Threat coverage by the numbers
What we monitor for you
You don't have the capacity to follow every threat source yourself. We do it for you and deliver only what is relevant to your environment and sector.
CVEs and vulnerabilities
You know which new CVEs are actively being exploited and whether your software or hardware is vulnerable. Not every CVE is critical; we filter on exploitability in the wild.
Ransomware groups
You have insight into the 30+ active ransomware groups we track: TTPs, victim profiles, ransom strategy and infrastructure. Know whether your sector is in the crosshairs.
APT actors
You know which state-sponsored actors are active in the Netherlands, Belgium and Spain. From NOBELIUM to APT28: we track campaigns and map them to MITRE ATT&CK techniques.
OT and ICS threats
Your OT environment is not blind. We monitor threats specific to industrial protocols and ICS/SCADA environments, including new malware that disrupts production processes.
Dark web and data leaks
You know when your organisation name, credentials or internal data appears on dark web forums. We actively monitor initial access brokers and data leak platforms.
Sector intelligence
You receive intelligence filtered for your sector: financials, government, healthcare, industry or technology. Generic feeds deliver noise; sector-specific context delivers action.
Recent intelligence
Week 15, 2026: three active threats we are currently monitoring and for which we have published detection rules and IoCs.
NCSC-2026-0239: SonicWall SMA1000 two actively exploited zero-days. CVE-2026-15409 (SSRF, CVSS 9.8) and CVE-2026-15410 (code injection AMC, CVSS 9.8). Patch now.
NCSC-NL advisory NCSC-2026-0239 [H/H] confirms two actively exploited zero-days in SonicWall SMA1000 appliances, both now rated CVSS 9.8. CVE-2026-15409 is an unauthenticated Server-Side Request Forgery (SSRF) in the Work Place interface, allowing an attacker without credentials to probe internal networks and issue requests on behalf of the appliance. CVE-2026-15410 is a post-authentication code injection in the Appliance Management Console (AMC) enabling OS command execution on the system. Both vulnerabilities are confirmed as actively exploited in the wild. SonicWall SMA1000 is a widely deployed remote access platform in enterprise and mid-market environments; a compromised device provides direct access to the internal network. Action: patch SonicWall SMA1000 to the latest available version immediately; review access logs for anomalous SSRF patterns; notify all clients with SonicWall SMA1000 deployments and perform IoC checks. MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter).
PLAY ransomware hits Dutch manufacturer AG Scholtes: NL manufacturing sector threat elevated. Three EU victims in one 24-hour cycle.
PLAY ransomware has confirmed AG Scholtes (agscholtes.nl), a Dutch manufacturing company, as a victim on July 16, 2026 via ransomware.live. In the same 24-hour cycle, PLAY also claimed Andorra Life (healthcare, AD) and Svensk Direktreklam (business services, SE), demonstrating active EU-wide operations across three countries. PLAY is among the most active ransomware groups currently and consistently targets manufacturing and industrial environments. The group's known TTPs include initial access via unpatched RDP and VPN vulnerabilities, followed by lateral movement (T1083, File Discovery), data exfiltration (T1041), and encryption (T1486). For European manufacturing and OT environments, the AG Scholtes hit is a direct indicator of threat actor proximity: PLAY has active footholds within the European business network. Action: activate MDR alerting for manufacturing sector clients; check for PLAY indicators of compromise (CISA AA23-352A); validate RDP and VPN access hardening; review lateral movement detection in production environments. MITRE ATT&CK: T1486, T1083, T1041.
Research and reports
DEFION publishes on two levels. Technical depth for security teams. Strategic context for management.
Technical
- ✓ In-depth CVE analyses and exploitability scores
- ✓ Malware reversals and behavioural analyses
- ✓ KQL detection rules for Microsoft Sentinel
- ✓ Pwn2Own and conference technical write-ups
- ✓ MITRE ATT&CK mapping per campaign
Strategic
- ✓ Monthly threat reports for the CISO
- ✓ Sector analyses per industry and region
- ✓ MITRE ATT&CK heatmaps at organisational level
- ✓ Client briefings on active campaigns
- ✓ Quarterly Threat Landscape report NL/EU
Who is this relevant for?
Threat Intelligence is not just for SOC analysts. Every security role benefits from the right information at the right time.
CISO
- ✓ Monthly threat briefing for the boardroom
- ✓ Risk assessment per sector and regulation
- ✓ Evidence base for security investments
SOC Analyst
- ✓ IoC feeds ready for use in your SIEM
- ✓ KQL detection rules per campaign
- ✓ Technical depth per threat and TTP
IT Director
- ✓ Visibility into vulnerabilities in your environment
- ✓ Patch prioritisation based on exploitability
- ✓ Overview of active threats in your sector
Incident Responder
- ✓ Context-rich IoCs and YARA rules
- ✓ TTP mapping for attribution and containment
- ✓ Rapid sector briefings on active campaigns
Intelligence products
From freely accessible publications to client-specific threat analyses. Choose the level that suits your organisation.
Freely accessible
- ✓ Blog: technical analyses and threat reports
- ✓ Quarterly Threat Landscape report NL/EU
- ✓ CVE updates and patch advisories
- ✓ Research Labs publications
MDR clients
- ✓ Weekly tailored threat briefings
- ✓ IoC feeds directly in your SIEM or EDR
- ✓ KQL detection rules per campaign
- ✓ Direct notification on critical threats
- ✓ MITRE ATT&CK heatmap per quarter
Custom
- ✓ Client-specific threat analysis
- ✓ Sector briefing for your industry
- ✓ Dark web scan for organisation name and credentials
- ✓ Imminent Threat Exposure assessment
FAQ Threat Intelligence
What is Threat Intelligence and why do I need it?
What is the difference between strategic and operational threat intelligence?
How does DEFION Threat Intelligence differ from a commercial feed?
How quickly do you publish when an active campaign or zero-day emerges?
Can I subscribe to Threat Intelligence without MDR?
Request a threat analysis
Want to know which threats are active in your sector and whether your environment is vulnerable? Our analysts produce a targeted analysis based on your profile.
No obligations. First analysis free of charge for qualified organisations.
®