Accuracy: The degree of correctness and reliability of the information provided in the feed.

• Excellent: The CTI feed provides intelligence with a high level of accuracy, the information is constantly consistent, and there is a record of proven reliability from experts.
• Satisfactory: The CTI feed has some occasional inaccuracies that are identified and corrected in a timely manner, and in general, the feed is regarded as reliable.
• Poor: The CTI feed has frequent errors and misleading intelligence and has poor validation and verification of the information that it provides.

Actionable: Refers to the extent to which the information provided can be used to take concrete, practical steps to defend against potential threats.

• Excellent: The feed provides the information in a clear and structured manner. It also provides recommendations on how to use the information and includes detailed documentation for the users.
• Satisfactory: The feed provides some guidance for the users, but it is not always clear and detailed. The guidance is limited to high-level recommendations, and therefore the intelligence is not immediately actionable.
• Poor: The feed focuses only on providing information about threats and vulnerabilities, and the guidance is not clear and structured. Therefore, it is not actionable.

Completeness: The extent to which the information provided in the feed is comprehensive and covers all relevant aspects of a potential cyber threat.

• Excellent: The CTI feed provides comprehensive information on all relevant threats and attack vectors, including those that are not widely known.
• Satisfactory: The CTI feed provides a reasonable amount of information on the most relevant threats and attack vectors but may have some gaps or be less detailed in certain areas.
• Poor: The CTI feed is missing significant information on relevant threats and attack vectors, or is generally incomplete and unreliable in its coverage.

Compatibility: The ease with which the information provided in the feed can be consumed, processed, and integrated into an organization’s existing security infrastructure.

• Excellent: The information provided by the CTI feed can be easily integrated into the existing security systems and platforms without extensive customization and the information is provided in multiple different formats.
• Satisfactory: The information provided by the CTI feed can still be integrated with some customization and some extra effort or skills but it is still manageable without requiring significant resources.
• Poor: The information provided by the CTI feed is difficult to be integrated into the existing security systems or platform, it requires extensive customization and resources that most organizations are not willing to spend for it.

Compliance: The extent to which the feed aligns with legal and regulatory requirements that govern the collection, use, and dissemination of cyber threat intelligence.

• Excellent: The feed provides threat intelligence with full compliance with the regulations, industry standards, and laws.
• Satisfactory: The feed provides the information with some level of compliance with the laws and regulations, but there are areas that need improvement.
• Poor: The CTI feeds do not provide compliance with applicable laws, regulations, and industry standards, or there are significant gaps in compliance that need to be addressed.

False Positives: Refers to the number of incorrect or misleading information provided in the feed.

• Excellent: The feed has very few false positives or near to none, and that makes it highly efficient and reliable.
• Satisfactory: The feed has an acceptable level of false positives that do not prohibit its use.
• Poor: The feed has a high rate of false positives and that hinders its use and reliability.

Impactfulness: Refers to the level of harm or damage that a potential threat could cause to an organization's systems and networks.

• Excellent: The feed provides highly impactful intelligence that directly affects the organization's security posture.
• Satisfactory: The intelligence provided by the feed can have some degree of impact, but it does not pose a significant disruption to the organization's security posture.
• Poor: The feed provides low-impact intelligence that may not always be relevant to the organization.

Maintenance: Refers to the effort required to keep the information in the feed up-to-date and relevant.

• Excellent: The feed is updated on a regular basis and issues like bugs and errors are being addressed quickly. Also, new features are regularly being implemented and detailed documentation of the updates is provided.
• Satisfactory: The feed is updated on a periodical basis and some features may get resolved in a slower manner.
• Poor: The feed is not updated regularly and there are periods of time with inactivity from the developers' side.

Priority: Refers to the level of importance or urgency assigned to the information provided in the feed.

• Excellent: The feed provides critical intelligence that requires immediate attention. It includes a clear categorization of threats that should be prioritized and considered significant by security experts.
• Satisfactory: The feed provides important intelligence, but it may not be critical for the organization. It can be addressed in a timely manner without compromising existing security configurations.
• Poor: The intelligence provided by the feed is of low priority and does not require an urgent response that could harm the organization's security posture.

Relevance: The extent to which the information provided in the feed is applicable to an organization’s specific needs and risk profile.

• Excellent: The CTI provides intelligence that is directly applicable to the organization’s assets and operations, and is critical for effective threat detection and response.
• Satisfactory: The CTI feed provides intelligence that is somewhat applicable to the organization’s assets and it may not be critical for the threat landscape and the needs of the organization.
• Poor: The CTI feed provides intelligence that is not applicable to the organization’s assets and operations, or is of very limited use for the needs of the organization.

Timeliness: The speed and prompt ness with which new and updated information about potential cyber threats is delivered to the recipient, sharing and receiving up-to-date information in a timely fashion.

• Excellent: The feed consistently provides timely and up-to-date information that is useful for threat response and mitigation.
• Satisfactory: The feed provides refined and regularly updated information concerning the current threat landscape but the information is not provided for immediate reaction to newly discovered threats.
• Poor: The feed provides information that is often outdated and not useful for timely threat response.

Uniqueness: Refers to the distinctiveness and originality of the information provided in the feed.

• Excellent: The feed provides highly unique information that is not available in most of the other CTI feeds, and that offers a competitive advantage in terms of intelligence.
• Satisfactory: The feed provides some moderately unique threat intelligence that is not found in all other sources, which offers some competitive advantage.
• Poor: The CTI feed provides only information that is widely available from multiple other sources.

Behavioral Indicators: Descriptions of unusual or malicious behaviors exhibited by malware, helping organizations identify and respond to threats based on behavior.

Command and Control (C&C/C2): URLs or domain names used by malware to communicate with its control servers.

Email Addresses: Email addresses associated with phishing campaigns, spam, or other malicious activities.

File Hashes: Hashes like MD5, SHA-1, and SHA-256 of known malware files or suspicious executables.

Filenames and File Paths: Suspicious or malicious filenames and file paths that might indicate the presence of malware.

Malicious Domains: Domain names that are linked to phishing campaigns, malware hosting, or other malicious activities.

Malicious IP Addresses: IP addresses associated with known command and control servers, malware distribution, or other malicious activities.

Malicious File Extensions: File extensions commonly associated with malware, such as .exe, .dll, .vbs, .js, etc.

Malicious SSL/TLS Certificates: SSL/TLS certificates used to facilitate secure communication but issued with malicious intent, compromising the security of data transmission.

Mutex Names: Unusual or malicious named mutexes used by malware for synchronization purposes.

Network Signatures: Signatures and patterns in network traffic that are indicative of malicious activity, including protocols and communication methods.

Packers and Crypters: Signatures of known packers and crypters used to obfuscate malware.

Phishing Campaign Details: Indicators and information related to active or recent phishing campaigns, including email subjects, sender addresses, and campaign themes.

Registry Key Indicators: Information about registry keys and values associated with malware persistence or other malicious activities.

Credential Dumps: Lists of compromised usernames and passwords that have been leaked or dumped by threat actors.

Script Artifacts: Unique identifiers used by malware for synchronization or to ensure single execution.

Strings and Keywords: Specific strings or keywords that are indicative of malicious activity or commonly found in malware.

User-Agent Strings: Unusual or suspicious user-agent strings in HTTP requests.

URLs: Specific URLs that are known to host malicious content, exploit kits, or participate in phishing attacks.

YARA Rules: Custom YARA rules created to identify specific patterns or characteristics of malware.