Building the Foundation for Federated Threat Intelligence Sharing

In early November 2025, a notable cybercrime development made the news headlines: a merger between Scattered Spider, LAPSUS$, and ShinyHunters, three of the most disruptive threat actors of recent years. The new collective, now operating as a coordinated network and offering extortion-as-a-service, openly described itself as a “federation of crews.”
Threat actors are organizing, operationalizing, and sharing intelligence across ecosystems faster than ever. Meanwhile, many defenders still operate within isolated intelligence-sharing circles, each with its own rules, governance model, and trust barriers.
To keep pace, organizations, ISACs, MSSPs, and national CERTs must evolve beyond central hubs and silos toward federated, policy-driven ecosystems that strike a balance between autonomy and collective visibility. The future of collective defense depends on it.
The Limit of Centralized Sharing Models
For years, central sharing models have underpinned collaboration across industries. Individual ISACs, CERTs, and information-sharing communities have done critical work in uniting defenders. But as participation and regulation have grown, central models have reached their operational limits.
They struggle to reconcile conflicting disclosure rules, national data-sovereignty laws, and complex trust frameworks. They also create single points of failure, be it technical, organizational, or political, that can limit scalability and responsiveness.
A federated approach provides a path forward, connecting independent sharing nodes that preserve local autonomy while still enabling cross-community visibility across sectors and borders.
Why Federation is Emerging as a Strategic Imperative
Federation is a governance evolution. It allows independent communities to align on shared principles without collapsing into a single central authority. This model introduces a meta-governance layer, where policies, rules, and trust standards are harmonized while each participant retains sovereignty over its own data and operations.
Several strategic forces are making federation not only desirable but necessary.
Governance Saturation and Trust Complexity: As ISACs and CERTs grow, the layers of legal, operational, and policy complexity multiply. Trying to centrally manage trust agreements or disclosure policies across hundreds of members quickly becomes unmanageable.
Federation introduces flexibility. Each node retains control over what to share, how to share it, and under what rules, while still contributing to a shared situational picture. For example, the energy and financial sectors can maintain distinct disclosure protocols yet exchange high-confidence TTPs via a federated layer.
Regulatory Convergence and Accountability: Regulatory mandates such as DORA and NIS2 in the EU, and the SEC’s incident-disclosure rules in the US, require sector coordination, cross-border transparency, and traceable data lineage. Federation supports these expectations by carrying policy and audit trails with the data rather than bolting them on afterwards: each exchange records who shared what, with whom, and under which marking, so every transfer is transparent, enforceable, and accountable.
In effect, federation turns compliance into an enabler rather than an obstacle, ensuring regulatory alignment without hindering collaboration.
Data Volume and Source Proliferation: Today’s threat landscape generates an overwhelming volume of signals daily, including Indicators of Compromise (IOCs), telemetry feeds, and alerts. Analyzing or correlating all of that data through a single centralized hub is increasingly impractical, both computationally and politically: the hub becomes a processing bottleneck and a custodian of raw data that its members may not be permitted to export.
Federated, decentralized architectures distribute load and accountability. Each organization analyzes data locally, sharing only derived insights or model updates. This preserves confidentiality, reduces data-transfer burdens, and strengthens the collective intelligence model.
Sectoral Interdependence and Third-Party Risk: Critical infrastructure sectors no longer operate in isolation. A breach in a vendor network can cascade across multiple industries within hours.
Federated intelligence sharing ensures risk context travels securely across sector boundaries, allowing organizations to identify shared exposures and act pre-emptively. For instance, a compromised supplier’s behavior pattern detected in one sector can be flagged early to others, preventing repeat exploitation across interconnected supply chains.
How Cyware Enables Federated Threat Intelligence Sharing
Cyware has long championed the evolution from traditional, centralized sharing to a federated, collective defense. Its architecture provides the connective fabric that makes policy-driven federation operational.
Cyware enables federated threat intelligence sharing through a platform approach that focuses on bi-directional exchange, standardization, collaboration, and collective defense across trusted communities. Here is how Cyware facilitates this:
1. Bi-Directional Intelligence Exchange
Cyware's platforms, like Cyware Intel Exchange and Cyware Collaborate, move beyond one-way feeds by creating a reciprocal flow of information:
Consume and Contribute: Organizations not only receive external threat intelligence but can also seamlessly contribute their own internal observations, such as newly discovered Indicators of Compromise (IOCs) or attack patterns.
Real-Time Sharing: This bi-directional exchange is automated and happens in real time, drastically reducing the latency associated with manual sharing processes.
2. Standards-Based Interoperability
Cyware Intel Exchange ensures that intelligence can be shared and consumed across diverse security ecosystems by adopting industry standards:
STIX/TAXII: Cyware supports the Structured Threat Information Expression (STIX) format for structured intelligence and the Trusted Automated Exchange of Intelligence Information (TAXII) protocol, an HTTPS-based transport for machine-to-machine distribution (TAXII 1.x expanded the acronym as "Indicator Information"). This standardization is critical for federated sharing across different organizational toolsets (SIEMs, EDRs, and the like), because every node can consume the same objects regardless of which vendor produced them.
Format-Agnostic Ingestion: Cyware Intel Exchange can automatically ingest, de-duplicate, and normalize threat data from structured and semi-structured sources (e.g., MISP exports, JSON, CSV) into a consistent format, so that the same indicator arriving from two partners in two formats becomes one clean, actionable record.
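To make the normalize-and-de-duplicate step concrete, here is an added example (not Cyware's code and not part of the original post) that folds a MISP-style attribute export and a partner's CSV feed into one set of STIX 2.1 Indicator objects keyed by their detection pattern. Both inputs are constructed samples; the `PATTERN_PATH` table, the `x_sources` custom property, and the UUIDv5 namespace used for deterministic ids are assumptions chosen for illustration.

```python
"""Normalize indicators from mixed feeds into de-duplicated STIX 2.1 objects.

Added example, not Cyware's code. Both inputs are constructed: one mimics the
shape of a MISP attribute export, the other a partner's CSV feed. Standard
library only, so it runs offline.
"""
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Constructed sample in the shape of a MISP attribute export (type/value/to_ids).
MISP_EXPORT = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
    {"type": "domain", "value": "Update-Cdn.Example ", "to_ids": True},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "to_ids": True},
    {"type": "comment", "value": "seen in a phishing wave", "to_ids": False},
]}})

# Constructed sample CSV feed from a second sharing partner.
CSV_FEED = """type,value,confidence
ipv4,203.0.113.7,80
domain,update-cdn.example,60
url,http://update-cdn.example/dl/a.exe,70
"""

# Assumed mapping: feed-specific type names onto the STIX 2.1 pattern path they describe.
PATTERN_PATH = {
    "ip-dst": "ipv4-addr:value", "ip-src": "ipv4-addr:value", "ipv4": "ipv4-addr:value",
    "domain": "domain-name:value", "hostname": "domain-name:value",
    "url": "url:value",
    "sha256": "file:hashes.'SHA-256'", "md5": "file:hashes.MD5",
}

# Assumed namespace for UUIDv5 ids: nodes that normalize the same observable
# independently converge on the same indicator id, so cross-node de-duplication
# becomes a string comparison. A real deployment would fix its own namespace.
ID_NAMESPACE = uuid.NAMESPACE_URL


def canonical(path, value):
    """Canonicalize the observable value so case/whitespace variants collide."""
    value = value.strip()
    if path.startswith(("domain-name", "file:hashes")):
        return value.lower()
    if path == "url:value":
        # Scheme and host are case-insensitive; the URL path is not.
        scheme, sep, rest = value.partition("://")
        host, slash, tail = rest.partition("/")
        return scheme.lower() + sep + host.lower() + slash + tail
    return value


def parse_misp(text, source):
    """Yield (pattern_path, value, confidence, source) from a MISP attribute export."""
    for attr in json.loads(text)["response"]["Attribute"]:
        path = PATTERN_PATH.get(attr["type"])
        if path is None or not attr.get("to_ids", False):
            continue  # comments and non-detection attributes are not indicators
        yield path, attr["value"], None, source


def parse_csv(text, source):
    """Yield the same tuples from a CSV feed with type,value,confidence columns."""
    for row in csv.DictReader(io.StringIO(text)):
        path = PATTERN_PATH.get(row["type"])
        if path is None:
            continue
        confidence = int(row["confidence"]) if row.get("confidence") else None
        yield path, row["value"], confidence, source


def normalize(records, now=None):
    """Fold raw records into STIX 2.1 Indicator objects, de-duplicated by pattern."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    by_pattern = {}
    for path, value, confidence, source in records:
        # STIX string literals escape backslash and single quote.
        literal = canonical(path, value).replace("\\", "\\\\").replace("'", "\\'")
        pattern = f"[{path} = '{literal}']"
        ind = by_pattern.get(pattern)
        if ind is None:
            ind = by_pattern[pattern] = {
                "type": "indicator", "spec_version": "2.1",
                "id": "indicator--" + str(uuid.uuid5(ID_NAMESPACE, pattern)),
                "created": now, "modified": now, "valid_from": now,
                "pattern_type": "stix", "pattern": pattern,
                "indicator_types": ["malicious-activity"],
                "x_sources": [],  # custom (x_-prefixed) property: contributing feeds
            }
        if source not in ind["x_sources"]:
            ind["x_sources"].append(source)
        if confidence is not None:
            ind["confidence"] = max(confidence, ind.get("confidence", 0))
    return list(by_pattern.values())


def build_bundle(feeds):
    """feeds: iterable of (parser, text, source_name). Returns a STIX 2.1 bundle dict."""
    records = []
    for parser, text, source in feeds:
        records.extend(parser(text, source))
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": normalize(records)}


if __name__ == "__main__":
    bundle = build_bundle([(parse_misp, MISP_EXPORT, "misp-partner-a"),
                           (parse_csv, CSV_FEED, "csv-partner-b")])
    print(json.dumps(bundle, indent=2))
```

Two details matter for a federated setting. Canonicalizing before keying means the two partners' spellings of the same domain merge into one indicator with both sources recorded, and deriving the id from the pattern means a second node that normalizes the same observable produces the same id without ever seeing the first node's output.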
3. Collaboration and Community Building
Cyware is purpose-built to empower security communities like ISACs, ISAOs, and CERTs, creating a network effect for defense:
Secure Collaboration: Cyware Collaborate provides a secure environment for analyst-to-analyst discussions, coordinating investigations, and sharing strategic insights that automation alone cannot capture.
Hub-and-Spoke Model: Within each community, the platform uses a hub-and-spoke model to disseminate curated intelligence from a central hub (such as an ISAC) to member organizations and to let members feed their own threat data back to the hub, creating a continuous loop of collective threat awareness. Each hub remains one node of the wider federation, so a hub-and-spoke community and cross-community federation are complementary rather than competing designs.
Granular Policy Controls: It uses Traffic Light Protocol (TLP) markings (TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, and TLP:RED in TLP 2.0) together with granular access controls to manage who can see and use shared data, safeguarding privacy and supporting compliance while still promoting collaboration.
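The policy-driven sharing described earlier (each community keeping its own disclosure rules, with audit trails travelling alongside the data) and the TLP-based controls above can be expressed as a small dissemination engine. The following is an added example written for this article, not Cyware's code: a hub evaluates every contributed object against each federated peer's policy, never echoes an object back to its producer, fails closed on unknown markings, requires explicit named recipients for TLP:RED and TLP:AMBER+STRICT, and writes a hash-chained audit entry for every decision. The peer names, the policy schema, and the objects are constructed for illustration; how far a hub may redistribute TLP:AMBER material is a community agreement, which is why clearance is a per-peer setting rather than a fixed rule.

```python
"""Policy-driven dissemination from a hub to federated peers with an audit chain.

Added example, not Cyware's code. Peers, policies and objects below are
constructed; the policy schema is an assumption for illustration.
"""
from dataclasses import dataclass
import hashlib
import json

# TLP 2.0 labels ordered from least to most restrictive.
TLP_RANK = {"TLP:CLEAR": 0, "TLP:GREEN": 1, "TLP:AMBER": 2, "TLP:AMBER+STRICT": 3, "TLP:RED": 4}


@dataclass(frozen=True)
class PeerPolicy:
    """What one federated peer (spoke, partner ISAC, CERT) is cleared to receive."""
    name: str
    max_tlp: str               # most restrictive label the peer may receive without being named
    min_confidence: int = 0    # peers that only want vetted intel raise this
    object_types: frozenset = frozenset({"indicator", "attack-pattern"})


@dataclass(frozen=True)
class SharedObject:
    id: str
    type: str
    tlp: str
    confidence: int
    producer: str                               # node that contributed the object
    named_recipients: frozenset = frozenset()   # explicit recipients chosen by the producer


def decide(obj, peer):
    """Return (share, reason) for one object and one peer."""
    if obj.producer == peer.name:
        return False, "origin: not echoed back to the contributing node"
    if obj.tlp not in TLP_RANK:
        return False, f"unknown marking {obj.tlp!r}: fail closed"
    # RED and AMBER+STRICT never travel on the label alone; the producer names each recipient.
    if TLP_RANK[obj.tlp] >= TLP_RANK["TLP:AMBER+STRICT"]:
        if peer.name in obj.named_recipients:
            return True, f"{obj.tlp}: peer explicitly named by producer"
        return False, f"{obj.tlp}: peer not named by producer"
    if TLP_RANK[obj.tlp] > TLP_RANK[peer.max_tlp]:
        return False, f"{obj.tlp} exceeds peer clearance {peer.max_tlp}"
    if obj.type not in peer.object_types:
        return False, f"object type {obj.type} not accepted by peer policy"
    if obj.confidence < peer.min_confidence:
        return False, f"confidence {obj.confidence} below peer minimum {peer.min_confidence}"
    return True, f"{obj.tlp} within peer clearance {peer.max_tlp}"


def _entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def disseminate(objects, peers, audit=None):
    """Evaluate every object against every peer.

    Returns ({peer_name: [object ids delivered]}, audit_log). Each audit entry
    embeds the policy it was judged under and the hash of the previous entry.
    """
    audit = [] if audit is None else audit
    deliveries = {p.name: [] for p in peers}
    for obj in objects:
        for peer in peers:
            share, reason = decide(obj, peer)
            if share:
                deliveries[peer.name].append(obj.id)
            entry = {
                "object": obj.id, "producer": obj.producer, "tlp": obj.tlp,
                "peer": peer.name, "shared": share, "reason": reason,
                "policy": {"max_tlp": peer.max_tlp, "min_confidence": peer.min_confidence,
                           "object_types": sorted(peer.object_types)},
                "prev": audit[-1]["hash"] if audit else "0" * 64,
            }
            entry["hash"] = _entry_hash(entry)
            audit.append(entry)
    return deliveries, audit


def verify_audit(audit):
    """Recompute the chain; an edited, reordered or removed entry breaks it."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


# Constructed peers: two sector ISACs with different disclosure rules, a CERT, an MSSP.
PEERS = [
    PeerPolicy("energy-isac", max_tlp="TLP:AMBER", min_confidence=70),
    PeerPolicy("finance-isac", max_tlp="TLP:AMBER", min_confidence=70,
               object_types=frozenset({"attack-pattern"})),   # TTPs only, no raw IOCs
    PeerPolicy("national-cert", max_tlp="TLP:GREEN"),
    PeerPolicy("mssp-west", max_tlp="TLP:AMBER", min_confidence=50),
]

# Constructed contributions arriving at the hub.
OBJECTS = [
    SharedObject("indicator--0001", "indicator", "TLP:GREEN", 85, "energy-isac"),
    SharedObject("attack-pattern--0002", "attack-pattern", "TLP:AMBER", 90, "finance-isac"),
    SharedObject("indicator--0003", "indicator", "TLP:AMBER", 40, "mssp-west"),
    SharedObject("indicator--0004", "indicator", "TLP:RED", 95, "energy-isac",
                 named_recipients=frozenset({"national-cert"})),
]

if __name__ == "__main__":
    deliveries, log = disseminate(OBJECTS, PEERS)
    print(json.dumps(deliveries, indent=2))
    print("audit chain intact:", verify_audit(log))
```

With the constructed data, the energy and finance ISACs exchange only the high-confidence attack pattern, the CERT receives the green indicator plus the red one it was explicitly named on, and the low-confidence amber indicator reaches nobody. Every one of those outcomes, including the refusals, is in the audit log with the policy it was judged under, which is the traceable lineage regulators ask for.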
4. Automated Actioning and Enrichment
To make shared intelligence immediately valuable, Cyware integrates automation and AI:
Automated Enrichment: Raw threat data is automatically enriched with context (e.g., MITRE ATT&CK mappings, reputation scores) to turn raw indicators into high-fidelity, actionable intelligence.
Actioning at Scale: Curated intelligence is automatically pushed to member security tools (SIEM, SOAR, EDR) via integrations, triggering automated workflows and response playbooks for faster detection and mitigation across the entire federated network.
The Future of Collective Defense
Federated threat intelligence sharing represents the convergence of technology, policy, and trust. It enables sovereign communities to collaborate without surrendering autonomy, fulfilling both operational needs and regulatory mandates.
As cyber ecosystems become more interconnected, federation will define the architecture of trust for the next decade, linking national CERTs, sector ISACs, MSSPs, and private enterprises into a unified, adaptive defense fabric.
Cyware stands at the forefront of this evolution, helping organizations build the foundation for a future where intelligence flows as freely as the threats that demand it.
About the Author

Sachin Jade
Chief Product Officer