Curated Threat Intelligence,
delivered to your firewalls.
Zedmos CTI ingests dozens of open-source TI feeds (URLhaus, abuse.ch, CERT.pl, USOM, Spamhaus DROP, EmergingThreats, ThreatFox, OpenPhish, …), strips out false positives that historically blocked legitimate services like drive.google.com, github.com or microsoft.com, and serves clean per-category blocklists over HTTPS to thousands of firewalls.
Live stats
Auto-refreshes every 30 seconds · sourced from /v1/public/stats
Every distribution snapshot ships with a detached signature made with our long-lived ed25519 key. Verify it with stock OpenSSL; no Zedmos library is needed.
Every number on this page has a definition. /v1/public/methodology documents what we count, what we DON'T count, FP-filter stages, and SLA targets. /v1/public/transparency emits the same numbers as JSON.
Every cert that appears in Certificate Transparency logs is scored in real time on brand keywords, Levenshtein lookalikes, IDN homographs and lexical entropy. Operator approval is required before a hit is promoted to the firewall feeds.
Suspicious newly-issued certs · last 24h
Certificate Transparency log monitor — brand impersonation, DGA-style domains, IDN homograph attempts. Operator approval required before promotion.
| Domain | Score | Brand | Flags | Issuer | Seen |
|---|---|---|---|---|---|
Hot indicators · last 24 hours
Aggregated from firewall-fleet sightings (anonymized — no PII, only count + reporting firewall count).
| Indicator | Type | Hits 24h | Firewalls | Last sighting |
|---|---|---|---|---|
Top categories
unique IOCs per category
Distribution snapshots
files served via HTTPS to firewalls
| Kind | Category | Type | Lines | Bytes | Last built |
|---|---|---|---|---|---|
Sources & credibility
Every upstream feed is classified into a credibility tier. We publish the full catalog at /v1/public/sources — operator, license, last audit, status.
2024–2026 ecosystem changes affecting our sources
- abuse.ch (URLhaus / ThreatFox / Feodo / MalwareBazaar / SSLBL) — Auth-Key mandatory since 2025-06-30. 12 of our feeds need a free key from auth.abuse.ch; the operator must provision ABUSECH_AUTH_KEY.
- Spamhaus eDROP merged into DROP on 2024-04-10. We migrated to drop_v4.json / drop_v6.json / asndrop.json.
- Tor Project — the old /torbulkexitlist endpoint was deprecated 2020-04-01. Our feed is pinned to the canonical /api/bulk endpoint.
- Talos public IP blocklist retired 2024-09; the replacement at snort.org sits behind a T&C click-through that breaks automation. Not auto-fetched.
- Bambenek DGA — commercial license required since 2024-07-01. Not redistributed.
- Cloudflare Radar Top Domains — CC-BY-NC-4.0 license restricts commercial redistribution. Disabled. Tranco's Cloudflare component inherits the same caveat; Majestic Million (CC-BY-3.0) is the unambiguous commercial-safe alternative.
- SSLBL JA3 fingerprints — last updated 2021-08-03. Disabled in production because of documented Smart-TV / IoT collisions.
- PhishTank — has had multi-month CSV outages historically (MISP issue #9855). Best-effort, not load-bearing.
- Full list at /v1/public/sources, in the deprecation_warnings[] field.
Audit status (last 24h)
"operational" = HTTP 200 + content received. We deliberately do not call low-cadence feeds (Spamhaus DROP, Feodo Tracker) "stale" — they publish only when actionable changes happen. "stale" is reserved for freshness-critical feeds that exceed their expected cadence.
Top operators
Per-feed catalog (sample top by tier)
| Tier | Feed | Operator | License | Status | Last fetch |
|---|---|---|---|---|---|
Showing a curated sample. The full catalog is available as JSON at /v1/public/sources.
Verify our claims yourself
No Zedmos library required. Use stock OpenSSL.
ed25519 signed bundle verification
Copy-paste, run, observe Signature Verified Successfully. Tamper one byte → instant Verification Failure.
TOKEN=tihub_...
# 1. fetch the body, the detached signature, and the public key
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt \
-H "authorization: Bearer $TOKEN" -o body.txt
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt.sig \
-H "authorization: Bearer $TOKEN" \
| jq -r .signature_b64 | base64 -d > sig.bin
curl -sS https://www.zedmos.net/v1/public/keys/sign.pem -o pub.pem
# 2. verify (openssl 3.0+, no extra packages)
openssl pkeyutl -verify -pubin -inkey pub.pem -rawin \
-in body.txt -sigfile sig.bin
# → Signature Verified Successfully
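The same recipe as a gated update step a firewall-side fetcher could run, added here as an example (not Zedmos' code). It shells out to stock OpenSSL, as the page recommends, so no third-party Python module is needed, and it treats the openssl exit status, not the printed banner, as the verdict. The key pair is generated locally for the rehearsal (Zedmos' real public key is only the one served at the URL above); the `{"signature_b64": ...}` shape of the `.sig` response is assumed from the jq line in the recipe; the indicator lines are constructed.

```python
"""Added example, not Zedmos' code: verify a detached ed25519 signature with stock OpenSSL,
then swap the snapshot into place only when verification succeeds."""
import base64
import json
import os
import subprocess
import tempfile


def run_openssl(*args, check=True):
    return subprocess.run(["openssl", *args], capture_output=True, check=check)


def generate_keypair(workdir):
    """Constructed stand-in for the publisher's key (demo only; not Zedmos' key)."""
    priv = os.path.join(workdir, "sign.key")
    pub = os.path.join(workdir, "pub.pem")
    run_openssl("genpkey", "-algorithm", "ed25519", "-out", priv)
    run_openssl("pkey", "-in", priv, "-pubout", "-out", pub)
    return priv, pub


def sign_snapshot(priv, body_path):
    """Produce the same {"signature_b64": ...} JSON that the page's recipe unwraps with jq."""
    sig = run_openssl("pkeyutl", "-sign", "-inkey", priv, "-rawin", "-in", body_path).stdout
    return json.dumps({"signature_b64": base64.b64encode(sig).decode()})


def verify_snapshot(pub, body_path, sig_json):
    """True iff the detached ed25519 signature in sig_json covers body_path byte for byte."""
    try:
        sig = base64.b64decode(json.loads(sig_json)["signature_b64"], validate=True)
    except (ValueError, KeyError, TypeError):
        return False  # a malformed .sig response is a failed verification, not a skipped one
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(sig)
        sig_path = f.name
    try:
        proc = run_openssl("pkeyutl", "-verify", "-pubin", "-inkey", pub, "-rawin",
                           "-in", body_path, "-sigfile", sig_path, check=False)
        # the exit status is the contract; do not grep for "Signature Verified Successfully"
        return proc.returncode == 0
    finally:
        os.unlink(sig_path)


def install_if_verified(pub, body_path, sig_json, dest):
    """Atomically replace dest with the new blocklist only on a good signature.
    Returns True when dest was replaced, False when it was left untouched."""
    if not verify_snapshot(pub, body_path, sig_json):
        return False
    tmp = dest + ".tmp"
    with open(body_path, "rb") as src, open(tmp, "wb") as dst:
        dst.write(src.read())
    os.replace(tmp, dest)  # rename is atomic: the firewall never loads a half-written file
    return True


def rehearse():
    """Offline rehearsal: sign a constructed body, install it, tamper one byte, try again.
    Returns (installed_first, installed_after_tamper, contents_of_live_file)."""
    wd = tempfile.mkdtemp()
    priv, pub = generate_keypair(wd)
    body = os.path.join(wd, "domains.txt")
    with open(body, "w") as f:
        f.write("evil.example\nbad.example\n")  # constructed sample indicators
    sig_json = sign_snapshot(priv, body)
    dest = os.path.join(wd, "live.txt")
    first = install_if_verified(pub, body, sig_json, dest)
    with open(body, "a") as f:
        f.write("x")  # tamper one byte: the old signature no longer covers the body
    second = install_if_verified(pub, body, sig_json, dest)
    with open(dest) as f:
        return first, second, f.read()


if __name__ == "__main__":
    print(rehearse())
```

In a real fetcher the three `curl` calls above replace `generate_keypair` and `sign_snapshot`; pin `pub.pem` locally rather than re-downloading it on every run, so a compromised transport cannot hand you a key and a matching signature together.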
Cross-check the live numbers
Every counter on this page comes from /v1/public/transparency. /v1/public/methodology defines what each counter means and what we explicitly DO NOT count.
# live numbers (no-auth)
curl -sS https://www.zedmos.net/v1/public/transparency \
| jq .live_numbers
# definitions + FP-filter stages + SLA targets + what we don't count
curl -sS https://www.zedmos.net/v1/public/methodology \
| jq '.definitions, .fp_filter_stages, .what_we_do_NOT_count'
What we shipped
Every successful change lands here. The home page is updated after every deploy.
STIX 2.1 + TAXII 2.1 server
Native application/taxii+json;version=2.1 server with discovery, collections, manifest and STIX bundle endpoints. 16 collections live — one per kind+category combo. Compatible with MISP, OpenCTI, Splunk Add-on, Anomali ThreatStream and Microsoft Sentinel out of the box.
9 firewall-native output formats
Same indicators, every format your stack speaks: plain text, Suricata DNS rules, Pi-hole adlist, OPNsense / pfSense URL-table, MikroTik RouterOS script, Unbound / BIND RPZ, STIX 2.1 bundle, TAXII 2.1 collection, MISP feed. No custom-format upcharge.
MITRE ATT&CK ingestion
30,649 STIX objects mirrored from mitre/cti — enterprise + mobile + ICS domains. Indicators ship with kill-chain phase tagging today; technique-id mapping (T1566.002 etc.) lands in v0.3.
Tranco + Cisco Umbrella allowlist anchors
Daily-refreshed top-domain anchors expand the allowlist from 166 → 20,437 registrable roots. Combined with Mozilla PSL for accurate co.uk / com.tr / appspot.com handling, the false-positive surface is now near-zero.
Closed-loop sightings (anonymized)
Firewalls can POST /v1/sightings/bulk aggregate hit counts (no PII). The hot-indicators panel above is powered by this. Privacy-preserving HMAC + bloom-dedup hardening lands in v0.3.
GreyNoise + AbuseIPDB enrichment
On-demand IP context (operator console). GreyNoise classifies "internet noise" vs "common business service" — automatic FP suppression for things like 8.8.8.8. AbuseIPDB second-source confidence cross-check.
ed25519 signed bundles + audited methodology
Detached .sig signatures on every distribution snapshot, verifiable by stock OpenSSL. Public key at /v1/public/keys/sign.pem. /v1/public/methodology documents exactly what each counter means and what we DON'T count. Recipe →
MITRE ATT&CK technique tagging on STIX
Every STIX 2.1 indicator now ships with technique-id external references (e.g. T1566.002 Spearphishing Link for phishing IOCs, T1071.001 Web Protocols C2 for botnet IOCs). Auto-links to OpenCTI / MISP / Splunk SEC dashboards.
Sigma rule export per category
10th output format: /v1/feeds/<k>/<c>/sigma.yml. Portable to Splunk SPL, Elastic ES|QL, Sentinel KQL, QRadar via sigmac / uncoder.io.
CertStream watcher (best-effort)
Long-lived WS to Calidog CertStream. Brand-keyword + Levenshtein lookalike + Shannon-entropy DGA scorer. Operator approval required before promotion. Note: depends on calidog.io availability — sometimes the upstream firehose pauses.
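A compact version of the scorer described in the CertStream entry above and in the "Suspicious newly-issued certs" panel, added here as an example (not Zedmos' code). It applies the four checks the page names: brand keyword containment, Levenshtein lookalike distance, IDN homograph decoding with confusable folding, and a Shannon-entropy DGA test. The brand list, confusable map, weights and thresholds are constructed; the production scorer's values are not published on this page.

```python
"""Added example, not Zedmos' code: score a CT-observed domain on brand keyword,
Levenshtein lookalike, IDN homograph and Shannon-entropy DGA signals."""
import math
import unicodedata
from collections import Counter

BRANDS = ("paypal", "microsoft", "github", "google")                         # constructed
OWNED_ROOTS = {"paypal.com", "microsoft.com", "github.com", "google.com"}   # constructed
# Constructed confusable map: Cyrillic look-alikes plus the digit swaps common in typosquats.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "0": "o", "1": "l", "3": "e", "5": "s"}
WEIGHTS = {"brand": 40, "lookalike": 35, "idn": 30, "dga": 20}              # constructed


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s):
    """Bits per character; random-looking DGA labels sit well above dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_label(label):
    """Return (unicode_label, is_idn). Punycode that fails to decode still counts as IDN."""
    if not label.startswith("xn--"):
        return label, False
    try:
        return label.encode("ascii").decode("idna"), True
    except UnicodeError:
        return label, True


def fold_confusables(s):
    """Map look-alike characters onto the ASCII letter an eye would read them as."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", s))


def score_domain(domain):
    """Score one CT-observed name. Returns (score, sorted flags); higher = more suspicious."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in OWNED_ROOTS:
        return 0, ["owned"]  # the brand's own root is never a lookalike of itself
    flags = set()
    for label in labels[:-1] or labels:  # score host labels, not the TLD
        decoded, is_idn = decode_label(label)
        folded = fold_confusables(decoded)
        if is_idn:
            flags.add("idn")
        if len(label) >= 12 and shannon_entropy(label) > 3.5:
            flags.add("dga")
        for brand in BRANDS:
            if brand in folded:
                flags.add("brand:" + brand)
            elif len(folded) >= 4 and levenshtein(folded, brand) <= 2:
                flags.add("lookalike:" + brand)
    score = sum(WEIGHTS[f.split(":")[0]] for f in flags)
    return score, sorted(flags)


if __name__ == "__main__":
    # Constructed CT-style observations, not real certificates
    for name in ("micros0ft.example", "githab.example", "xk7qpz2m9wvb3tln.example",
                 "www.bbc.co.uk", "accounts.google.com"):
        print(name, score_domain(name))
```

The confusable fold runs before both the keyword and the lookalike checks, so `micros0ft` and a Cyrillic-а `pаypal` land on the keyword path instead of relying on edit distance; the entropy test only fires on labels long enough that random-looking strings cannot be ordinary words.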
MISP feed format export — 10th format
Per-category MISP feed: /v1/feeds/<k>/<c>/misp/manifest.json + /<event-uuid>.json + hashes.csv. Drops directly into MISP Feeds → Add. Full attribute Tags (TLP, kind, category) included.
abuse.ch ecosystem fully wired (7/7 platforms + Auth-Key wizard)
URLhaus + ThreatFox + Feodo + MalwareBazaar + SSLBL + YARAify + Hunting reference. Auth-Key wizard in operator console — paste a free key from auth.abuse.ch, the wizard validates against the upstream before persisting, then bulk-updates 14 feeds. Operation Endgame (May 2024 LE takedown) context surfaced honestly — Feodo Tracker is empty because the threats it tracked are dismantled.
Honest disclosure — 8 ecosystem changes surfaced
2024–2026 retired the assumption that "abuse.ch + Talos + Bambenek = free baseline." We surface the changes that broke that assumption (abuse.ch Auth-Key, Talos retired, Bambenek paid, Cloudflare CC-BY-NC) on the Sources page rather than hide them. Each feed publishes deprecation_note + license_caveat + auth_required.
8 new feeds: DigitalSide, TweetFeed, Cybercrime-tracker…
Cybercrime-tracker first run added 19,145 banking-trojan C2 indicators. DigitalSide (CC0), TweetFeed (Twitter OSINT), MalwareBazaar (sample hashes for STIX), AlienVault OTX (free), MISP CIRCL (Phase 2). Total feed count: 22 → 30.
Live SLA status page
/status publishes mean-indicator-age, P99, feed-OK ratio, snapshot freshness. Auto-refreshes every 20s. Most CTI vendors hide these metrics — we show them by default.
What is CTI?
Cyber Threat Intelligence — context-rich data about adversaries, the infrastructure they use, and how to detect them.
- High-level intelligence on threat actors, geopolitical motivations, industry targeting and long-running campaigns. Read by CISOs and risk officers.
- TTPs (Tactics, Techniques and Procedures) mapped to MITRE ATT&CK. Detection engineers use this to write SIEM rules and IDS signatures.
- Indicators of Compromise (IOCs): malicious domains, IPs, CIDRs, file hashes, JA3/JA4 fingerprints. Fed into firewalls, EDRs, DNS sinkholes. This is what Zedmos CTI specializes in.
Raw open-source TI feeds are noisy. URLhaus might list a Google Drive URL because attackers used it for malware staging — but the parent domain drive.google.com is, of course, legitimate.
Without curation, a firewall that suffix-matches such a feed will block hundreds of millions of legitimate users from Google Drive, GitHub, Microsoft 365 and more.
Zedmos CTI runs every IOC through a five-stage filter: hard allowlist · root-domain protection · multi-source consensus · format validation · manual review queue.
How it works
From upstream feed to firewall — every minute, every indicator.
BullMQ-scheduled HTTP fetchers honour each feed's polling interval. Plain, hosts, CSV and JSON formats are parsed natively.
5-stage pipeline: allowlist suffix match, registrable-root protection, multi-source consensus, syntactic validation, manual review.
Per-category, per-type files are written sorted-unique with a SHA-256 ETag. Atomic rename means firewalls never see a partial file.
NGINX reverse-proxy with per-FW Bearer auth, ETag/304 revalidation, gzip, rate-limits and a 60-second cache zone scaled for thousands of firewalls.
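A small implementation of the curation stages described in the "What is CTI?" section and in the pipeline above, added here as an example (not Zedmos' code): syntactic validation, allowlist suffix match with registrable-root protection, multi-source consensus, a review queue, and the sorted-unique snapshot with its SHA-256 ETag. The Public Suffix List subset, the allowlist, the consensus threshold and the feed lines are constructed; sending bare registrable roots to the review queue is one reading of "root-domain protection", assumed here rather than taken from the page.

```python
"""Added example, not Zedmos' code: allowlist / registrable-root / consensus / validation
stages over constructed feed lines, then a sorted-unique snapshot with a SHA-256 ETag."""
import hashlib
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the Mozilla Public Suffix List; a real pipeline loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "tr", "com.tr", "appspot.com"}
# Constructed allowlist of registrable roots that must never be shipped to a firewall.
ALLOWLIST_ROOTS = {"google.com", "github.com", "microsoft.com"}
HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def registrable_root(host):
    """eTLD+1 under the PSL subset: 'a.b.co.uk' -> 'b.co.uk', 'x.appspot.com' -> 'x.appspot.com'.
    Returns None when the host is itself a public suffix (never a valid block target)."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def extract_host(indicator):
    """Hostname from a URL or bare host; None for IPs and anything that is not a valid name."""
    s = indicator.strip().lower()
    try:
        host = urlsplit(s if "://" in s else "//" + s).hostname
    except ValueError:
        return None
    if not host or not HOST_RE.match(host):
        return None
    try:
        ipaddress.ip_address(host)
        return None  # addresses belong in ips.txt, not in the domain stages
    except ValueError:
        return host


def curate(feed_lines, min_sources=2):
    """feed_lines: (source_name, raw_indicator) pairs.
    Returns (shipped, review, dropped); dropped maps indicator -> stage that rejected it."""
    seen_by = defaultdict(set)
    dropped, review, shipped = {}, {}, set()
    for source, raw in feed_lines:
        host = extract_host(raw)
        if host is None:
            dropped[raw] = "format"
            continue
        root = registrable_root(host)
        if root is None:
            dropped[host] = "public-suffix"
            continue
        if root in ALLOWLIST_ROOTS:
            dropped[host] = "allowlist"  # suffix match: google.com protects drive.google.com
            continue
        seen_by[host].add(source)
    for host, sources in seen_by.items():
        if host == registrable_root(host):
            review[host] = "bare-root"  # would block every subdomain: a human decides
        elif len(sources) >= min_sources:
            shipped.add(host)
        else:
            review[host] = "single-source"
    return shipped, review, dropped


def build_snapshot(shipped):
    """Sorted-unique domains.txt body and its SHA-256 hex digest (the ETag)."""
    body = "".join(h + "\n" for h in sorted(set(shipped))).encode()
    return body, hashlib.sha256(body).hexdigest()


# Constructed feed lines; none of these are real indicators.
SAMPLE_FEED = [
    ("urlhaus", "https://drive.google.com/uc?export=download&id=1abc"),
    ("urlhaus", "http://cdn.evil-updates.example/payload.exe"),
    ("threatfox", "cdn.evil-updates.example"),
    ("feed-a", "http://ransom.example.net/gate"),
    ("feed-b", "RANSOM.example.net"),
    ("phishtank", "google.com"),
    ("cybercrime-tracker", "http://c2.badhost.example/gate.php"),
    ("feed-c", "evil-root.example"),
    ("feed-d", "not a host!!"),
    ("feed-e", "203.0.113.9"),
    ("feed-f", "co.uk"),
]

if __name__ == "__main__":
    shipped, review, dropped = curate(SAMPLE_FEED)
    body, etag = build_snapshot(shipped)
    print(body.decode(), etag, review, dropped, sep="\n")
```

The allowlist check runs on the registrable root, which is what makes it a suffix match: a URL-level listing of drive.google.com is dropped because google.com is allowlisted, while a bare root such as evil-root.example is held for review rather than shipped, since blocking it would take every subdomain with it.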
Public API
All endpoints emit Cache-Control and ETag. Firewall feeds require a Bearer token.
/v1/public/stats — no auth
/v1/stix/info — no auth
/v1/public/health — no auth
Firewall feed endpoints (Bearer)
Same indicators, your favourite format. Substitute <kind> ∈ ti | security | waf and <cat> with a category from /v1/stix/info.
/v1/feeds/<kind>/<cat>/domains.txt
/v1/feeds/<kind>/<cat>/ips.txt
/v1/feeds/<kind>/<cat>/suricata.rules
/v1/feeds/<kind>/<cat>/pihole.txt
/v1/feeds/<kind>/<cat>/opnsense.txt
/v1/feeds/<kind>/<cat>/mikrotik.rsc
/v1/feeds/<kind>/<cat>/unbound.rpz
/v1/feeds/<kind>/<cat>/stix.json
TAXII 2.1 server (Bearer)
https://cti.zedmos.net/taxii2/
# Live stats (no auth)
curl -sS https://www.zedmos.net/v1/public/stats | jq .iocs
# Suricata rules (Bearer required)
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/suricata.rules \
-H "authorization: Bearer tihub_..."
# STIX 2.1 bundle for Splunk / MISP / OpenCTI
curl -sS "https://cti.zedmos.net/v1/feeds/ti/phishing/stix.json?limit=1000" \
-H "authorization: Bearer tihub_..."
# TAXII 2.1 collection list
curl -sS https://cti.zedmos.net/taxii2/api1/collections/ \
-H "authorization: Bearer tihub_..." \
-H "accept: application/taxii+json;version=2.1"
What you get
Allowlist of major cloud, social, OS-update and CDN domains. Registrable-root protection prevents a feed listing google.com from killing every Google subdomain.
Web UI to add/edit feeds, search the IOC database, bulk-approve or reject the false-positive review queue, manage allowlists, mint per-firewall tokens, and read the audit log.
NGINX proxy_cache + ETag + gzip means a firewall fetching a 1 MB feed every 10 minutes costs us a few KB of revalidation traffic per request.
No engine recompile required: replace the upstream URL in agent.json with the matching cti.zedmos.net path, drop in a Bearer token, restart the agent.
Each IOC tracks its provenance across feeds. Operators can require a minimum number of independent sources before an indicator gets shipped to firewalls.
Every admin action — feed change, IOC add/delete, token mint, allowlist edit — is recorded with actor, IP, payload and timestamp. Suitable for compliance evidence.