Curated Threat Intelligence,
delivered to your firewalls.
Zedmos CTI ingests dozens of open-source TI feeds (URLhaus, abuse.ch, CERT.pl, USOM, Spamhaus DROP, EmergingThreats, ThreatFox, OpenPhish, …), strips out false positives that historically blocked legitimate services like drive.google.com, github.com or microsoft.com, and serves clean per-category blocklists over HTTPS to thousands of firewalls.
Threat sources from across the globe — one decision per packet
Curated feeds stream into the hub, every IOC is scored with STIX 2.1 confidence, every IP enriched offline with country + ASN, and the consensus snapshot ships only verified+trusted indicators to your firewalls. Cloud-AS allowlist keeps Microsoft 365 / Google Workspace alive; daily cross-validation proves every line.
- Multi-source consensus → verified-tier promotion
- Offline GeoASN at line rate (3.3M ops/s, no quota risk)
- Cloud-AS exception protects legitimate SaaS infra
- ed25519-signed snapshots, verifiable with stock OpenSSL
Live stats
Auto-refreshes every 30 seconds · sourced from /v1/public/stats
Every distribution snapshot is signable with our long-lived ed25519 key. Verify with stock OpenSSL — no Zedmos library needed.
Every number on this page has a definition. /v1/public/methodology documents what we count, what we DON'T count, FP-filter stages, and SLA targets. /v1/public/transparency emits the same numbers as JSON.
Every cert issued on Certificate Transparency logs is scored on brand-keyword, lookalike, IDN homograph, and lexical entropy in real time. Operator approval required before promotion to firewall feeds.
Suspicious newly-issued certs · last 24h
Certificate Transparency log monitor — brand impersonation, DGA-style domains, IDN homograph attempts. Operator approval required before promotion.
| Domain | Score | Brand | Flags | Issuer | Seen |
|---|---|---|---|---|---|
Hot indicators · last 24 hours
Aggregated from firewall-fleet sightings (anonymized — no PII, only count + reporting firewall count).
| Indicator | Type | Hits 24h | Firewalls | Last sighting |
|---|---|---|---|---|
Hot threats — last 24h
— new IOCs surfaced · what is burning right now
Community-URL drift caught + admin password self-serve UI
FW agent.json: legacy community-*.txt URLs on existing-enrolled firewalls drifted to 0-line snapshots after a stale-tier demote, generating a security_empty_fetch WARN every refresh cycle. One-shot rewrite to plain domains.txt (default tier = verified+trusted union, always populated) cleared the warning storm in 75 minutes; sample is clean. Plus: TiHub admin UI now has a self-serve "Change my password" modal — current+new+confirm, min 10 chars, audit-logged.
Orion internal admin panel shipped — 12 pages, 26 endpoints, 79/79 E2E live pass
New internal console at orion.zedmos.com:5555: tenants · firewalls · customers · licenses · tickets · agents · SASE · WireGuard · audit · settings — backed by a zedmos-backend bridge (/api/orion-admin/*, 26 endpoints) using a per-deploy ORION_ADMIN_TOKEN. Full E2E live pass with real data — 2,315 SASE events, 176k commands, 128 sessions audited.
4 critical TiHub fixes · 22k FP IOCs purged
Live security-root audit landed: cloudranges bisect overlapping-CIDR merge (3,444 cloud-drift IPs purged) · AdGuard / PublicDNS leak fix (34 manual allowlist) · datacenter-blind tiering replaced with SAFE_DC_AS_REGEX exception (18,794 down-tiered) · GeoASN backfill 0 → 243,891 IPs enriched.
Offline GeoIP+ASN at line rate (3.3M ops/s)
iptoasn.com IPv4 dump (29.6 MB / 521k ranges / CC0 / daily) embedded in the TiHub backend. Bogon FP, country + ASN + AS-name written to every IOC at ingest. Classifier (datacenter/vpn/residential + known-abuse ASN bonus) feeds enrich-promote scoring as advisory signal. Weekly BullMQ refresh.
Security catalog expanded 17 → 34 categories
Every UI-visible category is now wired end-to-end. Stalkerware → spyware_adware + keyloggers · jarelllama → parked (parser patch for 0.0.0.0DOMAIN) · hagezi_doh → potentially_dangerous · hagezi_nrd + shreshta → newly_registered + first_seen · 30-min decay-watch job maintains dead + newly_recovered cohorts.
Top categories
unique IOCs per category
Distribution snapshots
files served via HTTPS to firewalls
| Kind | Category | Type | Lines | Bytes | Last built |
|---|---|---|---|---|---|
Threat origins by country
Where the malicious IPs and CIDR ranges in our catalog are hosted — sourced from offline GeoASN at ingest time.
/v1/public/threats-by-country
How to read this: these are IPs / CIDRs hosted in each country (BGP geolocation), not necessarily where the threat actor lives. High counts in US, DE, GB, NL, SG include hyperscaler-hosted threats — adversaries rent legitimate cloud capacity. Domain IOCs (5M+) have no country attribution and are excluded from this view. The honest takeaway: where to look first, not who to blame.
Top 25 by IP/CIDR count. Caveat: domains (~94% of catalog) have no country attribution — this is the IP-only slice. Raw JSON →
Sources & credibility
Every upstream feed is classified into a credibility tier. We publish the full catalog at /v1/public/sources — provider, license, last audit, status.
2024–2026 ecosystem changes affecting our sources
- abuse.ch (URLhaus / ThreatFox / Feodo / MalwareBazaar / SSLBL) — Auth-Key mandatory since 2025-06-30. 12 of our feeds need a free key from auth.abuse.ch. Operator must provision ABUSECH_AUTH_KEY.
- Spamhaus eDROP merged into DROP on 2024-04-10. We migrated to drop_v4.json / drop_v6.json / asndrop.json.
- Tor Project — old /torbulkexitlist deprecated 2020-04-01. Our feed is pinned to the canonical /api/bulk.
- Talos public IP-blocklist retired 2024-09; replacement at snort.org has T&C click-through that breaks automation. Not auto-fetched.
- Bambenek DGA — commercial license required since 2024-07-01. Not redistributed.
- Cloudflare Radar Top Domains — CC-BY-NC-4.0 license restricts commercial redistribution. Disabled. Tranco's CF component inherits the same caveat — Majestic Million (CC-BY-3.0) is the unambiguous commercial-safe alternative.
- SSLBL JA3 fingerprints — last update 2021-08-03. Disabled here in production due to documented Smart-TV / IoT collisions.
- PhishTank — has had multi-month CSV outages historically (MISP issue #9855). Best-effort, not load-bearing.
- Full list at /v1/public/sources — see the deprecation_warnings[] field.
Audit status (last 24h)
"operational" = HTTP 200 + content received. We deliberately do not call low-cadence feeds (Spamhaus DROP, Feodo Tracker) "stale" — they publish only when actionable changes happen. "stale" is reserved for freshness-critical feeds that exceed their expected cadence.
Top operators
Per-feed catalog (sample top by tier)
| Tier | Feed | Operator | License | Status | Last fetch |
|---|---|---|---|---|---|
Showing curated sample. Full catalog as JSON →
Verify our claims yourself
No Zedmos library required. Use stock OpenSSL.
ed25519 signed bundle verification
Copy-paste, run, observe Signature Verified Successfully. Tamper one byte → instant Verification Failure.
```bash
TOKEN=tihub_...
# 1. fetch the body, the detached signature, and the public key
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt \
  -H "authorization: Bearer $TOKEN" -o body.txt
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt.sig \
  -H "authorization: Bearer $TOKEN" \
  | jq -r .signature_b64 | base64 -d > sig.bin
curl -sS https://www.zedmos.net/v1/public/keys/sign.pem -o pub.pem
# 2. verify (openssl 3.0+, no extra packages)
openssl pkeyutl -verify -pubin -inkey pub.pem -rawin \
  -in body.txt -sigfile sig.bin
# → Signature Verified Successfully
```
Cross-check the live numbers
Every counter on this page comes from /v1/public/transparency. /v1/public/methodology defines what each counter means and what we explicitly DO NOT count.
```bash
# live numbers (no-auth)
curl -sS https://www.zedmos.net/v1/public/transparency \
  | jq .live_numbers
# definitions + FP-filter stages + SLA targets + what we don't count
curl -sS https://www.zedmos.net/v1/public/methodology \
  | jq '.definitions, .fp_filter_stages, .what_we_do_NOT_count'
```
What we shipped
Every successful change lands here. The home page is updated after every deploy.
Allowlist-drift cleanup — 113,942 false positives caught and removed
Honest finding: as Tranco/Umbrella allowlist anchors grew daily, 113,942 previously-ingested indicators (37% of our domain corpus) drifted into a state where the FP filter would now reject them — but they kept shipping to firewalls. We caught this in our own audit, swept them in a single pass, and now run the sweep every 6 hours as a maintenance job so it can never re-accumulate. Default firewall feed dropped from 215,608 → 137,748 indicators (~36% reduction); every remaining line strictly meets tier criteria.
Three-tier cross-validation pipeline live · every shipped IOC corroborated
We don't ship a single line to a customer firewall without provenance. The default domains.txt / ips.txt / sha256.txt files now contain only verified (≥2 distinct upstream sources, OR active enrichment confirmation, OR honeypot-confirmed, OR manually approved) and trusted (single-source from a strict T1 feed: USOM TR-CERT, CERT.pl, Spamhaus DROP, abuse.ch Feodo low-FP) indicators. The community tier (single-source from T2-T5 feeds) is opt-in only at community-domains.txt.
Active enrichment at ingest: GreyNoise (free Community API) classifies legitimate scanners (Google DNS, Cloudflare DNS, Shodan) → never blocked. AbuseIPDB confidence ≥75 promotes single-source IPs to verified. VirusTotal positives ≥3 promotes domains/IPs/hashes.
Honeypot ground truth: a separate ingest endpoint (/v1/honeypot/event, sensor-token auth) accepts attack observations from Zedmos honeypot mesh nodes. Quorum rule: ≥3 distinct sensors hit by the same IP in 24h, OR ≥10 hits to one sensor → IP promoted to verified with honeypot_confirmed=true. This is literal ground truth — the IP attacked our infrastructure right now.
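The quorum rule above, worked through as an added example (not Zedmos code): it evaluates the trailing 24-hour window, distinguishes "distinct sensors" from "volume on one sensor", and emits the honeypot_confirmed=true promotion record. Sensor ids, timestamps and source IPs are constructed.

```python
"""Added example (not Zedmos code): the honeypot quorum rule quoted on this page,
>=3 distinct sensors hit by one IP in 24h OR >=10 hits on a single sensor, evaluated
over a trailing window. Sensor ids, timestamps and source IPs are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)
MIN_DISTINCT_SENSORS = 3
MIN_HITS_ONE_SENSOR = 10

def honeypot_promotions(events, now):
    """events: (src_ip, sensor_id, utc_timestamp) tuples as a /v1/honeypot/event ingest
    would collect them. Returns {ip: record} for every IP meeting the quorum within
    [now - 24h, now]; the record carries honeypot_confirmed=True as the page describes."""
    per_ip = defaultdict(Counter)            # ip -> Counter(sensor_id -> hits)
    for ip, sensor, ts in events:
        if now - WINDOW <= ts <= now:        # ignore stale and future-dated events
            per_ip[ip][sensor] += 1
    promoted = {}
    for ip, hits in per_ip.items():
        if len(hits) >= MIN_DISTINCT_SENSORS:
            reason = "distinct_sensors"
        elif max(hits.values()) >= MIN_HITS_ONE_SENSOR:
            reason = "single_sensor_volume"
        else:
            continue
        promoted[ip] = {"tier": "verified", "honeypot_confirmed": True,
                        "reason": reason, "sensors": len(hits), "hits": sum(hits.values())}
    return promoted

NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed evaluation time
def _t(hours_ago):
    return NOW - timedelta(hours=hours_ago)

EVENTS = [  # constructed; 198.51.100/203.0.113/192.0.2 are documentation ranges
    ("198.51.100.7", "hp-ams-1", _t(1)), ("198.51.100.7", "hp-fra-2", _t(5)),
    ("198.51.100.7", "hp-ist-3", _t(20)),                        # 3 sensors -> promoted
    *[("203.0.113.9", "hp-ams-1", _t(h)) for h in range(10)],    # 10 hits, one sensor -> promoted
    ("192.0.2.5", "hp-ams-1", _t(2)), ("192.0.2.5", "hp-fra-2", _t(3)),
    ("192.0.2.5", "hp-ams-1", _t(4)), ("192.0.2.5", "hp-fra-2", _t(6)),  # 2 sensors, 4 hits -> no
    ("192.0.2.6", "hp-ams-1", _t(1)), ("192.0.2.6", "hp-fra-2", _t(2)),
    ("192.0.2.6", "hp-ist-3", _t(25)),                           # third sensor outside window -> no
]
```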
Daily proof: a random sample of shipped IOCs is checked against tier criteria every 24h. Latest run: —. Live numbers and per-tier breakdown at /v1/public/verification.cross_validation.
New today: SHA-256 hashes (sha256.txt + per-category yara.yar rules) · HMAC-signed webhooks for new_iocs / smoke_failed / cloud_fp_caught events · SOAR connectors for Cortex/TheHive + XSOAR + TheHive responder · per-token scope enforcement by kind/category/tier, ready for multi-tenant deployment.
Cloud-IP false-positive audit — caught 8,663 in our own catalog
Self-audit found 8,663 IPs (4.27%) of our IP corpus sitting inside published AWS / GCP / Cloudflare / GitHub CIDR ranges — IPs which would have caused real outages on customer firewalls had they been blocked. Caught and suppressed in a single sweep against 202,787 candidates.
Breakdown: AWS 2,619 · GCP 3,137 · GitHub 2,904 · Cloudflare 3. All moved to the review queue with fp_reason=cloud_provider_range; snapshots rebuilt — none ship to firewalls today.
Going forward: ingest pipeline now performs an inline bisect-based cloud-range membership check before any IP IOC is promoted; the cloud-range allowlist is refreshed daily from the four upstream providers via a maintenance worker. Live numbers and full provenance: /v1/public/verification.
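The inline bisect-based membership check and the overlapping-CIDR merge it depends on, as an added example (not Zedmos code): provider ranges are collapsed into disjoint sorted intervals, then each candidate IP is classified in O(log n) and routed to the review queue with fp_reason=cloud_provider_range. The CIDR list is constructed from documentation ranges, not real provider data.

```python
"""Added example (not Zedmos code): bisect-based cloud-range membership check with
overlapping-CIDR merge, the mechanism this page describes for catching cloud-hosted
false positives at ingest. The CIDR list below is constructed, not provider data."""
import bisect
import ipaddress

# Constructed stand-in for the published AWS / GCP / Cloudflare / GitHub ranges.
# 192.0.2.0/25 and 192.0.2.64/26 overlap; 192.0.2.128/25 and 203.0.113.64/26 are adjacent.
CLOUD_CIDRS = ["192.0.2.0/25", "192.0.2.64/26", "192.0.2.128/25",
               "198.51.100.0/24", "203.0.113.0/26", "203.0.113.64/26"]

def merge_ranges(networks):
    """Collapse networks into sorted, disjoint (first, last) integer intervals.
    Overlapping or adjacent ranges are merged so one bisect lands in at most one interval."""
    merged = []
    for first, last in sorted((int(n.network_address), int(n.broadcast_address)) for n in networks):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

class CloudRanges:
    """Per-address-family interval table; membership is O(log n) via bisect."""
    def __init__(self, cidrs):
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.tables = {}
        for version in (4, 6):
            intervals = merge_ranges(n for n in nets if n.version == version)
            self.tables[version] = (intervals, [first for first, _ in intervals])

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        intervals, starts = self.tables[addr.version]
        value = int(addr)
        i = bisect.bisect_right(starts, value) - 1   # last interval starting at or before ip
        return i >= 0 and value <= intervals[i][1]

def triage_ip_iocs(candidates, ranges):
    """Inline check before promotion: IPs inside a cloud range go to the review queue
    tagged fp_reason=cloud_provider_range (as on this page); the rest stay eligible."""
    eligible, review = [], []
    for ip in candidates:
        if ranges.contains(ip):
            review.append({"ip": ip, "fp_reason": "cloud_provider_range"})
        else:
            eligible.append(ip)
    return eligible, review

CANDIDATES = ["192.0.2.77", "203.0.113.128", "198.51.100.9", "8.8.8.8", "2001:db8::1"]  # constructed
```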
STIX 2.1 + TAXII 2.1 server
Native application/taxii+json;version=2.1 server with discovery, collections, manifest and STIX bundle endpoints. 16 collections live — one per kind+category combo. Compatible with MISP, OpenCTI, Splunk Add-on, Anomali ThreatStream and Microsoft Sentinel out of the box.
9 firewall-native output formats
Same indicators, every format your stack speaks: plain text, Suricata DNS rules, Pi-hole adlist, OPNsense / pfSense URL-table, MikroTik RouterOS script, Unbound / BIND RPZ, STIX 2.1 bundle, TAXII 2.1 collection, MISP feed. No custom-format upcharge.
MITRE ATT&CK ingestion
30,649 STIX objects mirrored from mitre/cti — enterprise + mobile + ICS domains. Indicators ship with kill-chain phase tagging today; technique-id mapping (T1566.002 etc.) lands in v0.3.
Tranco + Cisco Umbrella allowlist anchors
Daily-refreshed anchors: Tranco top-domains, Cisco Umbrella, AWS/GCP/Cloudflare/GitHub published CIDR ranges. Allowlist now — entries (…). Combined with Mozilla PSL for accurate co.uk / com.tr / appspot.com handling. Live: /v1/public/verification.
Closed-loop sightings (anonymized)
Firewalls can POST /v1/sightings/bulk aggregate hit counts (no PII). The hot-indicators panel above is powered by this. Privacy-preserving HMAC + bloom-dedup hardening lands in v0.3.
GreyNoise + AbuseIPDB enrichment
On-demand IP context. GreyNoise classifies "internet noise" vs "common business service" — automatic FP suppression for things like 8.8.8.8. AbuseIPDB second-source confidence cross-check.
ed25519 signed bundles + audited methodology
Detached .sig signatures on every distribution snapshot, verifiable by stock OpenSSL. Public key at /v1/public/keys/sign.pem. /v1/public/methodology documents exactly what each counter means and what we DON'T count. Recipe →
MITRE ATT&CK technique tagging on STIX
Every STIX 2.1 indicator now ships with technique-id external references (e.g. T1566.002 Spearphishing Link for phishing IOCs, T1071.001 Web Protocols C2 for botnet IOCs). Auto-links to OpenCTI / MISP / Splunk SEC dashboards.
Sigma rule export per category
10th output format: /v1/feeds/<k>/<c>/sigma.yml. Portable to Splunk SPL, Elastic ES|QL, Sentinel KQL, QRadar via sigmac / uncoder.io.
CertStream watcher (best-effort)
Long-lived WS to Calidog CertStream. Brand-keyword + Levenshtein lookalike + Shannon-entropy DGA scorer. Operator approval required before promotion. Note: depends on calidog.io availability — sometimes the upstream firehose pauses.
MISP feed format export — 10th format
Per-category MISP feed: /v1/feeds/<k>/<c>/misp/manifest.json + /<event-uuid>.json + hashes.csv. Drops directly into MISP Feeds → Add. Full attribute Tags (TLP, kind, category) included.
abuse.ch ecosystem fully wired (7/7 platforms + Auth-Key wizard)
URLhaus + ThreatFox + Feodo + MalwareBazaar + SSLBL + YARAify + Hunting reference. Free Auth-Key required from auth.abuse.ch — validated against the upstream before persisting, then bulk-applied to all 14 abuse.ch feeds. Operation Endgame (May 2024 LE takedown) context surfaced honestly — Feodo Tracker is empty because the threats it tracked are dismantled.
Honest disclosure — 8 ecosystem changes surfaced
2024–2026 retired the assumption that "abuse.ch + Talos + Bambenek = free baseline." We surface the changes that broke that assumption (abuse.ch Auth-Key, Talos retired, Bambenek paid, Cloudflare CC-BY-NC) on the Sources page rather than hide them. Each feed publishes deprecation_note + license_caveat + auth_required.
8 new feeds: DigitalSide, TweetFeed, Cybercrime-tracker…
Cybercrime-tracker first run added 19,145 banking-trojan C2 indicators. DigitalSide (CC0), TweetFeed (Twitter OSINT), MalwareBazaar (sample hashes for STIX), AlienVault OTX (free), MISP CIRCL (Phase 2). Total feed count: 22 → 30.
Live SLA status page
/status publishes mean-indicator-age, P99, feed-OK ratio, snapshot freshness. Auto-refreshes every 20s. Most CTI vendors hide these metrics — we show them by default.
What is CTI?
Cyber Threat Intelligence — context-rich data about adversaries, the infrastructure they use, and how to detect them.
High-level intelligence on threat actors, geopolitical motivations, industry targeting and long-running campaigns. Read by CISOs and risk officers.
TTPs (Tactics, Techniques and Procedures) mapped to MITRE ATT&CK. Detection engineers use this to write SIEM rules and IDS signatures.
Indicators of Compromise (IOCs): malicious domains, IPs, CIDRs, file hashes, JA3/JA4 fingerprints. Fed into firewalls, EDRs, DNS sinkholes. This is what Zedmos CTI specializes in.
Raw open-source TI feeds are noisy. URLhaus might list a Google Drive URL because attackers used it for malware staging — but the parent domain drive.google.com is, of course, legitimate. Without curation, a firewall that suffix-matches such a feed will block hundreds of millions of legitimate users from Google Drive, GitHub, Microsoft 365 and more.
Zedmos CTI runs every IOC through a five-stage filter: hard allowlist · root-domain protection · multi-source consensus · format validation · manual review queue.
How it works
From upstream feed to firewall — every minute, every indicator.
BullMQ-scheduled HTTP fetchers honour each feed's polling interval. Plain, hosts, CSV and JSON formats are parsed natively.
5-stage pipeline: allowlist suffix match, registrable-root protection, multi-source consensus, syntactic validation, manual review.
Per-category, per-type files are written sorted-unique with a SHA-256 ETag. Atomic rename means firewalls never see a partial file.
NGINX reverse-proxy with per-FW Bearer auth, ETag/304 revalidation, gzip, rate-limits and a 60-second cache zone scaled for thousands of firewalls.
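The filter stages listed above and the verified / trusted / community tiers described under "Three-tier cross-validation pipeline", condensed into one toy implementation as an added example (not Zedmos code). The allowlist anchors, the stand-in public-suffix list, the feed credibility tiers and the IOC observations are all constructed; the manual review queue (stage 5) is left to the operator and not modelled.

```python
"""Added example (not Zedmos code): toy version of the five-stage curation filter and
the verified / trusted / community tiering described on this page. Allowlist, suffix
list, feed tiers and the IOC sample are all constructed."""
import re
from collections import defaultdict

ALLOWLIST = {"drive.google.com", "github.com", "microsoft.com"}   # constructed anchors
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.tr", "appspot.com"}  # toy PSL
FEED_TIER = {"usom": 1, "certpl": 1, "spamhaus_drop": 1, "urlhaus": 2, "openphish": 3}
# RFC 1123-style hostname with at least two labels, so a bare TLD can never ship.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def registrable_root(domain):
    """eTLD+1 against the toy suffix list; the longest matching suffix wins."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain
    return ".".join(labels[-2:])

def allowlisted(domain):
    """Stage 1, hard allowlist with suffix match: drive.google.com also covers
    every label under it, so a URL-derived host like x.drive.google.com never ships."""
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST)

def kills_protected_root(domain):
    """Stage 2, registrable-root protection: a feed listing google.com must not wipe
    every Google subdomain, so the root of any allowlisted name is refused outright."""
    return domain in {registrable_root(a) for a in ALLOWLIST}

def curate(observations):
    """observations: (domain, feed_name) pairs as reported upstream.
    Returns ({domain: tier}, [(domain, reject_reason)]); manual review (stage 5) is
    left to the operator queue and not modelled here."""
    sources = defaultdict(set)
    for domain, feed in observations:
        sources[domain.lower().rstrip(".")].add(feed)
    shipped, rejected = {}, []
    for domain, feeds in sorted(sources.items()):
        if allowlisted(domain):
            rejected.append((domain, "allowlist_suffix"))
        elif kills_protected_root(domain):
            rejected.append((domain, "protected_root"))
        elif not HOSTNAME_RE.match(domain):              # stage 4, syntactic validation
            rejected.append((domain, "invalid_hostname"))
        elif len(feeds) >= 2:                             # stage 3, multi-source consensus
            shipped[domain] = "verified"
        elif min(FEED_TIER.get(f, 5) for f in feeds) == 1:
            shipped[domain] = "trusted"                   # single source, strict T1 feed
        else:
            shipped[domain] = "community"                 # single T2-T5 source, opt-in only
    return shipped, rejected

SAMPLE = [  # constructed observations; .example is reserved for documentation
    ("evil-login.example", "urlhaus"), ("evil-login.example", "openphish"),
    ("c2.badhost.example", "usom"), ("parked.lowconf.example", "openphish"),
    ("drive.google.com", "urlhaus"), ("google.com", "openphish"),
    ("bad_host.example", "urlhaus"),
]
```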
Public API
All endpoints emit Cache-Control and ETag. Firewall feeds require a Bearer token.
- /v1/public/stats (no auth)
- /v1/stix/info (no auth)
- /v1/public/health (no auth)
Firewall feed endpoints (Bearer)
Same indicators, your favourite format. Substitute <kind> ∈ ti | security | waf and <cat> with a category from /v1/stix/info.
- /v1/feeds/<kind>/<cat>/domains.txt
- /v1/feeds/<kind>/<cat>/ips.txt
- /v1/feeds/<kind>/<cat>/suricata.rules
- /v1/feeds/<kind>/<cat>/pihole.txt
- /v1/feeds/<kind>/<cat>/opnsense.txt
- /v1/feeds/<kind>/<cat>/mikrotik.rsc
- /v1/feeds/<kind>/<cat>/unbound.rpz
- /v1/feeds/<kind>/<cat>/stix.json
TAXII 2.1 server (Bearer)
https://cti.zedmos.net/taxii2/
```bash
# Live stats (no auth)
curl -sS https://www.zedmos.net/v1/public/stats | jq .iocs
# Suricata rules (Bearer required)
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/suricata.rules \
  -H "authorization: Bearer tihub_..."
# STIX 2.1 bundle for Splunk / MISP / OpenCTI
curl -sS https://cti.zedmos.net/v1/feeds/ti/phishing/stix.json?limit=1000 \
  -H "authorization: Bearer tihub_..."
# TAXII 2.1 collection list
curl -sS https://cti.zedmos.net/taxii2/api1/collections/ \
  -H "authorization: Bearer tihub_..." \
  -H "accept: application/taxii+json;version=2.1"
```
What you get
Allowlist of major cloud, social, OS-update and CDN domains. Registrable-root protection prevents a feed listing google.com from killing every Google subdomain.
NGINX proxy_cache + ETag + gzip means a firewall fetching a 1 MB feed every 10 minutes costs us a few KB of revalidation traffic per request.
No engine recompile required: replace the upstream URL in agent.json with the matching cti.zedmos.net path, drop in a Bearer token, restart the agent.
Each IOC tracks its provenance across feeds. Operators can require a minimum number of independent sources before an indicator gets shipped to firewalls.
Every change to the catalog — feed updates, IOC promotions, allowlist edits — is recorded with timestamps and reasons. Suitable for compliance evidence.