Team Cymru has introduced a new threat intelligence offering called Total Insights Feed, framing it as a move away from the traditional model of static indicator feeds. According to the company, the new framework combines risk scoring, domain intelligence, and contextual threat data into a single machine-readable stream designed for direct use in security operations workflows.
The company is pointing out that the old model is getting harder to rely on at a time when attackers rotate infrastructure quickly and spread activity across a huge number of IPs and domains. A feed that tells a team an indicator looks suspicious is useful, but it often leaves analysts doing extra work to figure out whether that alert actually matters in their environment. Team Cymru is arguing that this extra step has become one of the main bottlenecks in modern SOC operations.
The problem Team Cymru says it is trying to solve
Josh Picolet, VP of Detection & Analysis at Team Cymru, describes the product’s role. He told MSSP Alert: “We want to collapse the enrichment loop that eats into analysts’ time after an alert fires by offering a complete observable/measurable picture of an IP address or Domain.” He said analysts often get an alert tied to an IP or domain, see a basic score or classification, and then have to pivot across internal and external sources to understand what they are really looking at. With Total Insights Feed, he said, the goal is to make that picture more complete in one lookup.
Picolet said that lookup can include a verdict, score, ASN and geolocation, fingerprints, classifications, risk observations, first- and last-seen timestamps, malware or command-and-control context, related hashes, source detection details, and analyst narrative when relevant. He also said the effect on MTTR will vary by organization, but argued that the broader structural change is moving enrichment work away from alert-triage time and into feed-generation time. “That enrichment loop cost gets paid once per hour at Team Cymru, not once per alert at the SOC,” he said.
What the feed includes
Team Cymru says the feed evaluates more than 57 million IPs and CIDRs daily, analyzes more than 400 million domains, and attaches more than 2,000 contextual attributes to indicators. Those attributes include malware family links, botnet membership, command-and-control framework associations, attribution details, and kill-chain stage. The company also says the data is structured for use across SIEM, SOAR, XDR, and TIP environments through a single JSON schema, with tiered options for scoring, tags and analysis, or the complete combined stream.
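As an added illustration (not Team Cymru's code, schema or scoring algorithm), here is how a SOC might consume a single-stream feed of the kind described above: the feed is indexed once at ingest time, each alert then receives verdict, score, ASN, tags and last-seen context in a single lookup, and the score is aged with a simple half-life that stands in for the unspecified "algorithmic decay". The record field names, the decay rate, the sample records and the sample alerts are all constructed assumptions.

```python
import json
import math
from datetime import datetime, timezone

# Constructed newline-delimited JSON records. Field names mirror the attributes
# the article lists (verdict, score, ASN, geolocation, classifications, first/last
# seen, tags); they are an assumption, not Team Cymru's real schema.
SAMPLE_FEED = """\
{"indicator": "203.0.113.7", "type": "ip", "verdict": "malicious", "score": 92, "asn": 64500, "geo": "ZZ", "classifications": ["c2"], "tags": ["framework:example-c2"], "first_seen": "2024-05-01T00:00:00Z", "last_seen": "2024-05-28T00:00:00Z"}
{"indicator": "login-portal.example", "type": "domain", "verdict": "suspicious", "score": 60, "asn": 64501, "geo": "ZZ", "classifications": ["phishing"], "tags": ["cert:anomaly"], "first_seen": "2024-03-01T00:00:00Z", "last_seen": "2024-03-05T00:00:00Z"}
"""

# Constructed SOC alerts; each carries the indicator the detection fired on.
SAMPLE_ALERTS = [
    {"id": "a1", "indicator": "203.0.113.7"},
    {"id": "a2", "indicator": "login-portal.example"},
    {"id": "a3", "indicator": "198.51.100.9"},
]

HALF_LIFE_DAYS = 30.0  # assumed decay rate, for illustration only

def load_feed(ndjson_text):
    """Index the feed once so every later alert needs exactly one lookup."""
    index = {}
    for line in ndjson_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            index[rec["indicator"]] = rec
    return index

def decayed_score(rec, now):
    """Age the feed score by time since last_seen using an assumed half-life."""
    last_seen = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
    age_days = max((now - last_seen).total_seconds() / 86400.0, 0.0)
    return rec["score"] * math.pow(0.5, age_days / HALF_LIFE_DAYS)

def enrich(alert, index, now):
    """Attach the feed's context to an alert in one lookup and pick a triage action."""
    rec = index.get(alert["indicator"])
    if rec is None:
        return {**alert, "decision": "no_match"}
    score = decayed_score(rec, now)
    if rec["verdict"] == "malicious" and score >= 70:
        decision = "escalate"
    elif score >= 20:
        decision = "review"
    else:
        decision = "close"  # stale or low-confidence context, no manual pivot needed
    return {**alert, "verdict": rec["verdict"], "score": round(score, 1),
            "asn": rec["asn"], "tags": rec["tags"], "last_seen": rec["last_seen"],
            "decision": decision}

def triage(alerts, feed_text, now):
    """Enrich a batch of alerts against one feed snapshot."""
    index = load_feed(feed_text)
    return [enrich(a, index, now) for a in alerts]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, SAMPLE_FEED, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(row)
```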
The immediate takeaway is that Team Cymru is trying to move the conversation beyond feed volume alone. The pitch is not just that it covers a large amount of infrastructure, but that it adds enough context to make the data easier to act on inside automated and analyst-led workflows. That matters because most security teams do not need more raw alerts. They need better signal quality and clearer decision support.
Find and alert before it is used or reported
Picolet argues that one area of differentiation is detecting suspicious infrastructure before it has already been written up publicly. “We want to find and alert on infrastructure before it is used or reported,” he said. He described a detection pipeline that scores infrastructure based on converging signals such as hosting location, certificate anomalies, open port observations, network reputation, telemetry patterns, and proximity to known malicious infrastructure.
He said that this is an important distinction because enrichment platforms generally depend on context that already exists somewhere else. “Total Insights is scoring and tagging based on what the infrastructure looks like, not who’s already talked about it,” Picolet said. He also noted that IPs and domains are delivered in the same stream, which he positioned as another gap in a market where many feeds focus mainly on one or the other.
What this means for teams already running a TIP or SIEM stack
Many security teams already have a TIP, SIEM, and multiple threat feeds in place, so the practical question is what changes if they switch to something like this instead of continuing to aggregate and enrich data on their own. Picolet’s answer is that the outcome is not just broader coverage, but more cohesive coverage. He said teams often end up with gaps when one provider has a port observation, another has a command-and-control observation, and the analyst is left connecting those data points manually.
He also said consistency matters. “When teams run their own enrichment pipeline or playbooks, the output depends on which APIs get queried, in what order, with what rate limits, and whether results are cached or stale,” Picolet said. “Total Insights gives every consumer the same enrichment for the same indicator in the same hour.” That matters even more, he added, as automation and AI-assisted workflows become more common and teams need to trust the context being passed into those systems.
Why the data model matters here
For Team Cymru, this is more than a repackaging exercise. Picolet put that directly: “Honestly, the data model is the product. Not the indicators.” He said the company rebuilt its platform around three core pillars: risk, tagging, and analysis. That includes redesigned behavioral scoring across 22 detection categories with algorithmic decay, more than 1,000 unique tags across more than 44 categories, and an analysis layer that can add attribution, MITRE ATT&CK mapping, first- and last-seen dates, and summaries of threat infrastructure into the feed itself.
That is where the announcement becomes more interesting than a normal product launch. Team Cymru is effectively arguing that the future of threat intelligence is less about producing longer lists of bad things and more about delivering structured, explainable intelligence that can move directly into investigation and response workflows. For security teams, the value proposition is straightforward: less time spent assembling context and more time spent deciding what action to take.
The bigger takeaway
Team Cymru is not claiming this replaces every existing feed, and Picolet was careful to say that up front. But the company is making a clear case that the current feed-plus-enrichment model creates friction that many SOCs can no longer afford. If enrichment can be done earlier, delivered consistently, and tied to a broader set of infrastructure signals, that changes how threat intelligence fits into day-to-day operations.
Team Cymru is trying to push threat intelligence toward a format that is easier to plug into detection, automation, and AI-assisted analysis without a lot of cleanup in the middle. Whether customers see that as a real operational gain will depend on deployment and workflow maturity. But the category shift the company is pointing to is easy to understand: threat intelligence is becoming less of a reference layer and more of an operational input.