Guides
Start typing to search…

What are intel tags?

Intel tags are labels used in Recon to highlight specific intelligence signals associated with a vulnerability.

They help you quickly understand why a vulnerability is important, without needing to manually review multiple threat intelligence sources.

Each tag represents a signal identified by Cytidel, such as:

  • public discussion about a vulnerability
  • evidence of exploitation
  • new proof-of-concept code
  • vendor or security advisories

By surfacing these signals directly in the platform, intel tags provide quick context for prioritising vulnerabilities.

Why intel tags matter

Security teams often review hundreds or thousands of vulnerabilities. Intel tags help you quickly identify which ones deserve attention.

They allow you to:

  • Spot emerging threats faster
  • Understand why a vulnerability’s risk is increasing
  • Detect vulnerabilities gaining attention from researchers or attackers
  • Prioritise remediation based on real-world threat activity

Rather than relying only on static metrics like CVSS, intel tags surface dynamic intelligence signals collected from many sources.

Where you'll see intel tags

Intel tags appear throughout Recon, including:

  • the Trends page
  • CVE detail pages
  • Bulk Analyser reports
  • Smart Alerts

Tags are displayed alongside each vulnerability to highlight the intelligence signals associated with it.

Intel tags can appear in two states:

  • Active – The signal applies to the vulnerability. The tag is fully visible, indicating that the intelligence condition has been detected (for example, a public proof-of-concept or confirmed exploitation).
  • Inactive – The signal does not currently apply. The tag remains visible but appears dimmed, allowing you to quickly see which intelligence signals are not present for that vulnerability.

Cytidel's intel tags

Cytidel uses intel tags to highlight important intelligence signals associated with a vulnerability. Each tag indicates a specific type of context that may affect how urgently a vulnerability should be investigated or remediated.

  • CISA – The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue, meaning it has been confirmed as actively exploited in the wild.
  • NVD – The vulnerability has not yet been published in the National Vulnerability Database, indicating it may originate from early disclosures such as vendor advisories or security research.
  • POC – A public proof-of-concept or exploit code has been identified, which can increase the likelihood of exploitation.
  • KTA – The vulnerability is associated with a known threat actor, suggesting it may be discussed, analysed, or used by attackers.
  • TUE – The vulnerability was disclosed as part of Microsoft Patch Tuesday, often affecting widely used Microsoft products and systems.
  • PPE – Signals suggest potential public exploitation, indicating the vulnerability may already be abused in real-world attacks.
  • SPOT – The vulnerability has been highlighted in Cytidel Spotlight, meaning it has been flagged by Cytidel’s threat analysts as particularly relevant.

These tags provide quick insight into the threat landscape surrounding a vulnerability, helping security teams prioritise remediation more effectively.

Use intel tags to prioritise vulnerabilities

Intel tags help security teams move beyond severity scores and prioritise vulnerabilities based on real-world threat signals.

When reviewing vulnerabilities, look for tags that indicate:

  • emerging signals (=not in NVD)
  • increased attention from researchers or threat actors (= POC, KTA)
  • active exploitation signals (= PPE)
  • confirmed exploitation (=CISA KEV)

Vulnerabilities associated with these signals are often higher priority for investigation or remediation.

Updated 24 days ago