MISP → Recorded Future
MISP ↔ Recorded Future: integration to migration path.
MISP deploys alongside Recorded Future first — pulling RF's risk lists in as one feed while ISAC and OSINT sources land in parallel — then takes over the SIEM indicator layer one phase at a time. No flag day, no forced re-credentialing, and every step rolls back in minutes.
This is an honest partial retirement. RF keeps the SKUs MISP cannot author — analyst-curated risk scoring, brand intelligence, dark-web monitoring and Insikt finished intelligence. We say so up front, because the rest of the plan only matters if you can trust where it stops.
The idea
Become the indicator index of record. Keep RF for what only RF does.
The topology that makes this zero-downtime: MISP pulls Recorded Future's Connect API risk lists in as a feed and stands up beside it as the single indicator index the SIEM trusts, with RF risk scores riding in as taxonomy tags. RF keeps validating and scoring while the SIEM is dual-published and MISP is shadow-tested, so MISP becomes the source of truth for indicators without the SIEM ever losing the RF signal. Once MISP owns the indicator layer, RF's licence scopes down to brand, dark-web and Insikt — each step independent, each reversible.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We document every Recorded Future SKU you actually use, the Connect API endpoints your SIEM pulls, risk-list cadence, and where analysts pivot in the RF UI. Read-only — RF stays the only source.
MISP goes live behind RF
MISP stands up in HA (multi-node, MariaDB primary + replica, Redis, module workers) and pulls RF risk lists in as a feed, tagging each indicator with its RF risk score. ISAC and OSINT feeds onboard in parallel. Nothing in the SIEM consumes MISP yet.
Dual-publish to the SIEM index
The SIEM ingests both RF Connect API and MISP into one indicator index, each row carrying both attributions and a max-confidence score. RF stays authoritative for production correlation while MISP is shadow-tested.
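The two steps above (RF risk list landing in MISP as tagged attributes, then both sources merged into one SIEM index row per indicator) as an added Python example. This is not code from the original page or from MISP or Recorded Future. It assumes the RF CSV uses the default risk-list export columns (Name,Risk,RiskString,EvidenceDetails), that the MISP rows look like /attributes/restSearch output with includeDecayScore=1, and that `rf:risk-score` is a local taxonomy tag chosen for this example; the sample rows are constructed.

```python
"""Added example: RF risk list -> MISP attribute JSON, then RF + MISP merged
into one SIEM indicator index with both attributions and a max confidence.
Not the page's or MISP's code; column names, JSON shapes and the
`rf:risk-score` tag are assumptions documented in the lead-in."""
import csv
import io
import json

RF_RISKLIST_CSV = """\
Name,Risk,RiskString,EvidenceDetails
198.51.100.7,89,5/64,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server""}]}"
203.0.113.42,25,1/64,"{""EvidenceDetails"": [{""Rule"": ""Historical Scanner""}]}"
"""  # constructed sample rows in RF's default risk-list CSV layout (assumed)

MISP_ATTRIBUTES = [  # constructed sample, shape of restSearch output (assumed)
    {"uuid": "8c1e0f9a-0000-4000-8000-000000000001", "type": "ip-dst",
     "value": "198.51.100.7", "to_ids": True,
     "Tag": [{"name": "tlp:amber"}],
     "decay_score": [{"score": 71.3, "decayed": False}]},
    {"uuid": "8c1e0f9a-0000-4000-8000-000000000002", "type": "ip-dst",
     "value": "192.0.2.99", "to_ids": True,
     "Tag": [{"name": "tlp:green"}],
     "decay_score": [{"score": 40.0, "decayed": False}]},
]


def parse_rf_risklist(text):
    """Yield (value, risk, risk_string, evidence_rules) from an RF risk-list CSV."""
    for row in csv.DictReader(io.StringIO(text)):
        evidence = json.loads(row["EvidenceDetails"])
        rules = [e.get("Rule", "") for e in evidence.get("EvidenceDetails", [])]
        yield row["Name"], int(row["Risk"]), row["RiskString"], rules


def rf_row_to_misp_attribute(value, risk, risk_string, rules, misp_type="ip-dst"):
    """Attribute JSON for POST /attributes/add/{event_id}.

    The RF score rides along as a taxonomy tag so it survives into the SIEM;
    to_ids is set only above an agreed alerting score (65 is an assumption)."""
    return {
        "type": misp_type,
        "value": value,
        "to_ids": risk >= 65,
        "comment": f"RF {risk_string}: " + "; ".join(rules),
        "Tag": [{"name": f'rf:risk-score="{risk}"'}],
    }


def build_indicator_index(rf_csv, misp_attrs):
    """One row per indicator value: sources seen, each score, max confidence.

    RF's 0-99 risk and MISP's 0-100 decay_score are treated as one scale;
    confidence is the maximum of whichever scores are present."""
    index = {}

    def row(value):
        return index.setdefault(value, {"value": value, "sources": set(),
                                        "rf_risk": None, "misp_decay": None,
                                        "tlp": None, "confidence": 0})

    for value, risk, _, _ in parse_rf_risklist(rf_csv):
        r = row(value)
        r["sources"].add("recordedfuture")
        r["rf_risk"] = risk
        r["confidence"] = max(r["confidence"], risk)

    for attr in misp_attrs:
        r = row(attr["value"])
        r["sources"].add("misp")
        scores = [d["score"] for d in attr.get("decay_score", []) if not d["decayed"]]
        decay = max(scores) if scores else 0.0
        r["misp_decay"] = decay
        r["tlp"] = next((t["name"] for t in attr.get("Tag", [])
                         if t["name"].startswith("tlp:")), None)
        r["confidence"] = max(r["confidence"], decay)
    return index


def siem_rows(index, min_confidence=50):
    """JSON lines for the SIEM lookup table, highest confidence first."""
    rows = sorted(index.values(), key=lambda r: -r["confidence"])
    return [json.dumps({**r, "sources": sorted(r["sources"])})
            for r in rows if r["confidence"] >= min_confidence]


if __name__ == "__main__":
    for line in siem_rows(build_indicator_index(RF_RISKLIST_CSV, MISP_ATTRIBUTES)):
        print(line)
```

Because every row keeps both `rf_risk` and `misp_decay` next to the merged `confidence`, the shadow test in this phase can diff the two columns per indicator and show where MISP's decayed score and RF's analyst score disagree before anything flips.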
MISP becomes SIEM primary
SIEM correlation flips to MISP as the primary source; RF is still pulled into MISP, just not SIEM-direct. The sightings loop wires up so SOC hits and analyst FP-marks feed MISP's local decay model. RF's browser extension stays as a parallel pivot.
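The sightings loop described above as an added Python example, not code from the original page or from MISP. It uses MISP's default polynomial decaying-model curve, score(t) = base_score * (1 - (t / tau) ** (1 / delta)), where t is days since the last sighting, tau the lifetime, delta the decay speed and threshold the score below which to_ids drops. The tau/delta/threshold values are illustrative, treating an analyst false-positive mark as immediate retirement is this example's SOC policy rather than a MISP built-in, and the /sightings/add body shape (uuid, type, source) is assumed.

```python
"""Added example: SOC hits and analyst FP-marks driving a local decay model.
Not MISP's code; the curve is MISP's documented default, parameters and the
FP-retirement policy are this example's assumptions."""
from dataclasses import dataclass, field

# MISP sighting types: 0 = sighting (hit), 1 = false positive, 2 = expiration
SIGHTING_HIT, SIGHTING_FP, SIGHTING_EXPIRY = 0, 1, 2


@dataclass
class DecayingModel:
    tau_days: float = 30.0   # lifetime: score reaches 0 here without new hits
    delta: float = 0.3       # <1 keeps the score high, then drops it steeply
    threshold: float = 30.0  # below this the indicator counts as decayed

    def score(self, base_score, age_days):
        """Polynomial decay; clamps to 0 once the lifetime is exhausted."""
        if age_days >= self.tau_days:
            return 0.0
        return base_score * (1.0 - (age_days / self.tau_days) ** (1.0 / self.delta))


def sighting_payload(uuid, kind, source):
    """Body for POST /sightings/add on MISP (field names are an assumption)."""
    return {"uuid": uuid, "type": str(kind), "source": source}


@dataclass
class Indicator:
    uuid: str
    base_score: float
    last_sighted_day: float          # day of creation or of the last hit
    retired: bool = False
    log: list = field(default_factory=list)

    def sight(self, day, kind, source):
        """Apply one sighting the way the SOC/SOAR loop would submit it."""
        self.log.append(sighting_payload(self.uuid, kind, source))
        if kind == SIGHTING_HIT:
            self.last_sighted_day = day     # a confirmed hit resets the clock
        elif kind in (SIGHTING_FP, SIGHTING_EXPIRY):
            self.retired = True             # FP-mark or expiry: stop alerting

    def decay_score(self, model, day):
        if self.retired:
            return 0.0
        return model.score(self.base_score, day - self.last_sighted_day)

    def to_ids(self, model, day):
        """Whether the SIEM should still correlate on this indicator."""
        return self.decay_score(model, day) >= model.threshold


def walk_timeline(indicator, model, events, until_day):
    """Replay (day, kind, source) sightings; return to_ids state per day."""
    pending = sorted(events)
    states = {}
    for day in range(until_day + 1):
        while pending and pending[0][0] == day:
            _, kind, source = pending.pop(0)
            indicator.sight(day, kind, source)
        states[day] = indicator.to_ids(model, day)
    return states


if __name__ == "__main__":
    model = DecayingModel()
    ioc = Indicator("8c1e0f9a-0000-4000-8000-000000000001", 100.0, last_sighted_day=0)
    timeline = [(20, SIGHTING_HIT, "siem"), (26, SIGHTING_FP, "analyst")]  # constructed
    for day, alerting in walk_timeline(ioc, model, timeline, 28).items():
        print(day, alerting)
```

The point the phase makes is visible in the replay: without the day-20 SIEM hit the indicator would have decayed below threshold on its own, the hit keeps it alerting, and the analyst's FP-mark on day 26 switches it off regardless of score. RF's server-side score has no such local knob, which is why the feedback loop only becomes possible once MISP is primary.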
Onboard ISAC + community sharing
MISP federates with your sector ISAC over Sync Servers and TAXII collections, one per TLP tier, and you publish internally-derived indicators back at the right TLP. ISAC NDA and TLP acceptance are signed before any push direction goes live.
Reduce the RF licence
With MISP owning the indicator layer end-to-end, RF's bulk Connect API pulls stop and its licence is scoped down to Brand Intelligence, Insikt and dark-web. Risk scoring becomes per-alert SOAR enrichment rather than a bulk write.
Steady state
MISP is the indicator primary; RF Brand Intelligence, dark-web and Insikt are retained because they have no honest OSS parity. There is deliberately no phase after this one: full RF retirement is not recommended.
Feature parity
Where MISP matches RF, and where it honestly does not.
| Capability | MISP | Recorded Future | Parity |
|---|---|---|---|
| IoC storage / model | Events / Attributes / Objects / Galaxies | RF entity model (IP/domain/hash/URL/vulnerability) + Intelligence Cards | At parity |
| STIX 2.1 / TAXII export | Native STIX 2.1 export (misp-stix) and push of published events to an external TAXII 2.1 server; MISP does not ship its own TAXII server | STIX 2.1 export on some tiers; Connect API is REST/JSON, not TAXII | Partial |
| Feed ingestion | Feeds + Sync Servers (ISAC, OSINT, commercial, internal) | Connect API risk lists (single vendor source) | Partial |
| Enrichment | 100+ misp-modules expansion modules (VirusTotal, Shodan, GreyNoise, recordedfuture) | RF-only inline enrichment via Intelligence Cards / browser extension | At parity |
| Analyst-curated risk scoring | Taxonomy tags hold a score; no analyst team authors it | RF analyst-curated risk score (0–99) + evidence string | SaaS only |
| Dark-web / forum monitoring | None at vetted-source level (ransomware.live is a partial mirror) | RF dark-web + underground forum monitoring | SaaS only |
| Brand intelligence | None at scale (urlscan/dnstwist/HIBP partial DIY) | RF Brand Intelligence (typosquat / leaked-cred / exec impersonation) | SaaS only |
| Sightings / feedback | Sighting (hit / FP / expiry) keyed on attribute UUID; feeds decay | RF accepts feedback but not first-class; client-side correlation | OSS only |
| IoC decay | Local decay models (enrichment-default, nids-default, polynomial) → decay_score 0–100 | Server-side score updates; no client decay knob | OSS only |
| Community publish / TLP | Sharing Groups + distribution levels + tlp:* taxonomy + STIX marking-definition | Consumer-side only; cannot publish your IoCs to a community | OSS only |
| Real-time stream | ZeroMQ publisher (tcp://*:50000) | Connect API poll-only | Partial |
| API surface | REST (/events/restSearch, /attributes/restSearch, /sightings/add) | Connect API (/v2/<entity>/<value>, /v2/<entity>/risklist) | At parity |
| Finished intelligence | None (extract IoCs from PDFs into External analysis events) | Insikt finished intelligence + ransomware dossiers | SaaS only |
| Cost model | Self-hosted compute + ops; AGPLv3, no licence fee | Per-tier SaaS licence (Connect / Brand / Insikt SKUs) | Partial |
What we're honest about
The caveats most vendors leave out.
Analyst-curated risk scoring stays with RF
MISP has the fields to hold a score, but no analyst team to author one. RF's 0–99 risk score plus its evidence string have no OSS parity, so we keep RF for scoring as per-alert SOAR enrichment rather than pretend MISP can replace it.
Dark-web and brand monitoring don't migrate
RF's underground-forum access, vetted leak-site mirrors, typosquat detection, leaked-credential and exec-impersonation monitoring have no OSS equivalent at scale. urlscan, dnstwist and HIBP are partial DIY substitutes, not a replacement — so you keep buying those SKUs.
TLP and republication boundaries are load-bearing
RF licence terms typically forbid republishing RF-sourced indicators to a community, and any hop from MISP to SIEM to SOAR can strip a TLP marking. We pin RF-sourced events to your organisation only, enforce TLP at every hop, and run a quarterly boundary audit.
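The boundary audit described above as an added Python example, not the page's own tooling. It runs over events shaped like MISP /events/restSearch output and over the rows a SIEM export produced from them. Assumptions: RF-sourced events carry a local `rf:source` tag; distribution values use MISP's encoding (0 org-only, 1 this community, 2 connected communities, 3 all communities, 4 sharing group); SIEM rows keep the marking in a `tlp` field. The sample events and rows are constructed.

```python
"""Added example: quarterly TLP / republication boundary audit over MISP
events and the SIEM rows derived from them.  Hypothetical audit code, not
from the page or MISP; tag name, distribution encoding and SIEM row shape
are the assumptions stated in the lead-in."""

DIST_ORG_ONLY, DIST_COMMUNITY, DIST_CONNECTED, DIST_ALL, DIST_SHARING_GROUP = range(5)
RF_SOURCE_TAG = "rf:source"   # assumed local tag applied to RF-fed events
TLP_TAGS = {"tlp:clear", "tlp:white", "tlp:green", "tlp:amber",
            "tlp:amber+strict", "tlp:red"}


def tag_names(obj):
    return {t["name"] for t in obj.get("Tag", [])}


def event_tlp(event):
    """The single TLP marking on an event, or None if absent/ambiguous."""
    tlps = tag_names(event) & TLP_TAGS
    return next(iter(tlps)) if len(tlps) == 1 else None


def audit_event(event):
    """Findings for one event; an empty list means it passes."""
    uuid = event["uuid"]
    names = tag_names(event)
    dist = int(event["distribution"])
    tlps = names & TLP_TAGS
    findings = []
    if len(tlps) != 1:
        findings.append(f"{uuid}: expected exactly one tlp tag, found {sorted(tlps)}")
    # RF-sourced indicators are pinned to the organisation: never synced out
    if RF_SOURCE_TAG in names and dist != DIST_ORG_ONLY:
        findings.append(f"{uuid}: RF-sourced event has distribution {dist}, must be 0")
    # tlp:red must not be published to connected / all communities
    if "tlp:red" in names and dist in (DIST_CONNECTED, DIST_ALL):
        findings.append(f"{uuid}: tlp:red event would sync to other communities")
    # an attribute-level marking that disagrees with the event is a hop error
    for attr in event.get("Attribute", []):
        a_tlps = tag_names(attr) & TLP_TAGS
        if a_tlps and a_tlps != tlps:
            findings.append(f"{uuid}/{attr['uuid']}: attribute TLP {sorted(a_tlps)} "
                            f"differs from event TLP {sorted(tlps)}")
    return findings


def audit_siem_rows(events, rows):
    """Every SIEM row must still carry the TLP of the MISP event it came from."""
    expected = {e["uuid"]: event_tlp(e) for e in events}
    findings = []
    for row in rows:
        want = expected.get(row["event_uuid"])
        if row.get("tlp") != want:
            findings.append(f"siem row {row['value']}: tlp {row.get('tlp')!r}, "
                            f"MISP event says {want!r}")
    return findings


def run_audit(events, rows):
    findings = []
    for event in events:
        findings.extend(audit_event(event))
    findings.extend(audit_siem_rows(events, rows))
    return findings


EVENTS = [  # constructed sample events
    {"uuid": "e-rf-leak", "distribution": DIST_CONNECTED,
     "Tag": [{"name": "rf:source"}, {"name": "tlp:amber"}], "Attribute": []},
    {"uuid": "e-ok", "distribution": DIST_ORG_ONLY,
     "Tag": [{"name": "rf:source"}, {"name": "tlp:amber"}],
     "Attribute": [{"uuid": "a1", "Tag": [{"name": "tlp:amber"}]}]},
    {"uuid": "e-isac", "distribution": DIST_ALL,
     "Tag": [{"name": "tlp:red"}, {"name": "tlp:green"}], "Attribute": []},
]
SIEM_ROWS = [  # constructed sample export rows
    {"value": "198.51.100.7", "event_uuid": "e-ok", "tlp": "tlp:amber"},
    {"value": "203.0.113.42", "event_uuid": "e-ok"},   # marking stripped on the hop
]

if __name__ == "__main__":
    for finding in run_audit(EVENTS, SIEM_ROWS):
        print(finding)
```

Run this against a full /events/restSearch dump plus the SIEM lookup export before each ISAC push direction is enabled; the RF-pinning check is the one that guards the licence boundary, and the SIEM-row check is the one that catches markings silently dropped between MISP, SIEM and SOAR.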
Self-hosting MISP means you own uptime
Once MISP is the indicator primary, MISP being down means the SIEM index goes stale — RF's cloud was the backstop. That is why we run it as HA across nodes with a MariaDB replica, a documented staleness budget, a tested DR restore, and an RF-direct fallback for outage scenarios.
Why this beats a flag day
Reversible in minutes; nothing cancelled until it has soaked.
Every integration phase rolls back in under 15 minutes — disable the MISP-source rows, re-flip the SIEM connector priority, or revert to pull-only — because RF runs in parallel the whole way through. We never reduce the RF licence until MISP has held the indicator layer as primary for at least 30 days against the false-positive and sightings gates, and even then RF's brand and Insikt SKUs are retained, not cancelled. You are never betting the SOC on one big cutover.
See whether your threat-intel stack migrates cleanly.
A 30-minute call with a senior threat-intel engineer. We map your RF SKUs, your SIEM and SOAR plumbing, and your ISAC posture — then tell you honestly which indicator work MISP can own and which RF capabilities you keep paying for.
Map my migration →