The problem: Static intelligence in a dynamic world
Every CISO knows the fatigue that comes with modern threat intelligence. Dozens of vendor feeds pour in daily — STIX packages, IP blocklists, domain indicators, malware hashes — all claiming to help your organization stay one step ahead.
Yet most threat feeds still behave like spreadsheets of badness. They tell you what to watch for, but not why it matters or how it moves through your environment.
The result is a paradox of abundance: CISOs have more data than ever before, but less operational clarity. Analysts are overwhelmed by indicators disconnected from context or mission relevance.
Each feed represents a snapshot of a potential threat, but it does not capture the dynamic pathway through which that threat could exploit relationships within the enterprise.
Traditional intelligence products describe discrete artifacts; real-world attacks exploit linkages between users and cloud services, between supply-chain vendors and data repositories, between identity providers and DevOps pipelines.
The shift from threat feeds to threat flows requires a model that can describe those linkages, quantify their trustworthiness and prioritize risk based on how threats actually travel.
That’s where the Unified Linkage Model (ULM) comes in.
Rhizomatic networks and the modern attack surface
Classical network defense models assume hierarchical systems — servers at the core, clients at the edge and clear boundaries in between. But digital enterprises no longer look like trees; they behave more like rhizomes — living systems of lateral, recursive connections.
A rhizomatic network, a term from Deleuze and Guattari’s A Thousand Plateaus and explored in this context elsewhere, is one where any node can seemingly connect to almost any other, directly or indirectly, through APIs, shared identity layers or multi-cloud infrastructure. In these environments, roots have become less permanent and topologies have become less predictable. Within this landscape, dependencies emerge dynamically and relationships evolve faster than documentation can keep up. This shift from hierarchy to rhizome changes how threats propagate. A compromise in one SaaS tenant can ripple laterally through adjacent cloud accounts, CI/CD pipelines or shared identity providers with surprising speed.
Attackers no longer exploit static perimeters — they weaponize relationships.
The ULM provides a structured way to visualize this chaos. By mapping three core linkage types — adjacency, inheritance and trustworthiness — the ULM reveals how risk moves rhizomatically through complex ecosystems. It transforms modern network entanglement into something quantifiable, allowing CISOs to reason about propagation rather than static exposure.
The unified linkage model (ULM)
The ULM was initially conceived to describe how cyber risk propagates through interdependent systems — not merely by asset or vulnerability, but by relationship. Instead of seeing networks as linear hierarchies, ULM views them as living ecosystems where risk flows along three primary linkage types:
- Adjacency linkages: Proximity or shared interfaces between systems, such as network segments, APIs or shared infrastructure.
- Inheritance linkages: Dependencies and configuration flows, such as a compromised library in a build pipeline or inherited IAM policies.
- Trustworthiness linkages: Human or contractual relationships, such as vendor access, federated identities or service-to-service tokens.
Each linkage represents a potential path of exploitation. Rather than treating each threat artifact in isolation, ULM maps how those artifacts connect — showing how an attacker could traverse from an initial compromise point to an ultimate target through adjacency, inheritance and trust.
This concept reframes threat intelligence from collection to connection. In the ULM view, the organization’s environment is not simply a list of assets but a graph of interactions. Threats are not isolated incidents but flow across linkages.
From feeds to flows: Building a living threat graph
Imagine receiving a feed that reports a malicious IP address associated with a phishing campaign. In most SOCs, that indicator enters a SIEM rule or firewall blocklist — a transactional act of defense. The intelligence stops there.
Now apply ULM thinking:
- The malicious IP is associated with a compromised third-party marketing tool.
- That tool has API keys embedded in your marketing automation system.
- The automation platform uses OAuth tokens that connect to your corporate CRM.
- The CRM is integrated with your cloud identity provider.
Each linkage forms part of a threat flow — a connected chain of potential exploitation that moves laterally through business processes, not just through ports and protocols.
By mapping linkages, the CISO can see that the “malicious IP” is not an isolated data point; it’s the first observable in a multi-stage flow that touches customer data, credentials and identity infrastructure.
When threat intelligence is structured as linkages, not lists, analysts can:
- Correlate faster: Identify shared infrastructure or behavior patterns across feeds.
- Prioritize better: Focus on threats that intersect with high-value or high-trust linkages.
- Predict earlier: Anticipate propagation by modeling adjacent or inherited dependencies.
In other words, threat feeds become threat flows — intelligence with direction, momentum and consequence.
Operationalizing ULM in threat intelligence pipelines
1. Ingest and normalize
ULM begins by ingesting diverse threat feeds — commercial, open-source, government and internal telemetry. Each artifact (IP, domain, hash, tactic or technique) becomes a node in the linkage model, enriched with metadata such as MITRE ATT&CK techniques, timestamps or confidence scores.
2. Establish linkages
The system identifies relationships between nodes using multiple criteria:
- Adjacency: Shared IP ranges, ASN or cloud hosting; shared libraries or API keys.
- Inheritance: Supply-chain dependencies, build-system components or configuration drift.
- Trustworthiness: Credential sharing, federated SSO connections, vendor contracts or known trust relationships.
Linkages are scored for strength and directionality — similar to weights in a graph — producing a threat-linkage graph showing how a compromise could cascade across systems.
3. Integrate with MITRE ATT&CK, TIPs and FAIR
ULM aligns naturally with MITRE ATT&CK’s technique-level data. Each linkage can be annotated with the ATT&CK tactics it enables — from Initial Access to Impact. Integration with Threat Intelligence Platforms such as MISP or ThreatConnect allows ULM graphs to update dynamically as new indicators appear.
A previously benign linkage can instantly become high-risk when connected to a newly malicious node, turning static intel into a living, breathing operational map.
Similarly, the ULM bridges quantitative risk frameworks like FAIR and FAIR-CAM by embedding linkage dynamics into loss-event modeling, thereby enabling risk assessments not only of the magnitude of loss but of the pathway through which loss may propagate.
4. Visualize threat flows
Visualization is key, and with AI/ML models and cloud-based resources now widely available, it is practical at enterprise scale. Using ULM, CISOs can see attack pathways as flow diagrams rather than spreadsheets.
For instance:
A connection to a compromised supplier’s GitHub repo (inheritance linkage)
→ injects code into a shared container image (adjacency linkage)
→ which is deployed into production through an automated pipeline (trust linkage).
Such visualizations reveal choke points where a single control — code-signing enforcement or identity segmentation — can break multiple flow paths at once.
ULM as a bridge between intelligence and authorization
One of the persistent frustrations in enterprise security is the divide between intelligence and governance. Threat feeds inform SOCs; frameworks like NIST SP 800-37 Rev. 2, ISO/IEC 27001:2022 or the CMMC 2.0 Model govern compliance. The two rarely meet.
ULM provides the connective tissue.
Because ULM formalizes relationships between systems, it can feed directly into risk management frameworks:
- NIST RMF Step 1–2 (Categorize/Select controls): Use ULM to identify linkage-dense areas where compromise would have the highest propagation potential.
- Step 3–4 (Implement/Assess): Validate that controls exist along key linkages — authentication boundaries, code-inheritance chains, vendor access.
- Step 6 (Monitor): Continuously refresh linkages with new threat intel, transforming continuous monitoring into continuous linkage validation.
In compliance contexts, ULM metrics — such as linkage density, trustworthiness scores and adjacency exposures — become measurable inputs for CMMC maturity, ISO 27001 risk registers or Zero Trust Architecture (SP 800-207) policy enforcement.
A threat flow, therefore, is not only a technical visualization but an auditable artifact of due diligence.
Zero trust and the flow perspective
Zero trust architecture (ZTA) is often summarized as “never trust, always verify,” as formalized in NIST SP 800-207. ULM adds nuance by showing what to verify and where trust actually exists. Every trust boundary in a zero-trust design corresponds to one or more linkages in ULM:
- A user authenticating through an identity provider — a trustworthiness linkage.
- A microservice calling another via API — an adjacency linkage.
- A software update pipeline pulling from a third-party repo — an inheritance linkage.
When threat intelligence is mapped onto those linkages, the CISO gains real-time visibility into which trust paths are under active threat.
Instead of treating zero trust as a static segmentation map, ULM enables a dynamic trust model — continuously updated by threat-flow data.
This approach converts zero trust from an architectural goal to an operational feedback system. Each linkage is verified not only against access policies but also against active threat flows.
CISO use case: Prioritizing by linkage impact
Consider two simultaneous alerts:
- A phishing domain targeting the finance department.
- A compromised API key in a DevOps integration.
Both seem important, but which deserves immediate attention?
A traditional feed-based approach might treat them equally. The ULM view quickly shows that the API key sits on a high-trust, high-inheritance linkage — it connects the build system to production containers and those containers share adjacency with customer data stores.
The phishing domain, by contrast, leads to isolated user inboxes with strong controls. By quantifying the linkage weight, the CISO can prioritize the DevOps compromise, knowing that its flow potential — the ability to move from one system to another — is far higher. This is attack-path prioritization, not just vulnerability management. It is the difference between chasing every indicator and focusing on the flows that matter.
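The pipeline steps above (ingest and normalize, establish and score linkages, annotate with ATT&CK, enumerate flows) and this prioritization use case can be demonstrated together on a small graph. The following is an added example, not code from the article or from any ULM tooling: the node names, the sample feed records, the per-linkage-type weights, the asset values and the control factors are all constructed assumptions chosen for illustration. Flow strength is modeled as the product of linkage weights along a path, and an indicator’s flow potential as the sum of reachable asset values weighted by the strongest path to each; a control on a linkage is modeled as a residual traversal fraction, which is how the choke-point effect of code-signing enforcement is shown.

```python
"""Toy threat-linkage graph illustrating the ULM pipeline steps and the
alert-prioritization use case. Added example; all names, feed records,
weights, values and control factors are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Step 2/3: how readily a compromise traverses each linkage type.
# Assumed weights, not figures from the article.
LINKAGE_WEIGHT = {"adjacency": 0.5, "inheritance": 0.7, "trustworthiness": 0.9}


@dataclass
class Node:
    name: str
    kind: str              # "indicator" (from a feed) or "asset" (from inventory)
    value: float = 0.0     # business value of an asset, 0..1; indicators carry 0
    meta: dict = field(default_factory=dict)


@dataclass
class Linkage:
    src: str
    dst: str
    kind: str              # one of LINKAGE_WEIGHT
    tactic: str = ""       # ATT&CK tactic the linkage enables (annotation only)
    control: float = 1.0   # residual traversal fraction after controls (1.0 = none)

    @property
    def weight(self) -> float:
        return LINKAGE_WEIGHT[self.kind] * self.control


class ThreatGraph:
    def __init__(self):
        self.nodes: dict[str, Node] = {}
        self.out: dict[str, list[Linkage]] = defaultdict(list)

    def add_node(self, node: Node) -> None:
        self.nodes[node.name] = node

    def link(self, src, dst, kind, tactic="", control=1.0) -> Linkage:
        edge = Linkage(src, dst, kind, tactic, control)
        self.out[src].append(edge)
        return edge

    def apply_control(self, src, dst, residual) -> None:
        """Model a control (code signing, MFA, segmentation) on one linkage."""
        for edge in self.out[src]:
            if edge.dst == dst:
                edge.control = residual

    def flows(self, start):
        """Enumerate acyclic flow paths from start. Strength is the product of
        edge weights along the path. Returns [(path, strength, tactics)]."""
        results = []

        def walk(node, path, strength, tactics):
            for edge in self.out[node]:
                if edge.dst in path:          # no cycles
                    continue
                new_path = path + [edge.dst]
                s = strength * edge.weight
                t = tactics + [edge.tactic]
                results.append((new_path, s, t))
                walk(edge.dst, new_path, s, t)

        walk(start, [start], 1.0, [])
        return results

    def flow_potential(self, start) -> float:
        """Sum over reachable assets of asset value times best path strength."""
        best = {}
        for path, strength, _ in self.flows(start):
            best[path[-1]] = max(best.get(path[-1], 0.0), strength)
        return sum(self.nodes[n].value * s for n, s in best.items())


# Step 1: ingest and normalize feed records (constructed sample feed).
FEED = [
    {"type": "domain", "value": "invoice-login.example", "confidence": 80, "technique": "T1566"},
    {"type": "api-key", "value": "leaked-ci-token", "confidence": 95, "technique": "T1552"},
]


def ingest(graph, records):
    for rec in records:
        meta = {"confidence": rec["confidence"], "technique": rec["technique"]}
        graph.add_node(Node(rec["value"], "indicator", meta=meta))


def build_example_graph() -> ThreatGraph:
    g = ThreatGraph()
    ingest(g, FEED)
    for name, value in [("finance-mailbox", 0.4), ("build-system", 0.5),
                        ("prod-containers", 0.6), ("customer-db", 1.0)]:
        g.add_node(Node(name, "asset", value))
    # Phishing domain reaches isolated finance inboxes behind strong mail controls.
    g.link("invoice-login.example", "finance-mailbox", "adjacency", "Initial Access", control=0.2)
    # Leaked API key: service token -> build system -> production -> customer data.
    g.link("leaked-ci-token", "build-system", "trustworthiness", "Initial Access")
    g.link("build-system", "prod-containers", "inheritance", "Execution")
    g.link("prod-containers", "customer-db", "adjacency", "Lateral Movement")
    return g


def prioritize(graph, indicators):
    """Rank alerts by flow potential, highest first: [(indicator, score)]."""
    scored = ((i, round(graph.flow_potential(i), 4)) for i in indicators)
    return sorted(scored, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    g = build_example_graph()
    for name, score in prioritize(g, [r["value"] for r in FEED]):
        print(f"{name:24s} flow potential {score}")
    for path, s, tactics in g.flows("leaked-ci-token"):
        print(" -> ".join(path), f"strength={s:.3f}", tactics)
    g.apply_control("build-system", "prod-containers", 0.1)  # enforce code signing
    print("after code signing:", round(g.flow_potential("leaked-ci-token"), 4))
```

On this constructed graph the leaked API key scores a flow potential of 1.143 against 0.04 for the phishing domain, reproducing the article’s ranking, and applying a code-signing control on the single build-to-production inheritance linkage cuts the key’s potential to 0.5193, which is the choke-point effect described under step 4. In a real deployment the weights would come from the TIP’s confidence scores and the organization’s own inventory, not from constants in a file.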
Toward a flow-based defense
Security teams often describe their posture in terms of perimeters, boundaries, endpoints or controls. But adversaries don’t think in boxes — they think in flows. They exploit the connective tissue: the forgotten trust token, the unmonitored CI/CD handoff, the shared SaaS credential.
The ULM provides a way to think and act like an attacker while maintaining the analytical rigor of a defender. By modeling linkages, CISOs can:
- Visualize attack surfaces: Understand not just what assets exist, but how they relate to each other.
- Quantify propagation risk: Measure how fast and far a compromise could move.
- Operationalize threat intel: Feed dynamic linkage updates into monitoring and response playbooks.
- Align intelligence with compliance: Demonstrate to auditors and boards that risk is understood in context.
In practice, adopting ULM doesn’t require replacing existing tools. Most organizations already possess the data — network maps, identity graphs, vulnerability scanners and threat feeds.
ULM unifies them into a linkage framework, transforming siloed outputs into a coherent risk narrative.
The CISO’s call to action
For decades, we have been trained to collect — logs, indicators, feeds. The next era of cybersecurity requires that we understand connections: how elements interact, inherit and propagate.
By adopting a linkage mindset, CISOs can elevate threat intelligence from reactive to predictive. The ULM provides the analytical bridge between static data and dynamic defense — a means to see threats not as isolated alerts but as flows of intent moving through digital ecosystems.
The message is simple but powerful:
Stop simply reading threat feeds.
Start mapping threat flows.
That is how you operationalize threat intelligence in the age of rhizomatic, interconnected systems — and how CISOs finally gain the visibility to act, not just react.
Additional details are available in my original research paper: Unified Linkage Models: Recontextualizing Cybersecurity (United States Cybersecurity magazine).
This article is published as part of the Foundry Expert Contributor Network.
Originally published as “From feeds to flows: Using a unified linkage model to operationalize threat intelligence” on CSO Online.