15-Second summary
OpenCTI is a powerful threat intelligence platform that turns threat data into a connected knowledge graph. The better your inputs, the sharper your intelligence. Feedly’s AI-curated intelligence gives OpenCTI a high-signal source of threats, vulnerabilities, and TTPs mapped to your priority intelligence requirements, so analysts spend their time on analysis rather than collection.
With Feedly Threat Intelligence connected to OpenCTI, you can:
- Automatically populate your knowledge graph with relevant, structured intelligence from thousands of open-source channels.
- Start investigations with rich context; every entity is enriched with threat actors, TTPs, malware, CVEs, IoCs, and their relationships.
If you’ve invested in OpenCTI, Feedly Threat Intelligence helps you turn it into a knowledge graph that’s ready for work.
A knowledge graph is only as good as what flows into it
OpenCTI gives CTI teams a powerful foundation for organizing, correlating, and operationalizing threat intelligence. But the platform doesn’t collect intelligence on its own. To get the most out of it, teams need a reliable way to feed it with high-quality, relevant data, consistently and at scale.
Most teams rely on IoC-heavy commercial feeds that deliver volume without narrative context, leaving threat actor profiles thin and TTP coverage patchy. Analysts make up the difference manually: reading blogs, pulling reports, and copying data into the platform. Collection consumes hours that should be going toward analysis.
The result is a team that spends more time on data management to feed the knowledge graph than on actual analysis.
Feedly Threat Intelligence automates the collection layer. It continuously monitors thousands of open-source channels and uses AI to extract, structure, and deliver intelligence directly into OpenCTI, so your knowledge graph reflects the current threat landscape without requiring your analysts to build it manually.
Use AI Feeds to focus on what’s actually relevant
Not all open-source intelligence is relevant to your organization. Feedly’s AI Feeds solve the signal-to-noise problem before anything reaches OpenCTI.
AI Feeds are continuously updated streams of intelligence from over 10,000 open sources, filtered to your organization’s specific threat profile: the threat actors targeting your sector, the malware families relevant to your tech stack, and the vulnerabilities that matter to your infrastructure.
You can organize AI Feeds or Folders by intel requirements, and the connector continuously pulls from those curated streams. What flows into OpenCTI is curated intelligence scoped to what your team is actually tracking.
Feedly AI Models and the Threat Graph extract and enrich threat data
Feedly’s AI Models automatically identify key entities within each article: IoCs (IPs, domains, hashes, URLs, email addresses, and registry keys), CVEs, malware families, threat actors, TTPs, cyberattacks, etc.
The Threat Graph maps the relationships between extracted entities: which threat actor is using which malware, which CVE is being exploited in which campaign, which TTPs are associated with which intrusion set. These relationships are built from the source reporting itself, preserving the analytical context that makes intelligence meaningful.
By the time intelligence leaves Feedly, it’s no longer unstructured text. It’s a set of connected entities with documented relationships, ready to enrich your knowledge graph rather than just add to it.
Structured for OpenCTI: STIX 2.1 out of the box
OpenCTI is built natively on the STIX 2.1 standard, and so is Feedly’s output.
Every piece of intelligence the connector delivers is formatted as a STIX 2.1 bundle: threat actors, malware, TTPs, indicators, vulnerabilities, and the relationships between them are all expressed as proper STIX objects. They map directly to OpenCTI’s data model without transformation or cleanup on your end.
This means the intelligence that lands in your knowledge graph is immediately usable, correctly typed, correctly linked, and ready for analysts to pivot on.
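A pre-ingest sanity check for the "correctly typed, correctly linked" property described above, as an added example (not Feedly's or OpenCTI's code): it walks a STIX 2.1 bundle and reports ids whose prefix disagrees with the object type, duplicate ids, and relationship or report references that point at nothing in the bundle. The bundle, names, and UUIDs below are constructed for illustration.

```python
import uuid

def _valid_id(obj):
    """A STIX id is '<type>--<UUID>'; the prefix must equal the object's type."""
    prefix, sep, tail = str(obj.get("id", "")).partition("--")
    try:
        canonical = str(uuid.UUID(tail)) == tail
    except ValueError:
        canonical = False
    return bool(sep) and canonical and prefix == obj.get("type")

def check_bundle(bundle):
    """Return (object id, problem) tuples; an empty list means nothing was flagged."""
    if bundle.get("type") != "bundle":
        return [("<bundle>", "top-level type is not 'bundle'")]
    objects = bundle.get("objects", [])
    problems, known = [], set()
    for obj in objects:
        oid = obj.get("id", "<missing id>")
        if not _valid_id(obj):
            problems.append((oid, "id malformed or prefix differs from type"))
        if oid in known:
            problems.append((oid, "duplicate id in bundle"))
        known.add(oid)
    # Second pass: every reference should resolve to an object in this bundle.
    # A dangling ref is a review item: the target may already exist in the platform.
    for obj in objects:
        refs = {"relationship": [obj.get("source_ref"), obj.get("target_ref")],
                "report": obj.get("object_refs", [])}.get(obj.get("type"), [])
        for ref in refs:
            if ref not in known:
                problems.append((obj.get("id"), f"dangling reference: {ref}"))
    return problems

# Constructed identifiers and bundle (not real intelligence).
TA = "threat-actor--11111111-1111-4111-8111-111111111111"
MAL = "malware--22222222-2222-4222-8222-222222222222"
REL = "relationship--33333333-3333-4333-8333-333333333333"
REP = "report--44444444-4444-4444-8444-444444444444"
BAD = "relationship--55555555-5555-4555-8555-555555555555"
GHOST = "vulnerability--66666666-6666-4666-8666-666666666666"  # absent from bundle
SAMPLE = {"type": "bundle", "id": "bundle--77777777-7777-4777-8777-777777777777", "objects": [
    {"type": "threat-actor", "id": TA, "name": "Example Actor"},
    {"type": "malware", "id": MAL, "name": "ExampleRAT", "is_family": True},
    {"type": "relationship", "id": REL, "relationship_type": "uses", "source_ref": TA, "target_ref": MAL},
    {"type": "relationship", "id": BAD, "relationship_type": "exploits", "source_ref": MAL, "target_ref": GHOST},
    {"type": "report", "id": REP, "name": "Constructed report", "object_refs": [TA, MAL, REL, BAD]},
]}
```

Calling `check_bundle(SAMPLE)` flags only the `exploits` relationship, whose target vulnerability is not in the bundle.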
Setting up the integration
Connecting Feedly to OpenCTI takes about 15 minutes.
What you’ll need:
- Feedly for Threat Intelligence subscription (with API access)
- OpenCTI 6.x or later
- Your Feedly API token
- Docker or a standard OpenCTI connector deployment environment
Steps:
- Deploy the connector. Pull the Feedly connector from the OpenCTI connectors repository (https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/feedly) and deploy it using Docker alongside your OpenCTI instance.
- Configure your credentials. Add your Feedly API token and OpenCTI API URL to the connector’s environment configuration.
- Select your Feedly streams. Specify which Feedly Boards or Folders you want the connector to pull from. This is where your AI Feeds configuration determines what flows into OpenCTI.
- Set your ingestion interval. Configure how frequently the connector checks for new intelligence. Hourly is a common starting point for active threat tracking.
- Verify the connection. Once running, the connector will begin importing Feedly reports into OpenCTI as structured STIX 2.1 objects. Check the OpenCTI Data > Ingestion panel to confirm intelligence is flowing.
For detailed configuration options, see the Feedly + OpenCTI Integration Documentation.
What it looks like in OpenCTI
Once the connector is running, Feedly intelligence appears in OpenCTI as fully structured reports, each one linked to the entities Feedly extracted, with relationships already mapped in the knowledge graph.
Analysts can pivot directly from a Feedly report to the threat actor profile, explore related malware or campaigns, and correlate Feedly-sourced indicators against internal data, all within OpenCTI’s graph interface, without re-entering a single data point.
Conclusion
Feedly Threat Intelligence and OpenCTI are built for each other: one collects and structures intelligence from the open web, the other organizes and operationalizes it. Together, they replace a slow, manual collection process with a continuous, automated intelligence pipeline, from open-source data to a knowledge graph to analyst action.
If you’ve built an OpenCTI deployment and want to keep it current without burning analyst hours on collection, Feedly is the intelligence source that makes it work.
Feedly Threat Intelligence connects with 10+ security solutions
OpenCTI is one of the many integrations available. Start your free trial and see how Feedly Threat Intelligence connects to your CTI workflow.


