Map rule: every hotspot, region, line, and card should be read as a derived intelligence lens. It does not prove traffic volume, attacker origin, victim location, compromise, or exposure in your organization.
Threat Map Limitations
The threat map shows campaign attention, not live attack traffic.
Use this guide when interpreting regions, campaign cards, filters, hotspots, and animated map elements. The map is a visual summary of loaded campaign and vulnerability intelligence, not a sensor feed from user environments.
Where loaded campaign and vulnerability records cluster by region, type, sector, or theme.
Which campaign lenses may deserve SOC, patch, or threat-intel validation.
No direct proof of live packet flows, local attacks, source IP origin, or victim location.
Preserve source, time, filters, and limitations when sharing map-derived conclusions.
What The Map Means
Read the map as a visual index into loaded intelligence
Hotspots are signal-weighted clusters
A hotspot means related records are present in the loaded campaign view. It is not a measurement of attack packets or confirmed victim count.
Regions are orientation labels
Regional grouping helps analysts scan reporting context, but it should not be treated as definitive attacker origin or exact victim geography.
Lines are visual storytelling
Animated lines and paths communicate campaign relationships and attention flow. They are not observed network routes.
Filters change the story
Ransomware, phishing, DDoS, and exploited-CVE filters narrow the loaded set. A missing result may reflect filter scope, not absence of activity.
Safe Inferences
What the map can support with careful wording
A campaign theme is visible
The current map can show that a campaign, attack type, region, or vulnerability theme is represented in loaded records.
A filter produces a review queue
The map can help collect ransomware, phishing, DDoS, or exploited-CVE records into a working set.
A regional lens may matter
Regional context can help threat intel and leadership understand where reporting is clustering.
A next owner is needed
The best output is often a SOC hunt, source review, vendor check, exposure validation, or leadership caveat.
Do Not Claim
Unsupported conclusions from the map alone
Attackers are targeting us from this region
Needs telemetry, source validation, threat-intel corroboration, and environment context.
Our assets are victims in this campaign
Needs local asset, exposure, alert, owner, and incident-response evidence.
The hotspot is current live traffic
Needs network, cloud, endpoint, identity, or application telemetry. The map does not collect that traffic.
A quiet region means no risk
Needs source coverage review, filter review, and environment validation before lowering attention.
Actor attribution is final
Needs corroborated threat-intel sources and careful confidence language.
A campaign card proves compromise
Needs SOC or IR evidence from your environment.
Review Routine
How to use the map without overclaiming
Copy Template
Threat map interpretation note
Threat map note - [campaign/filter/region]
Map view used: [all / ransomware / phishing / DDoS / exploited CVEs]
Visible signal: [campaign card, hotspot, region, record count, source]
Safe interpretation: [loaded reporting cluster / review queue / campaign theme]
What it does not prove: [live traffic / local targeting / compromise / attribution / exposure]
Validation needed: [source confidence, telemetry, affected assets, owner, source links]
Owner and review trigger: [SOC/threat intel/patch/leadership, date or source update]
Recommended route: use the map to choose what deserves review, then validate sources, telemetry, exposure, and campaign confidence before sharing conclusions.