Curated Threat Intelligence,
delivered to your firewalls.
Zedmos CTI ingests dozens of open-source TI feeds (URLhaus, abuse.ch, CERT.pl, USOM, Spamhaus DROP, EmergingThreats, ThreatFox, OpenPhish, …), strips out false positives that historically blocked legitimate services like drive.google.com, github.com or microsoft.com, and serves clean per-category blocklists over HTTPS to thousands of firewalls.
Threat sources from across the globe — one decision per packet
Curated feeds stream into the hub, every IOC is scored with STIX 2.1 confidence, every IP enriched offline with country + ASN, and the consensus snapshot ships only verified+trusted indicators to your firewalls. Cloud-AS allowlist keeps Microsoft 365 / Google Workspace alive; daily cross-validation proves every line.
- Multi-source consensus → verified-tier promotion
- Offline GeoASN at line rate (3.3M ops/s, no quota risk)
- Cloud-AS exception protects legitimate SaaS infra
- ed25519-signed snapshots, verifiable with stock OpenSSL
Live stats
Auto-refreshes every 30 seconds · sourced from /v1/public/stats
Every distribution snapshot is signed with our long-lived ed25519 key. Verify with stock OpenSSL — no Zedmos library needed.
Every number on this page has a definition. /v1/public/methodology documents what we count, what we DON'T count, FP-filter stages, and SLA targets. /v1/public/transparency emits the same numbers as JSON.
Every cert issued on Certificate Transparency logs is scored on brand-keyword, lookalike, IDN homograph, and lexical entropy in real time. Operator approval required before promotion to firewall feeds.
Suspicious newly-issued certs · last 24h
Certificate Transparency log monitor — brand impersonation, DGA-style domains, IDN homograph attempts. Operator approval required before promotion.
| Domain | Score | Brand | Flags | Issuer | Seen |
|---|---|---|---|---|---|
Hot indicators · last 24 hours
Aggregated from firewall-fleet sightings (anonymized — no PII, only count + reporting firewall count).
| Indicator | Type | Hits 24h | Firewalls | Last sighting |
|---|---|---|---|---|
Hot threats — last 24h
New IOCs surfaced · what is burning right now (populated live)
Top categories
unique IOCs per category (populated live)
Distribution snapshots
files served via HTTPS to firewalls
| Kind | Category | Type | Lines | Bytes | Last built |
|---|---|---|---|---|---|
Threat origins by country
Where the malicious IPs and CIDR ranges in our catalog are hosted — sourced from offline GeoASN at ingest time.
Raw JSON: /v1/public/threats-by-country
How to read this: these are IPs / CIDRs hosted in each country (BGP geolocation), not necessarily where the threat actor lives. High counts in US, DE, GB, NL, SG include hyperscaler-hosted threats — adversaries rent legitimate cloud capacity. Domain IOCs (5M+) have no country attribution and are excluded from this view. The honest takeaway: where to look first, not who to blame.
Top 25 by IP/CIDR count. Caveat: domains (~94% of catalog) have no country attribution — this is the IP-only slice.
Sources & credibility
Every upstream feed is classified into a credibility tier. We publish the full catalog at /v1/public/sources — provider, license, last audit, status.
Audit status (last 24h)
"operational" = HTTP 200 + content received. We deliberately do not call low-cadence feeds (Spamhaus DROP, Feodo Tracker) "stale" — they publish only when actionable changes happen. "stale" is reserved for freshness-critical feeds that exceed their expected cadence.
Top operators
Per-feed catalog (sample top by tier)
| Tier | Feed | Operator | License | Status | Last fetch |
|---|---|---|---|---|---|
Showing a curated sample; the full catalog is available as JSON at /v1/public/sources.
Verify our claims yourself
No Zedmos library required. Use stock OpenSSL.
ed25519 signed bundle verification
Copy-paste, run, observe Signature Verified Successfully. Tamper one byte → instant Verification Failure.
TOKEN=tihub_...
# 1. fetch the body, the detached signature, and the public key
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt \
-H "authorization: Bearer $TOKEN" -o body.txt
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/domains.txt.sig \
-H "authorization: Bearer $TOKEN" \
| jq -r .signature_b64 | base64 -d > sig.bin
curl -sS https://www.zedmos.net/v1/public/keys/sign.pem -o pub.pem
# 2. verify (openssl 3.0+, no extra packages)
openssl pkeyutl -verify -pubin -inkey pub.pem -rawin \
-in body.txt -sigfile sig.bin
# → Signature Verified Successfully
Cross-check the live numbers
Every counter on this page comes from /v1/public/transparency. /v1/public/methodology defines what each counter means and what we explicitly DO NOT count.
# live numbers (no-auth)
curl -sS https://www.zedmos.net/v1/public/transparency \
| jq .live_numbers
# definitions + FP-filter stages + SLA targets + what we don't count
curl -sS https://www.zedmos.net/v1/public/methodology \
| jq '.definitions, .fp_filter_stages, .what_we_do_NOT_count'
What is CTI?
Cyber Threat Intelligence — context-rich data about adversaries, the infrastructure they use, and how to detect them.
High-level intelligence on threat actors, geopolitical motivations, industry targeting and long-running campaigns. Read by CISOs and risk officers.
TTPs (Tactics, Techniques and Procedures) mapped to MITRE ATT&CK. Detection engineers use this to write SIEM rules and IDS signatures.
Indicators of Compromise (IOCs): malicious domains, IPs, CIDRs, file hashes, JA3/JA4 fingerprints. Fed into firewalls, EDRs, DNS sinkholes. This is what Zedmos CTI specializes in.
Raw open-source TI feeds are noisy. URLhaus might list a Google Drive URL because attackers used it for malware staging — but the parent domain drive.google.com is, of course, legitimate.
Without curation, a firewall that suffix-matches such a feed will block hundreds of millions of legitimate users from Google Drive, GitHub, Microsoft 365 and more.
Zedmos CTI runs every IOC through a five-stage filter:
- hard allowlist
- root-domain protection
- multi-source consensus
- format validation
- manual review queue
How it works
From upstream feed to firewall — every minute, every indicator.
BullMQ-scheduled HTTP fetchers honour each feed's polling interval. Plain, hosts, CSV and JSON formats are parsed natively.
5-stage pipeline: allowlist suffix match, registrable-root protection, multi-source consensus, syntactic validation, manual review.
Per-category, per-type files are written sorted-unique with a SHA-256 ETag. Atomic rename means firewalls never see a partial file.
NGINX reverse-proxy with per-FW Bearer auth, ETag/304 revalidation, gzip, rate-limits and a 60-second cache zone scaled for thousands of firewalls.
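As an added illustration (not Zedmos code), the following Python pass over constructed feed lines implements three of the five stages just described (hard allowlist, registrable-root protection, syntactic validation) and the sorted-unique snapshot write with a SHA-256 ETag and an atomic rename. The allowlist anchors and the public-suffix subset are constructed stand-ins for the Tranco/Umbrella lists and the Mozilla PSL; multi-source consensus and the review queue are not modelled here.

```python
import hashlib
import os
import re
import tempfile

# Constructed samples: a few Tranco/Umbrella-style allowlist anchors and a tiny
# cut of the Public Suffix List (production would load the full Mozilla PSL).
ALLOWLIST = {"google.com", "github.com", "microsoft.com"}
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.tr", "appspot.com"}
HOSTNAME_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

SAMPLE_FEED = [                                  # constructed feed lines, not a real export
    "# URLhaus-style export",
    "drive.google.com",                          # legitimate parent of a staging URL
    "GitHub.com.",                               # allowlisted; odd casing and trailing dot
    "update.microsoft.com.evil.net",             # lookalike: registrable root is evil.net
    "0.0.0.0 evil.appspot.com",                  # hosts format; appspot.com is a public suffix
    "co.uk",                                     # bare public suffix must never ship
    "bad_host.example",                          # underscore fails hostname syntax
    "c2.evil.net",
]


def registrable_root(domain):
    """PSL-aware registrable domain: one label below the longest public suffix.
    Returns None when the name itself is a public suffix (e.g. 'co.uk')."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return domain                                # unknown TLD: whole name is the root


def filter_domain(raw):
    """Run one domain through stages 4, 1 and 2; return (decision, normalized value)."""
    domain = raw.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(domain):
        return "rejected:syntax", domain         # stage 4: syntactic validation
    if domain in ALLOWLIST:
        return "rejected:allowlist", domain      # stage 1: hard allowlist
    root = registrable_root(domain)
    if root is None or root in ALLOWLIST:
        return "rejected:root_protection", domain  # stage 2: registrable-root protection
    return "accepted", domain


def parse_feed_line(line):
    """Plain and hosts-file formats: strip comments; take the host field of a hosts line.
    Blank or comment-only lines come back as '' and then fail syntactic validation."""
    parts = line.split("#", 1)[0].split() or [""]
    hosts_style = len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1")
    return parts[1] if hosts_style else parts[0]


def build_snapshot(raw_lines, path):
    """Write accepted domains sorted-unique and return the SHA-256 ETag.  The bytes go
    to a temp file that is os.replace()d into place, so a firewall fetching mid-build
    sees either the old snapshot or the new one, never a partial file."""
    accepted = set()
    for line in raw_lines:
        decision, norm = filter_domain(parse_feed_line(line))
        if decision == "accepted":
            accepted.add(norm)
    body = "".join(d + "\n" for d in sorted(accepted)).encode()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    os.replace(tmp, path)
    return hashlib.sha256(body).hexdigest()
```

Note that update.microsoft.com.evil.net survives: its registrable root is evil.net, which is exactly the case a naive substring match against "microsoft.com" would get wrong in the other direction.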
Public API
All endpoints emit Cache-Control and ETag. Firewall feeds require a Bearer token.
Get an API token
Register with your email + password. An admin will review and approve manually (no verification email yet). Once approved you can sign in and mint a Bearer token that unlocks every /v1/feeds/* endpoint listed under Firewall feed endpoints. Tokens are shown once — keep them safe.
Once approved, sign in to manage your API tokens.
Your registration has been queued. An admin will review and contact you out-of-band when approved. Click the link to activate your account, then come back here and sign in.
Sender: info@zedmos.net. Check spam if you don't see it within a couple of minutes — the link is valid for 24 hours.
Send the token as Authorization: Bearer <token>. Save it in a password manager — we never store the plaintext.
Public endpoints · no auth
- /v1/public/stats
- /v1/stix/info
- /v1/public/health
Firewall feed endpoints · Bearer
Same indicators, your favourite format. Substitute <kind> ∈ ti | security | waf and <cat> with a category from /v1/stix/info.
- /v1/feeds/<kind>/<cat>/domains.txt
- /v1/feeds/<kind>/<cat>/ips.txt
- /v1/feeds/<kind>/<cat>/suricata.rules
- /v1/feeds/<kind>/<cat>/pihole.txt
- /v1/feeds/<kind>/<cat>/opnsense.txt
- /v1/feeds/<kind>/<cat>/mikrotik.rsc
- /v1/feeds/<kind>/<cat>/unbound.rpz
- /v1/feeds/<kind>/<cat>/stix.json
TAXII 2.1 server · Bearer
https://cti.zedmos.net/taxii2/
# Live stats (no auth)
curl -sS https://www.zedmos.net/v1/public/stats | jq .iocs
# Suricata rules (Bearer required)
curl -sS https://cti.zedmos.net/v1/feeds/ti/malware_virus/suricata.rules \
-H "authorization: Bearer tihub_..."
# STIX 2.1 bundle for Splunk / MISP / OpenCTI (URL quoted so the shell never globs the '?')
curl -sS "https://cti.zedmos.net/v1/feeds/ti/phishing/stix.json?limit=1000" \
-H "authorization: Bearer tihub_..."
# TAXII 2.1 collection list
curl -sS https://cti.zedmos.net/taxii2/api1/collections/ \
-H "authorization: Bearer tihub_..." \
-H "accept: application/taxii+json;version=2.1"
What you get
Allowlist of major cloud, social, OS-update and CDN domains. Registrable-root protection prevents a feed listing google.com from killing every Google subdomain.
NGINX proxy_cache + ETag + gzip means a firewall fetching a 1 MB feed every 10 minutes costs us a few KB of revalidation traffic per request.
No engine recompile required: replace the upstream URL in agent.json with the matching cti.zedmos.net path, drop in a Bearer token, restart the agent.
Each IOC tracks its provenance across feeds. Operators can require a minimum number of independent sources before an indicator gets shipped to firewalls.
Every change to the catalog — feed updates, IOC promotions, allowlist edits — is recorded with timestamps and reasons. Suitable for compliance evidence.
Legal & Accessibility
Last updated · May 2026
Same legal terms that govern www.zedmos.com apply to this CTI hub.
Legal Notice (Impressum)
Information pursuant to § 5 TMG (German Telemedia Act) and § 18 (2) MStV.
Project provider
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen
Germany
Contact
Email: info@zedmos.com
Person responsible for content
under § 18 (2) MStV
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen
EU online dispute resolution
The European Commission provides a platform for online dispute resolution (ODR): ec.europa.eu/consumers/odr. We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
The contents of these pages have been prepared with the greatest possible care. However, we cannot guarantee the accuracy, completeness or timeliness of the content. As a project provider, we are responsible for our own content on these pages according to § 7 (1) TMG and general law. Pursuant to §§ 8 to 10 TMG, however, we are not obliged as a project provider to monitor transmitted or stored third-party information.
Liability for links
Our website contains links to external third-party websites over whose content we have no influence. Therefore, we cannot accept any liability for this third-party content. The respective provider or operator of the linked pages is always responsible for the content of the linked pages.
Copyright
Content and works on these pages created by the site operators are subject to German copyright law. Contributions by third parties are marked as such. Duplication, editing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
Privacy Policy (GDPR)
Information about the processing of personal data in accordance with Art. 13 GDPR.
1. Project Controller
The controller responsible for data processing on this website is:
Serhat Rencber
Untere Hauptstraße 15
78532 Tuttlingen, Germany
Email: info@zedmos.com
2. Data collected when you visit this site
When you access this website, the web server automatically stores information in so-called server log files transmitted by your browser. This includes:
- IP address of the requesting device (truncated after 7 days)
- Date and time of the request
- Requested URL and HTTP status code
- Bytes transferred
- Browser identifier (User-Agent), referrer (if available)
Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in operational security, content delivery, and abuse prevention). No combination with other data sources takes place. Logs are automatically deleted after at most 14 days unless a security incident requires longer retention.
3. Hosting
This website is hosted in a data centre operated by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany in Frankfurt am Main (Germany). A data processing agreement (DPA) in accordance with Art. 28 GDPR has been concluded with the provider. No transfers to third countries take place.
4. Fonts
We use the typefaces "Inter" and "JetBrains Mono". These are downloaded at build time and served exclusively from our own server. No connection is made to Google servers when visiting the site.
5. Cookies and local storage
This site uses no tracking cookies. We store only two purely technical preferences in your browser's localStorage that you have triggered yourself:
- theme — your choice between light and dark mode
- locale — your language preference (cookie, 1 year)
These settings never leave your browser and are not used for profiling.
6. Contacting us by email
If you contact us by email, your details (email address, content of the message) will be stored for the purpose of processing the inquiry and any follow-up questions. Legal basis is Art. 6 (1) (b) GDPR (pre-contractual measure) or Art. 6 (1) (f) GDPR. The data will be deleted as soon as the inquiry has been finally processed, unless statutory retention obligations prevent this.
7. No analytics, no tracking, no advertising
This site uses neither web analytics tools (e.g. Google Analytics, Matomo) nor social media plug-ins, embedded maps, ad networks, or comparable third-party services.
8. Your rights
You have the following rights at any time:
- Right of access to data we hold about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure ("right to be forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
An informal email to the address above is sufficient to exercise your rights.
9. Competent supervisory authority
The competent data protection supervisory authority is determined by the controller's place of establishment. A full list of all German supervisory authorities is available at bfdi.bund.de.
10. Updates to this policy
We reserve the right to update this privacy policy so that it always complies with current legal requirements or to reflect changes in our services. The version applicable to your next visit will be the one available at that time.
Accessibility Statement
Our commitment to an accessible website and the current state of conformance.
1. Scope
Zedmos is aimed exclusively at enterprises (B2B) and does not operate any electronic commerce services for consumers within the meaning of the German Accessibility Strengthening Act (BFSG). This site therefore falls outside the mandatory scope of the BFSG. We nevertheless consider accessibility a core commitment and align voluntarily with the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA.
2. Current state of conformance
By our own assessment, this website is largely conformant with WCAG 2.1 AA. The following points are known and are being continuously improved:
- Some technical architecture diagrams are embedded as purely decorative SVGs and are signalled as such to screen readers; a textual alternative is provided in the surrounding description.
- Animated background gradients respect the prefers-reduced-motion user preference.
- A light/dark mode toggle is available at the top right of the navigation for users who prefer a higher-contrast presentation.
3. Underlying practices
To ensure accessibility we apply, among others, the following practices:
- Semantic HTML with a correct heading hierarchy
- Full keyboard operability without keyboard traps
- Visible focus ring on all interactive elements
- ARIA labels on icon-only buttons (e.g. language and theme switch)
- WCAG-AA contrast for body text and UI components
- Scalable font sizes, no fixed pixel layout
4. Feedback and contact
Have you noticed content that is not accessible? Would you like to receive information in a more accessible format? Please let us know:
Email: info@zedmos.com
We aim to address reported issues as quickly as possible.
5. Conciliation procedure
Because this site does not fall within the scope of the BFSG, the statutory conciliation procedure under § 21 BFSG does not apply. We will, however, take every report seriously and implement improvements where they are technically and economically feasible.
What we shipped
Every successful change lands here. The home page is updated after every deploy.
Self-service user portal — register, manage API keys, track usage
New self-service flow at /register → /login → /dashboard. Users sign up with email + password (no mail required); registrations enter a pending_approval queue; an admin enables the account; users then sign in and issue Bearer tokens for the CTI feed API. All inputs hardened with zod strict-mode + bcrypt cost 12 + NoSQL-injection guards + 5/hour signup rate-limit + 10-attempt lockout. Tokens display live use_count and last_used_ip on the dashboard.
Allowlist-drift cleanup — 113,942 false positives caught and removed
Honest finding: as Tranco/Umbrella allowlist anchors grew daily, 113,942 previously-ingested indicators (37% of our domain corpus) drifted into a state where the FP filter would now reject them — but they kept shipping to firewalls. We caught this in our own audit, swept them in a single pass, and now run the sweep every 6 hours as a maintenance job so it can never re-accumulate. Default firewall feed dropped from 215,608 → 137,748 indicators (~36% reduction); every remaining line strictly meets tier criteria.
Three-tier cross-validation pipeline live · every shipped IOC corroborated
We don't ship a single line to a customer firewall without provenance. The default domains.txt / ips.txt / sha256.txt files now contain only verified (≥2 distinct upstream sources, OR active enrichment confirmation, OR honeypot-confirmed, OR manually approved) and trusted (single-source from a strict T1 feed: USOM TR-CERT, CERT.pl, Spamhaus DROP, abuse.ch Feodo low-FP) indicators. The community tier (single-source from T2-T5 feeds) is opt-in only at community-domains.txt.
Active enrichment at ingest: GreyNoise (free Community API) classifies legitimate scanners (Google DNS, Cloudflare DNS, Shodan) → never blocked. AbuseIPDB confidence ≥75 promotes single-source IPs to verified. VirusTotal positives ≥3 promotes domains/IPs/hashes.
Honeypot ground truth: a separate ingest endpoint (/v1/honeypot/event, sensor-token auth) accepts attack observations from Zedmos honeypot mesh nodes. Quorum rule: ≥3 distinct sensors hit by the same IP in 24h, OR ≥10 hits to one sensor → IP promoted to verified with honeypot_confirmed=true. This is literal ground truth — the IP attacked our infrastructure right now.
Daily proof: a random sample of shipped IOCs is checked against tier criteria every 24h. Latest run: —. Live numbers and per-tier breakdown at /v1/public/verification.cross_validation.
New today: SHA-256 hashes (sha256.txt + per-category yara.yar rules) · HMAC-signed webhooks for new_iocs / smoke_failed / cloud_fp_caught events · SOAR connectors for Cortex/TheHive + XSOAR + TheHive responder · per-token scope enforcement by kind/category/tier, ready for multi-tenant deployment.
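To make the tier rules concrete, here is an added Python sketch (not Zedmos code) of the verified / trusted / community assignment together with the honeypot quorum and the enrichment thresholds stated in this entry. Feed identifiers, sensor names, sightings and the enrichment field names are constructed assumptions; the thresholds (≥2 sources, AbuseIPDB ≥75, VirusTotal ≥3, 3 sensors / 10 hits in 24h) are the ones given above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Feeds the page names as strict T1 (identifiers are constructed shorthand).
T1_FEEDS = {"usom_tr_cert", "cert_pl", "spamhaus_drop", "abusech_feodo"}
WINDOW = timedelta(hours=24)


def honeypot_quorum(ip, events, now):
    """Quorum rule: >=3 distinct sensors hit by the IP within 24h, OR >=10 hits to a
    single sensor.  events is an iterable of (ip, sensor_id, utc_timestamp)."""
    per_sensor = Counter(sensor for e_ip, sensor, ts in events
                         if e_ip == ip and timedelta(0) <= now - ts <= WINDOW)
    return len(per_sensor) >= 3 or max(per_sensor.values(), default=0) >= 10


def assign_tier(ioc):
    """Return (tier, reason).  ioc carries 'value', 'sources' (feed ids) and an optional
    'enrichment' dict; the enrichment keys below are assumed names, not a vendor API."""
    enrich = ioc.get("enrichment", {})
    sources = set(ioc.get("sources", ()))
    if enrich.get("greynoise_benign"):           # legitimate scanner / common service
        return "suppressed", "greynoise_benign"
    if ioc.get("manually_approved"):
        return "verified", "manual_approval"
    if ioc.get("honeypot_confirmed"):
        return "verified", "honeypot_quorum"
    if len(sources) >= 2:
        return "verified", "multi_source"
    if enrich.get("abuseipdb_confidence", 0) >= 75 or enrich.get("vt_positives", 0) >= 3:
        return "verified", "active_enrichment"
    if sources and sources <= T1_FEEDS:
        return "trusted", "t1_single_source"
    return "community", "single_source_t2_t5"


def route(iocs, honeypot_events, now):
    """Apply the quorum to IP IOCs, then bucket every IOC by tier with its reason."""
    buckets = {"verified": [], "trusted": [], "community": [], "suppressed": []}
    for ioc in iocs:
        if ioc.get("type") == "ip" and honeypot_quorum(ioc["value"], honeypot_events, now):
            ioc = {**ioc, "honeypot_confirmed": True}
        tier, reason = assign_tier(ioc)
        buckets[tier].append((ioc["value"], reason))
    return buckets


def snapshot_lines(buckets, community_optin=False):
    """Default files ship verified + trusted only; community is a separate opt-in file."""
    tiers = ["verified", "trusted"] + (["community"] if community_optin else [])
    return sorted({value for t in tiers for value, _ in buckets[t]})


# Constructed sample data; every timestamp is relative to NOW.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [("203.0.113.9", f"sensor-{i}", NOW - timedelta(hours=i)) for i in (1, 2, 3)]    # 3 sensors
    + [("198.51.100.7", "sensor-1", NOW - timedelta(minutes=m)) for m in range(10)]  # 10 hits
    + [("192.0.2.5", "sensor-2", NOW - timedelta(hours=h)) for h in (1, 30)]         # 1 in window
)
SAMPLE_IOCS = [
    {"value": "203.0.113.9", "type": "ip", "sources": ["tweetfeed"]},
    {"value": "198.51.100.7", "type": "ip", "sources": ["urlhaus"]},
    {"value": "192.0.2.5", "type": "ip", "sources": ["urlhaus"]},
    {"value": "c2.evil.example", "type": "domain", "sources": ["urlhaus", "threatfox"]},
    {"value": "bank-trojan.example", "type": "domain", "sources": ["cert_pl"]},
    {"value": "maybe.example", "type": "domain", "sources": ["tweetfeed"]},
    {"value": "8.8.8.8", "type": "ip", "sources": ["urlhaus"],
     "enrichment": {"greynoise_benign": True}},
    {"value": "lone.example", "type": "domain", "sources": ["tweetfeed"],
     "enrichment": {"vt_positives": 5}},
]
```

The reason string travels with each IOC so that the provenance an auditor asks for (why did this line ship?) is answerable from the snapshot build alone.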
Cloud-IP false-positive audit — caught 8,663 in our own catalog
Self-audit found 8,663 IPs (4.27%) of our IP corpus sitting inside published AWS / GCP / Cloudflare / GitHub CIDR ranges — IPs which would have caused real outages on customer firewalls had they been blocked. Caught and suppressed in a single sweep against 202,787 candidates.
Breakdown: AWS 2,619 · GCP 3,137 · GitHub 2,904 · Cloudflare 3. All moved to the review queue with fp_reason=cloud_provider_range; snapshots rebuilt — none ship to firewalls today.
Going forward: ingest pipeline now performs an inline bisect-based cloud-range membership check before any IP IOC is promoted; the cloud-range allowlist is refreshed daily from the four upstream providers via a maintenance worker. Live numbers and full provenance: /v1/public/verification.
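An added Python example (not Zedmos code) of the bisect-based cloud-range membership check this entry describes, with a handful of illustrative provider CIDRs standing in for the daily-refreshed AWS / GCP / Cloudflare / GitHub lists, plus the review-queue routing with the fp_reason label the entry names.

```python
import bisect
import ipaddress

# Illustrative provider ranges in the shape of the published AWS/GCP/Cloudflare/GitHub
# lists; in production these come from the providers' own endpoints, refreshed daily.
PROVIDER_RANGES = {
    "aws": ["3.5.140.0/22", "3.5.140.0/24", "52.95.110.0/24"],   # /24 nested inside the /22
    "gcp": ["34.64.0.0/10"],
    "cloudflare": ["104.16.0.0/13", "104.24.0.0/14"],
    "github": ["140.82.112.0/20", "185.199.108.0/22", "2a0a:a440::/29"],
}


class CloudRangeIndex:
    """Per-provider, per-IP-version tables of collapsed ranges; one bisect per lookup."""

    def __init__(self, provider_ranges):
        self._tables = {}
        for provider, cidrs in provider_ranges.items():
            nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for version in (4, 6):
                # collapse_addresses merges nested/adjacent networks and returns them
                # disjoint and ascending, which is what makes a single bisect exact.
                disjoint = list(ipaddress.collapse_addresses(
                    n for n in nets if n.version == version))
                if disjoint:
                    starts = [int(n.network_address) for n in disjoint]
                    ends = [int(n.broadcast_address) for n in disjoint]
                    self._tables[(provider, version)] = (starts, ends)

    def provider_of(self, ip):
        """Return the provider whose published range contains ip, else None."""
        addr = ipaddress.ip_address(ip)
        key = int(addr)
        for (provider, version), (starts, ends) in self._tables.items():
            if version != addr.version:
                continue
            i = bisect.bisect_right(starts, key) - 1      # last range starting at or before ip
            if i >= 0 and key <= ends[i]:
                return provider
        return None


def triage_ip_iocs(candidates, index):
    """Split candidate IP IOCs into shippable ones and cloud-hosted ones that go to the
    review queue tagged fp_reason=cloud_provider_range (the label the entry uses)."""
    ship, review = [], []
    for ip in candidates:
        provider = index.provider_of(ip)
        if provider:
            review.append({"ip": ip, "fp_reason": "cloud_provider_range", "provider": provider})
        else:
            ship.append(ip)
    return ship, review
```

Routing to review rather than discarding keeps the indicator auditable, which matters because the same page notes that adversaries do rent hyperscaler capacity: suppression trades coverage of those hosts for outage avoidance.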
STIX 2.1 + TAXII 2.1 server
Native application/taxii+json;version=2.1 server with discovery, collections, manifest and STIX bundle endpoints. 16 collections live — one per kind+category combo. Compatible with MISP, OpenCTI, Splunk Add-on, Anomali ThreatStream and Microsoft Sentinel out of the box.
9 firewall-native output formats
Same indicators, every format your stack speaks: plain text, Suricata DNS rules, Pi-hole adlist, OPNsense / pfSense URL-table, MikroTik RouterOS script, Unbound / BIND RPZ, STIX 2.1 bundle, TAXII 2.1 collection, MISP feed. No custom-format upcharge.
MITRE ATT&CK ingestion
30,649 STIX objects mirrored from mitre/cti — enterprise + mobile + ICS domains. Indicators ship with kill-chain phase tagging today; technique-id mapping (T1566.002 etc.) lands in v0.3.
Tranco + Cisco Umbrella allowlist anchors
Daily-refreshed anchors: Tranco top-domains, Cisco Umbrella, AWS/GCP/Cloudflare/GitHub published CIDR ranges. Allowlist now — entries (…). Combined with Mozilla PSL for accurate co.uk / com.tr / appspot.com handling. Live: /v1/public/verification.
Closed-loop sightings (anonymized)
Firewalls can POST /v1/sightings/bulk aggregate hit counts (no PII). The hot-indicators panel above is powered by this. Privacy-preserving HMAC + bloom-dedup hardening lands in v0.3.
GreyNoise + AbuseIPDB enrichment
On-demand IP context. GreyNoise classifies "internet noise" vs "common business service" — automatic FP suppression for things like 8.8.8.8. AbuseIPDB second-source confidence cross-check.
ed25519 signed bundles + audited methodology
Detached .sig signatures on every distribution snapshot, verifiable by stock OpenSSL. Public key at /v1/public/keys/sign.pem. /v1/public/methodology documents exactly what each counter means and what we DON'T count. See the verification recipe under "Verify our claims yourself".
MITRE ATT&CK technique tagging on STIX
Every STIX 2.1 indicator now ships with technique-id external references (e.g. T1566.002 Spearphishing Link for phishing IOCs, T1071.001 Web Protocols C2 for botnet IOCs). Auto-links to OpenCTI / MISP / Splunk SEC dashboards.
Sigma rule export per category
10th output format: /v1/feeds/<k>/<c>/sigma.yml. Portable to Splunk SPL, Elastic ES|QL, Sentinel KQL, QRadar via sigmac / uncoder.io.
CertStream watcher (best-effort)
Long-lived WS to Calidog CertStream. Brand-keyword + Levenshtein lookalike + Shannon-entropy DGA scorer. Operator approval required before promotion. Note: depends on calidog.io availability — sometimes the upstream firehose pauses.
MISP feed format export — 10th format
Per-category MISP feed: /v1/feeds/<k>/<c>/misp/manifest.json + /<event-uuid>.json + hashes.csv. Drops directly into MISP Feeds → Add. Full attribute Tags (TLP, kind, category) included.
abuse.ch ecosystem fully wired (7/7 platforms + Auth-Key wizard)
URLhaus + ThreatFox + Feodo + MalwareBazaar + SSLBL + YARAify + Hunting reference. Free Auth-Key required from auth.abuse.ch — validated against the upstream before persisting, then bulk-applied to all 14 abuse.ch feeds. Operation Endgame (May 2024 LE takedown) context surfaced honestly — Feodo Tracker is empty because the threats it tracked are dismantled.
Honest disclosure — 8 ecosystem changes surfaced
2024–2026 retired the assumption that "abuse.ch + Talos + Bambenek = free baseline." We surface the changes that broke that assumption (abuse.ch Auth-Key, Talos retired, Bambenek paid, Cloudflare CC-BY-NC) on the Sources page rather than hide them. Each feed publishes deprecation_note + license_caveat + auth_required.
8 new feeds: DigitalSide, TweetFeed, Cybercrime-tracker…
Cybercrime-tracker first run added 19,145 banking-trojan C2 indicators. DigitalSide (CC0), TweetFeed (Twitter OSINT), MalwareBazaar (sample hashes for STIX), AlienVault OTX (free), MISP CIRCL (Phase 2). Total feed count: 22 → 30.
Live SLA status page
/status publishes mean-indicator-age, P99, feed-OK ratio, snapshot freshness. Auto-refreshes every 20s. Most CTI vendors hide these metrics — we show them by default.