Integration · threat intel CISA AIS for SignalGuard
Context threat intel

CISA AIS for SignalGuard

CISA's Automated Indicator Sharing feed wired in via TAXII 2.1. Sector-tagged threat indicators for Commercial Facilities — the fastest free path to event-relevant CTI for venue SOCs.

Run a scan with this signal wired in Enroll in CISA AIS

The Cybersecurity and Infrastructure Security Agency runs Automated Indicator Sharing (AIS) as a STIX 2.1 / TAXII 2.1 threat-indicator feed for critical-infrastructure operators. The Commercial Facilities Sector ISAO carries event-relevant advisories — venue threats, sports-facility indicators, public-assembly TTPs — that paid CTI vendors typically don't isolate from their general feeds.

SignalGuard ships a TAXII 2.1 client that polls AIS at configurable intervals and normalizes STIX 2.1 objects into the brief's threat-intel layer. The result: free, sector-tagged CTI alongside whatever paid intel you already run.

What it tells you

  • What threat indicators are CISA + sector ISAOs tracking for entertainment venues right now? Active IPs, domains, file hashes, and TTPs scoped to the Commercial Facilities Sector.
  • Which indicators match my recent activity? When SignalGuard sees an indicator overlap with chatter or operational telemetry, the brief surfaces it.
  • What advisories are sector-relevant this week? CISA emergency directives and joint advisories filtered for the Commercial Facilities Sector tag.
  • How does this compare to what my paid intel vendor is saying? Cross-reference between AIS indicators and your enriched feeds (Recorded Future, Mandiant, Flashpoint) to triangulate confidence.

Pricing reality

Free. CISA AIS is a federal program with no fee and no contract.

StepWhat's requiredCost
EnrollmentSign PII agreement at cisa.gov/aisFree
AuthenticationTAXII 2.1 token issued by CISAFree
PollingConfigurable interval, no rate cap for normal useFree
SignalGuard ingestionSTIX 2.1 normalization into threat-intel layerIncluded in plan

Best for

  • MSSPs running venue SOCs — sector-tagged CTI to layer onto per-venue dashboards.
  • Parent-org security teams — portfolio-wide indicator screening with a federal source-of-truth citation.
  • Stadium ops with mature CTI programs — adding the AIS feed alongside existing paid CTI for cross-source confirmation and cost-effective coverage.

How SignalGuard wires it

Native integration. SignalGuard ships a TAXII 2.1 client that polls CISA AIS at configurable intervals; STIX 2.1 indicators are normalized into the brief's threat-intel layer. Setup:

  1. Enroll at cisa.gov/ais. Sign the PII agreement (no payment, no contract).
  2. CISA issues a TAXII token. Drop it into your SignalGuard workspace as CISA_AIS_TOKEN. The token is AES-256-GCM encrypted at rest.
  3. Configure poll interval (default: 15 minutes) and sector filter (default: Commercial Facilities). SignalGuard handles paging, dedup, and STIX-object normalization.

Indicators flow into the threat-intel layer of every scan in scope. No per-scan setup; the client runs continuously in the background.

Run a scan

Run a scan with CISA AIS wired in → or review pricing tiers to see how threat-intel signals fit into your plan.

Go deeper

Frequently asked

The questions ops leads ask before wiring CISA AIS into SignalGuard.

What is CISA AIS?
CISA's Automated Indicator Sharing program is the federal STIX/TAXII feed of threat indicators — a continuously updated stream of IPs, domains, hashes, and TTPs that critical-infrastructure operators can consume free of charge. The Commercial Facilities Sector ISAO surfaces event-relevant advisories that paid CTI vendors don't separate from their general feeds.
Pricing?
Free. CISA AIS requires signing a PII agreement at cisa.gov/ais. No contract, no payment, no recurring fee. Token-based authentication via TAXII 2.1.
Why does an event security team care about CISA AIS?
The Commercial Facilities Sector ISAO carries indicators and advisories specific to entertainment venues, sports facilities, and public assembly. Paid CTI vendors mix these into broader feeds. AIS isolates the sector-tagged stream, which is the fastest path to event-relevant CTI for venue SOCs.
How does SignalGuard wire it?
Native. SignalGuard ships a TAXII 2.1 client that polls CISA AIS at configurable intervals; STIX 2.1 indicators are normalized into the brief's threat-intel layer. BYOK via CISA_AIS_TOKEN once you've completed the AIS enrollment.

Related integrations

All integrations
Integration Recorded Future for SignalGuard Enterprise threat-intel enrichment across dark web, Telegram, X, and news. BYOK. Integration Mandiant for SignalGuard Mandiant Advantage threat-intel enrichment via BYOK. Integration Flashpoint for SignalGuard Flashpoint Ignite intel coverage on dark-web and Telegram threat surfaces. Integration Cybersixgill for SignalGuard Cybersixgill dark-web intel enrichment via BYOK. Integration OFAC sanctions for SignalGuard Daily-updated SDN and Consolidated Sanctions Lists. Free, no key required. Integration ACLED for SignalGuard Geocoded protest, riot, and political-violence events with actor codes.

Wire this signal in

Drop in your CISA AIS token. SignalGuard does the rest.

Free federal feed, encrypted at rest. Swap or revoke any time from /integrations.

Run a scan

Last updated