Cisco Blogs

Changing the Way We Deliver Vulnerability and Threat Intelligence

- July 31, 2015 - 1 Comment

We are making some changes to the way Cisco Security provides and shares vulnerability and threat intelligence to make it more consumable by our customers and the security community. The Cisco Security IntelliShield Service has been successfully delivering multi-vendor security intelligence to our customers for 15 years. During this time, the security intelligence market has continued to evolve to more integrated and automated solutions. Similarly, the Cisco Security strategy has evolved to add machine-readable security content.

We have seen an ever-increasing volume of multi-vendor reporting over the years. IntelliShield started publishing security intelligence alerts in May 2000 and we published 1337 alerts that first year. By 2005 that had increased to 1555 alerts and in 2010 to 5210 alerts. In 2014, IntelliShield published 7242 alerts and the volume continues to increase. As the volume of security activity has increased, security teams are faced with the challenge of efficiently handling that increased volume. The solution for this increased volume is to automate the reporting and sharing of vulnerability and threat intelligence through machine-to-machine standardized formats. 

To make security intelligence more consumable and sharable, Cisco announced the End-of-Life of the Cisco Security IntelliShield Alert Manager Web Portal on February 2, 2015. The End-of-Sale and the IntelliShield Alert Manager Web Portal shutdown will occur on August 3, 2015. To prepare for the End-of-Life, we have made all IntelliShield alerts going back to the year 2000 publicly available on the Cisco Security Portal and have been working with our customers to transition to the Cisco Security Portal and automated services. The announced End-of-Life only affects the IntelliShield Alert Manager Web Portal Service. The IntelliShield security analysts will continue to deliver the multi-vendor security intelligence alerts through the API and RSS services, standardized CVRF and OVAL formatted reporting, and human-readable and searchable public alerts available on the Cisco Security Portal.

We developed and began using the IntelliShield API internally at Cisco years ago, which now supports multiple Cisco Services, engineering and security teams within Cisco. The API is available externally by subscription, and will become our primary delivery format going forward. Additional technical information on the IntelliShield Security Intelligence API is available in the Cisco Security Blog post: A Programmatic Approach to Using Cisco’s Security Intelligence Feed.

We are committed to continue working with organizations like ICASI, the ISACs, and multiple other vendors and security organizations to develop the governance, technical frameworks, and standards to improve threat intelligence reporting, sharing, and exchanges.

We invite you to visit the Cisco Security Portal to explore the depth and breadth of the multi-vendor security alerts, spam and malware activity, technical papers, and the Cisco Security Blog.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Any plans to provide indicators of compromise like Bad IPaddresses, Hashes of bad files etc via this platform ? currently they are being mentioned in various blog entries of Talos but it might be useful if they are part of this programmable service