Today, watchTowr is launching watchTowr Intel: a new, dedicated threat intelligence capability integrated into the watchTowr Platform.
watchTowr Intel is already operational. Attacker Eye, the real-world attacker telemetry network at its core, has already captured zero-day exploitation in the wild and recovered active exploits directly from attacker infrastructure. This post explains what the capability is, how it works, and why it was built.
The problem watchTowr Intel was built to solve
Over 48,000 CVEs were added to CVE.org‘s database in 2025 alone, nearly double the number from 2022. Of those, only 1-2% saw exploitation in the wild. Security teams have no reliable way to know in advance which 1-2% it will be.
CVSS scores measure theoretical severity. Vendor advisories describe what was found, not what is being used. CVE feeds grow faster than any team can triage them. By the time a vulnerability reaches a headline, attackers are frequently already inside affected environments. The question security teams actually need to answer is not “what could be exploited?” but “what is being exploited right now, and are we exposed to it?”
What watchTowr Intel is
watchTowr Intel is the threat intelligence layer of the watchTowr Platform, built around three components: Attacker Eye, watchTowr Instinct, and a dedicated threat intelligence team. Each addresses a different part of the problem.
Attacker Eye
Attacker Eye is watchTowr’s proprietary global honeypot network. Rather than generic decoys, it deploys hyper-realistic sensors built to resemble the enterprise edge devices attackers actually target. When those devices are exploited in the wild, the network captures the exploit itself, the techniques used after initial access, the backdoors deployed, and the attacker infrastructure involved.
In August 2025, when CrushFTP disclosed CVE-2025-54309, a critical authentication bypass affecting over 30,000 internet-facing instances, watchTowr deployed a CrushFTP sensor into the Attacker Eye network. Within hours, the sensor captured live exploitation traffic. By analyzing the HTTP requests hitting the sensor, the watchTowr team reconstructed the exploit from attacker behavior alone, without access to a patch or a vendor advisory. The full technical account is published on watchTowr Labs.
Attacker Eye does not analyze vulnerabilities after the fact. It observes exploitation as it occurs, which means the intelligence it produces reflects what attackers are doing, not what researchers expect them to do.
watchTowr Instinct
watchTowr Instinct is our vulnerability prioritization engine. Rather than defaulting to CVSS, Instinct evaluates the class of vulnerability, the product’s typical exposure profile, current attacker behavior observed through Attacker Eye, and historical patterns of how similar issues have been weaponized. The output is a prioritized view of which vulnerabilities are highly likely to be exploited in the near term, giving security teams the lead time to act before weaponization rather than after.
The watchTowr Intel team
Attacker Eye and Instinct produce signal. The watchTowr Intel team contextualizes it. Analysts track nation-state actors, APT groups, and ransomware operators, translating what Attacker Eye’s sensors capture and what Instinct flags into findings security leaders can act on. The team publishes research and analysis through the watchTowr blog, the Rapid Reaction series, and monthly Insights posts.
Ryan Dewhurst, watchTowr’s Head of Threat Intelligence tells his team that, “our mission extends beyond client protection. We will share timely, actionable intelligence with the wider security community through authoritative blogs and social channels, contributing meaningful insights, not noise.”
Already integrated into the watchTowr Platform
watchTowr Intel is not a standalone product. The telemetry from Attacker Eye and the prioritization from Instinct feed directly into Rapid Reaction, the capability that determines whether an organization is exposed to an emerging threat within hours of disclosure. When a technique is confirmed in the wild, the platform validates whether affected environments are actually vulnerable to it, using the same tactics real attackers are using.
By combining Proactive Threat Intelligence, External Attack Surface Management and Autonomous Mitigation, the watchTowr Platform gives security teams the one thing they need most: time to respond.
Book a demo to see how watchTowr Threat Intel powers our Preemptive Exposure Management
