ThreatQ in an Air-Gapped Environment

What is an air-gapped environment?

An air-gapped environment is a network security measure employed to ensure a computer or computer network is secure by physically isolating it from unsecured networks, such as the public Internet or an unsecured local area network. This means a computer or network is disconnected from all other systems.


The challenge when using Threat Intelligence

Organizations often find it challenging to use their threat intelligence in an air-gapped environment because many threat intelligence feeds and platforms require some form of internet connection to work correctly or to their fullest capacity. Complete separation from external internet and network connections for security reasons, hinders their capabilities.  ThreatQ helps your organization to meet this challenge.

When determining how to deploy a threat intelligence platform in an air-gapped environment, there are some common considerations that influence the design and implementation.

ThreatQ - Air-gapped Environment

7 Considerations For Threat Intelligence In Air-Gapped Environments

Effective Placement

Threat data can be captured from both internal and external sources, each present their own individual challenges when working within an air-gapped environment. In both cases, the effectiveness of a threat intelligence platform will boil down to correct placement within the architecture.

Architecture Of The Threat Intelligence Platform

All threat intelligence platform providers claim to offer an ‘on-premises’ solution. However, it is important to note that an ‘on-premise’ solution does not necessarily mean that it will work effectively in an air-gapped environment; it may offer less functionality or require additional components.

Platform Updates

Updates are an important part of any threat intelligence platform. The updates will enable new functionality and patch any newly discovered security vulnerabilities. An air-gapped solution must be able to receive updates on a regular and timely basis and should involve simple installs that keep the entire architecture in line with custom functionality.

Enrichment And Analysis Sources

A key feature of the threat intelligence platform is the provision of a data enrichment and analysis capability. This capability offers enrichment of threat data from both internal and external sources. Correct placement of the threat intelligence platform and how enrichment and analysis services will be used must be considered to avoid compromising the security of the wider environment.


A threat intelligence platform should have the ability to ingest threat data from multiple internal and external sources into a single data model. Once ingested, it should be possible to nurture the data to better fit business requirements. Finally, it should be possible to build or implement bi-directional integrations with other security technologies. Understanding the desired integrations will help guide architectural decisions and simplify the deployment process.

Splitting Threat Intelligence Platform Functions

It may be necessary to split the core functions of the threat intelligence platform when designing for an air-gapped environment. This decision is generally informed by the placement and associated functional decisions for the environment.

Timeliness Of Data Delivery From External Sources

The requirement to air-gap a threat intelligence platform results in a lack of access to the externally facing services that are useful in the day-to-day operations that use threat intelligence (e.g., access to external enrichment sources). It is still possible to leverage external services as a source of threat data and enrichment, but timeliness must be considered when doing so.


Learn more about the considerations and how to implement ThreatQ in an air-gapped environment.

Air Gapped Environment Whitepaper for ThreatQuotient