Threat actor in action · Fortgale proprietary intelligence
Service · CTI · proprietary intelligence

Know before the attack happens.

Fortgale CTI reinforces enterprise defence before an attack becomes an incident. We track hostile actors, generate continuous IOC feeds, produce vertical advisories, briefings for the CISO and reports for the board, monitor deep & dark web, and manage IT and brand exposure.

180+ · Adversaries profiled
34 k+ · Weekly IOCs
24·7 · Dark web monitoring
Compliance · accreditations
ISO/IEC 27001
NIS2 ready
GDPR · ENISA
Standards · frameworks
MITRE ATT&CK
STIX/TAXII
OpenCTI
OSINT
Eight capabilities · activate them individually

Eight specialist CTI modules.
Each answers a concrete need.

Fortgale CTI is delivered as eight specialist capabilities, activated individually or in combination based on your organisation's context. From hostile actor tracking to critical vendor monitoring: each module answers a concrete question from the CISO, the SOC, or the board. Under each capability, a «Relevant when…» section helps you understand which ones you actually need.

01 Adversary intelligence

Threat Actor Profiling & Attribution

TTP profiles, victimology, attack attribution

Structured profiles of criminal groups and state actors active against European organisations: MITRE ATT&CK-mapped TTPs, observed C2 infrastructure, tooling, victimology. Where evidence allows, technical attribution of attacks detected against customers.

Relevant when

You have suffered incidents with signs of targeted intent · you operate in target sectors (finance, manufacturing, energy, healthcare, public administration, defence) · you hold high-value assets (IP, sensitive data).

Explore the module →
02 Automated feed

Threat Intelligence Feed · STIX/TAXII

Continuous IOCs · machine-readable · SIEM/EDR/firewall

Indicators of compromise (IPs, domains, hashes, URLs, YARA rules) generated from real incidents and research, distributed via STIX/TAXII directly into customer security platforms. Automatic application, no manual intervention required.

Relevant when

You run SIEM/EDR/firewall platforms that support custom TI · your SOC wants to enrich detection with contextual IOCs · NIS2/DORA require TI integration into your controls.

Explore the module →
03 Industry-specific threat reports

Vertical sector advisories

Active campaigns, tracked groups, sector IOCs and TTPs

Reports dedicated to individual sectors: manufacturing, finance, healthcare, energy, public administration, critical infrastructure. When the CTI team detects targeted campaigns, customers in the affected sector receive ad-hoc advisories with immediate operational guidance.

Relevant when

You operate in a specific vertical sector (manufacturing, finance, healthcare, energy, public administration, critical infrastructure) and want intelligence focused on threats targeting your industry.

Explore the module →
04 Business-risk language

Executive Briefing & Board Reporting

Reports for CISOs, risk committees, and boards

Periodic briefings for the CISO, IT Manager, Head of Cybersecurity: exposure status, actors active against the organisation, decisions required. Dedicated reports for the board in business-risk language, compliance, and impact framing.

Relevant when

The board requires regular updates on cyber risk · you must demonstrate NIS2/DORA governance to the board · the CISO needs to communicate in business language, not technical.

Explore the module →
05 Continuous surveillance

Deep & Dark Web Monitoring

Marketplaces, leak sites, Telegram, criminal forums

Continuous presence in criminal marketplaces, underground forums, ransomware leak sites, Telegram channels, anonymised networks. Search for compromised corporate credentials, exfiltrated data, customer mentions, planning of imminent attacks.

Relevant when

You fear corporate credential leaks · you are a visible brand · you operate in ransomware target sectors · you want to intercept the planning of attacks before execution.

Explore the module →
06 IT exposure

Attack Surface Management

Internet-facing assets, vulnerabilities, shadow IT, misconfigurations

Continuous discovery and monitoring of the external attack surface: internet-facing assets, exploitable vulnerabilities, shadow IT, expired certificates, leaked credentials, cloud misconfigurations. Prioritisation by real-world impact and exploitability.

Relevant when

You have a wide external surface (multi-cloud, frequent M&A, ungoverned shadow IT) · you struggle to prioritise known vulnerabilities · you want to be preventive, not reactive.

Explore the module →
07 Brand & reputational exposure

Brand & Social Intelligence

Domain spoofing, fake profiles, phishing kits, impersonation

Monitoring of the non-IT attack surface: look-alike domains, fake LinkedIn/Telegram profiles, phishing kits using the customer's logo, executive impersonation, reputational mentions, deepfakes. Coordinated take-down where feasible.

Relevant when

Recognisable brand targeted by phishing/spoofing · executives with exposed public profile · brand impacts conversion (finance, retail, luxury, private healthcare) · you need coordinated take-down of online abuse.

Explore the module →
08 Vendor exposure

Supply Chain Security Monitoring

Exposure, breach and risk of critical vendors

Continuous monitoring of the external exposure and public incidents of critical vendors: credential leaks, exploitable vulnerabilities, appearance on ransomware leak sites, overall cyber posture. Immediate alert on vendor breach — to understand the inherited cyber risk and activate countermeasures before it translates into your own incident.

Relevant when

You rely on critical vendors (cloud, software, MSP, financial services, logistics) whose compromise exposes you · NIS2/DORA require third-party risk governance · you must demonstrate due diligence after a vendor breach.

Explore the module →
Assessment · CTI

Talk to our analysts to design your CTI programme.

30 minutes with a Fortgale analyst · no obligation

In a free session we review your context together (sector, high-value assets, recent incidents, external exposure) and identify which of the eight modules bring real value, and which don't.

What you receive

A relevance map of the modules for your organisation + a tailored modular proposal. No obligation to continue.

Book the assessment →

Each module is activated individually or in combination. Modular pricing based on perimeter and volume.

The Fortgale advantage

The intelligence no vendor can sell you.

There are hundreds of threat intelligence feeds on the market. Most aggregate third-party data and resell it. Fortgale does something radically different: we generate original intelligence, every day.

01 ·

Intelligence from real incidents

Every incident handled by the Fortgale SOC becomes structured intelligence: IOCs observed in real conditions, documented TTPs, mapped offensive infrastructure. Not theoretical models — artefacts extracted from attacks against European organisations in the past 24 hours.

02 ·

Independent threat actor research

The Fortgale CTI team independently analyses campaigns, infrastructure and tools of major criminal groups and state-sponsored actors active against Europe. Without depending on vendors or aggregators: original analyses, our own attributions, independent publications.

03 ·

AI as multiplier, not replacement

Fortgale uses internally-developed artificial intelligence to amplify analysts: high-volume correlation, known-campaign pattern recognition, alert prioritisation. No third-party AI products: internal systems trained on our own data.

Proof · scale of intelligence

Four numbers that anchor Fortgale CTI.

Proprietary database of adversaries active against Europe, real-time IOC distribution, continuous dark web coverage, bilingual reports for management and technical teams.

180+
Adversaries profiled
targeting European markets
34 k+
Indicators of compromise
produced weekly
D/DW
Deep & Dark Web
continuously monitored
EN/IT
Bilingual reports
technical + executive
Research · recent publications

Our research, published on the blog.

We profile actors, analyse samples, track campaigns. A part of this research we share with the community on our blog. We don't aggregate third-party feeds — we publish only what we have verified first-hand.

Defence · 15 Apr 2026

Phishing Kits Bypass MFA and Hijack companies' accounts in minutes

Intelligence · Phishing Kit · Q1 2026 · April 24, 2026 · Fortgale CTI · 14 min read · RPT-26-0424. Observation of the quarter: The 2026 phishing ecosystem has outpaced tradition…

Read article →
Featured · 8 Apr 2026

Investment-Targeted Phishing: How Phishing Kit Fuels Espionage in Funding Rounds

In the high-stakes world of venture capital and corporate funding, where millions hang in the balance and sensitive financial data flows freely, a new breed of cyber threat is em…

Read article →
Defence · 13 Mar 2026

Operation Storming Tide: A massive multi-stage intrusion campaign

In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabiliti…

Read article →
Featured · 4 Sep 2024

Behind the Wheel: Unveiling the Supercar Phishing Kit Targeting Microsoft 365

UPDATES: 27.11.2024: As mentioned by TrustWave, "Supercar Phishing Kit" has a high level of overlap with the most recent update of "Rockstar 2FA Phishing-as-a-Service" 26.09…

Read article →
Featured · 18 Dec 2023

Espionage activities targeting European businesses

In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities wi…

Read article →
Featured · 6 Dec 2023

Nebula Broker: offensive operations made in Italy

Fortgale has been tracking an Italian Threat Actor, internally dubbed as Nebula Broker, since March 2022. The actor uses self-made malware (BrokerLoader) to compromise Italian sy…

Read article →
How you receive the intelligence

Four delivery formats, integrated into your workflows.

The eight CTI capabilities are delivered in four operational formats: bilingual PDFs for management and analysts, STIX/TAXII feeds consumable by SIEM/EDR, real-time alerts via webhook, and live briefings with analysts. Every deliverable is designed to plug into existing processes, with no added overhead.

01

Bilingual PDF reports

Threat reports, vertical advisories, and executive briefings as PDF in English and Italian. Two cuts per report: technical for SOC analysts and threat hunters (TTPs, IOCs, MITRE mapping) and executive for management and boards (business risk, prioritised actions).

PDF · EN/IT · Technical version · Executive version · MITRE mapping
02

STIX/TAXII feed · API

Machine-readable IOCs directly consumable by SIEM, EDR, firewall, and TIP platforms. Standard STIX 2.1 / TAXII 2.1 integration, Custom Threat Intelligence support on major MDR platforms. Continuous rotation, validated indicators.

STIX 2.1 · TAXII 2.1 · REST API · Custom TI
03

Real-time alerts · webhook

Immediate notifications on detection of corporate credentials on leak sites, customer mentions in forums, appearance of look-alike domains, high-priority IOCs. Delivery via email, webhook, Slack, Microsoft Teams. Sub-15-minute delivery SLA.

Webhook · Email · SMS · Slack · Teams · 15-min SLA
04

Live briefings · analyst q&a

Periodic sessions with the CTI team: advisory walkthroughs, technical q&a, deep-dives on specific actors detected in the customer environment. On demand: convene an analyst for triage or post-incident support.

Periodic briefings · Analyst Q&A · On demand · Walkthrough
The operating model

Analysts amplified by AI. Not replaced.

AI turns raw data into signals; analysts turn signals into decisions. Fortgale has internally developed the AI tools that amplify our team — without ceding control to external platforms.

01

Large-scale automated correlation

Internal AI systems correlate millions of network, endpoint and threat feed events in real time, identifying patterns that would require hours of manual analysis. Analysts receive prioritised signals, not raw noise.

02

Pattern recognition on known campaigns

Internal models recognise the fingerprints of tracked threat actors (infrastructure, toolsets, behaviour), accelerating attribution and reducing response times from hours to minutes.

03

Independent, verifiable analysis

No third-party black-box algorithms. Every analysis is produced by the team with documented methods and verifiable results. When Fortgale attributes a campaign to an actor, it is because we have technical evidence, not because a vendor suggested it.

04

Intelligence that improves over time

Each new incident enriches internal models. Fortgale CTI becomes progressively more accurate for customers in continuous engagement: the historical context of their infrastructure is integral to every new analysis.

What we observe

An example of tracked compromise.

The TTPs feeding Fortgale CTI come from real incidents: enumeration, lateral movement, credential dumping, exfiltration. The video below is a simulation of an actor's recurring behaviour — the kind of evidence a customer sees in our monthly reports.

FAQ · frequent questions

Everything you need to know about Fortgale CTI.

What sets Fortgale CTI apart from commercial feeds?

Most CTI vendors resell feeds aggregated from third parties (VirusTotal, Mandiant, Recorded Future). Fortgale generates original intelligence from three primary sources: incidents handled by the SOC daily, independent threat actor research, continuous deep & dark web monitoring. Contextual, current, applicable intelligence.

What are Fortgale IOCs and how are they applied?

Indicators of Compromise (IPs, domains, hashes, URLs, YARA rules) are produced from real incidents and research on offensive infrastructure. They are distributed automatically to customer SIEM/EDR/firewalls via STIX/TAXII and applied as Custom Threat Intelligence on MDR platforms, blocking known threats before impact.
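The feed module, the STIX/TAXII delivery format and this answer all describe the same thing: STIX 2.1 indicator objects pushed over TAXII 2.1 into a SIEM, EDR or firewall. What the consuming side has to get right is rarely shown, so here is an added example (stdlib-only Python, not Fortgale's feed client) of the consumer: it parses a bundle, pulls the observables out of each STIX pattern, drops indicators that are revoked or past `valid_until` (the step that makes "continuous rotation" safe), passes YARA patterns through untouched, and renders one type as a plain-text block list. The bundle, its ids, the documentation-range IPs and the reserved-TLD domains are all constructed for illustration; none is a real indicator.

```python
"""Consume a STIX 2.1 indicator bundle and emit SIEM/firewall-ready IOC lists.

Added example (stdlib only); not Fortgale's feed client. The bundle below is
constructed for illustration: IPs come from the documentation range
198.51.100.0/24 and domains use reserved TLDs, so none of it is a real IOC.
"""
import json
import re
from datetime import datetime, timezone

# One comparison inside a STIX pattern: <object-path> = '<value>'. Only
# observable types a SIEM, EDR or firewall can act on directly are extracted;
# any other comparison in the same pattern is ignored.
_COMPARISON = re.compile(
    r"(?P<path>ipv4-addr:value|ipv6-addr:value|domain-name:value|url:value"
    r"|file:hashes\.'(?:MD5|SHA-1|SHA-256)')\s*=\s*'(?P<value>[^']*)'"
)
_TYPE_BY_PATH = {
    "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain", "url:value": "url",
    "file:hashes.'MD5'": "md5", "file:hashes.'SHA-1'": "sha1",
    "file:hashes.'SHA-256'": "sha256",
}
_CASE_INSENSITIVE = {"domain", "md5", "sha1", "sha256"}  # URLs keep their case


def _parse_ts(value):
    """STIX timestamps are RFC 3339 UTC with a trailing 'Z', optional fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def load_bundle(text):
    """Parse a TAXII response body or STIX file and check it is a bundle."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle


def extract_iocs(bundle, now=None):
    """Return {ioc_type: sorted values}, dropping revoked and expired indicators.

    Honouring valid_until is what makes a rotating feed safe to apply
    automatically: a consumer that never expires what it ingested keeps stale
    blocks forever. Non-STIX patterns (YARA, Snort) are passed through under
    their own key for the tools that consume them.
    """
    now = now or datetime.now(timezone.utc)
    out = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue
        ptype = obj.get("pattern_type", "stix")
        if ptype != "stix":
            out.setdefault(ptype, set()).add(obj["pattern"])
            continue
        for m in _COMPARISON.finditer(obj["pattern"]):
            ioc_type = _TYPE_BY_PATH[m.group("path")]
            value = m.group("value")
            if ioc_type in _CASE_INSENSITIVE:
                value = value.lower()
            out.setdefault(ioc_type, set()).add(value)
    return {k: sorted(v) for k, v in out.items()}


def to_edl(iocs, ioc_type):
    """Render one IOC type as a plain-text list (one value per line), the
    external-dynamic-list format most firewalls can poll directly."""
    return "".join(v + "\n" for v in iocs.get(ioc_type, []))


# Constructed sample bundle; ids are placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2026-04-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2026-04-01T00:00:00Z",
         "valid_until": "2099-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'LOGIN-PORTAL.example' AND url:value = 'https://login-portal.example/auth']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2026-01-01T00:00:00Z", "revoked": True,
         "pattern": "[domain-name:value = 'old-c2.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2025-01-01T00:00:00Z",
         "valid_until": "2025-06-01T00:00:00.000Z",  # expired at demo time
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "yara", "valid_from": "2026-04-01T00:00:00Z",
         "pattern": 'rule constructed_example { strings: $s = "constructed" condition: $s }'},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000006",
         "name": "placeholder actor"},  # not an indicator: skipped
    ],
}


def demo(now=datetime(2026, 6, 1, tzinfo=timezone.utc)):
    """IOCs from the sample bundle as a consumer would see them on 2026-06-01."""
    return extract_iocs(load_bundle(json.dumps(SAMPLE_BUNDLE)), now=now)


if __name__ == "__main__":
    for ioc_type, values in demo().items():
        print(ioc_type, values)
```

Run as-is it prints the live IPv4, domain and URL values and the YARA rule; the revoked domain and the expired hash never reach the block lists. In a real deployment the same `extract_iocs` would run on each TAXII poll (`GET .../objects/?added_after=<last seen>` with `Accept: application/taxii+json;version=2.1`) and the consumer would also remove values whose indicators have since expired.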

What does dark web monitoring include?

Search for compromised corporate credentials in criminal marketplaces, monitoring of forums where actors plan attacks, detection of exfiltrated data on ransomware leak sites, tracking of Telegram channels and anonymised networks, real-time alerts when the customer name appears.

Who are the CTI reports for?

Two formats: technical reports for security teams (SOC analysts, threat hunters, technical CISOs) with IOCs, MITRE-mapped TTPs and operational guidance; executive reports for management with risk language, business impact, and prioritised actions. Published in English and Italian.

Is CTI accessible without Fortgale SOC/MDR?

Yes. The CTI service is available both as an integrated component of SOC/MDR (intelligence applied automatically to detection rules) and as a standalone service for companies with internal security teams who want to enrich it with proprietary IOC feeds, vertical advisories, and threat actor reports.

What does Attack Surface Management cover in the CTI service?

Fortgale ASM performs continuous discovery and monitoring of the customer's external attack surface: internet-facing assets, exploitable vulnerabilities, shadow IT, expired certificates, leaked credentials, cloud misconfigurations (S3, Azure Blob, GCP). Everything is correlated with internal threat intelligence to prioritise what is actually exploitable by actors active against the customer's sector — not a list of theoretical vulnerabilities, but a list of concrete risks.

What does Brand & Social Intelligence include?

Monitoring of the non-IT attack surface: look-alike domains, fake LinkedIn/Telegram profiles impersonating executives, phishing kits using the customer's logo, executive impersonation, deepfakes, reputational mentions in criminal channels. Coordinated take-down with providers (registrars, social platforms, hosters) where feasible.
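The look-alike domain detection named in the Brand & Social Intelligence module and in this answer comes down to two steps: generate the permutations an attacker would register for a brand domain, then normalise observed registrations (certificate-transparency entries, new-domain feeds) so that punycode IDN domains compare against the Unicode homoglyph candidate that produced them. Here is an added example in Python of both steps; it is not Fortgale's monitoring code. `fortgale.example` is a placeholder input and the observed domains are constructed.

```python
"""Generate look-alike candidates for a brand domain and match them against
observed registrations.

Added example; not Fortgale's monitoring code. 'fortgale.example' is a
placeholder input, and the observed domains are constructed (in practice they
would come from certificate-transparency logs or new-registration feeds).
"""

# Characters that render alike in common fonts: Cyrillic а/е/о (U+0430,
# U+0435, U+043E) are visually identical to Latin a/e/o; digits and l/i/1
# are the classic ASCII confusables.
HOMOGLYPHS = {
    "a": ["\u0430", "4"], "e": ["\u0435", "3"], "o": ["\u043e", "0"],
    "i": ["1", "l"], "l": ["1", "i"], "g": ["q", "9"], "t": ["7"],
}
KEYWORDS = ["login", "secure", "mail", "support"]
TLD_SWAPS = ["com", "net", "co", "io", "it"]


def candidates(brand_domain):
    """Return {candidate_domain: technique} for one registrable brand domain."""
    brand = brand_domain.lower()
    sld, _, tld = brand.rpartition(".")
    out = {}

    def add(technique, label, t=tld):
        d = f"{label}.{t}"
        if d != brand:
            out.setdefault(d, technique)  # first technique to produce it wins

    for i, ch in enumerate(sld):
        add("omission", sld[:i] + sld[i + 1:])
        add("repetition", sld[:i] + ch + sld[i:])
        if i < len(sld) - 1:
            add("transposition", sld[:i] + sld[i + 1] + ch + sld[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):
            add("homoglyph", sld[:i] + sub + sld[i + 1:])
        if i > 0:
            add("hyphenation", sld[:i] + "-" + sld[i:])
    for kw in KEYWORDS:
        add("keyword", f"{sld}-{kw}")
        add("keyword", f"{kw}-{sld}")
    for t in TLD_SWAPS:
        if t != tld:
            add("tld-swap", sld, t)
    return out


def normalize(domain):
    """Lower-case and decode punycode labels so an IDN homoglyph domain
    (xn--...) compares against the Unicode candidate that produced it."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def match_observed(brand_domain, observed):
    """Return {observed_domain: technique} for every observed domain that is
    one of the generated look-alikes of brand_domain."""
    cands = candidates(brand_domain)
    return {d: cands[normalize(d)] for d in observed if normalize(d) in cands}


# Constructed observations, as if pulled from a CT-log or new-domain feed.
OBSERVED = [
    "fortgale-login.example",
    "fortgaie.example",
    "f0rtgale.example",
    "fortg\u0430le.example".encode("idna").decode("ascii"),  # punycode form
    "fortgale.co",
    "unrelated.example",
]


def demo():
    return match_observed("fortgale.example", OBSERVED)


if __name__ == "__main__":
    for domain, technique in demo().items():
        print(f"{domain:40} {technique}")
```

Five of the six constructed domains match, including the Cyrillic-а variant that only looks like the brand once its `xn--` label is decoded. A production monitor would add a fuzzy stage (edit distance or visual similarity) for registrations the permutation set does not enumerate, and would run the same normalisation over the hostnames in phishing-kit telemetry.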

Do you produce briefings for boards and risk committees?

Yes. The Executive Briefing & Board Reporting service produces dedicated reports for the board and risk committees in business-risk language: exposure status, actors active against the organisation, NIS2 and DORA compliance, required decisions, potential economic impact. An operational tool for cyber governance at board level.

How does attack attribution work?

Technical attribution is part of Threat Actor Profiling. When the CTI team detects an incident, observed TTPs (MITRE ATT&CK-mapped), C2 infrastructure, tooling, malware code, and victimology are correlated with profiles of already-tracked actors. When evidence is sufficient, a documented attribution is formulated. When it is not, the most likely hypotheses are indicated without overreach — rushed attribution is one of the most common bad practices in commercial CTI.
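The correlation step described above can be made concrete with a small evidence-weighted scorer. The added example below is an illustration in Python, not Fortgale's scoring model: shared TTPs count for little on their own (credential dumping or SMB lateral movement appear in most intrusions), reuse of controlled infrastructure or of a private tool counts for much more, and attribution is only issued when the leading profile both clears a threshold with at least one strong-class overlap and leads the runner-up by a margin; otherwise the output is a ranked set of hypotheses or an explicit "insufficient". Actor and tool names, the profiles and the three observations are constructed; the technique IDs are MITRE ATT&CK IDs and the IPs come from the documentation ranges.

```python
"""Evidence-weighted correlation of an observed intrusion against tracked
actor profiles.

Added illustration of the correlation step; not Fortgale's scoring model.
Profiles and observations are constructed: technique IDs are MITRE ATT&CK
IDs, actor and tool names are placeholders, IPs are documentation addresses.
"""
from dataclasses import dataclass

# Weight per evidence class. TTP overlap alone is weak (widely shared);
# infrastructure or private-tool reuse is strong. Thresholds are illustrative.
WEIGHTS = {"ttp": 1.0, "tool": 3.0, "infra": 5.0}
ATTRIBUTE_AT = 10.0   # minimum score for a documented attribution
HYPOTHESIS_AT = 4.0   # minimum score to name an actor as a hypothesis


@dataclass
class Profile:
    name: str
    ttps: frozenset
    tools: frozenset
    infra: frozenset


def score(profile, observed):
    """Return (weighted score, overlap per evidence class)."""
    overlap = {
        "ttp": profile.ttps & observed["ttps"],
        "tool": profile.tools & observed["tools"],
        "infra": profile.infra & observed["infra"],
    }
    return sum(WEIGHTS[k] * len(v) for k, v in overlap.items()), overlap


def attribute(profiles, observed, margin=3.0):
    """Attribute only when the top profile clears ATTRIBUTE_AT, has at least
    one strong-class (tool/infra) overlap and leads the runner-up by `margin`;
    otherwise report hypotheses, or 'insufficient' when nothing scores."""
    ranked = sorted(((score(p, observed), p) for p in profiles),
                    key=lambda sp: sp[0][0], reverse=True)
    (top_score, top_overlap), top = ranked[0]
    runner_up = ranked[1][0][0] if len(ranked) > 1 else 0.0
    strong = bool(top_overlap["tool"] or top_overlap["infra"])
    hypotheses = [(p.name, s) for (s, _), p in ranked if s >= HYPOTHESIS_AT]
    if top_score >= ATTRIBUTE_AT and strong and top_score - runner_up >= margin:
        verdict, actor = "attributed", top.name
    elif hypotheses:
        verdict, actor = "hypotheses", None
    else:
        verdict, actor = "insufficient", None
    return {"verdict": verdict, "actor": actor, "hypotheses": hypotheses,
            "evidence": {k: sorted(v) for k, v in top_overlap.items()}}


# Constructed profiles: two actors that share most of their TTPs but not
# their tooling or infrastructure.
PROFILES = [
    Profile("ACTOR-A",
            frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1041"}),
            frozenset({"loader-x"}), frozenset({"198.51.100.7", "c2-a.invalid"})),
    Profile("ACTOR-B",
            frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"}),
            frozenset({"ransom-y"}), frozenset({"203.0.113.9"})),
]

# Constructed observations from three hypothetical incidents.
OBSERVATIONS = {
    # TTPs plus the loader and a known C2 address: discriminating evidence.
    "with-infra": {"ttps": {"T1566.001", "T1059.001", "T1003.001", "T1021.001"},
                   "tools": {"loader-x"}, "infra": {"198.51.100.7"}},
    # The same TTPs only: both profiles fit, so no attribution is issued.
    "ttps-only": {"ttps": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1041"},
                  "tools": set(), "infra": set()},
    # A single generic technique: nothing to correlate.
    "generic": {"ttps": {"T1190"}, "tools": set(), "infra": set()},
}


def demo():
    return {name: attribute(PROFILES, obs) for name, obs in OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["actor"], result["hypotheses"])
```

The second observation is the one that matters: five matching TTPs score higher than anything else on the board, yet without a tool or infrastructure overlap the result stays a hypothesis, which is exactly the overreach the answer above warns against.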

Start with CTI

What does your adversary know that you don't yet?

Dark web monitoring, proprietary IOCs, and Fortgale reports give you access to the intelligence usually only large enterprises can afford. Speak with the CTI team and find out what we're tracking today.

Response time: < 1 business day.