A National Platform for Threat Sharing
The UK finds itself in a geopolitical context where the cyber domain is an integral part of security policy. Threat actors – primarily through ransomware attacks and DDoS – reuse vulnerabilities and leave traces in the form of IP addresses, domain names, and TTPs (Tactics, Techniques and Procedures).
Despite broad consensus on the benefits of information sharing, there has been a lack of a common national platform. The result has been that valuable threat intelligence has remained within individual organisations.
MISP UK addresses this structural gap and aligns with the national cybersecurity strategy, the NIS2 Directive, and enhanced information sharing requirements.
What is MISP?
MISP (Malware Information Sharing Platform) is an open source platform with no licensing costs. The workflow consists of five steps:
| Step | Description |
|---|---|
| 1. Collection | Gather threat indicators |
| 2. Normalisation | Structure data in standard formats |
| 3. Enrichment | Add context and metadata |
| 4. Correlation | Find relationships between indicators |
| 5. Sharing | Distribute to connected organisations |
The platform handles:
- IP addresses and domains
- Checksums (hash values)
- SSL certificates
- MITRE ATT&CK mapping
- Timelines and correlation graphs
Connection occurs via web interface or API. API integration with SIEM, IDS, and firewalls is recommended for operational value – enabling automatic blocking based on shared threat intelligence.
Timeline for MISP UK
Initial launch with 15 pilot organisations for testing and validation.
Opening for public sector – councils, NHS trusts, and government departments can apply for connection.
Private sector welcomed after legal framework is strengthened. Proposals are with government departments.
Enhanced integration with NCSC operations and expanded threat intelligence capabilities.
Who Can Connect?
Connection Requirements:
The organisation must be established in the UK and meet at least one of the following criteria:
- Operates essential services
- Covered by NIS2 regulations
- Is a government department or public body
- Provides essential IT operations or security to the above organisations
Connection Methods:
- Direct account — Access via web interface
- Synchronisation — Local MISP instance synchronised with MISP UK (recommended)
Benefits for Different Organisations
MISP UK provides access to UK-specific artefacts that commercial threat feeds rarely cover. Local threat actors and campaigns targeting UK entities are identified faster.
Free access to real-time threat intelligence despite limited resources. Faster blocking of malicious indicators and evidence base for risk assessments and targeted training initiatives.
Recommendation for Getting Started
- Secure internal buy-in — Ensure leadership support and understanding of benefits
- Train staff — Ensure appropriate competence exists to interpret and act on threat intelligence
- Start consuming — Receive data and integrate into your security systems
- Share when ready — Contribute your own threat intelligence when trust and understanding has grown
Important: It’s not mandatory to share information from day one. Start by consuming.
New Services from NCSC
Beyond MISP UK, the NCSC is launching additional services:
Scanning Services Systematic identification of your organisation’s attack surface – an evolution of existing vulnerability scanning capabilities.
National Monitoring Continuous monitoring of UK organisations’ internet exposure. Delivered through private sector partners with NCSC coordination. Launching later in 2026.
Frequently Asked Questions
Personal data should not be shared in MISP UK. The system has built-in controls. The Data Protection Authority's interpretation that IP addresses may constitute personal data is under review.
No, completely voluntary but strongly recommended by the NCSC.
Contributors perform initial review, NCSC provides assistance, and the system's built-in warning lists help filter incorrect indicators.
Yes, MISP UK has API support for integration with SIEM, IDS, firewalls, and other security systems.
Connection to NIS2 and Cybersecurity Regulations
MISP UK supports several requirements in the NIS2 Directive and UK cybersecurity regulations:
- Incident reporting — Share indicators linked to incidents
- Risk management — Use threat intelligence for risk assessments
- Supply chain security — Identify threats to suppliers
- Cooperation — Meet requirements for information sharing with authorities
How Securapilot Can Help
Securapilot supports organisations wanting to maximise the benefits of MISP UK:
- Incident management — Integrate threat intelligence into your incident response process
- Risk management — Use MISP data as input to risk assessments
- NIS2 compliance — Document and track your threat intelligence activities
- Supplier oversight — Monitor indicators linked to your suppliers
Book a demo and see how Securapilot can strengthen your threat intelligence capabilities.
Frequently asked questions
What is MISP UK?
MISP UK is the national platform for cyberthreat information sharing, based on open source technology. It's operated by the NCSC and enables organisations to share and receive threat intelligence including IP addresses, domains, checksums, and TTPs.
Who can connect to MISP UK?
Organisations established in the UK conducting essential services, covered by NIS2 regulations, government departments, or providing essential IT operations/security to such organisations. Public sector from February 2026, private sector later in 2026.
Does it cost to connect to MISP UK?
No, MISP UK is completely free. The platform is built on open source technology without licensing costs.
Must we share information to connect?
No, sharing is voluntary. The recommendation is to start by consuming data and share when trust and understanding has grown.
