The Risk Letters

Threat intelligence that matters

The Risk Letters is different — it's not an abstract feed of CVE numbers. It's intelligence filtered through decades of hands-on experience with the systems these vulnerabilities actually affect.

We built The Risk Letters because we needed it ourselves and we were tired of the gap between raw threat data and the enormous amount of decisions security teams need to make before lunch.

What we believe

01 Signal over noise — one actionable insight is worth more than a hundred unfiltered CVEs. We correlate across sources so you don't have to.
02 Recommendations, not summaries — every threat comes with a specific action. If we can't tell you what to do about it, we don't include it.
03 Transparency of method — we show our sources, explain our reasoning, and never present AI-generated analysis as human insight without disclosure.
04 Free for those who need it most — researchers, students, academics, and non-profits get full access at no cost. Security intelligence shouldn't be gated by budget.

How your brief gets built

Every day at 05:00 CET, an automated pipeline begins collecting data from the six primary upstream risk sources and correlates this with hundreds of open source intelligence feeds. By 07:00, your brief is in your inbox.

05:00 CET

Collect

Parallel ingestion from six feeds. New CVEs, exploitation predictions, known exploited vulnerabilities, threat actor campaigns, malicious infrastructure, and ATT&CK technique mappings.

05:15 CET

Correlate

Cross-reference across feeds and OSINT sources. A CVE with rising EPSS score + a KEV entry + an OTX pulse and OSINT correlations mentioning the same actor = a signal that single-source monitoring would miss.

07:00 CET

Deliver

Structured brief with context, not just data. Every threat paired with specific recommendations — which patch, which system, by when along with cross-domain correlations, geo-political analysis, financial risks and more.

Intelligence sources

NVD Vulnerability disclosures

CISA KEV Known exploited

EPSS Exploit predictions

OTX Threat pulses & IOCs

AbuseIPDB Malicious infrastructure

MITRE ATT&CK Technique mappings

Every brief includes

01 Actively exploited vulnerabilities — every CISA KEV addition with exploitation context, not just a CVE number. Remediation deadlines and specific patch links included.
02 Threat actor profiles — who's active, what they're targeting, their TTPs mapped to MITRE ATT&CK, and IOC counts you can ingest into your SIEM today.
03 Cross-feed signal correlation — the highest-value section. We connect dots that individual sources can't see: a CVE trending in exploitation probability + a threat pulse about a known actor targeting your sector = a signal that demands attention now.
04 Inline recommendations — every threat comes with specific, actionable steps. Not "patch your systems" — but which patch, which system, and by when.
05 Geographic threat intelligence — malicious IP hotspots, actor targeting patterns by region, and country-level risk context for multinational teams.

Start your morning informed

No noise, no recycled press releases — just cross-correlated signals with specific recommendations you can act on today. Delivered 07:00 CET.

Free

The full daily brief for individuals and teams getting started.

+ Daily intelligence brief
+ CVE & KEV coverage
+ Threat actor tracking
+ Critical alerts
+ Archive access

Subscribe free

Professional

39 EUR/month

Personalized intel matched to your tech stack, plus machine-readable feeds.

+ Everything in Free
+ Tech stack monitoring (CVE + library)
+ STIX/TAXII API access

Start Professional plan