Brussels connection

the best address for international procurement

NATO to buy a web-based, searchable cyber threat intelligence platform



Tender: Cyber Threat Intelligence Services

Zadavatel: NATO HQ, Brussels

Deadline: 10/5 – 15:00


A option – 1-year contract: max €300.000 – min €100.000 (as non-realistic)

B option – 3-years contract: max €900.000 – min €300.000 (as non-realistic


The Contractor must provide a web-based, searchable threat intelligence platform, technical IOC database and additional accompanying CTI services via an intuitive web interface that requires no installation of hardware or software.

The Contractor must deliver the CTI platform and accompanying CTI services via an Enterprise license. If unavailable, the platform and accompanying CTI services and technical database must be accessible to a minimum of 20 Analyst.

The Contractor must have broad coverage of the cyber threat landscape, and produce at least 25 technical evidence-based intelligence products per week. The deliverables must provide tactical, operational or strategic insights into state-aligned cyber-enabled campaigns, threat actor tactics, techniques and procedures (TTPs), motivation, intent, targeting and collection priorities, technical capabilities, organizational and bureaucratic alignment, cluster and capabilities overlaps.

The Contractor must have advanced visibility into key geographical areas of NATO interest including (but not limited to): NATO Allied Countries, Partner Nations, and areas of NATO operations., as well as a variety of sectors including government and military sectors, defence industrial bases, etc.

The Contractor must deliver tailored CTI services specific to NATO’s priority intelligence requirements (PIRs), strategic directions, interests, and mission assurance objectives. The Contractor must have a well-established workflow, and proven experience, in responding to custom Request(s) for Information (RFI) to perform deep-dive research on cyber threat intelligence topics.

In addition to an RFI package, the Contractor must supplement the team with a dedicated cyber threat intelligence analyst capable of assisting NATO’s cyber threat intelligence team with ongoing and emerging requirements, or highly specific ad-hoc questions pertaining cyber threat actor tradecraft, behaviours, campaigns, etc.

Actionable and high-fidelity intelligence support to network defence NATO-wide. Beyond intelligence reports, the Contractor must provide access to extensive technical IOC database of various types (current and historic) and YARA/Snort rulesets. Such raw data will be ingested by existing NATO security monitoring products and automated workflows so as to enhance NATO’s defensive posture. In addition, raw intelligence data will be leveraged to better contextualise internally-observed activities and their severity.

Automated and custom malware analysis solutions, and a querying research suite capable of curating non-public samples collected by the Contractor.


Acquire all-round cyber threat intelligence service from one leading vendor with extensive experience in the field, and a full-spectrum collection capability using globally distributed sensors in multiple industries. The services will enhance NATO’s cyber threat situational awareness and supplement network defence NATO-wide, providing deep understanding and enhanced visibility of threat actor behaviours, ongoing campaigns and their severity in areas of significance to NATO.


Establish a contract for the provision of best-value subscription-based CTI services that provide high-fidelity raw intelligence data and finished deliverables that will:

Provide in-depth analysis of cyber threat actor campaigns and operations, tactics, techniques and procedures (TTPs), motivation, intent, organizational alignments, clustering, technical and high-level shifts, evolutions and trends occurring on the threat landscape (e.g., changes in collection priorities, infrastructure and capabilities).

Supplement network telemetry by delivering technical IOCs and non-public artifacts for ingestion into existing cyber defence tools within the NATO enterprise, increasing visibility of threats inside the network perimeter, and providing opportunities for threat enrichment and cross-correlation with internal feeds and data in the context of incident investigation or defence fine-tuning.

Contextualize and enrich cyber threat actor campaigns and operations with telemetry, knowledgebase and expert analysis, enabling NATO cyber threat intelligence analysts to obtain a granular understanding of threat actor campaigns on the tactical and strategic level, assess severity, track patterns and evolutions pertaining to behaviours, infrastructure or capabilities, understand operational lifecycles and reveal campaign scope and depth. This knowledgebase will allow NATO cyber threat intelligence analysts to generate predictive insights about threats, and to forecast future trend lines regarding relevant threat actors’ behaviours and activities.

Outputs will be used to inform and advise a variety of technical and non-technical audiences.


Allow the Contractor the maximum flexibility to innovatively manage its corporate resources, expertise, and subcontracts (if any) so as to provide a high-value contribution in support to the NATO’s corporate and contract objectives within existing constraints and a proper service management framework.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get updates

From art exploration to the latest archeological findings, all here in our weekly newsletter.