Indicators of compromise correlated in real time: IPs, domains, hashes, certificates, malicious URLs. Continuous update.
Twelve years of sovereign CTI — 3 million attacks stopped every month
Since 2014, SYLink has operated a Cyber Threat Intelligence platform integrated with all its DPI probes, EDR agents and managed services. We analyze 30 PB of network traffic every month across 1,200+ customer perimeters, stop 3 million attacks pre-impact every month, and continuously feed a library of IOCs, CVEs, MITRE TTPs and YARA / Sigma rules exposed via a secure API.
Cyber Threat Intelligence operated from Clermont-Ferrand since 2014
Network traffic collected and analyzed across the entire supervised fleet
Attempts blocked in pre-impact, every month, on customer perimeters
A living CTI base, operated 24/7 by our French analysts
Four indicators sum up the depth of our Threat Intelligence — each updated continuously, exposed via secure API, and instantly propagated to your protected fleet.
Vulnerabilities tracked from disclosure to remediation. Mapping to your assets via Vizu CAASM, alerts prioritized by exploitability.
Coverage of the MITRE framework — from reconnaissance to persistence to exfiltration. Every detection mapped to a known TTP.
Behavioral signature library exposed via secure API for SIEM, EDR, SOAR integration — mTLS auth + rotating API key.
Cyber Threat Intelligence is only worth what feeds it — and the jurisdiction governing it
SYLink's sovereign Cyber Threat Intelligence is neither yet another feed nor resold OSINT. It is a complete cyber-intelligence chain (collection, qualification, correlation, dissemination) operated from France since 2014: thirty petabytes of network traffic analyzed every month, three million attack attempts blocked pre-impact, twelve million indicators of compromise correlated in real time. These volumes don't come from a lab; they come from real production on 1,200+ customer perimeters, from medical practice to ministry.
A useful CTI has three non-negotiable properties. Signal quality: deduplication, enrichment, scoring by our SYLink AI engine — you receive a qualified IOC, not a raw hash. Propagation velocity: less than two minutes between detection of a new threat and automatic push to your firewalls, DPI probes and EDR agents. Chain sovereignty: code, datacenters, teams, contracts — all in France, beyond the reach of extra-territorial laws (Cloud Act, FISA), GDPR-compliant and NIS2-transposed.
On scope, our base covers everything an analyst handles: indicators of compromise (IPs, domains, MD5 / SHA-256 hashes, X.509 certificates, malicious URLs), CVE vulnerabilities with CVSS mapping and real exploitability observed across the fleet, MITRE ATT&CK techniques from reconnaissance to exfiltration, and YARA and Sigma behavioral rules exposed via secure API for direct integration into your SIEM (Splunk, Elastic, IBM QRadar, Microsoft Sentinel) or SOAR (Cortex XSOAR, Splunk SOAR).
For threat-hunting teams, SYLink CTI feeds MITRE-driven hypotheses across five years of DPI storage compressed 1:350. For SMB, mid-market and local-authority CISOs, it cuts SIEM noise by prioritizing on sector context. For MSPs / MSSPs, it is consumed pay-per-use and multi-tenant, with transparent rebilling. For OIV / OSE and sovereign actors, the engine can be deployed on-premise and air-gapped, with signed models, updates delivered through controlled channels and no cloud callback.
This machinery serves a simple goal: turn an ocean of raw events into actionable defense decisions — automatically when technically safe, under analyst validation when the stakes warrant it. That's what we call a living CTI: a base you query, that queries your infrastructure, and that knows how to defend itself against known campaigns while your teams focus on truly ambiguous weak signals.
Multi Sources → SYLink AI engine → API
A three-stage chain: multi-source collection correlates OSINT, SYLink production sensors and deep / dark-web watch; the SYLink AI engine qualifies and enriches each indicator; the secure API disseminates in real time to your defenses and third-party tools.
- Customer DPI probes: 30 PB / month
- Sovereign honeypots: FR + EU
- CERT-FR / NATO / Armed Forces partnerships: TLP-CLEAR / GREEN
- OSINT & commercial feeds: MISP, OTX, abuse.ch
- Deep & dark web: 58 VIP modules
- Internal threat hunters: MITRE-driven
- Deduplication & CIM normalization
- Attacker-context enrichment
- Scoring by real exploitability
- MITRE ATT&CK + CVE mapping
- Weak-signal correlation
- Rule signing & versioning
- REST · OpenAPI 3.1: JSON
- Webhook push: TLS 1.3
- STIX 2.1 / TAXII: MISP
- SIEM / SOAR connectors: Splunk, Elastic, QRadar
- DPI / EDR / Box push: native SYLink
- mTLS audit trail: PASSI format
From collection to your defense, in under two minutes
Four industrialized steps, operated in French datacenters: no third-party cloud, no callback outside the EU, no human delay in the propagation loop.
Sovereign multi-source collection
Customer DPI probes, distributed honeypots, CERT-FR / NATO / Armed Forces partnerships, OSINT and commercial feeds, deep & dark web, all centralized in French datacenters.
Enrichment by SYLink AI
SYLink AI models qualify, deduplicate and correlate indicators. Noise reduction, prioritization by customer business context.
Real-time dissemination
Automatic push to fleet DPI probes, EDR, firewalls. Your defenses update with no human intervention, in under 2 minutes.
Secure integration API
REST + Webhook endpoint to connect your SIEM (Splunk, Elastic, QRadar), SOAR or third-party EDR. Full quotas and audit trail.
Six correlated channels, zero foreign dependency
SYLink production sensors
DPI Pro / Mini / VM probes deployed on 1,200+ customers: 30 PB of streams / month, the equivalent of 6 billion sessions analyzed every day.
Distributed sovereign honeypots
High and low-interaction honeypot network on French and European infrastructure — early detection of campaigns targeting French speakers.
Institutional partnerships
Bilateral exchanges with CERT-FR, NATO / Armed Forces, sectoral CERTs (health, energy, finance) and regional CSIRTs, with IOCs shared under TLP-CLEAR / GREEN.
OSINT & commercial feeds
CIRCL, MISP, AlienVault OTX, abuse.ch feeds, enriched and correlated. Complementary commercial sourcing for VIP perimeters.
Deep & dark web
Permanent monitoring of criminal marketplaces, hacktivist forums, Telegram channels, ransomware leak sites — 58 modules for VIP watch.
Internal hunting
SYLink threat hunters dedicated to chasing weak signals on the fleet. MITRE-driven hypotheses, exploration on 5 years of DPI storage.
SYLink CTI in the field
Six recurring scenarios drawn from our daily activity — CISOs, SOCs, MSPs, threat-hunting teams.
Early detection of a targeted campaign
A new ransomware family appears on a leak site. In under 30 minutes, its IOCs are pushed to all fleet DPI probes — your defenses block it before it reaches your customers.
Smart customer SIEM triage
Your SIEM raises 50,000 alerts / day. The SYLink CTI API enriches them with attacker context (TTP, kill chain, victimology) — your analysts prioritize the 50 real threats.
Threat-driven patch management
A 9.8 CVE is disclosed. The CTI service crosses your Vizu inventory and reports the 23 affected assets — including 4 truly exploitable from the outside. Targeted patching, not generalized panic.
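The scenario above amounts to a join between the CTI vulnerability feed and the asset inventory, weighted by exposure. As an added illustration (not SYLink's code, and not the Vizu CAASM data model, which the page does not describe), the Python below assumes a minimal feed record (CVSS, attack vector, first fixed version, whether exploitation was actually seen in the fleet) and a minimal inventory row (product, version, Internet exposure), then ranks each affected asset P1 to P3 so that "affected" and "truly exploitable from the outside" come out as two different numbers. The feed, the inventory and the placeholder CVE numbers are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One entry of an assumed CTI vulnerability feed."""
    cve: str
    cvss: float
    product: str               # vendor/product key shared with the inventory
    fixed_in: str              # first patched version; older versions are affected
    attack_vector: str         # CVSS AV: "network" or "local"
    exploited_in_fleet: bool   # exploitation actually observed, not merely a public PoC


@dataclass(frozen=True)
class Asset:
    """One row of an assumed inventory export."""
    name: str
    product: str
    version: str
    internet_facing: bool


def version_key(version):
    """Numeric dotted-version ordering: '7.0.9' < '7.0.12' < '7.1'. Suffixes like '-rc1' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(asset, vuln):
    return asset.product == vuln.product and version_key(asset.version) < version_key(vuln.fixed_in)


def reachable(asset, vuln):
    """Exploitable from outside: an exposed asset and a network attack vector."""
    return asset.internet_facing and vuln.attack_vector == "network"


def priority(asset, vuln):
    """P1: reachable and exploited in the wild; P2: one of the two; P3: affected only."""
    if reachable(asset, vuln) and vuln.exploited_in_fleet:
        return "P1"
    if reachable(asset, vuln) or vuln.exploited_in_fleet:
        return "P2"
    return "P3"


def prioritize(feed, inventory):
    """Cross the feed with the inventory: one summary per CVE that touches an asset, most urgent first."""
    report = []
    for vuln in feed:
        affected = [a for a in inventory if is_affected(a, vuln)]
        if not affected:
            continue  # disclosed, but nothing to patch here
        report.append({
            "cve": vuln.cve,
            "cvss": vuln.cvss,
            "affected": len(affected),
            "externally_reachable": sum(1 for a in affected if reachable(a, vuln)),
            "assets": sorted((priority(a, vuln), a.name) for a in affected),
        })
    report.sort(key=lambda r: (r["assets"][0][0], -r["cvss"]))  # best priority first, then CVSS
    return report


# Constructed feed and inventory; CVE numbers and product names are placeholders.
SAMPLE_FEED = [
    Vuln("CVE-0000-0001", 9.8, "acme/vpn-gateway", "7.0.12", "network", True),
    Vuln("CVE-0000-0002", 7.8, "acme/endpoint-agent", "2.4.0", "local", False),
    Vuln("CVE-0000-0003", 9.1, "acme/mail-relay", "3.2.0", "network", True),  # product not deployed
]
SAMPLE_INVENTORY = [
    Asset("vpn-edge-1", "acme/vpn-gateway", "7.0.9", True),
    Asset("vpn-edge-2", "acme/vpn-gateway", "7.0.12", True),   # already patched
    Asset("vpn-edge-3", "acme/vpn-gateway", "7.0.11", True),
    Asset("vpn-lab", "acme/vpn-gateway", "6.4.3", False),
    Asset("ws-001", "acme/endpoint-agent", "2.3.1", False),
    Asset("ws-002", "acme/endpoint-agent", "2.4.1", False),
    Asset("jump-1", "acme/endpoint-agent", "2.3.9", True),     # exposed, but the CVE is local-only
    Asset("db-1", "other/database", "1.0", False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FEED, SAMPLE_INVENTORY):
        print(row["cve"], row["cvss"], "affected:", row["affected"],
              "reachable:", row["externally_reachable"], row["assets"])
```

Note that jump-1 is Internet-facing yet lands in P3: a local-only attack vector does not become remotely exploitable because the host is exposed. version_key deliberately ignores pre-release suffixes; if the inventory exports versions such as 7.0.12-rc1, use a proper version parser (packaging.version, for instance) together with the vendor's affected-range data rather than a single "fixed in" version.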
MITRE-driven threat hunting
Your analysts formulate a hypothesis (T1078 Valid Accounts). SYLink CTI provides the related IOCs and Sigma rules — the hunt moves from hypothesis to evidence in hours.
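To make the hunting loop concrete, here is an added example (not a rule from SYLink's library) of a constructed Sigma-style rule for the T1078 hypothesis, plus a minimal evaluator for the subset of Sigma the rule uses: the contains / startswith / endswith modifiers, value lists as OR, and and/or/not conditions with parentheses. Real deployments convert Sigma with pySigma or sigma-cli into the SIEM's own query language; the evaluator only shows what the rule asserts, run against a handful of constructed Windows Security logon events.

```python
import re

# Constructed Sigma-style rule for a T1078 hunt hypothesis: "a service account
# opened a network or RDP logon from somewhere other than the server VLANs or the
# jump host". Illustrative syntax, not a rule from any vendor feed.
T1078_RULE = {
    "title": "Service account network logon from unexpected source",
    "tags": ["attack.persistence", "attack.t1078"],
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 4624,
            "LogonType": [3, 10],               # network or RemoteInteractive (RDP)
            "TargetUserName|startswith": "svc_",
        },
        "filter_server_vlan": {"IpAddress|startswith": ["10.10.", "10.20."]},
        "filter_jump_host": {"WorkstationName": "JUMP-01"},
        "condition": "selection and not (filter_server_vlan or filter_jump_host)",
    },
}


def _match_value(modifier, actual, expected):
    """Sigma string matching is case-insensitive; only the common modifiers are supported."""
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection, event):
    """Every field of a selection must match (AND); a list of values is an OR."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event[field], v) for v in values):
            return False
    return True


def _evaluate(condition, results):
    """Recursive-descent evaluation of and / or / not / parentheses over selection results.
    Aggregations such as '1 of selection_*' are out of scope."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():  # expr := term ('or' term)*
        nonlocal pos
        value = term()
        while peek() == "or":
            pos += 1
            rhs = term()
            value = value or rhs
        return value

    def term():  # term := factor ('and' factor)*
        nonlocal pos
        value = factor()
        while peek() == "and":
            pos += 1
            rhs = factor()
            value = value and rhs
        return value

    def factor():  # factor := 'not' factor | '(' expr ')' | NAME
        nonlocal pos
        tok = peek()
        pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if peek() != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        if tok in results:
            return results[tok]
        raise ValueError(f"unknown selection: {tok!r}")

    value = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def run_rule(rule, events):
    """Return the events matched by the rule's detection block."""
    detection = rule["detection"]
    selections = {name: sel for name, sel in detection.items() if name != "condition"}
    hits = []
    for event in events:
        results = {name: _match_selection(sel, event) for name, sel in selections.items()}
        if _evaluate(detection["condition"], results):
            hits.append(event)
    return hits


# Constructed Security 4624 / 4625 events, already parsed into fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.10.4.7", "WorkstationName": "SRV-BK-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.55.9.3", "WorkstationName": "WS-0412"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "SVC_SQL", "IpAddress": "172.16.8.22", "WorkstationName": "DEV-LAPTOP"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "svc_sql", "IpAddress": "127.0.0.1", "WorkstationName": "SRV-SQL-01"},
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "172.16.8.22", "WorkstationName": "DEV-LAPTOP"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "192.168.100.5", "WorkstationName": "JUMP-01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "j.doe", "IpAddress": "10.55.9.3", "WorkstationName": "WS-0412"},
]
```

Of the seven events, only two survive: an RDP logon of svc_backup from a user workstation and a network logon of SVC_SQL from a developer laptop (case-insensitive matching catches the upper-case account). The console logon, the failed logon, the server-VLAN source and the jump host are all discarded by the selection or the filters, which is exactly the evidence the hypothesis was looking for.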
Brand watch & VIP monitoring
Dark-web monitoring for your brands and executives: leaked credentials, mentions in criminal channels, phishing kits mimicking your site — alerts qualified by our analysts.
Sovereign reporting for the committee
Monthly CTI report for your CISO / CEO: top sectoral threats, brand exposure, comparison with your industry. 100% French, enforceable data.
Where SYLink CTI applies automatically
Indicators and rules are propagated in under 2 minutes to the entire SYLink stack — and exposed via API to your third-party tools.
- SYLink Box / Mini / Pro firewalls: IOC push, DPI signatures, custom rules.
- DPI Pro / Mini / VM probes: 35,000 signatures, 2,500 applications, 520 protocols.
- SYLink EDR agent: endpoint YARA rules, file / registry / network IOCs, malware hashes.
- SYLink Leaks (12 / 28 / 58 modules): brand watch, credential leaks, executives, deep / dark web.
- Third-party SIEM / SOAR via API: Splunk, Elastic, QRadar, Sentinel, Cortex XSOAR (REST + Webhook).
- Sovereign UniSOC: full CTI stack native in the SYLink AI SOC, at no extra cost.
Four formulas — from free trial to sovereign deployment
The SYLink CTI API is consumed by profile: pay-per-use per request for MSPs, unlimited flat rate for internal SOCs, or air-gapped on-premise deployment for sovereign actors. All tiers expose the same indicators and rules; only volume, availability and governance change.
To evaluate the SYLink CTI API with your real use cases and measure signal quality.
- 1,000 requests / day
- IOCs, CVE, MITRE TTPs — read access
- REST endpoint + API key
- Postman / OpenAPI documentation
- Community support
For MSPs / integrators: variable volume by customer fleet, transparent rebilling.
- Adjustable monthly quota (10k → 10M req)
- Tiered degressive pricing
- Real-time webhook push
- Multi-tenant for MSPs
- 99.9% SLA · 8/5 support
For internal SOC, mid-market, large administrations: uncapped volume, dedicated environment.
- Unlimited requests + Webhook
- STIX / TAXII 2.1 + MISP
- Dedicated tenant, IP whitelist
- 5-year historical feed
- 99.99% SLA · 24/7 support
For OIV / OSE / sovereign: SYLink AI CTI engine deployed in your datacenter, no cloud callback.
- Air-gap deployment possible
- SYLink AI models included
- Signed updates via controlled channel
- Full audit trail, PASSI format
- MCO / MCS by cleared teams
REST OpenAPI 3.1 · Webhook TLS 1.3 · STIX 2.1 / TAXII · MISP · Splunk · Elastic Stack · IBM QRadar · Microsoft Sentinel · Cortex XSOAR · Splunk SOAR · MITRE ATT&CK Navigator · Sigma · YARA
Sovereign Cyber Threat Intelligence — your questions
What is SYLink Cyber Threat Intelligence (CTI)?
SYLink Cyber Threat Intelligence is a sovereign cyber intelligence service that aggregates, qualifies and disseminates in real time the indicators of compromise (IOCs), vulnerabilities (CVE), MITRE ATT&CK attack techniques and YARA / Sigma detection rules observed across the French and European ecosystem. Operated from Clermont-Ferrand since 2014, it continuously feeds all SYLink DPI probes, EDR agents and managed services.
What's the difference between SYLink CTI and a public OSINT feed?
A public OSINT feed aggregates indicators without qualifying them, with no business context and no automatic propagation. SYLink CTI combines OSINT, SYLink production sensors (30 PB of streams / month on 1,200+ customers), sovereign honeypots, CERT-FR partnerships and internal threat hunting. Each indicator is enriched by our SYLink AI models, deduplicated, scored, and propagated in under 2 minutes to your defenses.
How do I integrate the SYLink CTI API into my SIEM?
The SYLink CTI API exposes a REST endpoint authenticated by API key or mTLS, plus a Webhook channel for real-time push. Native connectors are available for Splunk, Elastic Stack, IBM QRadar, Microsoft Sentinel and Cortex XSOAR. STIX 2.1 / TAXII export and MISP compatibility are included in Unlimited and On-premise offers.
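The page gives no JSON schema for the REST endpoint, but STIX 2.1 is a public standard, so the consumer side of the STIX / TAXII channel can be shown concretely. The Python below is an added example, not SYLink's code: it reads a STIX 2.1 bundle (as returned by a TAXII 2.1 poll or delivered by the webhook), keeps only live indicators with exact-match patterns, and correlates them against a batch of already-normalized SIEM events, returning hits enriched with the indicator's name, confidence and ATT&CK kill-chain phase, which is the triage step described in the "Smart customer SIEM triage" scenario above. The bundle, the event field names and the events are constructed; addresses are RFC 5737 documentation ranges and the hash is made up.

```python
import json
import re
from datetime import datetime

# STIX Cyber-observable (type, property path) pairs that carry an atomic IOC,
# mapped to the category used when matching events.
STIX_PROPERTY_TO_CATEGORY = {
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.MD5"): "md5",
    ("file", "hashes.'SHA-256'"): "sha256",
}
# One '=' comparison inside a STIX pattern, e.g. [file:hashes.'SHA-256' = 'ab..'].
# MATCHES / LIKE / != comparisons are not atomic IOCs and are left alone.
_EQUALITY = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")
# Assumed normalized event schema: which event field is checked against which category.
EVENT_FIELDS = {"src_ip": "ip", "dst_ip": "ip", "query": "domain", "host": "domain",
                "url": "url", "sha256": "sha256", "md5": "md5"}


def _parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _normalize(category, value):
    return value if category == "url" else value.lower()  # URL paths are case-sensitive


def load_indicators(bundle_json, now=None):
    """{category: {value: metadata}} for the live indicators of a STIX 2.1 bundle;
    `now` (RFC 3339) additionally drops indicators whose valid_until has passed."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma / yara / snort patterns are rules, not blocklist entries
        if now and "valid_until" in obj and _parse_ts(obj["valid_until"]) <= _parse_ts(now):
            continue  # expired
        if re.search(r"\bNOT\b", obj["pattern"]):
            continue  # a negated observable cannot become a blocklist entry
        meta = {"id": obj["id"], "name": obj.get("name", ""),
                "confidence": obj.get("confidence", 0),
                "phases": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                           if p.get("kill_chain_name") == "mitre-attack"]}
        for stix_type, path, value in _EQUALITY.findall(obj["pattern"]):
            category = STIX_PROPERTY_TO_CATEGORY.get((stix_type, path))
            if category is not None:
                iocs.setdefault(category, {})[_normalize(category, value)] = meta
    return iocs


def match_events(events, iocs):
    """One enriched hit per (event, field) equal to a live IOC, highest confidence first."""
    hits = []
    for event in events:
        for field_name, category in EVENT_FIELDS.items():
            value = event.get(field_name)
            meta = iocs.get(category, {}).get(_normalize(category, str(value))) if value else None
            if meta is not None:
                hits.append({"event": event["id"], "field": field_name, "value": value,
                             "indicator": meta["id"], "name": meta["name"],
                             "confidence": meta["confidence"], "phases": meta["phases"]})
    hits.sort(key=lambda h: h["confidence"], reverse=True)
    return hits


def _indicator(n, name, pattern, confidence, phase, **extra):
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": "2025-01-01T00:00:00.000Z", "modified": "2025-01-01T00:00:00.000Z",
           "name": name, "pattern": pattern, "pattern_type": "stix",
           "valid_from": "2025-01-01T00:00:00Z", "confidence": confidence,
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": phase}]}
    obj.update(extra)
    return obj


# Constructed bundle standing in for a TAXII poll or webhook payload: RFC 5737 addresses,
# reserved example domains and a made-up hash, not real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "C2 server", "[ipv4-addr:value = '203.0.113.10']", 85, "command-and-control"),
        _indicator(2, "Dropper domain", "[domain-name:value = 'update.example.net']", 70,
                   "command-and-control", valid_until="2025-06-30T00:00:00Z"),
        _indicator(3, "Loader binary", "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']", 90, "execution"),
        _indicator(4, "Phishing kit", "[url:value = 'http://203.0.113.44/kit/login.php'] OR "
                   "[domain-name:value = 'login-secure.example.org']", 60, "initial-access"),
        _indicator(5, "Withdrawn C2", "[ipv4-addr:value = '192.0.2.99']", 80, "command-and-control", revoked=True),
        _indicator(6, "Kit path regex", "[url:value MATCHES '.*/kit/.*\\\\.php']", 50, "initial-access"),
        {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000099",
         "created": "2025-01-01T00:00:00.000Z", "modified": "2025-01-01T00:00:00.000Z", "name": "Loader"},
    ]})

# Constructed, already-normalized events from DNS, proxy and EDR sources.
SAMPLE_EVENTS = [
    {"id": "dns-1", "src_ip": "10.0.0.15", "query": "update.example.net"},
    {"id": "proxy-1", "src_ip": "10.0.0.21", "dst_ip": "203.0.113.10", "url": "http://203.0.113.10/beacon"},
    {"id": "edr-1", "endpoint": "ws-021", "sha256": "DEADBEEF" * 8},
    {"id": "proxy-2", "src_ip": "10.0.0.33", "dst_ip": "192.0.2.99"},
    {"id": "proxy-3", "src_ip": "10.0.0.40", "dst_ip": "203.0.113.44", "url": "http://203.0.113.44/kit/login.php"},
]
```

Two caveats the code encodes, both worth checking in any feed consumer: revoked, expired and negated indicators never reach the match table (the withdrawn C2 address in proxy-2 produces no hit), and only '=' comparisons become blocklist entries, so a MATCHES regex such as the kit-path pattern has to be compiled into the SIEM's own rule language rather than matched here. Passing `now` makes expiry explicit; without it, the dropper domain is still treated as live.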
Is the Pay-per-use offer suited for MSPs?
Yes. Pay-per-use is designed for MSPs / MSSPs supervising several customers: volume adjustable to fleet, tiered degressive pricing, native multi-tenant, transparent rebilling to the end customer. You only pay actual consumption, with no minimum-volume commitment.
Does my data stay in France?
Yes. The SYLink CTI engine is hosted in our Green IT datacenters in France (Clermont-Ferrand, Unitel and OVH ISO 27032 partnerships). No data leaves European territory. For OIV / OSE / sovereign perimeters, the On-premise option allows full air-gap deployment in your infrastructure, with signed updates via controlled channel.
How many MITRE ATT&CK techniques are covered?
More than 80 techniques of the MITRE ATT&CK framework are covered by our detection rules — from reconnaissance (T1595) to exfiltration (T1041) through initial access, execution, persistence and lateral movement. Every alert raised by our DPI probes or EDR agents is mapped to a MITRE TTP to facilitate threat hunting and investigations.
Want to consume our CTI in your own tools?
30-minute CTI API demo — REST endpoints, JSON schema, quotas, integration examples for Splunk / Elastic / QRadar / Sentinel. 14-day evaluation access.
