Live threat capture, worldwide

Cyber Threat
Intel Feed

A network of IPS sensors around the world feeds CTIF a steady stream of attacking addresses. We work out where each one comes from, who runs it, whether it hides behind Tor, and which MITRE ATT&CK techniques it maps to, then deliver all of that to the tools your team already uses.

5sensor regions
MITRE ATT&CKauto-mapped
STIX 2.1native export
The Threat Landscape

Right now, something is scanning your network.

Brute force attempts, port scans, credential stuffing and exploit probes run every hour of every day, from everywhere, against everyone. By the time an address turns up on a public blocklist, it has usually been hitting networks for hours. The teams that stay ahead are the ones watching the whole internet, with context, as it happens.

Volume
0

attacks hit the average company every day

Frequency
0s

between one attack and the next

Breaches
0+

websites are hacked every day

Vector
0%

of malware arrives over the network

Based on widely cited industry figures.

SSH brute force · 185.220.101.4 · RU → IRCredential stuffing · 45.83.64.12 · NL → USPort scan · 193.42.33.9 · CN → DETor exit relay · 171.25.193.78 · anon → FRRDP brute force · 92.118.39.21 · RU → UKWeb exploit attempt · 103.97.176.5 · VN → SGSpam relay · 196.196.150.2 · ZA → AEBotnet C2 beacon · 45.137.21.9 · anon → USSSH brute force · 185.220.101.4 · RU → IRCredential stuffing · 45.83.64.12 · NL → USPort scan · 193.42.33.9 · CN → DETor exit relay · 171.25.193.78 · anon → FRRDP brute force · 92.118.39.21 · RU → UKWeb exploit attempt · 103.97.176.5 · VN → SGSpam relay · 196.196.150.2 · ZA → AEBotnet C2 beacon · 45.137.21.9 · anon → US
Introducing CTIF

We do the analysis
so your analysts don’t have to.

From the second a sensor spots an address to the second it appears in your dashboard, CTIF handles everything in between. It collects the indicator, looks up what is known about it, and works out how much it should worry you. There are no manual steps and nothing left for your team to stitch together.

01
Capture

Real-time Global Capture

Sensors spread across several regions watch live attack traffic and report each address the instant they see it, not hours later when it reaches a public list.

capturing · 5 regions
02
Enrich

Automatic Enrichment

Every address is checked against geolocation, ASN and ISP, reverse DNS, RDAP and WHOIS, Tor exit status, and the MITRE ATT&CK framework.

GeoIPASNrDNSTorMITRE
03
Score

Hostility Scoring

Every indicator carries a hostility score from 0 to 100, so your team can sort by real risk instead of working through flat, unranked alerts.

hostility92
04
Soon

More Services

New services beyond the core feed, from a Splunk add-on to broader threat coverage, always being added.

in development
Global Coverage

Sensors on the routes that matter.

Attacks come from everywhere, so our sensors sit everywhere that counts. The network is already live across several regions and still growing, and every node feeds the same enrichment pipeline the moment it captures something.

EuropeAvailable
Coverage100%
Middle EastAvailable
Coverage100%
North America (USA)In progress
Coverage65%
AsiaIn progress
Coverage55%
AfricaIn progress
Coverage40%
The Pipeline

What happens between a sensor and your dashboard.

Every address we report travels the same short path before it reaches you. Follow it from the first packet a sensor sees to the moment your tools can query it.

Stage 01

Capture

Sensors across the world spot hostile behaviour and flag the source address the instant they see it.

IPS sensorsTor list
Stage 02

Enrich

Geolocation, ASN and ISP, reverse DNS, RDAP and WHOIS, Tor and CDN status, then a map to MITRE ATT&CK.

GeoIPASN / RDAPMITRE ATT&CK
Stage 03

Score and store

Each indicator gets a hostility score from 0 to 100, then it is stored with its sighting count, first and last seen, and the reasons it was flagged.

hostility scoresightingsreasons
Stage 04

Deliver

Pull the feed however suits you: a rate limited REST API and STIX 2.1 bundles, every indicator carrying its hostility score. A Splunk add-on is on the way.

REST APISTIX 2.1hostility score
A Real Example

Follow one attack through the pipeline.

At 03:14 UTC a sensor in our Middle East region picks up a burst of failed SSH logins, all coming from one address hammering port 22. Here is what CTIF makes of it in the next second.

enrich · 185.220.101.4
$resolve geolocationMoscow, Russia (RU)
$lookup ASN / RDAPAS208294 · Tor relay operator
$reverse DNStor-exit-4.relay.tor
$check Tor exit listknown exit node
$correlate sensor events47 sightings · port 22
$map MITRE ATT&CKT1110 Brute Force
$ enrichment complete in 0.82s
Middle East sensor·03:14:07 UTC·event #48213
IOC/IPv4
185.220.101.4
Active ThreatTor Exit Node
92hostility
Country
Russia · RU
City
Moscow
ASN
AS208294
Reverse DNS
tor-exit-4.relay.tor
First seen
03:14 UTC
Sightings
47
Threat tags
tor_exit_nodessh_bruteforceblocklisted
MITRE ATT&CK
TA0006Credential Access
T1110Brute Force
T1021.004Remote Services: SSH
Recommended action

Block at the perimeter and flag any successful SSH or RDP login from this ASN for review.

delivered viaREST APISTIX 2.1Dashboard
SOC Integration

Plug it into your SOC tools.

Today CTIF ships a rate limited REST API that drops into the SOC tools you already run, with every indicator carrying its hostility score, geolocation and ATT&CK mapping. A Splunk add-on for automatic enrichment is on the way.

A REST API today

Pull enriched, scored indicators into the tools you already run over a simple, authenticated REST API.

Hostility scoring

Every indicator carries a hostility score from 0 to 100, so your team triages by real risk instead of raw volume.

Splunk add-on, soon

An add-on that enriches your events automatically inside Splunk is on the way.

REST APISTIX 2.1Splunk add-on · soon
›_Splunk · CTIF add-on
preview
index=network
| `non_special_ip(src_ip)`
| `ctif_lookup(src_ip)`
| search context_score>60
| table ip country attack_tactic context_score
| sort -context_score
ipcountryattack_tacticcontext_score
185.220.101.4RUCredential Access92
45.83.64.12NLInitial Access78
92.118.39.21RUCredential Access88
193.42.33.9CNDiscovery64
103.97.176.5VNInitial Access71
On the Roadmap

We keep adding new services.

CTIF is built to grow. We are steadily broadening what the feed covers, adding new services and threat sources so it keeps pace with what your team actually faces.

More services on the way

We are steadily broadening what CTIF covers.

Coming soon

Spam & relay abuse

Open relays and bulk senders that abuse mail infrastructure.

Splunk integration

An add-on that enriches your events automatically, right inside Splunk.

Broader coverage

New threat sources and services, added as the feed keeps growing.

01
Global IP threat feed
Live
02
More services
Coming soon
03
Broader coverage
Planned
Pricing

Priced by how much you query.

Plans scale with how many requests your team makes each day. Every tier ships the full feed and enrichment; higher tiers add API access and deeper support.

Base

For focused teams adding global context through the dashboard.

$120/yr
800 requests / day
  • Real-time global feed
  • Full IP enrichment
  • MITRE ATT&CK mapping
  • Hostility scoring
  • Dashboard access
  • Email support
Get started
Most popular

SMB

For growing security teams running active detection.

$1,990/yr
2,000 requests / day
  • Everything in Base
  • REST API + STIX 2.1
  • Extended sighting history
  • Priority support
Get started

SOC

For MSSPs and 24/7 SOCs operating at scale.

$2,790/yr
10,000 requests / day
  • Everything in SMB
  • Highest request volume
  • Dedicated support channel
  • Onboarding assistance
Get started

Start on any plan and upgrade whenever your team needs more. No need to commit to a higher tier up front. Billed monthly or annually (two months free on annual) and exclude VAT. Need a blocklist for your edge devices or a private instance? See more ways to deploy.

Service guarantee: if the feed ever goes down or fails to meet its commitment, we either extend your subscription to make up for the disruption or refund the unused balance of your plan. Your choice.

More ways to deploy

Beyond the feed, two more options.

Not every team consumes intelligence the same way. Push it into your network gear, or get a private, fully managed instance dedicated to your team.

For network equipment

Blocklist Feed

A curated blocklist you drop straight into your edge devices, firewalls, IPS and gateways. It stops common, known-bad traffic before it ever reaches your network.

  • Ready for edge firewalls, IPS and gateways
  • Blocks known threats upstream, before they act
  • Less noise for your analysts and operations team
  • Updated continuously from the live feed
Talk to usCustom pricing
Dedicated & managed

Private Instance

A dedicated CTIF instance we spin up and run in your region, just for you. Fully managed by us, single-tenant, and isolated to your team, without the burden of hosting it yourself.

  • Deployed and operated in your region
  • Single-tenant, isolated to your team only
  • Fully managed, no infrastructure to run
  • Custom request volume and dedicated keys
Talk to usCustom pricing
The attacks are already happening

Give your SOC a
head start.

Bring global, enriched and scored threat intelligence into your tools, and get ahead of the traffic that is already probing your network.

Five sensor regions, MITRE ATT&CK mapping, a REST API and STIX 2.1 export.