CISA KEV — Confirmed Exploited Vulnerabilities · NVD CVSS 9.0+ — Critical New CVEs · Active Ransomware Tracking — 24 Hour Victims · MITRE ATT&CK — Verified TTPs · EPSS Scoring — Exploitation Probability · Splunk · Sentinel · Elastic — Ready to Run Queries · Verified IOCs — From Community Threat Intelligence
Watchman Intel

// Daily Threat Intelligence — 06:00 UTC Every Morning

The Watchman
Never Sleeps.

Your SOC shift starts with the intel, not the research.

Every morning at 06:00 UTC, Watchman Intel delivers a complete threat intelligence briefing to your inbox — confirmed exploited vulnerabilities, critical new CVEs, active ransomware campaigns, verified IOCs, and copy-paste hunt queries for Splunk, Sentinel, and Elastic.

06:00 UTC Delivery Daily
5+ Live Threat Feeds
3 SIEM Query Languages
90+ Minutes Saved Per Analyst Daily

Everything your SOC
needs at shift start.

Not a newsletter. Not a threat feed. A structured operational briefing — built by a security analyst, for security analysts.

🔴 CISA KEV — Last 7 Days
Every vulnerability confirmed as actively exploited in the wild, with EPSS exploitation probability scores, due dates, and hunt queries specific to the affected software.
🟡 Critical New CVEs — 24 Hours
CVSS 9.0+ vulnerabilities published in the last 24 hours that haven't hit KEV yet. Zero-day alerts when no patch is available. Patch status clearly marked.
🟣 Active Ransomware Campaigns
New victims from the last 24 hours. Group profiles with TTPs from MITRE ATT&CK. Pre-encryption hunt queries for each active group — run these before they encrypt.
📋 Ready-to-deploy Hunt Queries
Every threat comes with ready-to-run detection queries in Splunk SPL, Microsoft Sentinel KQL, and Elastic DSL, mapped to each threat.
🎯 Sector Targeting Alerts
Ransomware groups hunt by industry. When they target yours, you'll know first.
Daily Action Checklist
A prioritised action list generated from the day's threats. Zero-days first, KEV entries second, ransomware hunts third. Clear, sequenced, actionable.

Real data.
Real queries.

This is what lands in your inbox. No curated screenshots — this is actual output from the pipeline.

KEV Entry EPSS 44.3% — 96th percentile
CVE-2026-3055 — Cisco IOS XE
Added to KEV: 2026-04-01 · Due: 2026-04-15 · Ransomware: Known
Unauthenticated remote code execution in Cisco IOS XE web UI. CISA confirmed active exploitation. Affects any device with HTTP/HTTPS management interface exposed. 44.3% exploitation probability places this in the 96th percentile — significantly above baseline for its score.
Hunt Queries — Stage 1: Exploitation Attempts
Splunk SPL
index=network sourcetype=cisco:ios
| search uri_path="/webui/*" method=POST
| where status IN (200, 201, 500)
| stats count by src_ip dest_ip uri_path
| where count > 3
Microsoft Sentinel KQL
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Cisco"
| where RequestURL has "/webui/"
| where RequestMethod == "POST"
| summarize count() by SourceIP, DestinationIP
Ransomware — Active Campaign
Akira Ransomware
8 new victims · Manufacturing, Healthcare, Technology
Akira continues double-extortion operations targeting mid-market organizations. Primary initial access via exposed VPN appliances — Cisco ASA and Fortinet SSL-VPN. Known to exfiltrate data via Rclone before deploying ransomware.
Pre-Encryption Hunt — Stage 3: Exfiltration
Splunk SPL
index=* (process_name="rclone.exe" OR
command_line="*rclone*copy*" OR
command_line="*rclone*sync*")
| stats count by host process_name
| where count > 0
✓ A hit here means you may have time to stop the attack.
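As an added illustration (not part of the briefing above or the Watchman pipeline), the logic of both sample hunts expressed in Python over a few constructed log records, so the thresholds and wildcard matches can be checked against your own data before the SPL or KQL is adapted. Field names mirror the query fields; the events, hosts and addresses are made up.

```python
import fnmatch
from collections import Counter

# Constructed sample records (not real telemetry). Field names mirror
# the SPL/KQL fields in the briefing so the logic maps one-to-one.
WEB_EVENTS = [
    {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "POST", "status": 200},
    {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "POST", "status": 500},
    {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "POST", "status": 200},
    {"src_ip": "203.0.113.9", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "POST", "status": 201},
    {"src_ip": "198.51.100.7", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "POST", "status": 200},
    {"src_ip": "198.51.100.7", "dest_ip": "10.0.0.1", "uri_path": "/webui/", "method": "GET", "status": 200},
    {"src_ip": "192.0.2.5", "dest_ip": "10.0.0.1", "uri_path": "/api/", "method": "POST", "status": 200},
]
PROC_EVENTS = [
    {"host": "ws-17", "process_name": "rclone.exe", "command_line": "rclone.exe copy C:\\Finance remote:backup"},
    {"host": "ws-17", "process_name": "rclone.exe", "command_line": "rclone.exe sync C:\\HR remote:backup"},
    {"host": "srv-02", "process_name": "cmd.exe", "command_line": 'cmd.exe /c "C:\\tools\\rclone.exe" copy D:\\share remote:s'},
    {"host": "ws-03", "process_name": "explorer.exe", "command_line": "explorer.exe"},
]

def _like(value, pattern):
    """Case-insensitive Splunk-style wildcard match (* only)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def hunt_webui_posts(events, threshold=3):
    """Stage 1: POST to /webui/* with status 200/201/500, grouped by
    src_ip, dest_ip, uri_path; keep groups seen more than `threshold` times."""
    counts = Counter()
    for e in events:
        if e.get("method") != "POST" or e.get("status") not in (200, 201, 500):
            continue
        if not _like(e.get("uri_path", ""), "/webui/*"):
            continue
        counts[(e["src_ip"], e["dest_ip"], e["uri_path"])] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def hunt_rclone(events):
    """Stage 3: rclone.exe as the process, or any command line that looks
    like *rclone*copy* / *rclone*sync*, counted by host and process_name."""
    counts = Counter()
    for e in events:
        proc = e.get("process_name", "")
        cmd = e.get("command_line", "")
        if proc.lower() == "rclone.exe" or any(
                _like(cmd, p) for p in ("*rclone*copy*", "*rclone*sync*")):
            counts[(e["host"], proc)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(hunt_webui_posts(WEB_EVENTS))  # {('203.0.113.9', '10.0.0.1', '/webui/'): 4}
    print(hunt_rclone(PROC_EVENTS))      # {('ws-17', 'rclone.exe'): 2, ('srv-02', 'cmd.exe'): 1}
```

The Stage 3 logic keys on the binary name or the string "rclone" in the command line, so a renamed binary is only caught when the command line still names it; that gap is why the briefing pairs the query with the group's other TTPs.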

Automated. Verified.
In your inbox.

01
Feeds Pulled at 05:00 UTC
CISA KEV, NVD, active ransomware tracking feeds, threat intelligence sources, and MITRE ATT&CK are queried automatically every morning before most SOC shifts begin.
02
Analysis Generated
Each threat is enriched with EPSS scoring, IOC lookups, TTP mapping, and context written in plain English — not raw feed data.
03
Queries Written Per Threat
Hunt queries are generated specifically for each vulnerability and ransomware group — not generic templates. Splunk, Sentinel, and Elastic.
04
Delivered at 06:00 UTC
The complete briefing lands in your inbox before your shift starts. Open it, read the exec summary, run the priority queries. Done.

We don't make it up.
Here's where it comes from.

Every piece of intelligence in Watchman is sourced from authoritative public feeds. We enrich and contextualise — we never fabricate.

CISA KEV
Confirmed actively exploited vulnerabilities. The authoritative list.
NVD / NIST
CVSS 9.0+ critical CVEs published in the last 24 hours.
Ransomware Tracking
Real-time victim monitoring across all active ransomware groups worldwide.
MITRE ATT&CK
Every threat group ships with TTPs — MITRE ATT&CK verified where available, Watchman Intel analysis where it isn't. Always clearly labeled.
EPSS / FIRST
Exploitation probability scores with percentile rankings for every KEV.
Threat Intel Feeds
Verified IOCs where available — sourced from leading community threat intelligence feeds.

Built by a security analyst.
Not a marketing team.

Most threat intel products are built for CISOs to buy and analysts to tolerate. Watchman is built for the analyst who opens it at shift start and needs to act.

Other products
Raw feed data you still have to interpret yourself
Queries you have to write or adapt per environment
IOC lists with no context on why they matter today
Confident-sounding intel with no sourcing transparency
Watchman Intel
Plain English analysis written for the analyst acting on it
Copy-paste queries for Splunk, Sentinel, and Elastic — per threat
IOCs sourced from leading community threat intelligence feeds
Sources clearly listed. TTPs badged MITRE Verified or Watchman Intel

Straight answers.

Every hunt query is provided in three formats — Splunk SPL, Microsoft Sentinel KQL, and Elastic DSL. You only need one. If you use a different SIEM, the query logic is documented clearly enough to adapt in a few minutes.
Free newsletters tell you what happened. Watchman tells you what to run. The difference is copy-paste detection queries written specifically for each threat, EPSS-scored prioritisation, and pre-encryption hunt queries for active ransomware groups — not headlines.
You still get the briefing. On quiet days the KEV section may be short and the ransomware section light. We never pad it with low-confidence content to fill space. A short honest briefing is more valuable than a long fabricated one.
The queries are generated based on the specific vulnerability or ransomware group's known TTPs and written in valid SIEM syntax. They should always be reviewed against your environment before deployment — every briefing includes this disclaimer. No query should ever run blind in production.
Yes. All briefings are marked TLP:WHITE, which means unrestricted distribution within your organization. Share it with your team, include it in internal reports, forward it to colleagues — however it helps your team is fine.
No contract, no annual commitment. Month-to-month. Cancel any time. We think the product earns its place in your stack — you shouldn't need a contract to keep it there.

Simple pricing.
No enterprise sales process.

No demo required. No procurement process. Sign up, get your first briefing tomorrow morning.

3-Day Free Trial — No credit card required
Full access from day one. Cancel any time. Your first briefing arrives tomorrow morning at 06:00 UTC.
MSSP
$999
per month · cancel any time
  • Everything in Watchman Intel
  • Licensed for commercial distribution
  • Include in your client reporting and services
  • Forward to clients under your own delivery
  • 3-day free trial, no credit card required
  • Cancel any time
Enterprise
Custom
tailored to your needs
  • Everything in MSSP
  • Multiple briefing configurations
  • Volume and custom delivery needs
  • Talk to us about what you need

3-day free trial, no credit card required. Annual billing saves 2 months.

Start tomorrow morning.

We're currently onboarding early customers. Request access and we'll reach out within 24 hours.

Built by a security analyst. For security analysts.