- RTTL - Threat Intel Sharing Platform
Real-Time Threat List (RTTL) – a centralized threat intelligence sharing platform for sharing real-world malware samples – helping the cybersecurity industry stay ahead.
What is RTTL?
RTTL is an initiative by AMTSO. It facilitates the sharing of malware samples and related metadata in real time between AMTSO members, test labs, certification bodies, and other cybersecurity entities – supporting better testing, analysis, and defence strategies.
Who Can Use It?
- AMTSO Members: Full access with a daily contribution of 200+ samples.
- CERTs & Researchers: Can use system as a single point of contact to share data without membership and reach all major security vendors.
- Security Firms (Non-members): Can contribute and may gain limited download access depending on the policies of other contributors.
Why It Matters
- ~75,000 new samples/month, incl. CERT submissions
- ~90% of samples are verified malicious
- ~30% of new threats submitted are seen in RTTL before any other source
- RTTL is often first to detect emerging threats – making it a key threat intelligence hub
Monthly submissions in RTTL
Always Improving
RTTL evolves constantly – adding new tools, fixing bugs, and improving based on feedback from the AMTSO community.
Key Features
- Sample submission & access controls
- Sandbox integration
- Robust API & interface
“The Real-Time Threat List (RTTL) is a vital resource for the cybersecurity community, providing a centralized platform for the submission and sharing of malware samples and threat intelligence. With its robust features, extensive contributor network, and comprehensive sandbox integration, RTTL plays a crucial role in enhancing the quality and objectivity of anti-malware testing methodologies.”
– Alexander Vukcevic, AMTSO CTO
Join RTTL
Already an AMTSO member? Sign up using the form below.
Not a member? Sign up to contribute as a CERT or external researcher, or get in touch for more info.
For more background, see the FAQs below and check out our RTTL whitepaper.
- RTTL FAQs
What is the RTTL?
The Real-Time Threat List (RTTL) is a repository of malware samples collected by security companies, test labs, and other experts from around the world.
The repository is managed, maintained and secured by the Anti-Malware Testing Standards Organization (AMTSO).
Who submits samples to the RTTL?
Anti-malware and general cybersecurity companies, testing labs, CERTs, and other anti-malware experts from around the world submit verified and significant samples to the RTTL, with attached metadata such as prevalence information and details of the distribution and source of the malware.
How can I access the RTTL?
Full RTTL access is restricted to AMTSO members. To find out more about the benefits of membership, check out our joining page. If you’re already a member, you can apply for access using the form on our member website.
Limited access is granted to recognized non-member security companies, and also to other bodies such as CERTs wishing to distributed malware they discover to the wider security industry via a single point of contact. In some circumstances limited access may be granted to academics carrying out relevant research.
The granular access control system within RTTL grants all contributors control over who has access to the samples they submit to the system, defaulting to AMTSO members only, so the exact level of access available to non-member participants depends on approval from other participants.
To find out more about getting access, please contact [email protected], or simply complete the application form below. Note that participation requires approval of the RTTL Licensing Agreement.
Why is there a need for the RTTL?
As new malware emerges at an ever-increasing rate, the RTTL system was designed to provide testers of anti-malware solutions with a repository of the latest malware and related metadata that they can use to validate anti-malware products in real-time.
The system also allows efficient provision of malware samples between AMTSO’s global community of members and partners.
Who uses the samples from RTTL?
AMTSO Tester members can apply for access to a unique daily quota of samples from the RTTL system, with wider access granted after 24 hours. This ensures that testers have access to samples not widely distributed to the vendors they are testing during this window.
These sample sets are primarily used for validation and certification testing. Data from the system can also be used in sample validation processes, and in designing sample sets representative of specific regions, time frames, and other sub-categories.
Security companies make use of the sample feeds to ensure their solutions remain current, particularly the feeds coming from CERTs and other smaller research bodies.
Academics researching or analyzing trends in the anti-malware industry can also apply to use the RTTL as a rich data source.
What about ThreatList?
AMTSO also operates ThreatList, a separate but related sample-sharing system designed to replace the long-standing WildList previously used by many testing organizations. ThreatList shares many of the features of the RTTL, but is unlinked to AMTSO membership. You can find out more about the ThreatList system here.
- RTTL application form
To find out more about getting access to RTTL system, please contact [email protected], or simply complete the application form below. Note that participation requires approval of the RTTL Licensing Agreement.