Curated Threat Intelligence,
delivered to your firewalls.
Zedmos CTI ingests dozens of open-source TI feeds (URLhaus, abuse.ch, CERT.pl, USOM, Spamhaus DROP, EmergingThreats, ThreatFox, OpenPhish, …), strips out false positives that historically blocked legitimate services like drive.google.com, github.com or microsoft.com, and serves clean per-category blocklists over HTTPS to thousands of firewalls.
Threat sources from across the globe — one decision per packet
Curated feeds stream into the hub, every IOC is scored with STIX 2.1 confidence, every IP enriched offline with country + ASN, and the consensus snapshot ships only verified+trusted indicators to your firewalls. Cloud-AS allowlist keeps Microsoft 365 / Google Workspace alive; daily cross-validation proves every line.
- Multi-source consensus → verified-tier promotion
- Offline GeoASN at line rate (3.3M ops/s, no quota risk)
- Cloud-AS exception protects legitimate SaaS infra
- ed25519-signed snapshots, verifiable with stock OpenSSL
Live stats
Auto-refreshes every 30 seconds · sourced from /v1/public/stats
Every distribution snapshot is signable with our long-lived ed25519 key. Verify with stock OpenSSL — no Zedmos library needed.
Every number on this page has a definition. /v1/public/methodology documents what we count, what we DON'T count, FP-filter stages, and SLA targets. /v1/public/transparency emits the same numbers as JSON.
Every cert issued on Certificate Transparency logs is scored on brand-keyword, lookalike, IDN homograph, and lexical entropy in real time. Operator approval required before promotion to firewall feeds.
Suspicious newly-issued certs · last 24h
Certificate Transparency log monitor — brand impersonation, DGA-style domains, IDN homograph attempts. Operator approval required before promotion.
| Domain | Score | Brand | Flags | Issuer | Seen |
|---|---|---|---|---|---|
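The four signals named above (brand keyword, lookalike, IDN homograph, lexical entropy) can be sketched as follows. This is an added example, not Zedmos code: the brand list, confusables map, weights and thresholds are assumptions made for illustration, and all hostnames are constructed.

```python
import math
from collections import Counter

# Constructed watch list, confusables sample, weights and thresholds (all assumptions).
BRANDS = ("paypal", "microsoft", "google")
OFFICIAL = ("paypal.com", "microsoft.com", "google.com")
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0456", "aeopci")  # Cyrillic -> Latin
WEIGHTS = {"brand-keyword": 40, "lookalike": 50, "idn-homograph": 70, "high-entropy": 30}

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score 0-100, sorted flags) for one hostname taken from a certificate."""
    name = domain.lower().rstrip(".")
    try:
        name = name.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # keep the raw form if it cannot be decoded
    if any(name == o or name.endswith("." + o) for o in OFFICIAL):
        return 0, []  # the brand's own domain is not an impersonation
    flags = set()
    for label in name.split(".")[:-1]:  # the TLD is not scored
        if not label.isascii() and any(b in label.translate(CONFUSABLES) for b in BRANDS):
            flags.add("idn-homograph")
        for token in label.split("-"):
            if token in BRANDS:
                flags.add("brand-keyword")
            elif any(edit_distance(token, b) == 1 for b in BRANDS):
                flags.add("lookalike")
            if len(token) >= 12 and entropy(token) > 3.5:
                flags.add("high-entropy")
    return min(100, sum(WEIGHTS[f] for f in flags)), sorted(flags)

# Constructed IDN sample: "paypal" spelled with Cyrillic U+0430, in its certificate (xn--) form.
IDN_SAMPLE = "p\u0430ypal.example".encode("idna").decode("ascii")
```

A score only ranks a hostname for the operator; it does not promote anything to a firewall feed on its own, which matches the approval step described above.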
Hot indicators · last 24 hours
Aggregated from firewall-fleet sightings (anonymized — no PII, only count + reporting firewall count).
| Indicator | Type | Hits 24h | Firewalls | Last sighting |
|---|---|---|---|---|
Hot threats — last 24h
— new IOCs surfaced · what is burning right now
Top categories
unique IOCs per category
Distribution snapshots
files served via HTTPS to firewalls
| Kind | Category | Type | Lines | Bytes | Last built |
|---|---|---|---|---|---|
Threat origins by country
Where the malicious IPs and CIDR ranges in our catalog are hosted — sourced from offline GeoASN at ingest time.
/v1/public/threats-by-country
How to read this: these are IPs / CIDRs hosted in each country (BGP geolocation), not necessarily where the threat actor lives. High counts in US, DE, GB, NL, SG include hyperscaler-hosted threats — adversaries rent legitimate cloud capacity. Domain IOCs (5M+) have no country attribution and are excluded from this view. The honest takeaway: where to look first, not who to blame.
Top 25 by IP/CIDR count. Caveat: domains (~94% of catalog) have no country attribution — this is the IP-only slice. Raw JSON →
Sources & credibility
Every upstream feed is classified into a credibility tier. We publish the full catalog at /v1/public/sources — provider, license, last audit, status.
Audit status (last 24h)
"operational" = HTTP 200 + content received. We deliberately do not call low-cadence feeds (Spamhaus DROP, Feodo Tracker) "stale" — they publish only when actionable changes happen. "stale" is reserved for freshness-critical feeds that exceed their expected cadence.
Top operators
Per-feed catalog (sample top by tier)
| Tier | Feed | Operator | License | Status | Last fetch |
|---|---|---|---|---|---|
Showing curated sample. Full catalog as JSON →
Verify our claims yourself
No Zedmos library required. Use stock OpenSSL.
ed25519 signed bundle verification
Copy-paste, run, observe Signature Verified Successfully. Tamper one byte → instant Verification Failure.
```bash
TOKEN=tihub_...

# 1. fetch the body, the detached signature, and the public key
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt \
  -H "authorization: Bearer $TOKEN" -o body.txt
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt.sig \
  -H "authorization: Bearer $TOKEN" \
  | jq -r .signature_b64 | base64 -d > sig.bin
curl -sS https://www.zedmos.net/v1/public/keys/sign.pem -o pub.pem

# 2. verify (openssl 3.0+, no extra packages)
openssl pkeyutl -verify -pubin -inkey pub.pem -rawin \
  -in body.txt -sigfile sig.bin
# → Signature Verified Successfully
```
Cross-check the live numbers
Every counter on this page comes from /v1/public/transparency. /v1/public/methodology defines what each counter means and what we explicitly DO NOT count.
```bash
# live numbers (no-auth)
curl -sS https://www.zedmos.net/v1/public/transparency \
  | jq .live_numbers

# definitions + FP-filter stages + SLA targets + what we don't count
curl -sS https://www.zedmos.net/v1/public/methodology \
  | jq '.definitions, .fp_filter_stages, .what_we_do_NOT_count'
```
What is CTI?
Cyber Threat Intelligence — context-rich data about adversaries, the infrastructure they use, and how to detect them.
High-level intelligence on threat actors, geopolitical motivations, industry targeting and long-running campaigns. Read by CISOs and risk officers.
TTPs (Tactics, Techniques and Procedures) mapped to MITRE ATT&CK. Detection engineers use this to write SIEM rules and IDS signatures.
Indicators of Compromise (IOCs): malicious domains, IPs, CIDRs, file hashes, JA3/JA4 fingerprints. Fed into firewalls, EDRs, DNS sinkholes. This is what Zedmos CTI specializes in.
Raw open-source TI feeds are noisy. URLhaus might list a Google Drive URL because attackers used it for malware staging — but the parent domain drive.google.com is, of course, legitimate.
Without curation, a firewall that suffix-matches such a feed will block hundreds of millions of legitimate users from Google Drive, GitHub, Microsoft 365 and more.
Zedmos CTI runs every IOC through a five-stage filter: hard allowlist · root-domain protection · multi-source consensus · format validation · manual review queue.
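A sketch of how the five stages can fit together, and of why a suffix-matching firewall needs them. This is an added example, not Zedmos code: the allowlist, the suffix table, the threshold of two sources, the stage order and the choice to send bare registrable roots and single-source entries to review are assumptions, and every feed name and domain is constructed.

```python
import re
from collections import defaultdict

# Constructed stand-ins: the real allowlist, suffix data and threshold are not on the page.
ALLOWLIST = {"google.com", "github.com", "microsoft.com"}
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr"}  # tiny substitute for the Public Suffix List
MIN_SOURCES = 2
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def suffix_match(host, entries):
    """Apply a domain list the way a suffix-matching firewall does."""
    return any(host == e or host.endswith("." + e) for e in entries)

def registrable_root(domain):
    """Return the registrable root, e.g. phish-example.co.uk for login.phish-example.co.uk."""
    labels = domain.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def curate(feeds):
    """Map each normalised indicator to 'ship', 'review' or 'drop:<reason>'."""
    sources = defaultdict(set)
    for feed, entries in feeds.items():
        for raw in entries:
            sources[raw.strip().lower().rstrip(".")].add(feed)
    verdicts = {}
    for domain, seen in sources.items():
        if not DOMAIN_RE.match(domain):
            verdicts[domain] = "drop:format"
        elif suffix_match(domain, ALLOWLIST):
            verdicts[domain] = "drop:allowlist"
        elif domain == registrable_root(domain):
            verdicts[domain] = "review"  # assumption: a bare root needs a human decision
        elif len(seen) < MIN_SOURCES:
            verdicts[domain] = "review"  # assumption: single-source entries wait
        else:
            verdicts[domain] = "ship"
    return verdicts

# Constructed feed contents (hypothetical feed names and domains).
FEEDS = {
    "feed_a": ["drive.google.com", "cdn.evil-example.net", "evil-example.net", "bad_host!.example"],
    "feed_b": ["cdn.evil-example.net", "login.phish-example.co.uk", "GitHub.com."],
    "feed_c": ["login.phish-example.co.uk", "solo.rare-example.org"],
}
VERDICTS = curate(FEEDS)
SHIPPED = sorted(d for d, v in VERDICTS.items() if v == "ship")
```

`suffix_match("drive.google.com", ["google.com"])` is true, which is the failure the allowlist and root protection exist to prevent: one uncurated root entry blocks every subdomain beneath it.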
How it works
From upstream feed to firewall — every minute, every indicator.
BullMQ-scheduled HTTP fetchers honour each feed's polling interval. Plain, hosts, CSV and JSON formats are parsed natively.
5-stage pipeline: allowlist suffix match, registrable-root protection, multi-source consensus, syntactic validation, manual review.
Per-category, per-type files are written sorted-unique with a SHA-256 ETag. Atomic rename means firewalls never see a partial file.
NGINX reverse-proxy with per-FW Bearer auth, ETag/304 revalidation, gzip, rate-limits and a 60-second cache zone scaled for thousands of firewalls.
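The build and serve steps above, as an added example that is not Zedmos code: a sorted-unique file is written through a temporary file and an atomic rename, and a poll carrying the previous ETag gets a 304 with no body. The ETag form (quoted SHA-256 hex digest of the body), the function names and the sample domains are assumptions.

```python
import hashlib
import os
import tempfile

def etag_for(data):
    """Assumed ETag form: the quoted SHA-256 hex digest of the file body."""
    return '"' + hashlib.sha256(data).hexdigest() + '"'

def build_snapshot(indicators, dest):
    """Write sorted-unique lines to dest via temp file + rename; return the ETag."""
    lines = sorted({i.strip() for i in indicators if i.strip()})
    data = "".join(line + "\n" for line in lines).encode("utf-8")
    # The temp file must sit in the destination directory: a rename is only
    # atomic within one filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".snap-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())  # bytes are on disk before the name switches
        os.replace(tmp, dest)      # readers see the old file or the new one, never a mix
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return etag_for(data)

def conditional_get(path, if_none_match=None):
    """Answer a firewall's poll: 304 with no body when its cached ETag still matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    etag = etag_for(data)
    if if_none_match == etag:
        return 304, etag, b""
    return 200, etag, data

def demo():
    """Build, poll, rebuild, poll again in a temporary directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "domains.txt")
        first = build_snapshot(["b.example", "a.example", "b.example"], dest)
        same = build_snapshot(["a.example", "b.example"], dest)
        unchanged = conditional_get(dest, first)[0]
        build_snapshot(["a.example", "b.example", "c.example"], dest)
        status, _, body = conditional_get(dest, first)
        return first == same, unchanged, status, body, os.listdir(d)
```

Because the body is sorted and de-duplicated before hashing, two fetch runs that return the same indicators in a different order produce the same ETag, so firewalls do not re-download an unchanged list.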
Public API
All endpoints emit Cache-Control and ETag. Firewall feeds require a Bearer token.
Get an API token
Register with your email, verify the link we send from info@zedmos.net, sign in, and mint a Bearer token that unlocks every /v1/feeds/* endpoint above. Tokens are shown once — keep them safe.
Sign in to Zedmos CTI
Manage your API tokens.
Check your inbox
We sent a verification link to your email. Click the link to activate your account, then come back here and sign in.
Sender: info@zedmos.net. Check spam if you don't see it within a couple of minutes — the link is valid for 24 hours.
Your API tokens
Authorization: Bearer <token>. Save it in a password manager — we never store the plaintext.
/v1/public/stats · no auth
/v1/stix/info · no auth
/v1/public/health · no auth
Firewall feed endpoints (Bearer)
Same indicators, your favourite format. Substitute <kind> ∈ ti | security | waf and <cat> with a category from /v1/stix/info.
- /v1/feeds/<kind>/<cat>/domains.txt
- /v1/feeds/<kind>/<cat>/ips.txt
- /v1/feeds/<kind>/<cat>/suricata.rules
- /v1/feeds/<kind>/<cat>/pihole.txt
- /v1/feeds/<kind>/<cat>/opnsense.txt
- /v1/feeds/<kind>/<cat>/mikrotik.rsc
- /v1/feeds/<kind>/<cat>/unbound.rpz
- /v1/feeds/<kind>/<cat>/stix.json
TAXII 2.1 server (Bearer)
https://cti.zedmos.net/taxii2/
```bash
# Live stats (no auth)
curl -sS https://www.zedmos.net/v1/public/stats | jq .iocs

# Suricata rules (Bearer required)
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/suricata.rules \
  -H "authorization: Bearer tihub_..."

# STIX 2.1 bundle for Splunk / MISP / OpenCTI
# (URL quoted so the shell does not treat "?" as a glob character)
curl -sS "https://cti.zedmos.net/v1/feeds/ti/phishing/stix.json?limit=1000" \
  -H "authorization: Bearer tihub_..."

# TAXII 2.1 collection list
curl -sS https://cti.zedmos.net/taxii2/api1/collections/ \
  -H "authorization: Bearer tihub_..." \
  -H "accept: application/taxii+json;version=2.1"
```
What you get
Allowlist of major cloud, social, OS-update and CDN domains. Registrable-root protection prevents a feed listing google.com from killing every Google subdomain.
NGINX proxy_cache + ETag + gzip means a firewall fetching a 1 MB feed every 10 minutes costs us a few KB of revalidation traffic per request.
No engine recompile required: replace the upstream URL in agent.json with the matching cti.zedmos.net path, drop in a Bearer token, restart the agent.
Each IOC tracks its provenance across feeds. Operators can require a minimum number of independent sources before an indicator gets shipped to firewalls.
Every change to the catalog — feed updates, IOC promotions, allowlist edits — is recorded with timestamps and reasons. Suitable for compliance evidence.
Legal & Accessibility
Last updated · May 2026
Same legal terms that govern www.zedmos.com apply to this CTI hub.
Legal Notice (Impressum)
Information pursuant to § 5 TMG (German Telemedia Act) and § 18 (2) MStV.
Project provider
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen
Germany
Contact
Email: info@zedmos.com
Person responsible for content
under § 18 (2) MStV
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen
EU online dispute resolution
The European Commission provides a platform for online dispute resolution (ODR): ec.europa.eu/consumers/odr. We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
The contents of these pages have been prepared with the greatest possible care. However, we cannot guarantee the accuracy, completeness or timeliness of the content. As a project provider, we are responsible for our own content on these pages according to § 7 (1) TMG and general law. Pursuant to §§ 8 to 10 TMG, however, we are not obliged as a project provider to monitor transmitted or stored third-party information.
Liability for links
Our website contains links to external third-party websites over whose content we have no influence. Therefore, we cannot accept any liability for this third-party content. The respective provider or operator of the linked pages is always responsible for the content of the linked pages.
Copyright
Content and works on these pages created by the site operators are subject to German copyright law. Contributions by third parties are marked as such. Duplication, editing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
GDPR Privacy Policy
Information about the processing of personal data in accordance with Art. 13 GDPR.
1. Project Controller
The controller responsible for data processing on this website is:
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen, Germany
Email: info@zedmos.com
2. Data collected when you visit this site
When you access this website, the web server automatically stores information in so-called server log files transmitted by your browser. This includes:
- IP address of the requesting device (truncated after 7 days)
- Date and time of the request
- Requested URL and HTTP status code
- Bytes transferred
- Browser identifier (User-Agent), referrer (if available)
Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in operational security, content delivery, and abuse prevention). No combination with other data sources takes place. Logs are automatically deleted after at most 14 days unless a security incident requires longer retention.
3. Hosting
This website is hosted in a data centre operated by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany in Frankfurt am Main (Germany). A data processing agreement (DPA) in accordance with Art. 28 GDPR has been concluded with the provider. No transfers to third countries take place.
4. Fonts
We use the typefaces "Inter" and "JetBrains Mono". These are downloaded at build time and served exclusively from our own server. No connection is made to Google servers when visiting the site.
5. Cookies and local storage
This site uses no tracking cookies. We store only two purely technical preferences in your browser's localStorage that you have triggered yourself:
- theme — your choice between light and dark mode
- locale — your language preference (cookie, 1 year)
These settings never leave your browser and are not used for profiling.
6. Contacting us by email
If you contact us by email, your details (email address, content of the message) will be stored for the purpose of processing the inquiry and any follow-up questions. Legal basis is Art. 6 (1) (b) GDPR (pre-contractual measure) or Art. 6 (1) (f) GDPR. The data will be deleted as soon as the inquiry has been finally processed, unless statutory retention obligations prevent this.
7. No analytics, no tracking, no advertising
This site uses neither web analytics tools (e.g. Google Analytics, Matomo) nor social media plug-ins, embedded maps, ad networks, or comparable third-party services.
8. Your rights
You have the following rights at any time:
- Right of access to data we hold about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure ("right to be forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
An informal email to the address above is sufficient to exercise your rights.
9. Competent supervisory authority
The competent data protection supervisory authority is determined by the controller's place of establishment. A full list of all German supervisory authorities is available at bfdi.bund.de.
10. Updates to this policy
We reserve the right to update this privacy policy so that it always complies with current legal requirements or to reflect changes in our services. The version applicable to your next visit will be the one available at that time.
Accessibility Statement
Our commitment to an accessible website and the current state of conformance.
1. Scope
Zedmos is aimed exclusively at enterprises (B2B) and does not operate any electronic commerce services for consumers within the meaning of the German Accessibility Strengthening Act (BFSG). This site therefore falls outside the mandatory scope of the BFSG. We nevertheless consider accessibility a core commitment and align voluntarily with the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA.
2. Current state of conformance
By our own assessment, this website is largely conformant with WCAG 2.1 AA. The following points are known and are being continuously improved:
- Some technical architecture diagrams are embedded as purely decorative SVGs and are signalled as such to screen readers; a textual alternative is provided in the surrounding description.
- Animated background gradients respect the prefers-reduced-motion user preference.
- A light/dark mode toggle is available at the top right of the navigation for users who prefer a higher-contrast presentation.
3. Underlying practices
To ensure accessibility we apply, among others, the following practices:
- Semantic HTML with a correct heading hierarchy
- Full keyboard operability without keyboard traps
- Visible focus ring on all interactive elements
- ARIA labels on icon-only buttons (e.g. language and theme switch)
- WCAG-AA contrast for body text and UI components
- Scalable font sizes, no fixed pixel layout
4. Feedback and contact
Have you noticed content that is not accessible? Would you like to receive information in a more accessible format? Please let us know:
Email: info@zedmos.com
We aim to address reported issues as quickly as possible.
5. Conciliation procedure
Because this site does not fall within the scope of the BFSG, the statutory conciliation procedure under § 21 BFSG does not apply. We will, however, take every report seriously and implement improvements where they are technically and economically feasible.