Zedmos CTI
Curated Threat Intelligence

Built for analysts, not just blocklists

Every IOC carries a quantitative score, a MITRE technique, and a kill-chain phase. Every alert can spawn a takedown. Every export carries severity metadata. This is what curated looks like.

scoring

IOC scoring · 4 dimensions

Every indicator gets four numbers (0-100), refreshed nightly and at ingest. We expose them on every endpoint — including Suricata priority:N and Check Point CSV severity.

  • confidence (Bayesian): source tier × consensus × enrichment × sighting feedback
  • threat: severity (1-10) × category CVSS-like weight × tier multiplier
  • popularity: log-scaled over distinct sources + 30d sightings + age window
  • composite: weighted 45 / 35 / 20 over the three dimensions above, in that order; drives default sort + tier gating
{
  "ioc": "1dv.online",
  "tier": "verified",
  "categories": ["phishing","botnet_cc","turkish_usom"],
  "scores": {
    "confidence": 77,
    "threat":     54,
    "popularity": 50,
    "composite":  64,
    "scorer_version": 1
  },
  "recommendation":
    "BLOCK — composite score 64 (medium-high)"
}
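The composite in the sample record follows directly from the 45 / 35 / 20 weighting: 77 × 0.45 + 54 × 0.35 + 50 × 0.20 = 63.55, which rounds to 64. The block below is an added example, not Zedmos code, that recomputes the composite from the three dimensions and derives a recommendation string and a Suricata priority from it. Only the weights and the sample values come from the page; the band thresholds, the BLOCK/MONITOR split and the priority mapping are assumptions.

```python
# Added example (not Zedmos code): recompute the composite score with the
# published 45 / 35 / 20 weights and derive downstream labels from it.
# Band thresholds, the BLOCK/MONITOR rule and the Suricata priority
# mapping are assumptions; the page only shows 64 -> "medium-high".
from dataclasses import dataclass

WEIGHTS = {"confidence": 0.45, "threat": 0.35, "popularity": 0.20}

# Assumed bands, highest floor first.
BANDS = [(80, "critical"), (60, "medium-high"), (40, "medium"), (0, "low")]


@dataclass(frozen=True)
class Scores:
    confidence: int
    threat: int
    popularity: int

    def composite(self) -> int:
        """Weighted 45 / 35 / 20 blend of the three 0-100 dimensions, rounded."""
        for value in (self.confidence, self.threat, self.popularity):
            if not 0 <= value <= 100:
                raise ValueError(f"score out of range: {value}")
        raw = (self.confidence * WEIGHTS["confidence"]
               + self.threat * WEIGHTS["threat"]
               + self.popularity * WEIGHTS["popularity"])
        return int(round(raw))


def band(composite: int) -> str:
    """Map a composite score onto the assumed severity bands."""
    for floor, label in BANDS:
        if composite >= floor:
            return label
    return "low"


def recommendation(scores: Scores, tier: str) -> str:
    """Build the recommendation string; blocking only verified IOCs at >= 60 is assumed."""
    c = scores.composite()
    action = "BLOCK" if tier == "verified" and c >= 60 else "MONITOR"
    return f"{action} - composite score {c} ({band(c)})"


def suricata_priority(composite: int) -> int:
    """Assumed mapping of composite onto Suricata priority:N (1 is highest)."""
    if composite >= 80:
        return 1
    if composite >= 60:
        return 2
    if composite >= 40:
        return 3
    return 4


if __name__ == "__main__":
    # Values from the page's sample IOC (1dv.online).
    sample = Scores(confidence=77, threat=54, popularity=50)
    print(sample.composite(), recommendation(sample, "verified"),
          "priority:%d" % suricata_priority(sample.composite()))
```

Because the blend is linear, a feed consumer can recompute it from the three exposed dimensions and detect a record whose composite disagrees with its parts, which is a cheap integrity check to run on every pull.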

MITRE ATT&CK

Every IOC mapped to a technique

Each Zedmos category maps to a curated list of ATT&CK tactics and techniques (Enterprise v15). Sigma exports carry attack.tXXXX.YYY tags. STIX bundles include kill_chain_phases and external_references pointing to attack.mitre.org.

Sigma tags for a phishing indicator:

tags:
  - category.phishing
  - kind.security
  - attack.initial-access
  - attack.t1566.001
  - attack.t1566.002

Live coverage matrix →
EASM

External Attack Surface Management

Declare your domains, IPs, CIDRs and URLs. We scan nightly and surface:

  • Missing HSTS / CSP / clickjacking protection
  • Server / X-Powered-By banner leaks
  • Exposed .git, .env, .aws/credentials, phpinfo (content-signature validated — no wildcard FPs)
  • Dangling CNAMEs to S3 / Azure / Cloudfront / GitHub Pages
  • DNS no-resolution + parked-asset detection

Plus tier: 50 assets · Premium: unlimited, hourly cadence.

POST /admin/v1/admin/easm/assets/<id>/scan
{
  "ok": true,
  "result": {
    "asset_value": "api.example.com",
    "duration_ms": 9182,
    "checks_run": 3,
    "findings_new": 3,
    "errors": []
  }
}
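The checks in the list above are simple to reproduce for a single response, and the "content-signature validated" point matters: a catch-all route returns 200 for /.git/HEAD and /.env alike, so a status code alone produces wildcard false positives. The block below is an added example, not Zedmos code, that runs the header checks and the content-signature rules over constructed responses so it works offline. Header names are the real ones; the finding ids and the exact signature rules are assumptions about how such a scanner labels results.

```python
# Added example (not Zedmos code): header hygiene and content-signature
# checks of the kind the EASM section lists, over constructed responses.
# Finding ids and the signature rules are assumptions.
import re
from typing import Dict, List

REQUIRED = {
    "strict-transport-security": "missing-hsts",
    "content-security-policy": "missing-csp",
}
LEAKY = ("server", "x-powered-by")
GIT_SHA = re.compile(rb"[0-9a-f]{40}")


def header_findings(headers: Dict[str, str]) -> List[str]:
    """Return finding ids for one HTTPS response's header map (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [fid for name, fid in REQUIRED.items() if name not in h]
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive counts.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("missing-clickjacking-protection")
    # Banner leaks: a bare product name is tolerated, a version string is a leak.
    for name in LEAKY:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"banner-leak-{name}")
    return findings


def git_exposed(status: int, body: bytes) -> bool:
    """/.git/HEAD is only a finding if the body has the real file format:
    a symbolic ref line or a bare 40-hex commit id. A 200 with an HTML
    page is the wildcard false positive."""
    if status != 200:
        return False
    stripped = body.strip()
    return stripped.startswith(b"ref: refs/") or GIT_SHA.fullmatch(stripped) is not None


def env_exposed(status: int, body: bytes) -> bool:
    """/.env is only a finding if at least one non-comment KEY=value line is present."""
    if status != 200:
        return False
    lines = [ln for ln in body.decode("utf-8", "replace").splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return any("=" in ln and ln.split("=", 1)[0].strip().isupper() for ln in lines)


if __name__ == "__main__":
    # Constructed response for demonstration.
    sample_headers = {"Server": "nginx/1.18.0",
                      "Content-Security-Policy": "default-src 'self'"}
    print(header_findings(sample_headers))
    print(git_exposed(200, b"ref: refs/heads/main\n"),
         git_exposed(200, b"<html>Not found</html>"))
```

The CSP frame-ancestors branch is the one most naive scanners miss: a site that has dropped X-Frame-Options in favour of a modern CSP is protected, and reporting it as clickjackable trains the owner to ignore the finding.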
brand protection

Typosquat & homograph hunter

For each root domain we enumerate up to 1,500 visually-similar variants across 8 algorithms, resolve them on public DNS in parallel, and emit a BrandAlert for each one that is actually registered. From there: one-click takedown drafting with RDAP-pulled abuse contacts and a state machine that tracks the case through to removed.

Example output for zedmos.com:

variants_enumerated: 75
variants_resolved:    10
algorithms used:
  · char-omission       (zedms.com, edmos.com)
  · char-transposition  (zdemos.com)
  · char-substitution   (zedmoz.com)
  · bitsquatting        (redmos, zelmos, zeemos)
  · homograph           (zеdmos.com cyrillic e)
  · hyphen-insertion    (zed-mos.com)
  · duplicate-char      (zeedmos.com)
  · tld-swap            (zedmos.shop / .xyz)
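The eight algorithms named for zedmos.com are each a small string transform, and reproducing them shows what a brand-protection team is actually resolving. The block below is an added example, not Zedmos code, that generates all eight variant classes for one root domain and converts the homograph form to the punycode label a resolver would see. The keyboard-neighbour table and the TLD swap list are assumptions; DNS resolution is left out so the example runs offline.

```python
# Added example (not Zedmos code): the eight typosquat variant classes the
# page names, generated for one root domain. ADJACENT and TLDS are assumed
# tables; resolution against public DNS is intentionally not included.
from typing import Dict, Set

ALGORITHMS = ("char-omission", "char-transposition", "char-substitution",
              "bitsquatting", "homograph", "hyphen-insertion",
              "duplicate-char", "tld-swap")
ADJACENT = {  # assumed QWERTY neighbours for substitution
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "e": "wsdr",
    "m": "njk", "o": "iklp", "z": "asx",
}
TLDS = ("shop", "xyz", "net", "org")  # assumed swap list
HOMOGLYPHS = {"e": "\u0435", "o": "\u043e", "a": "\u0430"}  # Cyrillic look-alikes


def variants(domain: str) -> Dict[str, Set[str]]:
    """Return {algorithm: set of candidate domains} for a root domain."""
    label, tld = domain.lower().rsplit(".", 1)
    out: Dict[str, Set[str]] = {name: set() for name in ALGORITHMS}
    n = len(label)
    for i, ch in enumerate(label):
        out["char-omission"].add(label[:i] + label[i + 1:] + "." + tld)
        out["duplicate-char"].add(label[:i] + ch * 2 + label[i + 1:] + "." + tld)
        if i > 0:
            out["hyphen-insertion"].add(label[:i] + "-" + label[i:] + "." + tld)
        if i < n - 1 and ch != label[i + 1]:
            swapped = label[:i] + label[i + 1] + ch + label[i + 2:]
            out["char-transposition"].add(swapped + "." + tld)
        for sub in ADJACENT.get(ch, ""):
            out["char-substitution"].add(label[:i] + sub + label[i + 1:] + "." + tld)
        # Bitsquatting: one flipped bit in the byte; keep only valid label chars.
        for bit in range(7):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            if flipped.isascii() and flipped.isalnum() and flipped != ch:
                out["bitsquatting"].add(label[:i] + flipped + label[i + 1:] + "." + tld)
        if ch in HOMOGLYPHS:
            out["homograph"].add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld)
    for alt in TLDS:
        if alt != tld:
            out["tld-swap"].add(label + "." + alt)
    for name in out:  # never report the brand's own domain
        out[name].discard(domain.lower())
    return out


def to_ascii(domain: str) -> str:
    """Punycode form of a (possibly homograph) domain, i.e. what DNS is asked for."""
    return domain.encode("idna").decode("ascii")


def total(domain: str) -> int:
    """Count distinct candidates across all algorithms."""
    return len(set().union(*variants(domain).values()))


if __name__ == "__main__":
    v = variants("zedmos.com")
    for name in ALGORITHMS:
        print(f"{name:<20} {sorted(v[name])[:4]}")
    print("homograph on the wire:", to_ascii("z\u0435dmos.com"))
    print("total candidates:", total("zedmos.com"))
```

Homograph candidates only matter after IDNA encoding: the Cyrillic form is what a victim sees, the xn-- label is what is registered and resolved, so both need to be stored on the alert.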

crypto

Ed25519-signed snapshots

Every distribution snapshot is signed. Customers verify with the published Zedmos public key — auditors can prove the feed wasn't tampered with in transit.
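What "customers verify with the published public key" means in practice is a detached Ed25519 verification over the exact snapshot bytes before anything is loaded. The block below is an added example, not Zedmos code, using the `cryptography` package. The snapshot contents, the detached-signature layout (64 raw bytes beside the file) and the key encoding (32 raw bytes) are assumptions; the page says only that snapshots are Ed25519-signed. The publisher key is generated in the demo so it runs offline; in production it is the published Zedmos key, pinned by the customer.

```python
# Added example (not Zedmos code): verify a distribution snapshot against a
# pinned Ed25519 public key. Key and signature encodings are assumed (raw
# bytes); the publisher key is generated here only for the demonstration.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def verify_snapshot(public_key_raw: bytes, snapshot: bytes, signature: bytes) -> bool:
    """True only if signature is a valid Ed25519 signature over the exact snapshot bytes.
    Malformed inputs fail closed (False) instead of raising."""
    if len(public_key_raw) != 32 or len(signature) != 64:
        return False
    try:
        Ed25519PublicKey.from_public_bytes(public_key_raw).verify(signature, snapshot)
        return True
    except InvalidSignature:
        return False


def demo() -> tuple:
    """Constructed publisher key and snapshot; returns (good, tampered, wrong_key)."""
    publisher = Ed25519PrivateKey.generate()
    pub = publisher.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    # Constructed snapshot body; a real one is the full exported bundle.
    snapshot = b'{"ioc":"1dv.online","tier":"verified","composite":64}\n'
    sig = publisher.sign(snapshot)
    other_pub = Ed25519PrivateKey.generate().public_key().public_bytes(
        Encoding.Raw, PublicFormat.Raw)
    return (
        verify_snapshot(pub, snapshot, sig),
        verify_snapshot(pub, snapshot.replace(b"verified", b"unverified"), sig),
        verify_snapshot(other_pub, snapshot, sig),
    )


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

The two negative cases are the ones an auditor cares about: a single changed byte in transit invalidates the signature, and a signature from any key other than the pinned one is rejected, so the check proves both integrity and origin of the feed.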

USOM

Turkish CERT live feed

Direct ingest from siberguvenlik.gov.tr/api. 220k+ IOCs across 5 indicator types — exclusive to Zedmos in this curated form.

sovereign

Self-host option

Premium ships a self-host bundle (Docker · Mongo · Redis). Your IOC pulls never leave your perimeter. Required for many EU public-sector tenders.

Ready to see your coverage?

Spin up a free Community account in 60 seconds. No credit card. The Suricata rules, Sigma YAML, and STIX bundles are downloadable immediately.

See pricing →