · Direct (by email — mutual-group contacts auto-suggest) · Group (members only).
  7. Click Post Intel.

On each post you can: rate Useful (1–5★), flag Dubious, comment, and Save N to my feed (pulls those IOCs into your Personal SIEM Feed). Authors show a fidelity badge (avg ★ · credibility %). Click an author's name → profile popup (name, company in brackets, mutual groups, Connect/Message).

Feed controls: scope Everyone · My posts · Shared with me; filter by category; sort Newest · Most useful · Most flagged. Save all to my feed and Auto-save new (subscribe a category/group so new IOCs auto-flow to your SIEM).

The composer — category, title, body (pastes auto-tag IOCs), tags, attach, and Share with Public/Direct/Group. Your groups show on the right.

7.2 Groups

  • + New → name (profanity-checked), optional description, Private (invite-only) or Public (anyone can join) → Create (you become moderator).
  • Join a public group instantly; private groups require an invite you must Accept (under Group invitations) — nobody is force-added.
  • Moderators (shield icon) → “Invite member by email…”, and can remove members.
  • Click a group to filter the feed to it; post with Share with → Group to share IOCs to members only.
Create a group — name, description and Private (invite-only) or Public (anyone can join).

7.3 Network — connections

  • Search people by name…, or see People you may know (group co-members).
  • Connect → request goes pending. They see it under Invitations → Accept / Ignore.
  • Your connections → Message or remove. The red (N) on the Network tab = pending invites + group invites.
Network — search people, see suggestions, send/accept connection requests, and message connections.

7.4 Messages — direct messages

  • You can DM connections and people who share a group with you.
  • Start from Network → Message, or the Messages tab. Enter sends, Shift+Enter = newline. Profanity-filtered, 4,000-char max.
  • Red (N) on Messages = unread count; clears when you open the thread.
Messages — your conversations on the left, the thread on the right. Start one from the Network tab.

8. Profile & Personal SIEM Feed

  • Edit Display name, Company (shown as “Name (Company)”), default feed view, and “include my uploads”.
  • Personal SIEM Feed: Generate feed key → a private always-on URL exposing IOCs you've uploaded/saved, in JSON / TXT / CSV / STIX, plus a TAXII 2.1 connector (Discovery URL, API Root, collections, token). Rotate or Revoke the key anytime — point your SIEM at it, no login needed.
Profile settings, plus the Personal SIEM Feed — generate a key for an always-on JSON/TXT/CSV/STIX + TAXII 2.1 feed.

9. Reporting bugs & requests

Click Feedback (bottom-right, every page). Choose Bug or Feature request, add a title/details, submit → you get a ticket number (BUG-00042 / FR-00042). Since we're lightly staffed, this is the fastest way to reach us.

The Feedback widget — raise a bug or feature request and get a ticket number.

Still stuck? Head back to the Threat Map or hit the Feedback button — we read every ticket.