A highly curated, time sensitive, zero-hour focused intelligence feed of known, active malicious threats

Billions of threat intelligence messages and events are generated each day.

But what do you do with it? How do you keep up with the waves of intel and powerful rip currents that keep pulling you out into the abyss? More importantly, how do you manage it to improve your perimeter security?

The hard truth is that you can’t. Until now.

What is Ptolemy:TEMPEST®?

Ptolemy:TEMPEST® is the most accurate and up-to-date, zero-hour threat intelligence feed for your edge security devices.

Ptolemy:TEMPEST® is a service that effectively increases perimeter security by providing an actionable threat feed which can be ingested directly to Cisco, Sonicwall, and Palo Alto devices. Live, active threats are auto blocked and false positives are removed from your edge devices.

The TEMPEST intel feed is powered by Ptolemy®, our Threat Intelligence Aggregation System, and is a curated data set based on intel auto-gathered by Ptolemy®, deep research by our 1MC-Labs, and discovery of threats found across our customers by our SOC Threat Hunters.

The feed updates hourly with highly time-sensitive, zero-hour focused intelligence around known, active malicious threat actors.

This provides a unique stream of zero-hour threat intel that our teams are actively hunting, known active live attackers, and other malicious actors that we have seen.

Most other services continually add malicious actors to an ever growing list and leave it up to organizations to remove them as they get cleaned and white-listed. Ptolemy:TEMPEST® works both ways, adding new threats as they are analyzed, but also removing them once they are no longer an active threat, reducing the potential for future false positives.

How it works

The SOC Threat Hunters are constantly hunting and triaging hundreds of thousands of events and attacks per day, so we know a bad actor when we see one.

Add in the data from our Threat Intel 1MC-Labs Team which keeps tabs on the dark web for future threats that are in the works.

Finally, ingest all of that, plus over 270M event messages, telemetry, and sources every hour into Ptolemy, our proprietary threat intelligence engine, and let it do the heavy lifting. New malicious threat actor infrastructure.

The resulting TEMPEST data feed is a curated list of active, malicious threats that can be used to increase perimeter security in Cisco, Sonicwall, and Palo Alto devices.

All you need to do is configure your Cisco, Sonicwall, or Palo Alto device to pull the feed every hour and just like that, you’ve got a zero-hour perimeter defense.

What does this mean for my org?

Your edge security devices will be updated with a curated list of known, actively malicious threats. The feed  is highly time sensitive and meticulously updated with’s knowledge and experience.

Ptolemy:TEMPEST® does the work for you, updating your edge device every hour with only the most current, active threats. This means new threats are added and ensures that false positives and hosts that are no longer a threat are removed from the feed.

When those changes are pulled in by your edge security device you have confidence that your organization and brand is protected in near-real time.

Now your team can get back to the tasks that matter most – driving critical initiatives and growing the business.


  • Sonicwall must be v6.5 or higher and must have the Content Filtering license (CFS v4.0) to enable external API pulls
  • Cisco must have FirePower