CTI teams have long relied on sandboxing to analyze threats and extract IOCs. But treating individual IOCs (the clues an attacker leaves behind) in isolation is a common pitfall. This isn't a new problem, and many practitioners have argued against indicator-only feeds for years. Still, the conversation is worth revisiting, because the industry continues to struggle with the relevance of feeds, with missed campaigns and threats, and with time wasted on a flood of false positives.
By the end of this post, you’ll see how these challenges shaped our thinking — and why we built UniqueSignal to deliver threat intel the way CTI teams actually need it.
This piece isn't about introducing a new framework; it reinforces the importance of context-driven intelligence. The Diamond Model of Intrusion Analysis, the MITRE ATT&CK framework and the Pyramid of Pain have already shown that atomic indicators alone aren't enough. Instead of focusing on individual IOCs, thinking in terms of IOC Building Blocks, clusters of related indicators and the objects they connect to, gives us a pathway to meaningful context.
A single IOC from a sandbox report tells you neither whether an alert is a true positive nor what to do about it. An IP address or a hash on its own is short-lived and cheap for an attacker to change, and it says little about adversary behavior, infrastructure reuse, or the threat's broader impact. So we want to move beyond individual indicators. Like puzzle pieces, they form a clearer picture when placed in context, and that context is what raises confidence in both detection and hunting.
Supporting the Context-First Approach
The industry has advocated contextual intelligence over atomic indicators for years. Some of the key frameworks, and the tooling built around them, that reflect this shift:
- Diamond Model of Intrusion Analysis – Focuses on the relationships between adversary, infrastructure, victim and capability, treating an indicator (e.g. a malware C2 address) as the starting point of a pivot that can lead all the way to attribution.
- MITRE ATT&CK – Encourages mapping IOCs to TTPs to understand how adversaries operate and predict their next moves.
- Pyramid of Pain – Demonstrates that atomic indicators (hashes, IPs) are easy for attackers to change, whereas TTPs are harder to modify.
- Tech stack perspective: Threat Intelligence Platforms (TIPs) – Many modern TIPs emphasize contextual relationships over raw IOCs, letting CTI analysts keep everything in one place, score it and pivot across it. They don't just correlate IOCs; they also fold in intelligence from external sources such as public research, dark-web chatter and vulnerability databases, which provide early warning of active campaigns and trending malware.
STIX: Context-native delivery format
A widely accepted format for sharing threat intelligence is STIX (Structured Threat Information eXpression). Its real power, however, is only realized when its components are used together: STIX Domain Objects (SDOs) such as indicators, malware, attack patterns and threat actors, linked by STIX Relationship Objects (SROs).
For example, consider an IP address extracted from a sample and observed to be the C2 address of its payload:
- Used alone for detection or enrichment, it may already be dead, or it may be noisy and outdated: malware routinely abuses legitimate cloud infrastructure, so the address can be shared with benign traffic.
- Correlated with a known TTP, it gains relevance, especially during an alert investigation.
- If that TTP is linked to a specific threat actor, we now have insight into the adversary's behavior.
- Tied to real-world incidents and DFIR reports, it gives analysts concrete steps to hunt for the threat.
This association-first approach is at the heart of IOC Building Blocks.
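As an added illustration (not code from the original post, and not the UniqueSignal feed's own code), here is a small Python walker over a constructed STIX 2.1 bundle. It starts from one indicator, follows the SROs and the report's object_refs, and returns the ATT&CK techniques, actors and reports reachable from it, together with a decision that mirrors the ladder above. Every ID, name and address in the bundle is made up (the IPs are from documentation ranges), and the drop/enrich/hunt rules are an assumption chosen for the example, not a published scoring scheme.

```python
"""Walk STIX 2.1 relationship objects to turn one sandbox IOC into context.
Constructed sample data: all IDs, names and addresses are hypothetical."""
from collections import defaultdict, deque
from datetime import datetime, timezone

IND_C2 = "indicator--aaaaaaaa-0000-4000-8000-000000000001"
IND_LONE = "indicator--aaaaaaaa-0000-4000-8000-000000000006"
MAL = "malware--aaaaaaaa-0000-4000-8000-000000000002"
AP = "attack-pattern--aaaaaaaa-0000-4000-8000-000000000003"
ACTOR = "threat-actor--aaaaaaaa-0000-4000-8000-000000000004"
REPORT = "report--aaaaaaaa-0000-4000-8000-000000000005"
ANALYSIS_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # "now" for the example


def sro(rel, src, dst, n):
    """Minimal STIX 2.1 relationship object (SRO)."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--aaaaaaaa-0000-4000-8000-00000000001{n}",
            "relationship_type": rel, "source_ref": src, "target_ref": dst}


# Constructed bundle: one C2 indicator with full context, one lone indicator.
BUNDLE = {"type": "bundle", "id": "bundle--aaaaaaaa-0000-4000-8000-000000000099", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": IND_C2,
     "name": "C2 address seen during dynamic analysis",
     "pattern": "[ipv4-addr:value = '203.0.113.42']", "pattern_type": "stix",
     "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2024-02-10T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": IND_LONE,
     "name": "Address with no relationships",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2024-02-10T00:00:00Z"},
    {"type": "malware", "spec_version": "2.1", "id": MAL, "name": "ExampleLoader", "is_family": True},
    {"type": "attack-pattern", "spec_version": "2.1", "id": AP,
     "name": "Application Layer Protocol: Web Protocols",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1071.001"}]},
    {"type": "threat-actor", "spec_version": "2.1", "id": ACTOR, "name": "Example Actor"},
    {"type": "report", "spec_version": "2.1", "id": REPORT,
     "name": "DFIR write-up: ExampleLoader intrusion", "report_types": ["threat-report"],
     "published": "2024-01-20T00:00:00Z", "object_refs": [IND_C2, MAL, ACTOR]},
    sro("indicates", IND_C2, MAL, 0),   # indicator -> malware
    sro("uses", MAL, AP, 1),            # malware -> ATT&CK technique
    sro("uses", ACTOR, MAL, 2),         # actor -> malware
]}


def build_graph(bundle):
    """Index SDOs by id; build an undirected adjacency list from SROs.
    A report's object_refs is an embedded relationship, so it becomes an edge too."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges[o["source_ref"]].append((o["relationship_type"], o["target_ref"]))
            edges[o["target_ref"]].append((o["relationship_type"], o["source_ref"]))
        elif o["type"] == "report":
            for ref in o.get("object_refs", []):
                edges[ref].append(("reported-in", o["id"]))
    return objs, edges


def context_for(bundle, indicator_id, now=None):
    """Collect everything reachable from one indicator and decide how to use it."""
    now = now or datetime.now(timezone.utc)
    objs, edges = build_graph(bundle)
    ind = objs[indicator_id]
    seen, queue, ctx = {indicator_id}, deque([indicator_id]), defaultdict(set)
    while queue:  # breadth-first walk over the relationship graph
        cur = queue.popleft()
        for _, nxt in edges[cur]:
            if nxt in seen or nxt not in objs:
                continue
            seen.add(nxt)
            queue.append(nxt)
            ctx[objs[nxt]["type"]].add(nxt)
    ttps = sorted(r["external_id"] for i in ctx["attack-pattern"]
                  for r in objs[i].get("external_references", [])
                  if r.get("source_name") == "mitre-attack")
    actors = sorted(objs[i]["name"] for i in ctx["threat-actor"])
    reports = sorted(objs[i]["name"] for i in ctx["report"])
    until = ind.get("valid_until")
    expired = bool(until) and datetime.fromisoformat(until.replace("Z", "+00:00")) < now
    # Assumed decision ladder: report -> hunt; TTP or actor -> enrich; expired atom alone -> drop.
    if reports:
        action = "hunt"
    elif ttps or actors:
        action = "enrich"
    elif expired:
        action = "drop"
    else:
        action = "alert-only"
    return {"pattern": ind["pattern"], "expired": expired, "ttps": ttps,
            "actors": actors, "reports": reports, "action": action}


if __name__ == "__main__":
    for ind_id in (IND_C2, IND_LONE):
        print(context_for(BUNDLE, ind_id, now=ANALYSIS_TIME))
```

Both indicators are past their valid_until by the analysis date, so on an atomic view they look identical. The walk is what separates them: the C2 address resolves to a malware family, T1071.001, an actor and a DFIR report, so it is still worth hunting on, while the lone address has nothing to pivot to and is just stale.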

Image: UniqueSignal STIX structure
From Sandbox to Signal: The Path to UniqueSignal
Over the past 11 years, we’ve seen how customers use our sandbox beyond just analysis — as a reliable source of threat intelligence. Many teams have already built pipelines where samples go in, and IOCs come out.
This inspired us to take it further.
We’re now excited to share that we’ve officially launched our new Threat Intelligence Feed, built on top of our evasion-resistant sandbox foundation. It’s delivered via STIX 2.1 over TAXII, integrates easily with tools that support open standards, and brings together everything seen during dynamic analysis:
- Atomic indicators (IP, URL, Hash)
- Behavioral markers (VTIs)
- MITRE ATT&CK mappings
- Config extracts
- Enriched labelling around threat actors and geographies
During development, we worked closely with dozens of customers — large enterprises and government CTI teams — to refine this feed. Their feedback helped us sharpen our post-processing, add an enrichment layer, and focus on delivering truly actionable intel, not just raw observables.
On one end: the sample. On the other: contextual intelligence.
It may sound simple, but we’ve learned that turning raw sandbox data into useful intelligence takes iteration, exploration, and a shared effort. Some teams are far along. Others are just getting started. Either way, this process of building contextual blocks is foundational — and it’s exactly what our new feed is designed to support.
After hundreds of feedback calls, we've built something we believe truly serves CTI teams: it filters out the noise, keeps the context, and delivers it over open standards.
We’d love for you to try it out.
Early adopters get 60 days of free access.
Just drop us a note — or reach out to your account manager to get started.