How do Cyber Threat Intel (CTI) teams collaborate within Feedly to increase productivity and reduce blind spots? In this post, we’ll share best practices we’ve seen when working with CTI teams across different industries and how they’re using Feedly’s latest capabilities to move faster through every stage of the intelligence cycle.
Effect
66-90% time saved spent on intelligence gathering and sharing
Vulnerabilities, threat actors, IOCs, and TTPs were analyzed. up to 70% faster
New vulnerabilities and threats discovered 3 days sooner compared to other devices
Inspired? read on.
gathering relevant intelligence
The amount of cybersecurity articles, reports, blogs, and posts on the open web can seem overwhelming. How do you identify what’s important, focus on business intelligence needs, and avoid wasting time on irrelevant or duplicate information?
Feedly’s Intel Agents (Vulnerabilities, Cyber Attacks, and TTPs) replace that manual effort with continuous, filtered monitoring across 10,000+ OSINT sources, so your team can get a head start on each day.
Vulnerability Agent
Personalized for your technology stack Vulnerability Agent High-risk CVEs are surfaced with the context needed to rapidly prioritize: CVSS and EPSS scores, active exploit indicators, PoC availability, and associated threat actors. Filter by vendor, product, attack vector, and more to cut out the noise and focus on what really matters to your environment.
cyber attack agent
cyber attack agent Monitors attack activity targeting your industry in real-time from 10,000+ sources, including SEC filings and regional stock exchanges. Filter by attack type, industry, actors, and malware to focus on relevant events and answer the “What? So what?” Use. Columns for triaging without opening each article.
ttp agent
TTP Agent tracks trending ATT&CK techniques and extracts processes so you can prioritize threat hunting without hours of manual tagging. Filter by industry, threat actor, or malware family, track changes in behavior over customizable date ranges, and launch directly into MITER ATT&CK Navigator to build attack simulations based on current adversary behavior.
AI feeds
AI feeds remain the backbone of the ongoing collection. Powered by 1,000+ AI models, they continuously scan millions of sources and surface articles related to your PIR with higher relevance and less noise than keyword searches. Most teams organize AI feeds into team folders based on intelligence need or stakeholder group, and treat them as an always-on layer beneath their agents.
Examine and analyze emerging threats
Collecting the right signal is only half the job. Feedly’s Insights Cards and Ask AI teams help teams quickly go from raw articles to finished analysis without switching tools or synthesizing dozens of reports by hand.
insight card
Insight cards give you structured, constantly updated context on any threat (CVE, cyber attack, threat actorOr IOC) collected from thousands of sources into a single view. Instead of linking references to all tabs at once, you get the whole picture in one place: timeline, TTP, malware, attribution, severity score, and source citations. Vulnerability teams use CVE Insights cards to advance triage; Incident responders rely on the Cyberattack Card to quickly assess risk; Threat hunters use Threat Actor cards to prepare hunts and tabletop exercises.
ask ai
ask ai Can also be run on top of your AI Agents and Insights Cards as well as AI Feeds so analysts can synthesize intelligence in multiple languages, extract IOCs, TTPs, and CVEs, and produce finished deliverables, all without leaving Feedly. Each response is based on a real-time threat graph and cited to its original sources, so analysts remain in control of what goes into the final product. Teams use it to create vulnerability descriptions, flash reports, threat actor profiles, and executive summaries in minutes instead of hours.
generate intelligence
Collecting and analyzing threats is just part of a CTI analyst’s job. The second part is creating reports and briefs that keep your team and stakeholders informed. Whether it’s a daily threat brief, a weekly vulnerability digest, or an executive summary after a major incident, Feedly’s report builder and automated newsletters help you produce consistent, high-quality intelligence outputs without hours of manual work.
report builder
Creating a threat intelligence report manually can take 3 to 8 hours. The report builder reduces this to minutes. Start with a Feedly template or upload your own, Feedly extracts your sections and replicates your writing structure, then automatically gathers supporting sources and fills each section with inline citations from the Feedly Threat Graph. Every claim is verifiable, which matters if you’re handing over details to a CISO or an external stakeholder.
You can adjust the technical level of output for different audiences, collaborate with teammates in the editor, and refine any section in real time with Ask Al, without breaking the flow of your report. When you’re done, export directly to PDF or copy the text into your existing workflow.
automated newsletters
automated newsletters Auto-populate, AI-assisted summaries and analyst notes from AI feeds or team boards are already generated. Teams set a delivery schedule and let Feedly handle the rest: daily threat intelligence for security operations, weekly roundups for the CISO, targeted vulnerability digests for the vulnerability management team.
provide intelligence
Sharing the intelligence your team collects, analyzes and curates is a core activity of most CTI teams. However, many teams spend hours per day on this part of the process using manual report creation sent via email lists. Feedly makes this easy by providing multiple ways to share intelligence, from article tagging and Slack integration to fully automated workflows that push data to your other security tools via the Feedly API.
team board
Team boards are where analysts discuss ideas before sharing. Save key articles and insight cards to a board, and configure it to automatically trigger downstream actions with a Slack alert, newsletter entry, or API push. Boards work best when they are named around the audience they serve: CISOs, vulnerability teams, threat hunters, or incident response.
Integrations and API
Enhancement Feedly extracts (IoCs, TTPs, malware, CVE data, detection rules) can flow directly into your TIP, SIEM, or SOAR via the STIX/JSON API. No-code integrationAnd MISP support. The time between “Feedly found something” and “Your identity rules have been updated” can be minutes, not days.
put it all together
Leading CTI teams use Feedly across the entire intelligence cycle: Intel agents and AI feeds for continuous, filtered collection; Insight cards and ask AI to move faster from signal to finished analysis; And automated newsletters and integrations to deliver the right information to the right people without manual overhead.
The result is a team that spends less time gathering and formatting, and more time doing the analysis work that actually protects the organization.
