OpenText • Security operations
OpenText Threat Intelligence delivers curated IOC feeds, brand-and-attack-surface monitoring, and threat-actor reporting into SOC and IR workflows, with native integration into Core Threat Detection and Response, Enterprise Security Manager, and the rest of the SecOps line.
Through Merito, OpenText Threat Intelligence feeds get integrated into the customer's existing SIEM, NDR, and IR workflows, with feed-prioritization policy designed to handle conflicts across multiple subscriptions so SOC operations carry useful IOC enrichment rather than overload.
What it is
OpenText Threat Intelligence is the curated IOC and threat-intelligence product inside the OpenText SecOps line. It delivers continuously-updated indicators of compromise (malicious domains, IPs, hashes, URLs), brand-and-attack-surface monitoring, and threat-actor reporting. Where Core Adversary Signals covers TTP and tradecraft depth, Threat Intelligence covers IOC and infrastructure depth. Programs running both get adversary-aware SOC operations across techniques and indicators.
IOC enrichment is the load-bearing capability for SIEM-shaped SOC operations. SIEM detections that trigger on raw events generate noise; SIEM detections enriched with threat-intel context (this IP is on a malicious-actor list, this domain is sinkhole infrastructure, this hash matches a known malware family) get prioritized triage. OpenText Threat Intelligence feeds are designed to integrate with Core Threat Detection and Response and Enterprise Security Manager so the enrichment is native rather than bolted on.
Brand-and-attack-surface monitoring is the secondary capability that programs sometimes underuse. The product monitors brand impersonation (typosquatted domains, fraudulent social media presence), attack-surface exposure (exposed cloud assets, leaked credentials, dark-web mentions), and supply-chain risk indicators. Programs subject to brand-impersonation attacks or sensitive about supply-chain exposure get an early-warning capability that pure IOC feeds do not provide.
What breaks Threat Intelligence adoption is feed overload. Programs that subscribe to OpenText Threat Intelligence alongside three or four specialist feeds (Recorded Future, Mandiant, sector ISAC, internal CTI) and route everything into the SIEM end up with so much enrichment context that triage becomes impossible. The right shape is feed prioritization and de-duplication: which feeds are authoritative for which IOC types, how to handle conflicts, and what the noise floor is. Merito's engagement designs the feed-prioritization policy so the SOC gets enrichment without overload.
Ideal use cases
What it is best at
Continuously-updated malicious domain, IP, hash, and URL feeds with quality curation. Reduces noise compared to raw open-source feed aggregation.
Direct integration with Core Threat Detection and Response, Enterprise Security Manager, NDR, UEBA, and Adversary Signals.
Brand impersonation, attack-surface exposure, and supply-chain risk monitoring beyond pure IOC feeds.
Curated reporting on major threat actors paired with Core Adversary Signals MITRE content for IOC plus TTP coverage.
Sector-specific (financial services, healthcare, government) and regional intelligence depth.
Core capabilities
What Threat Intelligence delivers as a continuous content stream.
Malicious infrastructure feeds
Curated domains, IPs, URLs, and hash indicators with continuous update cadence.
Confidence and context scoring
Each indicator carries confidence scoring and context attribution to reduce false-positive enrichment.
Sector and regional feeds
Sector-specific (financial services, healthcare, government) and regional intelligence.
Threat-actor attribution
IOCs attributed to known threat actors where attribution exists.
Beyond IOC feeds into early-warning monitoring.
Brand impersonation monitoring
Typosquatted domains, fraudulent social media, and brand-impersonation infrastructure.
Attack-surface monitoring
Exposed cloud assets, leaked credentials, dark-web mentions, and external-facing exposure.
Supply-chain risk indicators
Indicators of compromise on the customer's supply chain and third-party ecosystem.
Threat intelligence inside the SecOps operating model.
SIEM enrichment
IOC matching against Core Threat Detection and Response and Enterprise Security Manager events.
NDR enrichment
Network signal matched against malicious infrastructure feeds.
Adversary Signals pairing
Native pairing with Core Adversary Signals for IOC plus TTP coverage.
Long-retention matching
Retroactive IOC matching across Security Log Analytics long-retention data.
Licensing and packaging
Threat Intelligence IOC feeds
Curated IOC feeds for SIEM and NDR enrichment.
Best for: SOCs adding IOC enrichment to existing detection.
Threat Intelligence with brand and attack-surface monitoring
Adds brand impersonation, attack-surface exposure, and supply-chain risk monitoring.
Best for: Programs sensitive to brand-impersonation attacks or supply-chain exposure.
Threat Intelligence with Core Adversary Signals
Bundled with Core Adversary Signals for IOC plus TTP coverage.
Best for: Programs consolidating threat intelligence subscriptions.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Feed integration, feed-prioritization policy design, brand-and-attack-surface monitoring scope, SecOps integration.
SOC and CTI program scoping for OpenText Threat Intelligence alongside Recorded Future, Mandiant Advantage, and specialist providers.
Threat-intel-driven response automation and CTI workflow integration.
Named engineer, priority SLAs, and release-time coverage for OpenText Threat Intelligence.
Long-term run support including feed-prioritization policy maintenance, brand-monitoring operations, and SecOps integration upkeep.
Role-based training for CTI analysts, SOC leads, and brand-protection teams.
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
OpenText Threat Intelligence licensing
OpenText Threat Intelligence pricing arrives with feed integration, feed-prioritization policy, brand-monitoring operationalization, and SecOps integration that turn IOC feeds into useful enrichment rather than yet another noisy subscription.
Merito point of view
Merito has audited SOCs paying for four threat-intel subscriptions and getting less value than programs running one well-prioritized feed integration. Feed overload is the dominant failure mode in CTI programs: too many IOC sources flooding the SIEM, conflicting confidence scores, no de-duplication discipline, and a triage queue that ignores all of it. OpenText Threat Intelligence is the right answer when programs want a curated feed integrated natively with their SecOps line; programs that already run mature Recorded Future or Mandiant Advantage subscriptions usually do not need a duplicate.
Merito recommends OpenText Threat Intelligence specifically for programs running the OpenText SecOps line, when sector or regional intelligence is a real requirement, and when brand-and-attack-surface monitoring is in scope. For programs picking specialist threat-intelligence breadth, Recorded Future is the breadth leader and Mandiant Advantage is investigation-led. Merito surfaces those alternatives honestly during scoping.
The pairing with Core Adversary Signals is the load-bearing move for adversary-aware SOC operations. Threat Intelligence covers IOC depth (specific known-bad infrastructure); Core Adversary Signals covers TTP depth (how adversaries operate). Programs running both get IOC plus TTP coverage; programs running only one get half the picture.
Consultation request
Share your existing CTI subscriptions, SOC integration goals, and brand-protection scope. A Merito OpenText specialist follows up within one business day.
Curated IOC depth
Quality curation, confidence scoring, and sector-specific feeds. Native pairing with Core Adversary Signals.
Brand and surface monitoring
Brand impersonation, attack-surface exposure, and supply-chain risk monitoring.
Next step
A Merito OpenText Threat Intelligence engagement starts with feed-prioritization policy and SecOps integration. Feed overload is the dominant failure mode in CTI programs.