Curated Threat Intelligence,
delivered to your firewalls.
Zedmos CTI ingests dozens of open-source TI feeds (URLhaus, abuse.ch, CERT.pl, USOM, Spamhaus DROP, EmergingThreats, ThreatFox, OpenPhish, …), strips out false positives that historically blocked legitimate services like drive.google.com, github.com or microsoft.com, and serves clean per-category blocklists over HTTPS to thousands of firewalls.
Our commitment to you
Every line in our default firewall feed is corroborated. A domain or IP only enters domains.txt / ips.txt if at least one of these is true:
- ≥2 distinct upstream feeds independently published it (multi-source consensus)
- Active enrichment classified it as malicious — GreyNoise, AbuseIPDB confidence ≥75, or VirusTotal ≥3 engine detections
- Zedmos honeypot mesh observed the IP attacking our sensors (≥3 sensors / 24h)
- Single-source from a strict T1 feed: USOM (Türkiye national CERT) · CERT.pl · Spamhaus DROP · abuse.ch Feodo low-FP recommended
- Manually approved (audit-logged with timestamp + reason)
We never mark an indicator "verified" on absence of evidence. Single-source claims from community feeds ship only in the opt-in community-domains.txt file with explicit "not independently corroborated" labelling.
If we get this wrong, we get it wrong publicly: the daily known-good smoke test (54 must-not-block indicators including hyperscaler endpoints, OS update channels, banks, e-government), the daily random cross-validation sample, and every false-positive caught are surfaced at /v1/public/verification. No filter on what we report. Wrong claims hurt us more than they hurt you — that's the contract.
Live stats
Auto-refreshes every 30 seconds · sourced from /v1/public/stats
Every distribution snapshot is signed with our long-lived ed25519 key. Verify with stock OpenSSL — no Zedmos library needed.
Every number on this page has a definition. /v1/public/methodology documents what we count, what we DON'T count, FP-filter stages, and SLA targets. /v1/public/transparency emits the same numbers as JSON.
Every cert issued on Certificate Transparency logs is scored on brand-keyword, lookalike, IDN homograph, and lexical entropy in real time. Operator approval required before promotion to firewall feeds.
Suspicious newly-issued certs · last 24h
Certificate Transparency log monitor — brand impersonation, DGA-style domains, IDN homograph attempts. Operator approval required before promotion.
Hot indicators · last 24 hours
Aggregated from firewall-fleet sightings (anonymized — no PII, only count + reporting firewall count).
Top categories
Unique IOCs per category.
Distribution snapshots
Files served via HTTPS to firewalls (kind, category, type, lines, bytes, last built).
Sources & credibility
Every upstream feed is classified into a credibility tier. We publish the full catalog at /v1/public/sources — provider, license, last audit, status.
2024–2026 ecosystem changes affecting our sources
- abuse.ch (URLhaus / ThreatFox / Feodo / MalwareBazaar / SSLBL) — Auth-Key mandatory since 2025-06-30. 12 of our feeds need a free key from auth.abuse.ch. Operator must provision ABUSECH_AUTH_KEY.
- Spamhaus eDROP merged into DROP on 2024-04-10. We migrated to drop_v4.json / drop_v6.json / asndrop.json.
- Tor Project — old /torbulkexitlist deprecated 2020-04-01. Our feed is pinned to the canonical /api/bulk.
- Talos public IP-blocklist retired 2024-09; the replacement at snort.org has a T&C click-through that breaks automation. Not auto-fetched.
- Bambenek DGA — commercial license required since 2024-07-01. Not redistributed.
- Cloudflare Radar Top Domains — CC-BY-NC-4.0 license restricts commercial redistribution. Disabled. Tranco's CF component inherits the same caveat — Majestic Million (CC-BY-3.0) is the unambiguous commercial-safe alternative.
- SSLBL JA3 fingerprints — last update 2021-08-03. Disabled here in production due to documented Smart-TV / IoT collisions.
- PhishTank — has had multi-month CSV outages historically (MISP issue #9855). Best-effort, not load-bearing.
- Full list at /v1/public/sources — see the deprecation_warnings[] field.
Audit status (last 24h)
"operational" = HTTP 200 + content received. We deliberately do not call low-cadence feeds (Spamhaus DROP, Feodo Tracker) "stale" — they publish only when actionable changes happen. "stale" is reserved for freshness-critical feeds that exceed their expected cadence.
Top operators
Per-feed catalog (sample top by tier)
Verify our claims yourself
No Zedmos library required. Use stock OpenSSL.
ed25519 signed bundle verification
Copy-paste, run, observe Signature Verified Successfully. Tamper one byte → instant Verification Failure.
```bash
TOKEN=tihub_...
# 1. fetch the body, the detached signature, and the public key
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt \
  -H "authorization: Bearer $TOKEN" -o body.txt
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt.sig \
  -H "authorization: Bearer $TOKEN" \
  | jq -r .signature_b64 | base64 -d > sig.bin
curl -sS https://www.zedmos.net/v1/public/keys/sign.pem -o pub.pem
# 2. verify (openssl 3.0+, no extra packages)
openssl pkeyutl -verify -pubin -inkey pub.pem -rawin \
  -in body.txt -sigfile sig.bin
# → Signature Verified Successfully
```
Cross-check the live numbers
Every counter on this page comes from /v1/public/transparency. /v1/public/methodology defines what each counter means and what we explicitly DO NOT count.
```bash
# live numbers (no auth)
curl -sS https://www.zedmos.net/v1/public/transparency \
  | jq .live_numbers
# definitions + FP-filter stages + SLA targets + what we don't count
curl -sS https://www.zedmos.net/v1/public/methodology \
  | jq '.definitions, .fp_filter_stages, .what_we_do_NOT_count'
```
What we shipped
Every successful change lands here. The home page is updated after every deploy.
Allowlist-drift cleanup — 113,942 false positives caught and removed
Honest finding: as Tranco/Umbrella allowlist anchors grew daily, 113,942 previously-ingested indicators (37% of our domain corpus) drifted into a state where the FP filter would now reject them — but they kept shipping to firewalls. We caught this in our own audit, swept them in a single pass, and now run the sweep every 6 hours as a maintenance job so it can never re-accumulate. Default firewall feed dropped from 215,608 → 137,748 indicators (~36% reduction); every remaining line strictly meets tier criteria.
Three-tier cross-validation pipeline live · every shipped IOC corroborated
We don't ship a single line to a customer firewall without provenance. The default domains.txt / ips.txt / sha256.txt files now contain only verified (≥2 distinct upstream sources, OR active enrichment confirmation, OR honeypot-confirmed, OR manually approved) and trusted (single-source from a strict T1 feed: USOM TR-CERT, CERT.pl, Spamhaus DROP, abuse.ch Feodo low-FP) indicators. The community tier (single-source from T2-T5 feeds) is opt-in only at community-domains.txt.
Active enrichment at ingest: GreyNoise (free Community API) classifies legitimate scanners (Google DNS, Cloudflare DNS, Shodan) → never blocked. AbuseIPDB confidence ≥75 promotes single-source IPs to verified. VirusTotal positives ≥3 promotes domains/IPs/hashes.
Honeypot ground truth: a separate ingest endpoint (/v1/honeypot/event, sensor-token auth) accepts attack observations from Zedmos honeypot mesh nodes. Quorum rule: ≥3 distinct sensors hit by the same IP in 24h, OR ≥10 hits to one sensor → IP promoted to verified with honeypot_confirmed=true. This is literal ground truth — the IP attacked our infrastructure right now.
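The tier rules in "Our commitment to you" and the three-tier pipeline above, worked through as an added example (not Zedmos code): `tier()` applies the verified / trusted / community tests in the order the page lists them, `honeypot_confirmed()` is the quorum rule, and the feed names and TEST-NET sample indicators are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Strict T1 feeds whose single-source claims ship as "trusted" (constructed feed labels).
STRICT_T1 = {"usom", "cert.pl", "spamhaus_drop", "abusech_feodo_lowfp"}

@dataclass
class Indicator:
    value: str
    sources: set                        # distinct upstream feeds that published it
    abuseipdb_confidence: int = 0
    vt_positives: int = 0
    greynoise_benign: bool = False      # GreyNoise "common business service" verdict
    honeypot_hits: list = field(default_factory=list)   # (sensor_id, hits) in last 24h
    manually_approved: bool = False

def honeypot_confirmed(hits):
    """Quorum rule: >=3 distinct sensors hit, or >=10 hits on one sensor, within 24h."""
    per_sensor = Counter()
    for sensor, n in hits:
        per_sensor[sensor] += n
    return len(per_sensor) >= 3 or any(n >= 10 for n in per_sensor.values())

def tier(ind):
    """Classify one indicator as suppressed, verified, trusted or community."""
    if ind.greynoise_benign:
        return "suppressed"             # legitimate scanner / resolver: never blocked
    if (len(ind.sources) >= 2
            or ind.abuseipdb_confidence >= 75
            or ind.vt_positives >= 3
            or honeypot_confirmed(ind.honeypot_hits)
            or ind.manually_approved):
        return "verified"
    if len(ind.sources) == 1 and next(iter(ind.sources)) in STRICT_T1:
        return "trusted"
    return "community"

def route(indicators):
    """Default feed gets verified + trusted; community goes to the opt-in file; suppressed is dropped."""
    default, community = [], []
    for ind in indicators:
        t = tier(ind)
        if t in ("verified", "trusted"):
            default.append((ind.value, t))
        elif t == "community":
            community.append(ind.value)
    return default, community

# Constructed sample (TEST-NET addresses, not real IoCs).
SAMPLE = [
    Indicator("198.51.100.7", {"urlhaus", "threatfox"}),
    Indicator("203.0.113.9", {"cert.pl"}),
    Indicator("192.0.2.44", {"tweetfeed"}, honeypot_hits=[("s1", 2), ("s2", 1), ("s3", 5)]),
    Indicator("192.0.2.45", {"tweetfeed"}),
    Indicator("8.8.8.8", {"tweetfeed"}, greynoise_benign=True),
]
```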
Daily proof: a random sample of shipped IOCs is checked against tier criteria every 24h. Latest run: —. Live numbers and per-tier breakdown at /v1/public/verification.cross_validation.
New today: SHA-256 hashes (sha256.txt + per-category yara.yar rules) · HMAC-signed webhooks for new_iocs / smoke_failed / cloud_fp_caught events · SOAR connectors for Cortex/TheHive + XSOAR + TheHive responder · per-token scope enforcement by kind/category/tier, ready for multi-tenant deployment.
Cloud-IP false-positive audit — caught 8,663 in our own catalog
Self-audit found 8,663 IPs (4.27%) of our IP corpus sitting inside published AWS / GCP / Cloudflare / GitHub CIDR ranges — IPs which would have caused real outages on customer firewalls had they been blocked. Caught and suppressed in a single sweep against 202,787 candidates.
Breakdown: AWS 2,619 · GCP 3,137 · GitHub 2,904 · Cloudflare 3. All moved to the review queue with fp_reason=cloud_provider_range; snapshots rebuilt — none ship to firewalls today.
Going forward: ingest pipeline now performs an inline bisect-based cloud-range membership check before any IP IOC is promoted; the cloud-range allowlist is refreshed daily from the four upstream providers via a maintenance worker. Live numbers and full provenance: /v1/public/verification.
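The inline bisect-based cloud-range check described above, as an added example (not Zedmos code): provider ranges are flattened into a sorted table of (first, last, provider) per IP version, and each candidate IP costs one binary search. The CIDR sample is constructed, not the providers' published lists, and non-overlapping ranges are assumed.

```python
import bisect
import ipaddress

# Constructed sample ranges standing in for the daily-refreshed AWS / GCP / Cloudflare / GitHub lists.
CLOUD_RANGES = {
    "aws": ["3.5.140.0/22", "52.94.76.0/22"],
    "gcp": ["34.64.0.0/10", "35.184.0.0/13"],
    "cloudflare": ["104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"],
    "github": ["140.82.112.0/20", "192.30.252.0/22"],
}

def build_index(ranges):
    """Per IP version: rows (first, last, provider) sorted by first address, plus the start keys
    used by bisect. Assumes ranges do not overlap; overlapping entries would need merging first."""
    tables = {4: [], 6: []}
    for provider, cidrs in ranges.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            tables[net.version].append((int(net[0]), int(net[-1]), provider))
    for rows in tables.values():
        rows.sort()
    return {v: (rows, [r[0] for r in rows]) for v, rows in tables.items()}

def cloud_provider(ip, index):
    """O(log n) membership test: last range starting at or before ip, then check its upper bound."""
    addr = ipaddress.ip_address(ip)
    rows, starts = index[addr.version]
    key = int(addr)
    i = bisect.bisect_right(starts, key) - 1
    if i >= 0 and rows[i][0] <= key <= rows[i][1]:
        return rows[i][2]
    return None

def promote_ip(ip, index):
    """Check at promotion time: a cloud-range hit goes to the review queue, never to the feed."""
    provider = cloud_provider(ip, index)
    if provider:
        return {"ip": ip, "ship": False, "queue": "review",
                "fp_reason": "cloud_provider_range", "provider": provider}
    return {"ip": ip, "ship": True}

INDEX = build_index(CLOUD_RANGES)
```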
STIX 2.1 + TAXII 2.1 server
Native application/taxii+json;version=2.1 server with discovery, collections, manifest and STIX bundle endpoints. 16 collections live — one per kind+category combo. Compatible with MISP, OpenCTI, Splunk Add-on, Anomali ThreatStream and Microsoft Sentinel out of the box.
9 firewall-native output formats
Same indicators, every format your stack speaks: plain text, Suricata DNS rules, Pi-hole adlist, OPNsense / pfSense URL-table, MikroTik RouterOS script, Unbound / BIND RPZ, STIX 2.1 bundle, TAXII 2.1 collection, MISP feed. No custom-format upcharge.
MITRE ATT&CK ingestion
30,649 STIX objects mirrored from mitre/cti — enterprise + mobile + ICS domains. Indicators ship with kill-chain phase tagging today; technique-id mapping (T1566.002 etc.) lands in v0.3.
Tranco + Cisco Umbrella allowlist anchors
Daily-refreshed anchors: Tranco top-domains, Cisco Umbrella, AWS/GCP/Cloudflare/GitHub published CIDR ranges. Allowlist now — entries (…). Combined with Mozilla PSL for accurate co.uk / com.tr / appspot.com handling. Live: /v1/public/verification.
Closed-loop sightings (anonymized)
Firewalls can POST /v1/sightings/bulk aggregate hit counts (no PII). The hot-indicators panel above is powered by this. Privacy-preserving HMAC + bloom-dedup hardening lands in v0.3.
GreyNoise + AbuseIPDB enrichment
On-demand IP context. GreyNoise classifies "internet noise" vs "common business service" — automatic FP suppression for things like 8.8.8.8. AbuseIPDB second-source confidence cross-check.
ed25519 signed bundles + audited methodology
Detached .sig signatures on every distribution snapshot, verifiable by stock OpenSSL. Public key at /v1/public/keys/sign.pem. /v1/public/methodology documents exactly what each counter means and what we DON'T count.
MITRE ATT&CK technique tagging on STIX
Every STIX 2.1 indicator now ships with technique-id external references (e.g. T1566.002 Spearphishing Link for phishing IOCs, T1071.001 Web Protocols C2 for botnet IOCs). Auto-links to OpenCTI / MISP / Splunk SEC dashboards.
Sigma rule export per category
10th output format: /v1/feeds/<k>/<c>/sigma.yml. Portable to Splunk SPL, Elastic ES|QL, Sentinel KQL, QRadar via sigmac / uncoder.io.
CertStream watcher (best-effort)
Long-lived WS to Calidog CertStream. Brand-keyword + Levenshtein lookalike + Shannon-entropy DGA scorer. Operator approval required before promotion. Note: depends on calidog.io availability — sometimes the upstream firehose pauses.
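The brand-keyword, Levenshtein lookalike, IDN and Shannon-entropy scoring that the CertStream watcher and the "Suspicious newly-issued certs" panel describe, as an added example (not Zedmos code). The brand list, score weights and entropy thresholds are constructed assumptions; the output is a score plus flags for an operator to review, not an automatic block.

```python
import math
import re
from collections import Counter

# Constructed brand list and thresholds; the production values are not published on the page.
BRANDS = ("paypal", "microsoft", "google", "github")
ENTROPY_MIN, ENTROPY_LEN = 3.5, 12

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_cert_domain(domain):
    """Score one CN/SAN from a CT log entry; returns (score 0-100, flags) for operator review."""
    host = domain.lower().lstrip("*.")                   # wildcard certs: score the base name
    labels = host.split(".")
    tokens = [t for t in re.split(r"[.-]", host) if t]   # "paypal-login" -> "paypal", "login"
    score, flags = 0, []
    if any(l.startswith("xn--") for l in labels):
        score += 30; flags.append("idn_homograph")       # punycode label: possible homograph
    for brand in BRANDS:
        legit = host == f"{brand}.com" or host.endswith(f".{brand}.com")
        if brand in host and not legit:
            score += 40; flags.append(f"brand_keyword:{brand}")
            break
    for tok in tokens[:-1]:                              # skip the TLD
        for brand in BRANDS:
            if len(tok) >= 5 and 0 < levenshtein(tok, brand) <= 2:
                score += 35; flags.append(f"lookalike:{brand}")
                break
    left = labels[0]                                     # DGA-style names show in the leftmost label
    if len(left) >= ENTROPY_LEN and shannon_entropy(left) >= ENTROPY_MIN:
        score += 25; flags.append("dga_entropy")
    return min(score, 100), flags
```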
MISP feed format export — 10th format
Per-category MISP feed: /v1/feeds/<k>/<c>/misp/manifest.json + /<event-uuid>.json + hashes.csv. Drops directly into MISP Feeds → Add. Full attribute Tags (TLP, kind, category) included.
abuse.ch ecosystem fully wired (7/7 platforms + Auth-Key wizard)
URLhaus + ThreatFox + Feodo + MalwareBazaar + SSLBL + YARAify + Hunting reference. Free Auth-Key required from auth.abuse.ch — validated against the upstream before persisting, then bulk-applied to all 14 abuse.ch feeds. Operation Endgame (May 2024 LE takedown) context surfaced honestly — Feodo Tracker is empty because the threats it tracked are dismantled.
Honest disclosure — 8 ecosystem changes surfaced
2024–2026 retired the assumption that "abuse.ch + Talos + Bambenek = free baseline." We surface the changes that broke that assumption (abuse.ch Auth-Key, Talos retired, Bambenek paid, Cloudflare CC-BY-NC) on the Sources page rather than hide them. Each feed publishes deprecation_note + license_caveat + auth_required.
8 new feeds: DigitalSide, TweetFeed, Cybercrime-tracker…
Cybercrime-tracker first run added 19,145 banking-trojan C2 indicators. DigitalSide (CC0), TweetFeed (Twitter OSINT), MalwareBazaar (sample hashes for STIX), AlienVault OTX (free), MISP CIRCL (Phase 2). Total feed count: 22 → 30.
Live SLA status page
/status publishes mean-indicator-age, P99, feed-OK ratio, snapshot freshness. Auto-refreshes every 20s. Most CTI vendors hide these metrics — we show them by default.
What is CTI?
Cyber Threat Intelligence — context-rich data about adversaries, the infrastructure they use, and how to detect them.
High-level intelligence on threat actors, geopolitical motivations, industry targeting and long-running campaigns. Read by CISOs and risk officers.
TTPs (Tactics, Techniques and Procedures) mapped to MITRE ATT&CK. Detection engineers use this to write SIEM rules and IDS signatures.
Indicators of Compromise (IOCs): malicious domains, IPs, CIDRs, file hashes, JA3/JA4 fingerprints. Fed into firewalls, EDRs, DNS sinkholes. This is what Zedmos CTI specializes in.
Raw open-source TI feeds are noisy. URLhaus might list a Google Drive URL because attackers used it for malware staging — but the parent domain drive.google.com is, of course, legitimate.
Without curation, a firewall that suffix-matches such a feed will block hundreds of millions of legitimate users from Google Drive, GitHub, Microsoft 365 and more.
Zedmos CTI runs every IOC through a five-stage filter: hard allowlist · root-domain protection · multi-source consensus · format validation · manual review queue.
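The allowlist, root-domain-protection and format-validation stages of that filter on a domain indicator, as an added example (not Zedmos code). The drive.google.com case above falls out of registrable-root matching, and the public-suffix handling (co.uk, appspot.com) shows why a tenant subdomain of a protected suffix can still ship. The mini public-suffix list, the allowlist and the stage-to-rule assignment are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed mini public-suffix list standing in for the Mozilla PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "tr", "com.tr", "appspot.com"}
# Constructed hard allowlist of registrable roots (and suffixes) that must never be blocked.
ALLOWLIST = {"google.com", "github.com", "microsoft.com", "appspot.com"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

def extract_host(indicator):
    """Feeds such as URLhaus publish URLs; reduce them to the hostname a firewall would match."""
    s = indicator.strip().lower().rstrip(".")
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s

def registrable_root(host):
    """Public suffix plus one label (evil.co.uk for a.b.evil.co.uk); None for a bare suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:      # first hit is the longest suffix
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                                          # unknown TLD: nothing to anchor on

def filter_domain(indicator):
    """Return (ship, stage): the stage that rejected the indicator, or 'ship' if none did."""
    host = extract_host(indicator)
    if not HOSTNAME_RE.match(host):
        return False, "format_validation"
    if host in ALLOWLIST:
        return False, "hard_allowlist"           # the feed listed google.com itself
    root = registrable_root(host)
    if root is None:
        return False, "root_domain_protection"   # co.uk / appspot.com: blocking hits every tenant
    if root in ALLOWLIST:
        return False, "root_domain_protection"   # drive.google.com -> google.com is protected
    return True, "ship"                          # next stages: consensus, manual review
```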
How it works
From upstream feed to firewall — every minute, every indicator.
BullMQ-scheduled HTTP fetchers honour each feed's polling interval. Plain, hosts, CSV and JSON formats are parsed natively.
5-stage pipeline: allowlist suffix match, registrable-root protection, multi-source consensus, syntactic validation, manual review.
Per-category, per-type files are written sorted-unique with a SHA-256 ETag. Atomic rename means firewalls never see a partial file.
NGINX reverse-proxy with per-FW Bearer auth, ETag/304 revalidation, gzip, rate-limits and a 60-second cache zone scaled for thousands of firewalls.
Public API
All endpoints emit Cache-Control and ETag. Firewall feeds require a Bearer token.
- /v1/public/stats — no auth
- /v1/stix/info — no auth
- /v1/public/health — no auth
Firewall feed endpoints (Bearer)
Same indicators, your favourite format. Substitute <kind> ∈ ti | security | waf and <cat> with a category from /v1/stix/info.
- /v1/feeds/<kind>/<cat>/domains.txt
- /v1/feeds/<kind>/<cat>/ips.txt
- /v1/feeds/<kind>/<cat>/suricata.rules
- /v1/feeds/<kind>/<cat>/pihole.txt
- /v1/feeds/<kind>/<cat>/opnsense.txt
- /v1/feeds/<kind>/<cat>/mikrotik.rsc
- /v1/feeds/<kind>/<cat>/unbound.rpz
- /v1/feeds/<kind>/<cat>/stix.json
TAXII 2.1 server (Bearer)
https://cti.zedmos.net/taxii2/
```bash
# Live stats (no auth)
curl -sS https://www.zedmos.net/v1/public/stats | jq .iocs
# Suricata rules (Bearer required)
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/suricata.rules \
  -H "authorization: Bearer tihub_..."
# STIX 2.1 bundle for Splunk / MISP / OpenCTI (URL quoted so the shell does not glob on "?")
curl -sS "https://cti.zedmos.net/v1/feeds/ti/phishing/stix.json?limit=1000" \
  -H "authorization: Bearer tihub_..."
# TAXII 2.1 collection list
curl -sS https://cti.zedmos.net/taxii2/api1/collections/ \
  -H "authorization: Bearer tihub_..." \
  -H "accept: application/taxii+json;version=2.1"
```
What you get
Allowlist of major cloud, social, OS-update and CDN domains. Registrable-root protection prevents a feed listing google.com from killing every Google subdomain.
NGINX proxy_cache + ETag + gzip means a firewall fetching a 1 MB feed every 10 minutes costs us a few KB of revalidation traffic per request.
No engine recompile required: replace the upstream URL in agent.json with the matching cti.zedmos.net path, drop in a Bearer token, restart the agent.
Each IOC tracks its provenance across feeds. Operators can require a minimum number of independent sources before an indicator gets shipped to firewalls.
Every change to the catalog — feed updates, IOC promotions, allowlist edits — is recorded with timestamps and reasons. Suitable for compliance evidence.