Built for analysts, not just blocklists
Every IOC carries a quantitative score, a MITRE technique, and a kill-chain phase. Every alert can spawn a takedown. Every export carries severity metadata. This is what curated looks like.
IOC scoring · 4 dimensions
Every indicator gets four numbers (0-100), refreshed nightly and at ingest. We expose them
on every endpoint — including Suricata priority:N and Check Point CSV severity.
- confidence Bayesian: source tier × consensus × enrichment × sighting feedback
- threat Severity (1-10) × category CVSS-like weight × tier multiplier
- popularity Log-scaled over distinct sources + 30d sightings + age window
- composite Weighted 45 / 35 / 20 — drives default sort + tier gating
{
"ioc": "1dv.online",
"tier": "verified",
"categories": ["phishing","botnet_cc","turkish_usom"],
"scores": {
"confidence": 77,
"threat": 54,
"popularity": 50,
"composite": 64,
"scorer_version": 1
},
"recommendation":
"BLOCK — composite score 64 (medium-high)"
}
tags:
- category.phishing
- kind.security
- attack.initial-access
- attack.t1566.001
- attack.t1566.002
Every IOC mapped to a technique
Each Zedmos category maps to a curated list of ATT&CK tactics + techniques (Enterprise v15).
Sigma exports carry attack.tXXXX.YYY tags. STIX bundles include
kill_chain_phases + external_references to attack.mitre.org.
External Attack Surface Management
Declare your domains, IPs, CIDRs and URLs. We scan nightly and surface:
- Missing HSTS / CSP / clickjacking protection
- Server / X-Powered-By banner leaks
- Exposed
.git,.env,.aws/credentials, phpinfo (content-signature validated — no wildcard FPs) - Dangling CNAMEs to S3 / Azure / Cloudfront / GitHub Pages
- DNS no-resolution + parked-asset detection
asset_value: api.example.com
duration_ms: 9182
checks_run: 7
findings_new: 3
errors: []
variants_enumerated: 75
variants_resolved: 10
algorithms used:
· char-omission (zedms.com, edmos.com)
· char-transposition (zdemos.com)
· char-substitution (zedmoz.com)
· bitsquatting (redmos, zelmos, zeemos)
· homograph (zеdmos.com cyrillic e)
· hyphen-insertion (zed-mos.com)
· duplicate-char (zeedmos.com)
· tld-swap (zedmos.shop / .xyz)
Typosquat & homograph hunter
For each root domain we enumerate up to 1,500 visually-similar variants across 8 algorithms, resolve them on public DNS in parallel, and emit a BrandAlert for each one that's actually registered. From there: one-click takedown drafting with RDAP-pulled abuse contacts and a state-machine that tracks the case through to removed.
Ed25519-signed snapshots
Every distribution snapshot is signed. Customers verify with the published Zedmos public key — auditors can prove the feed wasn't tampered with in transit.
Turkish CERT live feed
Direct ingest from siberguvenlik.gov.tr/api. 220k+ IOCs across 5 indicator types — exclusive to Zedmos in this curated form.
Self-host option
A self-host bundle (Docker · MongoDB · Redis) is available for environments where the IOC pulls must not leave the perimeter — e.g. EU public-sector tenders.
See it in action
The full API reference, including curl snippets for every feed format and vendor export, is in the developer guide.