When Glance's detection pipeline confirms a new phishing domain or business email compromise (BEC) pattern, that intelligence should not stay inside Glance. It should reach every SIEM, SOAR, and threat-hunting platform that could use it to protect other targets. STIX 2.1 and TAXII 2.1 are the standards that make machine-to-machine threat intelligence sharing possible without vendor lock-in. This article explains both standards from first principles and documents exactly how to integrate the Glance live IOC feed into your security infrastructure.
What is STIX?
STIX — Structured Threat Information Expression — is a JSON-based language for describing cyber threat intelligence. Version 2.1, maintained by OASIS, defines 18 domain objects (SDOs) that cover the full threat intelligence lifecycle. The most operationally relevant for phishing and BEC are:
- Indicator — a pattern that identifies a threat (e.g., domain name matching a phishing campaign)
- Threat Actor — attribution information about the group or individual behind an attack
- Campaign — a grouping of related attack activity sharing infrastructure or TTPs
- Attack Pattern — MITRE ATT&CK technique mappings (e.g., T1566.001 for spear phishing attachment)
- Malware — properties and behaviors of malicious code delivered via email
- Relationship — explicit links between SDOs (Indicator indicates Threat Actor)
Each STIX object carries a required confidence field (0–100), a tlp marking (WHITE / GREEN / AMBER / RED per the Traffic Light Protocol), and a valid_until timestamp. These three fields together determine how a downstream system should act on the indicator: share it, keep it internal, or retire it.
What is TAXII?
TAXII — Trusted Automated eXchange of Intelligence Information — is the transport protocol for STIX objects. TAXII 2.1 is a RESTful API specification that defines how servers expose STIX collections and how clients subscribe to them. The core resources are:
API Root
The base URL of a TAXII server. Exposes metadata about available collections and the server's capabilities. Example: https://threat-intel.glance-co.com/taxii/v2.1/
Collection
A named set of STIX objects with a specific focus. Glance exposes three collections: phishing-domains, bec-patterns, and malicious-senders. Each has read-only access for subscribers and write access for the Glance pipeline.
Manifest
A lightweight list of object IDs and timestamps, allowing clients to perform differential sync — fetching only objects modified since their last poll, without re-downloading the full collection.
Glance's Live Feed
The Glance STIX feed is a continuous-publication intelligence stream. When the detection pipeline confirms a new phishing domain — via multi-user corroboration, DNS reputation checks, and ML scoring above threshold — a STIX Indicator object is automatically generated and published to the TAXII feed within 90 seconds.
Published indicator types include: domain-name IOCs for phishing infrastructure, email-message patterns for BEC header fingerprints, and url patterns for credential-harvesting landing pages. Each object includes MITRE ATT&CK technique references and a confidence score derived from the aggregate detection pipeline output.
Feed volume as of Q1 2026: approximately 340 new high-confidence indicators per day. False positive rate on indicators published at confidence >= 85: under 0.4%, measured against retrospective takedown confirmations by domain registrars and Google Safe Browsing additions.
Integration Example
Fetching the latest phishing-domain indicators via curl:
```shell
# 1. Discover collections
curl -u "$API_KEY:$API_SECRET" \
  https://threat-intel.glance-co.com/taxii/v2.1/collections/ \
  -H "Accept: application/taxii+json;version=2.1"

# 2. Pull indicators added in the last hour (differential sync)
#    Note: `date -d "1 hour ago"` is GNU date syntax; BSD/macOS date uses `-v-1H` instead.
SINCE=$(date -u -d "1 hour ago" +"%Y-%m-%dT%H:%M:%SZ")
curl -u "$API_KEY:$API_SECRET" \
  "https://threat-intel.glance-co.com/taxii/v2.1/collections/phishing-domains/objects/?added_after=$SINCE" \
  -H "Accept: application/taxii+json;version=2.1" \
  | jq '.objects[] | select(.confidence >= 85)'
```
For SIEM integration, most platforms support TAXII 2.1 natively. In Splunk, configure a new TAXII feed under Enterprise Security → Intelligence Downloads. In Microsoft Sentinel, use the Threat Intelligence — TAXII data connector. In Elastic SIEM, configure a TAXII threat intel indicator integration. Use the manifest endpoint to enable incremental polling without full-collection downloads.
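The curl and jq pipeline above stops at printing matching objects. The following added example (written for this article, not Glance's own client code) shows what a SIEM-side consumer has to do with a TAXII 2.1 envelope before pushing anything to a blocklist: honour the `more`/`next` pagination cursor, drop revoked indicators and those past `valid_until`, apply the confidence threshold, and extract the domain from the STIX pattern. The API root and collection name are the ones given in the article; the sample envelope is constructed, and `fetch_page` is the only part that touches the network.

```python
import base64
import json
import re
import urllib.request
from datetime import datetime, timezone

# API root and collection name are taken from the article; all sample objects below are constructed.
API_ROOT = "https://threat-intel.glance-co.com/taxii/v2.1/"
COLLECTION = "phishing-domains"
TLP_WHITE = "marking-definition--613f2e26-407d-48c7-9eff-b49fcf7daed9"  # STIX 2.1 TLP:WHITE marking id
DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")  # single-comparison STIX pattern

def parse_ts(ts):  # STIX timestamps are RFC 3339 with a 'Z' suffix and optional fractional seconds
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def select_actionable(envelope, min_confidence=85, now_iso=None):
    """Reduce one TAXII envelope page to (actionable_domains, next_cursor or None)."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    domains = []
    for obj in envelope.get("objects", []):
        if (obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix"
                or obj.get("revoked") or obj.get("confidence", 0) < min_confidence):
            continue  # a missing confidence counts as 0, i.e. never actionable
        if obj.get("valid_until") and parse_ts(obj["valid_until"]) <= now:
            continue  # retired indicator: must not reach a blocklist
        match = DOMAIN_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match:
            domains.append(match.group(1).lower())
    return domains, (envelope.get("next") if envelope.get("more") else None)

def fetch_page(api_key, api_secret, added_after, cursor=None):
    """One authenticated TAXII 2.1 objects request; added_after gives the differential sync."""
    url = f"{API_ROOT}collections/{COLLECTION}/objects/?added_after={added_after}"
    if cursor:
        url += f"&next={cursor}"
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    headers = {"Accept": "application/taxii+json;version=2.1", "Authorization": f"Basic {token}"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)

def _indicator(uid, domain, conf, until, **extra):  # builds a constructed sample indicator
    return {"type": "indicator", "id": f"indicator--{uid}", "spec_version": "2.1", "pattern_type": "stix",
            "pattern": f"[domain-name:value = '{domain}']", "confidence": conf, "valid_until": until, **extra}

SAMPLE_ENVELOPE = {"more": True, "next": "cursor-2", "objects": [
    _indicator("a1", "login-secure.example", 92, "2099-01-01T00:00:00Z", object_marking_refs=[TLP_WHITE]),
    _indicator("a2", "invoice-portal.example", 70, "2099-01-01T00:00:00Z"),  # below the 85 threshold
    _indicator("a3", "old-campaign.example", 95, "2020-01-01T00:00:00Z"),  # valid_until already passed
]}
```

A polling loop would call `fetch_page` with the last successful poll time as `added_after`, feed each page to `select_actionable`, and keep requesting with the returned cursor until it is `None`.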
B2G Use Cases
Government and law enforcement are the highest-leverage consumers of real-time phishing intelligence because a single confirmed domain take-down protects every downstream target simultaneously. Current Glance government integration use cases include:
- CISA AIS (Automated Indicator Sharing) — Glance indicators are published via AIS-compatible STIX bundles for federal civilian agency consumption
- DHS NCATS — National Cybersecurity Assessment and Technical Services teams use Glance IOCs for pre-engagement reconnaissance validation
- State-level fusion centers — subscribing to the phishing-domains collection to enrich alerts for constituents reporting fraud
- Telecom SOC teams — ingesting malicious-senders collection to block SMS phishing (smishing) originating from confirmed email phishing actors
- Law enforcement forensics — BEC pattern collection provides header fingerprints used in attribution and criminal prosecution
Enterprise and government subscribers get full TAXII 2.1 feed access, API credentials, and dedicated integration support. Contact our security partnerships team.
Frequently Asked Questions
What authentication does the Glance TAXII feed require?
The Glance TAXII 2.1 feed uses HTTP Basic authentication over TLS 1.3. Enterprise and government subscribers receive API credentials through the Glance security portal. Client certificate authentication (mTLS) is available for high-security environments on request.
How current is the Glance threat intelligence feed?
New phishing domains and BEC patterns are published to the STIX feed within 90 seconds of automated confirmation by the Glance detection pipeline. The feed is updated continuously — there is no batch window. TAXII clients polling at 5-minute intervals will see a maximum lag of 5 minutes from detection to availability.
Does Glance publish false positives to the STIX feed?
Each STIX indicator includes a confidence score (0–100) derived from the number of independent user reports, cross-validation against existing threat intel sources, and the output of the Glance ML pipeline. Indicators below confidence 60 are not published to the government feed. High-confidence indicators (85+) are flagged as such and carry a separate TLP:WHITE marking for unrestricted sharing.
Integrate Glance Threat Intelligence Into Your SOC
TAXII 2.1 feed. 340+ new high-confidence IOCs per day. Government-ready TLP markings. MITRE ATT&CK mapped.