Join the FINMISP service
FINMISP is the National Cyber Security Centre Finland’s (NCSC-FI) cyber threat intelligence sharing service for organisations. Join the service if you want to use and share technical threat intelligence efficiently.
When is FINMISP suitable for you?
You will benefit most from the service if your organisation
- needs to receive and use technical threat intelligence
- is able to produce and share threat intelligence with other actors
- understands whether the MISP platform is suitable for its activities
- wants to develop cyber threat intelligence sharing through cooperation
As a general rule, the service is intended for Finnish organisations critical to security of supply.
How FINMISP works and how to use the service
FINMISP forms a national threat intelligence sharing network in which the NCSC-FI acts as a central node.
The service brings together
- national threat intelligence sharing
- international information sources
- exchange of information between organisations
You can use the FINMISP service in two ways:
- through your own MISP instance
- through the web interface
The web interface gives you quick access to the service’s information content and enables you to start producing and sharing threat intelligence.
Your own MISP instance enables you to create an automated and real-time information sharing pipeline between your organisation and FINMISP. Your organisation is responsible for installing and maintaining your own instance. The NCSC-FI will provide support and guidance on deploying and using FINMISP.

FINMISP combines data collected from information security incidents and turns it into threat intelligence.
Through the service, your organisation gets
- comprehensive and relevant information from high-quality sources
- fast information sharing between actors critical to security of supply
- a tool for reactive and proactive measures
- better capabilities to analyse information security incidents
FINMISP data and classification
FINMISP is mainly used to share technical threat intelligence, meaning indicators of compromise.
An indicator of compromise (IOC) is a technical indicator that may point to an information security breach or cyber attack.
FINMISP has its own classification system, which determines how context and metadata are attached to information. This ensures that shared threat intelligence is consistent and usable.
In FINMISP
- confidential information is not shared
- information sharing is restricted using the TLP protocol
TLP (Traffic Light Protocol) defines who information may be shared with and how it may be used.