How do Cyber Threat Intel (CTI) teams collaborate within Feedly to increase productivity and reduce blind spots? In this post, we’ll share best practices we’ve observed working with CTI teams across industries and how they’re using Feedly’s newest capabilities to move faster at every stage of the intelligence cycle.
Impact
Saved 66-90% of time spent collecting and sharing intelligence
Analyzed vulnerabilities, threat actors, IoCs and TTPs, up to 70% faster
Discovered new vulnerabilities and threats up to 3 days sooner than other tools
Motivated? Read on.
Collecting relevant intelligence
The volume of cybersecurity articles, reports, blogs, and posts on the open web can seem overwhelming. How do you identify what’s important, focus on the intelligence needs of the business, and avoid wasting time on irrelevant or duplicate information?
Feedly’s Intel Agents (Vulnerability, Cyberattack, and TTP) replace that manual effort with continuous, filtered monitoring across 10,000+ OSINT sources, so your team starts each day already caught up.
Vulnerability Agent
Personalized to your tech stack, the Vulnerability Agent surfaces high-risk CVEs with the context needed to prioritize fast: CVSS and EPSS scores, active exploit indicators, PoC availability, and linked threat actors. Filter by vendor, product, attack vector, and more to cut noise and focus on what actually matters to your environment.
Cyberattack Agent
The Cyberattack Agent monitors attack activity targeting your industry in real time, pulling from 10,000+ sources including SEC filings and regional stock exchanges. Filter by attack type, industry, actors, and malware to zero in on relevant incidents, and use the “What? So what?” column to triage without opening every article.
TTP Agent
The TTP Agent tracks trending ATT&CK techniques and extracts procedures so you can prioritize threat hunts without hours of manual tagging. Filter by industry, threat actor, or malware family, track behavioral shifts over customizable date ranges, and launch directly into MITRE ATT&CK Navigator to build attack emulations grounded in current adversary behavior.
AI Feeds
AI Feeds remain the backbone of ongoing collection. Powered by 1,000+ AI Models, they continuously scan millions of sources and surface articles aligned to your PIRs with higher relevance and lower noise than keyword searches. Most teams organize AI Feeds into Team Folders by intelligence requirement or stakeholder group, and treat them as the always-on layer underneath their Agents.
Triage and analyze emerging threats
Collecting the right signals is only half the job. Feedly’s Insights Cards and Ask AI help teams get from raw article to finished analysis faster, without switching tools or synthesizing dozens of reports by hand.
Insights Cards
Insights Cards give you structured, continuously updated context on any threat (CVE, Cyberattack, Threat Actor, or IoC) aggregated from thousands of sources into a single view. Instead of piecing together context across tabs, you get the full picture in one place: timelines, TTPs, malware, attribution, severity scores, and source citations. Vulnerability teams use CVE Insights Cards to jumpstart triage; incident responders lean on Cyberattack Cards to quickly assess exposure; threat hunters use Threat Actor Cards to prepare hunts and tabletop exercises.
Ask AI
Ask AI can be run on top of your AI Agents and Insights Cards as well as AI Feeds, so analysts can synthesize intelligence across multiple languages, extract IoCs, TTPs, and CVEs, and produce finished deliverables, all without leaving Feedly. Every response is grounded in the Real-Time Threat Graph and cited back to its original sources, so analysts stay in control of what goes into the final product. Teams use it to draft vulnerability briefs, flash reports, threat actor profiles, and executive summaries in minutes rather than hours.
Produce intelligence
Collecting and analyzing threats is only part of a CTI analyst’s job. The other part is producing the reports and briefs that keep your team and stakeholders informed. Whether it’s a daily threat brief, a weekly vulnerability digest, or an executive summary after a major incident, Feedly’s Report Builder and Automated Newsletters help you produce consistent, high-quality intelligence outputs without the hours of manual work.
Report Builder
Creating a threat intelligence report manually can take anywhere from 3 to 8 hours. The Report Builder brings that down to minutes. Start from a Feedly template or upload your own. Feedly AI extracts your sections and replicates your writing structure, then automatically gathers supporting sources and populates each section with inline citations from the Feedly Threat Graph. Every claim is verifiable, which matters when you’re handing a brief to a CISO or an external stakeholder.
You can adjust the technical level of the output for different audiences, collaborate with teammates in the editor, and refine any section in real time with Ask AI, without breaking the flow of your report. When you’re done, export directly to PDF or copy the text to your existing workflow.
Automated Newsletters
Automated Newsletters auto-populate from AI Feeds or Team Boards, with AI-assisted summaries and analyst notes already drafted. Teams set a delivery schedule and let Feedly handle the rest: daily threat briefs for security operations, weekly roundups for the CISO, targeted vulnerability digests for the vulnerability management team.
Deliver intelligence
Sharing the intelligence your team has collected, analyzed, and curated is a key activity of most CTI teams. However, many teams spend hours per day on this part of the process, creating reports manually and sending them through email lists. Feedly makes this easier by providing several ways of sharing the intelligence, from article tagging and Slack integration to fully automated workflows that pass data through the Feedly API to your other security tools.
Team Boards
Team Boards are where analysts curate before they share. Save key articles and Insights Cards to a Board, and configure it to trigger downstream actions automatically with a Slack alert, a newsletter entry, or an API push. Boards work best when named around the audience they serve: CISO, vulnerability team, threat hunters, or incident response.
Integrations and API
The enrichment Feedly extracts (IoCs, TTPs, malware, CVE data, detection rules) can flow directly into your TIP, SIEM, or SOAR via STIX/JSON API, no-code integrations, and MISP support. The time between “Feedly found something” and “your detection rules are updated” can be minutes, not days.
Putting it all together
Leading CTI teams use Feedly across the full intelligence cycle: Intel Agents and AI Feeds for continuous, filtered collection; Insights Cards and Ask AI to move from signal to finished analysis fast; and Automated Newsletters and integrations to get the right intel to the right people without the manual overhead.
The result is a team that spends less time gathering and formatting, and more time doing the analysis work that actually protects the organization.



