Reading view

The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine

Four Critical Source Types. One Platform. Recorded Future is the Only Threat Intelligence Vendor that Collects and Analyzes Across Four Types of Data Sources.

When a critical vulnerability emerges, most organizations scramble for answers.

What’s being exploited?
Who’s targeting it?
Are we exposed?

During the emergence of the React2Shell vulnerability, one Recorded Future customer didn’t rely on speculation. Using Recorded Future’s IP scanning intelligence, they identified which IPs were actively scanning for exploitation, analyzed the exact request patterns being used, and immediately assessed their own exposure.

Instead of reacting to headlines, they acted on real-time intelligence.

In the first article in our series covering our unique data sourcing model, we looked at why source scale and diversity are essential for maximum threat protection. Now we’ll explain the four source types in more detail to see how, together, they empower our customers to prioritize, pinpoint, and act faster to stop threats.

This is the power of Recorded Future’s technical collection engine.

Technical intelligence at internet scale

Recorded Future continuously collects and analyzes telemetry from across the internet, including:

  • Network traffic analysis across billions of daily network intelligence records (with over 200 points of presence (PoP))
  • Internet-wide scanning and infrastructure monitoring
  • Malware detonation and behavioral analysis
  • Vulnerability exploitation tracking

This technical intelligence provides direct visibility into attacker infrastructure, behavior, and intent.

Finding what others miss

Technical collection becomes most valuable when it reveals what’s hidden.

In one investigation, Recorded Future identified suspicious traffic on a specific port through its Malicious Traffic Analysis. This insight led a security team to uncover additional command-and-control communication that had been missed due to incomplete logging, expanding the scope of the compromise.

This isn’t just detection—it’s discovery.

Deep malware intelligence through sandboxing

Understanding malware requires more than static indicators.

Recorded Future processes over 1.5 million malware samples daily through its sandbox, enabling deep behavioral analysis of:

  • Command-line execution
  • Process activity
  • Network communication
  • Exploit techniques

This allows analysts to move beyond “Is this malicious?” to:

  • How does it behave?
  • What infrastructure does it use?
  • How can we detect it elsewhere?

Customers consistently highlight this capability as transformative.

In one case, a security analyst identified a unique command-line artifact within sandbox results. By pivoting on that behavior in their environment, they uncovered an additional infection vector that would have otherwise gone undetected—avoiding a far more complex incident response scenario.

Intelligence from the underground

Technical signals alone don’t tell the full story.

Recorded Future augments telemetry with intelligence from criminal forums, marketplaces, and adversary communications, revealing:

  • Stolen data and credentials
  • Emerging attack techniques
  • Threat actor intent
  • Ransomware victimology
  • Telegram

This provides critical context for prioritizing risk and understanding adversary motivations.

Community intelligence: strength in numbers

Recorded Future’s Collective Insights capability aggregates detections across organizations, helping customers identify patterns they might not see alone. This is especially important for preparing for monthly C-suite briefs on the latest threat assessments.

One logistics customer used this capability to investigate a multi-stage intrusion, correlating activity across their environment and linking it to nation-state actors in real time. Another customer uses Collective Insights to provide clear visibility into the specific malware most frequently blocked within their own environment, rather than relying on general trends.

This shared intelligence transforms isolated detections into campaign-level understanding.

Proactive defense in practice

This combination of technical, underground, and community intelligence enables proactive defense.

Customers often use Recorded Future’s Threat Map to identify an emerging threat actor and deploy detections in advance. Weeks later, when the actor launches a phishing campaign, customers can immediately detect and block the activity—preventing compromise before it begins.

Where open source fits

Open-source intelligence provides valuable context, but on its own it’s incomplete. Without technical telemetry, behavioral analysis, and external digital risk monitoring, organizations risk seeing only part of the threat landscape.

At Recorded Future, open sources are one part of a broader intelligence ecosystem that also supports data leakage detection, code repository monitoring, social media monitoring, and analysis of web infrastructure and content—including HTML and DOM elements—to identify brand abuse, exposed data, impersonation, and other external threats.

The bottom line

Recorded Future’s technical collection engine doesn’t just gather data. It reveals:

  • Who’s attacking
  • How attacks are executed
  • Where infrastructure is operating
  • When action is required

One platform for comprehensive threat intelligence

While some platforms focus on immediate detection, the Recorded Future Platform maintains years of historical data to reveal long-term patterns. And it automatically connects intelligence from diverse sources, turning separate data streams into unified insights.

From initial reconnaissance through criminal planning, active infrastructure attacks, and malware deployment, our four intelligence source types work together to enable proactive defense across the entire attack lifecycle.

In the next blog in our series, we’ll show how human experts connect the dots, validating our intelligence and making it actionable so you can prevent threats.

To see our four types of data sources in action in the Recorded Future Platform, request a custom demo.

  •  

Recorded Future Launches Impact and Metrics Dashboard

Today, Recorded Future is announcing the Impact and Metrics Dashboard, a new way for every Recorded Future customer to see the value their intelligence program generates without building reports by hand. The dashboard pulls data from your environment, alerts, integrations, threat detections, and analyst activity, then surfaces the metrics that map to the business and security outcomes your leadership cares about.

Security teams have always known that intelligence drives better outcomes. The hard part has been proving it in the language of the business. Boards, CFOs, and CIOs aren't asking for threat counts. They want measurable risk reduction tied to business context, and they want it in numbers they can defend.

Our 2025 ROI Report, validated across nearly 300 customers, puts numbers to what security teams already know. Recorded Future customers have reported achieving 351.3% ROI annually. 57% say the platform has substantially reduced their overall cyber risk. 96% would recommend it to a peer.

But the numbers that resonate most are not the averages. They are the attacks that your team was able to get ahead of. Ransomware stopped before detonation. Credentials reset before an adversary could use them. Fraud campaigns contained before they could reach customers. Until now, capturing that story meant pulling data from across the platform, stitching it together by hand, and rebuilding the same readout every quarter.

The most powerful version of that story is yours and that is what the Impact and Metrics Dashboard is built to show.

What the dashboard covers

Platform-Wide Security Value: Your headline number. Aggregate risk reduction and intelligence coverage across your environment, built for leadership conversations.

Threat Prioritization: See which threat actors and malware families are relevant to your organization, and how Recorded Future AI cuts noise so your team focuses on what matters. Customers who aligned their alerting to PIRs reported identifying new threats 65% faster.

Threat Detection: Understand how intelligence is moving through your security stack, from malware detected in your telemetry to integrations and threat hunting activity. Customers often receive critical alerts hours or days earlier than from other vendors.

Digital Risk Protection: Quantify exposure reduced from fraud, brand impersonation, and credential threats. For organizations with significant brand or customer risk, this is where ROI becomes immediately tangible and immediately explainable to a CFO.

Account & Credential Monitoring: See identity threats surfaced and remediated before they became incidents.

Recorded Future AI & Insikt GroupⓇ Research: Recorded Future’s expert Intelligence team & AI does the work for you, providing deeper insights than most teams could do alone. Measure analyst hours recaptured through AI-powered automation and the volume of expert research your team has put to work. Your efficiency case, in your own numbers.

Today the dashboard surfaces key metrics to start the conversation and give your team something concrete to point to. Over time the calculations will get more personalized, the benchmarks more specific to your organization, and the integration with your business context deeper.

The Impact and Metrics Dashboard is available now for every customer. To find it, navigate to Dashboards > Impact and Metrics in your Recorded Future instance. For setup help or questions, contact your Technical Account Manager (TAM).

Screenshot of the Recorded Future Impact and Metrics Dashboard, displaying key security metrics, risk reduction data, and actionable intelligence insights.

  •  

2026 FIFA World Cup: What Public Safety Officials Need to Know

Starting tomorrow, millions of people will gather in sixteen host cities across the United States, Canada, and Mexico to cheer on their teams in the 2026 FIFA World Cup. Securing the tournament will require preparing for a mix of physical security risks, cyber threats, scams, protests, politically motivated activity, and reputational disruption tied to one of the world’s most visible sporting events.

The World Cup’s global profile creates an attractive target environment for a wide range of threat actors. Cybercriminals are already exploiting tournament demand through fraudulent domains, fake stores, credential-harvesting sites, and advertising campaigns. Hacktivists and influence operators will likely try to use the event’s visibility to amplify political narratives or claim responsibility for disruptive activity. At the same time, public safety officials must manage the physical security challenges associated with large crowds, soft targets, protests, transportation hubs, hospitality infrastructure, and fan zones.

Together, these risks create a blended cyber-physical threat environment that requires coordination across public safety, cybersecurity, fraud, legal, communications, brand protection, executive protection, travel security, and third-party risk teams.
An assessment of physical, cyber, and fraud threats to the 2026 FIFA World Cup, visualizing various risk categories associated with the event

Figure 1: Assessment of physical, cyber, and fraud risks affecting the 2026 FIFA World Cup

(Source: Recorded Future)

  •  

China's Noncombatant Evacuation Operations: 2005–2025

Over the past two decades, noncombatant evacuation operations (NEOs) have emerged as an important tool for protecting China’s overseas interests. To assess China’s NEO capabilities for the US Army War College China Landpower Studies Center’s 2026 Carlisle Conference on the PLA (People’s Liberation Army), Insikt Group built an original dataset of 37 Chinese NEOs carried out between January 2005 and August 2025. This blog post has been adapted from Insikt Group’s conference paper, and our “China 2005–2025 Noncombatant Evacuation Operation Dataset” is attached as a PDF.

One of Insikt Group’s most notable findings is that, over the past twenty years, China has consistently mobilized civilian resources to facilitate NEOs, demonstrating China’s reliance on these resources for NEOs and its capability to call upon diverse instruments of national power to protect overseas interests. During this period, at least 65% of China’s NEOs involved support from Chinese state-owned enterprises (SOEs), private enterprises, or United Front/civil society organizations located in the host country, third-party countries, or China. The contributions of SOEs, private enterprises, and United Front/civil society organizations to China’s NEOs include:

  • Organizing evacuation efforts on the ground
  • Communicating official instructions
  • Providing air, land, and maritime transportation
  • Providing relief to evacuees once they arrive in neighboring countries or return to China-


The Chinese Communist Party (CCP) and the Chinese government have continued to take advantage of civilian resources for NEOs since August 2025 — such as for its Iran NEO in early 2026 — and will almost certainly continue to mobilize these resources in the future.

Overview of China’s NEOs

China carried out at least 37 NEOs in 28 different countries between 2005 and 2025 (see image below). China carried out eleven NEOs in Africa, nine in the Middle East, and nine in Asia, with the other eight occurring in the Caribbean, Pacific Islands, Europe, and North America. China conducted multiple NEOs in the Central African Republic, Haiti, Iran, Israel, Kyrgyzstan, Lebanon, Libya, and South Sudan.

Map highlighting 28 countries in which China carried out Noncombatant Evacuation Operations (2005-2025)
The 28 countries in which China carried out a NEO between 2005 and 2025 (Source: Recorded Future)

  •  
❌