MCSTI - Threat Intelligence Built for the NHS
Most threat intelligence wasn't written with the NHS in mind. It tells a security team that an indicator is dangerous somewhere in the world. It rarely tells them whether it matters to their trust, today, or what to do about it first.
For a stretched NHS security team, that's the whole problem. The feeds are full and the alerts keep coming. The hard part isn't knowing threats exist. It's knowing which are relevant to health and care, which are urgent, and which can wait.
So we built a platform to answer exactly that. It's called MCSTI: the McCormickCo Security Threat Intelligence platform.
Not a feed. A correlation engine.
Most threat feeds do one thing. They tell you an address is bad, or a weakness is critical, or an actor is active. MCSTI's value is that it brings all of those together and connects them.
MCSTI draws continuously on authoritative primary sources, not aggregators, and correlates them into a single picture. For any given threat, it brings together:
- The technical detail and severity from the national vulnerability sources, across every scoring standard
- The probability it will actually be exploited, with the trend over time, so a threat climbing towards active exploitation is flagged before it peaks
- Confirmation of real-world exploitation, including whether it has been used in ransomware
- Whether working exploit code exists in the wild
- The attacker's likely behaviour, mapped through the MITRE chain from weakness to attack pattern to technique
- How to defend against it, through recognised defensive countermeasures
- And, critically for the NHS, the relevant NHS CareCert advisory
The result is that a threat arrives not as a bare score, but as a complete picture: what it is, whether it's being exploited, how likely that is to get worse, what an attacker would do with it, how to stop them, and how it connects to the national NHS threat picture.
Why that matters
No single commercial vendor sells this combination. The scanning vendors tell you the weakness. The endpoint vendors tell you the actor. MITRE gives you the frameworks. Each is one piece. MCSTI stitches them together, and then does the part none of them do: anchors it to the NHS through CareCert.
That correlation is what turns a wall of alerts into a short, ordered list of what genuinely warrants action. Every item carries enough context that the next step is obvious, along with a clear sense of whether to act now or later.
It also reflects how the NHS actually has to operate. MCSTI applies a composite risk score so that critical items surface above the noise, and classifies intelligence under the NCSC's Traffic Light Protocol so your team knows not just what they're looking at, but who they're permitted to share it with.
Built on twenty years of NHS security
MCSTI didn't come out of nowhere. We've worked in NHS and public sector security for more than two decades, back to the original Information Governance Toolkit. We've sat in the SOC, prepared the audits, and dealt with the real-world consequences when something is missed.
That experience is what shapes the platform. It's why MCSTI is anchored to CareCert and built around what an NHS analyst actually needs in front of them to make a decision, where the stakes are patient services, not just systems. It's threat intelligence designed by people who have run NHS security, for people who run NHS security.
It works with the tools you already have
Intelligence is only useful if it reaches the place your team works: your security monitoring platform.
MCSTI is built on open industry standards, so it integrates with standards-based SIEM platforms rather than locking you to one vendor. The intelligence flows into your existing monitoring and starts working in the background, correlating against your own logs and surfacing what's relevant, with the context already attached.
And if you run ManageEngine Log360, we go further. As a ManageEngine Gold Partner that runs Log360 ourselves, this is an integration we've tested and proven end to end: the platform, the feed, and the NHS-focused intelligence flowing through it, set up by the team that built both sides. Whether you bring your own SIEM or take Log360 from us, MCSTI delivers the same NHS-specific edge.
Already a DSPT View customer? You already have it.
If you use DSPT View, our purpose-built NHS assurance platform, MCSTI intelligence is included as standard, at no additional cost. There's nothing extra to procure and nothing to switch on separately: the same NHS-focused threat intelligence is already part of the platform you're using, working alongside your assurance and evidence in one place.
It's part of how we think the NHS should be supported: not a stack of separate products with separate invoices, but joined-up tooling where your assurance and your threat intelligence inform each other.
Find out more
MCSTI is the result of twenty years of NHS security experience, built into a platform that does what generic feeds can't: tell your team what matters to your organisation, and what to do about it.
If you'd like to see what MCSTI could do for your security team, we'd welcome the conversation.