Pulsedive structures threat intelligence in layers so that any piece of data connects upward to broader context and downward to specific evidence.

Core Entities

Pulsedive organizes threat intelligence around three entities: indicators, threats, and feeds. Each entity captures a different layer of intelligence:
  • Indicators: The atomic unit of intelligence, representing observable entities that Pulsedive has enriched with contextual data.
  • Threats: Named activity, such as malware families or adversary campaigns, that groups and contextualizes indicators.
  • Feeds: Curated collections that bring indicators into Pulsedive from third-party sources.
Understanding these entities is the foundation for working effectively with Pulsedive, whether through the UI or the API.

Relationships

Indicators, threats, and feeds are not independent records. An indicator links to the feeds that flagged it and the threats it is associated with. A threat aggregates data from its linked indicators to surface patterns across infrastructure and activity. A feed provides provenance, telling you where a group of indicators came from and who maintains them. Understanding these relationships lets you move fluidly between layers of intelligence, from a specific observable entity to the broader context it belongs to.
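
The relationships described above can be sketched as a small linked structure. This is an added example, not Pulsedive's code, schema, or API: the `IntelGraph` class, its method names, the feed and threat names, and the sample indicators are all constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class IntelGraph:
    """Hypothetical in-memory model of indicator/threat/feed links."""
    ind_type: dict = field(default_factory=dict)                         # indicator -> type
    ind_feeds: dict = field(default_factory=lambda: defaultdict(set))    # indicator -> feeds
    ind_threats: dict = field(default_factory=lambda: defaultdict(set))  # indicator -> threats
    threat_inds: dict = field(default_factory=lambda: defaultdict(set))  # threat -> indicators

    def add(self, indicator, ind_type, feeds=(), threats=()):
        self.ind_type[indicator] = ind_type
        self.ind_feeds[indicator].update(feeds)
        for threat in threats:
            # Keep both directions so pivots work from either entity.
            self.ind_threats[indicator].add(threat)
            self.threat_inds[threat].add(indicator)

    def context(self, indicator):
        """Upward pivot: which feeds flagged it (provenance), which threats it ties to."""
        return {"feeds": sorted(self.ind_feeds.get(indicator, ())),
                "threats": sorted(self.ind_threats.get(indicator, ()))}

    def threat_summary(self, threat):
        """Downward pivot: aggregate a threat's linked indicators by type and by feed."""
        inds = self.threat_inds.get(threat, set())
        return {"indicators": sorted(inds),
                "by_type": dict(Counter(self.ind_type[i] for i in inds)),
                "by_feed": dict(Counter(f for i in inds for f in self.ind_feeds[i]))}

    def related(self, indicator):
        """Sideways pivot: other indicators that share at least one threat."""
        out = set()
        for threat in self.ind_threats.get(indicator, ()):
            out |= self.threat_inds[threat]
        out.discard(indicator)
        return sorted(out)

def build_sample():
    # Constructed sample data using reserved documentation addresses and names.
    g = IntelGraph()
    g.add("203.0.113.7", "ip", feeds=["feed-a", "feed-b"], threats=["ExampleLoader"])
    g.add("login.example.test", "domain", feeds=["feed-a"], threats=["ExampleLoader"])
    g.add("198.51.100.20", "ip", feeds=["feed-b"])  # flagged by a feed, no threat link
    return g

if __name__ == "__main__":
    g = build_sample()
    print(g.context("203.0.113.7"))
    print(g.threat_summary("ExampleLoader"))
    print(g.related("203.0.113.7"))
```

An indicator with feed provenance but no threat link, like the third sample entry, still resolves to its feeds while returning no related indicators.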