
Cross-MSP Intelligence

Defend's cross-MSP intelligence system anonymizes confirmed threat data from across the customer base and feeds it back into detection rules, improving protection for every MSP. When one MSP confirms a threat, every other MSP benefits.

How It Works

  1. An analyst marks a detection as True Positive and resolves it
  2. Optionally, the analyst publishes the confirmed IOCs (hashes, IPs, domains) to the MSP Collective intelligence feed
  3. Before publication the data is sanitized: all org-identifying information is stripped
  4. Other Defend customers receive the IOC through the Collective feed
  5. Detections sourced from cross-MSP intelligence are labeled Community Detection

What Is Shared

Shared                            Not Shared
File hashes (SHA256)              Organization name or ID
IP addresses                      Device names or identifiers
Domain names                      User names or identities
URL patterns                      File contents
MITRE technique mapping           Internal network topology
Detection rule that matched       Customer-specific configuration

Privacy Controls

Cross-MSP intelligence is designed with privacy as the default:

  • Org contribution token — Each organization has a unique token that controls publishing access
  • Admin audit — Administrators can review all data published by their organization via the intel audit endpoint
  • PII checks — Automated validation ensures no personally identifiable information is included before publication
  • Opt-out — Organizations can disable intelligence sharing entirely in Settings → Intelligence Sharing
Note: Intelligence sharing is opt-in per detection. Analysts choose whether to publish IOCs when resolving a True Positive. Your organization's telemetry is never shared automatically.

Cross-Tenant Correlation

Beyond IOC sharing, Defend's background engine correlates threat patterns across the customer base:

  • Campaign detection — When the same malware hash appears across 3+ organizations within 24 hours, it's flagged as a campaign
  • Trend analysis — The threat landscape summary shows which MITRE techniques are most active across the MSP community this month
  • Emerging threats — New IOCs that appear across multiple tenants are fast-tracked into detection rules

All correlation is performed on anonymized data. No organization can see another organization's specific detections.
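The campaign rule above (the same hash seen at 3+ organizations within 24 hours) is a sliding-window count of distinct tenants per IOC, run over data that no longer carries org identities. The following is an added example of that logic, not Defend's background engine; the sighting format, the keyed pseudonym used in place of the org ID and the sample sightings are assumptions, and it also shows the window expiring an old sighting so that three organizations spread over more than a day do not count.

```python
"""Cross-tenant campaign correlation over anonymized sightings.

Added example, not Defend's engine. The sighting tuple, the pseudonymous
tenant id and the sample data below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import hashlib

CAMPAIGN_MIN_TENANTS = 3            # "3+ organizations" in the text
CAMPAIGN_WINDOW = timedelta(hours=24)


def pseudonymize_tenant(org_id: str, key: bytes) -> str:
    """Keyed hash of the org id: distinct tenants can be counted without the
    correlator holding the identity itself. The key is assumed to live only
    with the correlator, never with the feed consumers."""
    return hashlib.blake2b(org_id.encode(), key=key, digest_size=8).hexdigest()


class CampaignCorrelator:
    def __init__(self) -> None:
        # sha256 -> sightings (timestamp, tenant pseudonym), oldest first
        self._sightings: dict[str, deque] = defaultdict(deque)
        self.campaigns: dict[str, datetime] = {}   # sha256 -> when flagged

    def observe(self, sha256: str, tenant: str, when: datetime) -> bool:
        """Record one sighting; return True the first time this hash crosses
        the campaign threshold. Sightings must be fed in time order."""
        q = self._sightings[sha256]
        q.append((when, tenant))
        while q and when - q[0][0] > CAMPAIGN_WINDOW:   # drop stale sightings
            q.popleft()
        if sha256 in self.campaigns:
            return False
        if len({t for _, t in q}) >= CAMPAIGN_MIN_TENANTS:
            self.campaigns[sha256] = when
            return True
        return False


def run_sample() -> dict[str, datetime]:
    """Feed constructed sightings through the correlator and return the
    campaigns it flagged."""
    key = b"correlator-only-secret"                      # constructed
    t0 = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)  # constructed
    hash_a = "a" * 64                                    # constructed IOCs
    hash_b = "b" * 64
    sightings = [
        (hash_a, "org-1", t0),
        (hash_a, "org-2", t0 + timedelta(hours=2)),
        (hash_a, "org-1", t0 + timedelta(hours=3)),    # repeat tenant, not counted twice
        (hash_b, "org-1", t0 + timedelta(hours=4)),
        (hash_a, "org-3", t0 + timedelta(hours=20)),   # third distinct tenant inside 24h
        (hash_b, "org-2", t0 + timedelta(hours=30)),   # org-1's hash_b sighting has expired
        (hash_b, "org-3", t0 + timedelta(hours=31)),   # only two tenants in window
    ]
    correlator = CampaignCorrelator()
    for sha256, org, when in sightings:
        correlator.observe(sha256, pseudonymize_tenant(org, key), when)
    return dict(correlator.campaigns)


if __name__ == "__main__":
    for sha256, when in run_sample().items():
        print(f"campaign {sha256[:12]}... flagged at {when.isoformat()}")
```

Only hash_a is flagged, at the 20-hour mark; hash_b reaches three organizations too, but the first sighting falls out of the 24-hour window before the third arrives, so it stays below the threshold. Real ingestion is rarely perfectly ordered, so a production version would sort or buffer sightings by timestamp before applying the window.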

Community Detections

Detections sourced from cross-MSP intelligence are clearly labeled in the console:

  • Badge: "Community Detection" tag on the detection card
  • Source: Shows which intelligence source contributed the IOC
  • Confidence: Inherits the confidence score from the community consensus

Community detections are investigated and responded to the same way as any other detection.

Threat Landscape Summary

The Intelligence → Threat Landscape page provides a monthly summary:

  • Top MITRE techniques hitting MSPs this month
  • Emerging malware families detected across the community
  • Geographic distribution of threat sources
  • Trend comparison with previous months

This helps your team prioritize which techniques to focus defensive efforts on.

Next Steps

  • IOC Feeds — All threat intelligence sources including Collective
  • Detection Rules — How community intelligence feeds into rules
  • Behavioral AI — How ML benefits from community labels