
A CTI analyst asked me 'who's your customer?' and I had three answers

May 1, 2026 · By IntrusionLabs · strategy, customer, positioning, founder

A friend of mine reviewed intrusionlabs.com last week.

She is a working CTI analyst, ex-USAF cyber, currently doing classified threat work. The kind of practitioner this site keeps gesturing at without ever quite addressing. I asked her for a read.

Her response came down to four words, and I have been thinking about them for a week:

This is very good data. Who is your customer?

That is the right question, and the fact that she had to ask it told me what was wrong before she said anything else.

The honest answer was three answers

When I sat down to write a clean reply to her, I realized I had three.

Answer one: small businesses who want a less noisy blocklist than AbuseIPDB or the free DShield feed. Cheap, automated, fire-and-forget.

Answer two: the very large CrowdSec installed base, sysadmins running pre-built bouncers on Cloudflare, Nginx, Fail2ban, looking for "a slightly better feed."

Answer three: working CTI analysts and threat hunters who today cobble together AbuseIPDB plus VirusTotal plus AlienVault OTX plus manual Googling, because GreyNoise is $833/mo and Recorded Future is $100k+/yr.

Three different buyers. Three different value propositions. Three different sales motions. All three sitting on the same homepage at the same time, written into different pages by different planning documents from different months. None of them disproved, all three carried forward, all three watering each other down.

She did not need to read those planning documents to feel it. The site was speaking three different languages and she could hear all three. "Who is your customer?" was her polite way of saying "I cannot tell, and that means you cannot tell either."

What the data had already decided

When I went back through what we had actually shipped, the answer to her question was sitting there in the catalog. We had not written it down; we had built it.

  • A drillable evidence chain. Campaign → member actor → session → raw cowrie/opencanary event JSON, four clicks deep, every level reproducible.
  • A confidence formula with the weights published on a methodology page. Six signals, hand-tuned, fully transparent. If you disagree with how we weight cross-sensor visibility against external corroboration, the math is on the methodology page.
  • Source-attributed corroboration. Every external feed signal we use is free or CC0: Spamhaus DROP, Tor exit nodes, DShield, CINS Army, BlocklistDE, abuse.ch's Feodo Tracker. No paid feeds passed through silently. Every record carries the source name, version, first-corroborated and last-confirmed timestamps.
  • Fingerprint pivots. Click any HASSH SSH-client fingerprint, see every other actor running it. The first one I ever clicked returned 4,154 IPs, one operator hiding behind ASN diversity. Credential, JA4, and file-hash pivots are next.
  • An honest four-axis classifier with the precedence rules published. Intent × category, every actor's classification reproducible from auditable signals, benign scanners tagged-and-capped but never hidden. The reason string behind every verdict is stored on the actor where you can read it.
  • A pipeline whose freshness is publicly queryable. /api/v1/health/ reports time-series DB connectivity, cache state, enrichment freshness, and campaign-detection freshness. Machine-readable, no auth, no marketing.

Look at that list and try to imagine a small-business sysadmin reading it. They will not. None of those features are operationally meaningful to a buyer who just wants their firewall to drop bad IPs.

Now imagine my friend reading it. She lives there. That is who we built for.

The site had quietly become a CTI practitioner's tool while the marketing copy was still writing for someone else. She felt the gap immediately because she was the resident audience and the site was talking past her.

What we are, said out loud

So here is the elevator pitch she asked us for, with no more hedging.

IntrusionLabs is built for working CTI analysts, threat hunters, incident responders, detection engineers, MSSP analysts writing client-facing reports, and security researchers. People who stare at an IP in a ticket and ask "what is this thing actually doing on the internet?"

We are not a "block bad IPs at your edge" product. CrowdSec, Fail2ban, Spamhaus DROP, and your existing WAF already do that, and most of them are free. We are not competing with that layer. If anything, we are upstream of it.

What we sell is first-party honeypot capture, fused with public OSINT corroboration, with a published confidence formula and a drillable evidence chain. Concretely:

  • A pivot you can chase. HASSH today; credentials, JA4, and file-hash pivots in flight. Given an artifact, find every actor carrying it. Then find every campaign clustered from it. /features/operator-discovery/
  • An evidence chain you can drill. Campaign down to raw event JSON, in four clicks. You do not have to take our word for anything. /features/provenance/
  • A confidence formula you can disagree with. Six signals, weights published, math fully transparent. If you do not like our weighting, rescore in your own pipeline. /features/confidence/
  • A four-axis classification you can audit. Intent × category. Every classification reproducible. Benign scanners tagged, capped, and excluded from clustering, but never hidden from you. /features/scanner-classification/
  • An "AND" position. First-party honeypot capture and public OSINT corroboration and confidence-scored fusion of the two. /features/fusion/
  • Sources we do not gatekeep. The same set of free / CC0 feeds you can verify yourself.
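The HASSH pivot above (the feature at /features/operator-discovery/, and the 4,154-IP result mentioned earlier) is easy to reason about once you see what the fingerprint actually hashes. The block below is an added example, not IntrusionLabs code: it computes HASSH the way the published spec defines it (MD5 over the client's four KEXINIT algorithm lists in the client-to-server direction, each comma-joined, concatenated with ';') and then groups constructed sessions by fingerprint to show the "many IPs, many ASNs, one client build" shape. The two KEXINIT offers, the IPs (RFC 5737 documentation ranges) and the ASNs (RFC 5398 documentation ASNs) are all invented for the example. One caveat worth carrying into any pivot: a shared HASSH proves shared tooling, which is consistent with one operator but also with many operators running the same off-the-shelf scanner build, so the pivot hands you the set to investigate rather than the attribution itself.

```python
import hashlib
from collections import defaultdict


def hassh_material(kex, enc_ctos, mac_ctos, comp_ctos):
    """Return the string HASSH hashes: the client's KEXINIT kex, encryption,
    MAC and compression lists (client-to-server direction), each comma-joined
    in the order the client sent them, concatenated with ';'. Order matters:
    the same algorithms offered in a different order give a different hash."""
    return ";".join(",".join(algs) for algs in (kex, enc_ctos, mac_ctos, comp_ctos))


def hassh(kex, enc_ctos, mac_ctos, comp_ctos):
    """HASSH client fingerprint: hex MD5 of the material above."""
    return hashlib.md5(hassh_material(kex, enc_ctos, mac_ctos, comp_ctos).encode()).hexdigest()


def pivot_by_hassh(sessions):
    """Group pre-auth SSH sessions by HASSH. Returns
    {fingerprint: {"ips": [...], "asns": [...]}} so an analyst can see how
    many source IPs and how many distinct ASNs carry the same client build."""
    groups = defaultdict(lambda: {"ips": set(), "asns": set()})
    for s in sessions:
        fp = hassh(*s["kexinit"])
        groups[fp]["ips"].add(s["ip"])
        groups[fp]["asns"].add(s["asn"])
    return {fp: {"ips": sorted(g["ips"]), "asns": sorted(g["asns"])}
            for fp, g in groups.items()}


# Two constructed KEXINIT offers, invented for this example; they are not the
# fingerprints of any real tool.
TOOL_A = (["curve25519-sha256", "diffie-hellman-group14-sha1"],
          ["aes128-ctr", "aes256-ctr"],
          ["hmac-sha2-256", "hmac-sha1"],
          ["none"])
TOOL_B = (["diffie-hellman-group14-sha256"],
          ["chacha20-poly1305@openssh.com"],
          ["hmac-sha2-512"],
          ["none", "zlib@openssh.com"])

# Constructed sessions: RFC 5737 documentation IPs and RFC 5398 documentation
# ASNs, so nothing here points at a real network.
SESSIONS = [
    {"ip": "203.0.113.10", "asn": 64496, "kexinit": TOOL_A},
    {"ip": "203.0.113.11", "asn": 64496, "kexinit": TOOL_A},
    {"ip": "198.51.100.5", "asn": 64497, "kexinit": TOOL_A},
    {"ip": "198.51.100.6", "asn": 64498, "kexinit": TOOL_A},
    {"ip": "192.0.2.77",   "asn": 64499, "kexinit": TOOL_A},
    {"ip": "192.0.2.200",  "asn": 64500, "kexinit": TOOL_B},
    {"ip": "192.0.2.201",  "asn": 64500, "kexinit": TOOL_B},
]


if __name__ == "__main__":
    # Largest cluster first: five IPs across four ASNs sharing one client build.
    for fp, g in sorted(pivot_by_hassh(SESSIONS).items(),
                        key=lambda kv: -len(kv[1]["ips"])):
        print(f"{fp}  ips={len(g['ips'])}  asns={len(g['asns'])}  {g['asns']}")
```

Run it and the TOOL_A cluster comes out with five IPs across four ASNs, which is the ASN-diversity pattern the post describes, while TOOL_B stays a two-IP, single-ASN group. The material string is exposed separately from the hash so you can compare it against what a packet capture of the KEXINIT shows when a fingerprint does not match what you expected.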

What we are honest about

I am running this from three honeypot sensors: Seattle, Newark, and Singapore (NA West, NA East, APAC), on two providers. About 14,000 tracked threat actors. About 3,000 active campaigns. Months of data, not years.

I do not have GreyNoise's volume. I do not have Recorded Future's analyst stack. Anyone choosing a feed by raw IP count picks CrowdSec, not us, and they are right to. What we have is depth (we observe what attackers do, not just that they connected), transparency (the methodology is published, not a black box), and a price point that does not gate working analysts out of the room.

That is the trade we have made. We will not catch the operator who is fragmented across hundreds of sensors. We will not be the feed your boss has heard of at RSA. We will be the feed your team can read end-to-end, reproduce from public sources, and cite with confidence in client-facing work.

The free blocklist still exists, on purpose

A practical note. We publish a free, no-auth, attribution-required IP blocklist at /feeds/v1/ips.txt. Plug it into pfSense, iptables, your edge firewall, whatever fits.

That feed is not a freemium gate into a paid blocklist tier. There is no paid blocklist tier. It is a byproduct of the same pipeline that produces everything else on the site. We publish it because (a) it costs us nothing to keep running, and (b) the practitioner reading this post might evaluate us by feeding it into their stack and clicking through to the actor pages to see how each IP got there. That is exactly the right way to evaluate us, and we want that to be effortless.

If you find it useful, attribute back to intrusionlabs.com. That is the whole license. Standard FireHOL / Spamhaus / abuse.ch pattern.
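One thing a practitioner should do before plugging any third-party IP list into an edge firewall, this one included: validate it, so a malformed, poisoned, or simply buggy feed cannot blackhole RFC 1918 space, your own public prefixes, or the whole internet. The block below is an added example, not IntrusionLabs code and not a description of how the live feed is produced. It assumes the feed is one IPv4 address or CIDR per line with '#' comments (the post does not show the exact format), works on a constructed sample that deliberately contains bad lines, and emits an `ipset restore` script that loads the result atomically by building a temporary set and swapping it with the live one.

```python
import ipaddress

# Ranges a feed entry must never touch: dropping these at the edge breaks your
# own network, not the attacker's. RFC 5737 documentation ranges are left out
# on purpose because the sample below uses them as stand-ins for attacker IPs.
PROTECTED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of a plain-text feed (assumed format, not the live
# intrusionlabs.com feed). The bad lines are deliberate, to exercise the checks.
SAMPLE_FEED = """\
# constructed sample, not the live intrusionlabs.com feed
203.0.113.7
198.51.100.0/24
10.0.0.5          # private: a poisoned or buggy feed must not block RFC 1918
0.0.0.0/0         # would blackhole everything
203.0.113.7       # exact duplicate
not-an-ip
2001:db8::1       # IPv6 entry in an IPv4 set
"""


def parse_feed(text, own_prefixes=(), min_prefixlen=8):
    """Validate a plain-text IP feed before it reaches a firewall.

    Returns (accepted, rejected): accepted is a list of canonical CIDR strings
    in feed order; rejected is a list of (raw_line, reason) for logging.
    own_prefixes: your own public ranges, never to be blocked on a feed's say-so.
    """
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((raw, "wrong address family"))
        elif net.prefixlen < min_prefixlen:
            rejected.append((raw, f"prefix shorter than /{min_prefixlen}"))
        elif any(net.overlaps(p) for p in PROTECTED_V4):
            rejected.append((raw, "overlaps protected range"))
        elif any(net.overlaps(p) for p in own):
            rejected.append((raw, "overlaps own prefix"))
        elif str(net) in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(str(net))
            accepted.append(str(net))
    return accepted, rejected


def render_ipset(nets, setname="intrusionlabs"):
    """Emit an `ipset restore` script that loads the feed atomically: fill a
    temporary set, then swap it with the live one, so the iptables rule that
    references `setname` never matches against a half-loaded set."""
    tmp = f"{setname}_new"
    lines = [f"create {setname} hash:net family inet -exist",
             f"create {tmp} hash:net family inet -exist",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    for raw, why in bad:
        print(f"REJECT {why:26} {raw.strip()}")
    print(render_ipset(ok))
```

On the sample, two entries survive and five are rejected with a reason each; pass your own public ranges in `own_prefixes` and an entry inside them is rejected too. Pipe the script into `ipset restore` and reference the set from a rule such as `iptables -I INPUT -m set --match-set intrusionlabs src -j DROP`; the block itself never fetches anything, so fetching /feeds/v1/ips.txt on a schedule is left to whatever already runs your cron jobs. Logging the rejections, rather than silently dropping them, is what tells you when an upstream feed has started to change shape.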

What changes from here

The marketing surface had been writing for three audiences and converting none of them well. From this week forward it writes for one.

  • The homepage hero will speak directly to the CTI practitioner. Other audiences are welcome but not the addressee.
  • The pricing page (when it ships) commits to a Free tier, a self-serve Pro tier for working practitioners, and a Team / MSSP tier for analyst teams that need white-label redistribution rights for client-facing reports. No more SMB-shaped tier ladder. No bundled cross-sells with our sister product.
  • The integration roadmap focuses on STIX/TAXII, SIEM lookups (Splunk, Elastic, Sentinel, Wazuh), MISP and TheHive integration, an MCP server for AI-assisted analyst workflows, and a future practitioner portal where vetted CTI analysts can author research on the data and earn artifacts toward CISSP / CISM / GIAC continuing education.

The strategic reasoning behind all of this lives in our internal architecture-decision records. Earlier strategy documents that aimed at the SMB sysadmin are preserved as superseded history; this is the working strategy now.

To my friend

You asked the right question. The data was already telling us; we were just slow to listen. If you are reading this, thank you for the read, the directness, and the gift of asking the one question that needed asking.

To everyone else: if your day involves staring at IPs in a ticket and asking what they actually do, try it.

Subscribe by RSS for the rest of the year's posts.