- Overview
- Our data sources
- Coverage statistics
- Output formats
- Malicious IPv4/IPv6 address data feeds
- Malicious domain name data feed
- Malicious URL data feed
- Hosts file
- Nginx's ngx_http_access_module compatible IPv4/IPv6 denylist
- Raw IPv4/IPv6 denylists
- Raw domain denylist
- Raw CIDR denylist
- Malicious IPv4/IPv6 ranges in CIDR notation data feeds
We cover the following 9 threat types:
- Attack: malicious activity detected from the host. For example, SSH brute-force, etc.
- Botnet: a host was detected as an actor in a group of connected hosts that perform malicious activities (botnet).
- C2 or C&C: the host is a known botnet's "Command and Control" server.
- Malware: the IoC is related to malicious software distribution. It can be a host or a URL serving the malware.
- Phishing: the indicator, usually a domain name or URL, is involved in Phishing activity.
- Spam: a host engaged in sending spam.
- Suspicious: IoC's activity hasn't been verified to be of malicious nature. For instance, it may be a host scraping websites, sending large amounts of ICMP queries, etc.
- Tor: a host acts as a TOR exit node.
- Generic: IoC has been involved in some form of malicious activity but couldn't be classified into one of the other categories.
Our data sources:
Our Threat Intelligence Data Feed is powered by multiple sources, ensuring that you receive comprehensive and accurate information to protect your organization. Our sources include:
- OSINT: we collect indicators of compromise (IoCs) and threat data from open sources, combining details from nearly all available public sources into one centralized location.
- Honeypots/sensors: we operate a custom network of honeypots to trap and study attacks's infrastructure.
- Algorithmic and Machine Learning Analysis: we use known IoCs to predict and discover new potential threats, which we then validate and incorporate into our database.
- Abuse Reports: we gather abuse reports and scrutinize them for insights.
- In-House Research: our specialist team conducts independent research to pinpoint and dissect new IoCs.
Coverage statistics
The following table shows the coverage statistics for each threat type. The data is updated daily.
Output formats
There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC. Contact us for a streaming version of the data feed.
| Data type | Files included | IoCs included | Record count | Formats available |
|---|---|---|---|---|
| Malicious IPv4/IPv6 address data feeds | *.malicious-ips.v4.csv.gz *.malicious-ips.v4.jsonl.gz *.malicious-ips.v6.csv.gz *.malicious-ips.v6.jsonl.gz | IPv4, IPv6 | IPv4 - 1,004,672 IPv6 - 1,009,224 | CSV, JSON |
| Malicious domain name data feed | *.malicious-domains.csv.gz *.malicious-domains.jsonl.gz | Domains | 6,957,036 | CSV, JSON |
| Malicious URL data feed | *.malicious-urls.csv.gz *.malicious-urls.jsonl.gz | URLs | 1,073,285 | CSV, JSON |
| Hosts file | *.hosts.gz | Domains | 6,813,347 | Hosts file format |
| Nginx's ngx_http_access_module compatible IPv4/IPv6 denylist | *.nginx-access.v4.gz *.nginx-access.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895 IPv6 - 1,499,909 | ngx_http_access_module compatible |
| Raw IPv4/IPv6 denylists | *.deny-ips.v4.gz *.deny-ips.v6.gz | IPv4, IPv6 | IPv4 - 929,017 IPv6 - 933,565 | List |
| Raw domain denylist | *.deny-domains.gz | Domains | 6,813,347 | List |
| Raw CIDR denylist | *.deny-cidrs.v4.gz *.deny-cidrs.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895 IPv6 - 1,499,909 | List |
| Malicious IPv4/IPv6 ranges in CIDR notation data feeds | *.malicious-cidrs.v4.csv.gz *.malicious-cidrs.v4.jsonl.gz *.malicious-cidrs.v6.csv.gz *.malicious-cidrs.v6.jsonl.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,853,752 IPv6 - 2,000,874 | CSV, JSON |
1. Malicious IPv4/IPv6 address data feeds
- Filename format: tidf.%DATE%.daily.malicious-ips.[v4|v6].[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-ips.v4.csv.gz | 5.5MB | 32MB | 1,004,672 |
| malicious-ips.v4.jsonl.gz | 6.2MB | 67MB | 1,004,672 |
| malicious-ips.v6.csv.gz | 5.6MB | 39MB | 1,009,224 |
| malicious-ips.v6.jsonl.gz | 6.3MB | 74MB | 1,009,224 |
Output format
CSV output format
ip,threatType,firstSeen,lastSeen
203.0.113.1,malware,1678172385,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678172385,1678372385
...
JSONL output format
...
{"ip": "203.0.113.1", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"ip": "2001:0db8:85a3::8a2e:0370:7334", "threatType":"spam", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...
Output parameters
| ip | IoC: IPv4 and IPv6 addresses. IPv6 feed also contains IPv4 addresses represented in the IPv6 notation. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| firstSeen | UNIX timestamp when the activity was detected first time. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
2. Malicious domain name data feed
- Filename format: tidf.%DATE%.daily.malicious-domains.[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-domains.csv.gz | 39MB | 286MB | 6,957,036 |
| malicious-domains.jsonl.gz | 42MB | 558MB | 6,957,036 |
Output format
CSV output format
domainName,threatType,firstSeen,lastSeen
example.com,malware,1678172385,1678372385
example.org,spam,1678172385,1678372385
...
JSONL output format
...
{"domainName": "example.com", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"domainName": "example.org", "threatType":"spam", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...
Output parameters
| domainName | IoC: domain name. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| firstSeen | UNIX timestamp when the activity was detected first time. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
3. Malicious URL data feed
- Filename format: tidf.%DATE%.daily.malicious-urls.[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-urls.csv.gz | 42MB | 116MB | 1,073,285 |
| malicious-urls.jsonl.gz | 44MB | 165MB | 1,073,285 |
Output format
CSV output format
url,host,threatType,firstSeen,lastSeen
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678172385,1678372385
"/bad_path/bad_file.php","",malware,1678172385,1678372385
...
JSONL output format
...
{"url": "example.com/wp-admin.php?hack_me=1", "host": "example.com", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
{"url": "/bad_path/bad_file.php","host": "", "threatType":"malware", "firstSeen":"1678172385", "lastSeen":"1678372385"}
...
Output parameters
| url | IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs do not have a corresponding host field. |
| host | Domain name or IP for absolute URLs. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| firstSeen | UNIX timestamp when the activity was detected first time. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
4. Hosts files
A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.hosts
- Samples: tidf.2023-09-26.daily.hosts
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| hosts.gz | 34MB | 211MB | 6,813,347 |
Output format
...
0.0.0.0 example.com
0.0.0.0 example.org
...
5. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation
A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.nginx-access.[v4|v6]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| nginx-access.v4.gz | 5.1MB | 30MB | 1,352,895 |
| nginx-access.v6.gz | 5.6MB | 44MB | 1,499,909 |
Output format
...
deny 203.0.113.1/31;
deny 2001:0db8:85a3::8a2e:0370:7334/127;
...
6. Raw IPv4/IPv6 denylists
A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.deny-ips.[v4|v6]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-ips.v4.gz | 3.1MB | 13MB | 929,017 |
| deny-ips.v6.gz | 3.4MB | 19MB | 933,565 |
Output format
...
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...
7. Raw domain denylist
A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.deny-domains
- Samples: tidf.2023-09-26.daily.deny-domains
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-domains.gz | 32MB | 159MB | 6,813,347 |
Output format
...
example.com
example.org
...
8. Raw CIDR denylist
A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.
- Filename format: tidf.%DATE%.daily.deny-cidrs.[v4|v6].gz
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-cidrs.v4.gz | 4.6MB | 23MB | 1,352,895 |
| deny-cidrs.v6.gz | 5.5MB | 36MB | 1,499,909 |
Output format
...
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...
9. Malicious IPv4/IPv6 ranges in CIDR notation data feeds
A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.
- Filename format: tidf.%DATE%.daily.malicious-cidrs.[v4|v6].[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-cidrs.v4.csv.gz | 9.5MB | 64MB | 1,853,752 |
| malicious-cidrs.v4.jsonl.gz | 11MB | 133MB | 1,853,752 |
| malicious-cidrs.v6.csv.gz | 11MB | 83MB | 2,000,874 |
| malicious-cidrs.v6.jsonl.gz | 12MB | 158MB | 2,000,874 |
Output format
CSV output format
cidr,threatType,firstSeen,lastSeen
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
...
JSONL output format
...
{"cidr":"1.0.0.0/32","firstSeen":"1678112656","lastSeen":"1678412656","threatType":"attack"}
{"cidr":"1.0.1.21/32","firstSeen":"1678112656","lastSeen":"1678360646","threatType":"attack"}
...
Output parameters
| cidr | IoC: IPv4 and IPv6 ranges in CIDR notation. IPv6 feed also contains IPv4 ranges represented in the IPv6 notation; |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| firstSeen | UNIX timestamp when the activity was detected first time. |
| lastSeen | UNIX timestamp when the activity was detected last time. |