• Claim your CyberUSA intel exchange credentials

  • The Call to Action

    Design an incident-exchange program that will

    Enable Sharing

    Share meaningful cyber incident data safely, easily and early in the response process, in order to leverage external expertise during remediation efforts and provide early warning to help others reduce their own exposure.

    Expand Expertise

    Collaborate with skilled security analysts from vetted providers, in order to analyze attack indicators, develop defensive strategies and decrease time to mitigation.

    Provide Context and Support Decision-Making

    Avoid duplication of effort and benefit from what others have already learned.

  • Frequently Asked Questions

    How will sharing incident reports bring value to our company?

    With CyberUSA, incident exchange becomes an essential part of the effort to tackle ongoing cyber incidents and not a reactive, one-directional communication after the threat has been resolved.

    Using CyberUSA Intel Exchange you can:

    • Exchange incident data very early in the response process. This allows you to leverage external expertise in your own remediation efforts and provide early warning to help other organizations lower their own exposure.
    • Collaborate with skilled analysts from vetted CyberUSA corporate members to analyze attack indicators, develop defensive strategies and decrease time to mitigation.
    • Find out quickly if what you are seeing is being worked on elsewhere and benefit from what others have already learned.

    What types of information do CyberUSA members exchange?

    Our platform is designed to help incident response teams share exchange incidents of concern. By focusing less on raw data streams and more on context around incident reports developed by security operators, we aim to help members make sense of the data they are already seeing and provide valuable external context and decision support. We are able to process incident reports in a number of different formats, including STIX, or supply a template for you. We also have an API that can be used to build connectors with a number of ticketing systems.

    How does CyberUSA help me find reports that are relevant to my organization?

    Once an incident report is submitted, the platform's correlation engine automatically extracts a number of different technical indicators and identifies linkages with other reported incidents and open source feeds. If similarities are found with other recent or ongoing attacks, the submitter receives immediate insight from related reports on things like indicators of compromise, malware hashes, and mitigation techniques. In this way, TruSTAR provides immediate support to the “submitter’s” incident response efforts as they work to resolve a newly discovered attack.

    What if I have a question about an incident report or want to reach out to another member?

    The ability to collaborate with other CyberUSA members is a key benefit of the platform and is done through our tightly integrated and secure collaboration portal. Members can remain anonymous when reaching out to each other or operate under their company identity. For cases requiring more sensitive coordination procedures, members have the option of forming additional private groups (enclaves). Members may also reach out to TruSTAR’s Responder team, which is comprised of incident response experts monitoring CyberUSA activity. For many of our members, this virtual expansion of their in-house security analyst expertise is a key benefit of using the platform.

    Will this create more work for our incident response team?

    CyberUSA makes submission as easy as possible and reduces the likelihood of human error by automating removal of attributable data through use of automated redaction that can be applied to any report format the member already uses, including STIX-formatted and unformatted text incident reports. CyberUSA offers a number of different submission options to enable it to fit seamlessly with your team’s environment and operations. With access to other CyberUSA corporate members, your security operators will save time as they leverage the expertise of others within our network to help mitigate an incident more quickly.

    Is the exchange STIX-compliant?

    Yes, CyberUSA is designed to work with STIX-formatted incident reports. In fact, our template can be used with any report format the member already uses

    Where is CyberUSA Intel Exchange deployed in my environment? Are there any special technical requirements to consider?

    The most common way to interact with the CyberUSA Intel Exchange is through the TruSTAR Station, a web application accessible from any web browser.


    For users especially concerned about anonymity, CyberUSA offers an optional piece of on-prem software called the TruSTAR Agent, which is a web application deployed inside an environment of your choosing (corporate intranet, cloud hosting provider, etc.) used to compose, import, anonymize and anonymously submit incident reports. See Agent documentation for technical details.

    What is TruSTAR’s Privacy Policy?

    • In a nutshell, TruSTAR maintains the privacy of your account data and of your shared Incident Report data. In the case of the incident report data, our guiding principle is that the member is in complete control of what they share. At TruSTAR, we work hard to ensure that we do not know the source of any incident report data, and only the customer can control its content.

      What is an ‘incident’?

      • Tickets, alerts, phishing emails, malware analysis reports, etc

        How do I exchange incident intel?

        • Sanitize & Submit: CyberUSA.trustar.co

        • Forward email: [email protected]

        • RESTful API: api.trustar.co

        • Integrations: Jira, Splunk, etc

          What about other sharing groups?

          • Power existing sharing relationships

          • Share TLP White alerts to the group for correlation and visualization

          • Use an internal enclave to operationalize other internal/external intelligence relationships.

            Why should I sign-up now?

            • Early adopters receive 2 no-cost seats/credentials to the CyberUSA Intel Exchange

            • 25+ Feeds + APIs

            • CyberUSA Intel Exchange Incidents

            • TS Community Reporting (Cross-sector)

            • API access + Integrations, and more!

              What about governance and liability?

              • Authorized users are submitted by member organizations and approved by CyberUSA.

              • Once data is published by an Authorized User - it is owned by the community.

              • ToU and community policing disincentivizes voyeurs, leechers, etc.  
              • Join the exchange today!

                Each CyberUSA member will receive 2 free licenses