After 40 years in security, I'm building the threat intelligence I wish existed

January 1, 2026 · By IntrusionLabs · origin, founder

This is a New Year's resolution post.

I've spent about forty years working in security. "Cybersecurity" wasn't even a word yet when I started. We called it computer security, or systems security, or just "security" if you were in the right room. The current term only really took hold in the last decade or so, somewhere along the path from DITSCAP to DIACAP to the Risk Management Framework that replaced them. The label has changed three or four times across my career; the work hasn't, as much.

I'm starting a public threat intelligence project this year because the kind of CTI feed I wish existed for working analysts doesn't, and I want to spend the next stretch of my career building it rather than waiting for someone else to.

Quick career arc, because the why depends on the where I've been.

The early years

I started in this field when "firewall" was an academic paper, not a product category, and "computer science" was barely a degree program, let alone the dozen specialized tracks it is now. In the late 80s and early 90s I worked with and supported the research of Bill Cheswick and Steven Bellovin at Bell Labs, in the era when their work on circuit-level gateways was turning into the practical foundation of what the rest of the industry would later call firewalls. They were the researchers; my role was on the operational side, making the ideas run on real networks, against real traffic, at the kind of scale that ate naive implementations for breakfast.

Some of the work from those years got written up in a couple of books on early firewall design, in the trade press of the time, and on conference stages. I'm sometimes amused to find that those magazine pieces have outlasted their original publishers' websites by a decade or more.

The middle

From there I spent the late 90s in Boston, standing up enterprise internet infrastructure at one of the largest privately-held investment firms in the United States. The kind of organization that, even thirty years ago, was a named target for nation-state-aligned activity. The conversation about adversary capability (what they could do, what they were going to do) wasn't a slide deck; it was a daily operational concern. That experience reshaped how I thought about cybersecurity, because it broke the comforting assumption that most of the threats most organizations face are opportunistic. Some are. The interesting ones aren't.

After that: technical audit at one of the big-four consulting practices. Then early commercial onion-routing work, a venture-backed anonymity network that was running before Tor was even a research project at the U.S. Naval Research Lab. Then on-the-wire database protocol filtering at a security startup, working at the layer of the network where most monitoring tools never look. The pattern across that decade-and-change: pre-product security work, often inside organizations where "we'll figure it out later" was not an acceptable posture.

The last twenty-three years: the lens this is built through

About twenty-three years ago I moved into long-form U.S. defense advisory work. DoD systems engineering and adversary capability analysis, in domains where the threat was always a serious nation-state actor, not an opportunistic one. Federal accreditation frameworks for systems where being wrong was expensive. Strategic planning for cyber capability development. And ultimately Science & Technology intelligence work: technical threat analysis and nation-state-level future-threat characterization. Assess what adversaries can do today, project what they will be able to do, structure the answer in a way that survives skeptical review.

That discipline is the lens this product is built through, and it's the part that distinguishes IntrusionLabs from everything else in the threat-intel market.

S&T intelligence has a few habits that the commercial threat-intel market mostly doesn't. Chain of custody for every piece of evidence. Source reliability ratings on every input, not "is this feed any good" handwaving but something closer to ICD 206's structured A-through-F framework that says how much weight a given source's claim should carry. Reproducibility as a precondition for trust: any claim you make has to be defensible from the data you cite, by someone other than you, working from the same inputs. Alternative hypotheses considered, named, and dismissed with reasons.

These habits aren't artifacts of secrecy; they come from accountability. In a domain where a confident assessment that turns out wrong has expensive downstream consequences, showing your work is the discipline that protects you from being wrong in the first place.

The CTI feed I want to build is what happens when those habits get applied to commercial threat intelligence. The output isn't "here's a list of bad IPs, trust us"; it's the evidence chain, the methodology, the things we don't know, and the structured argument from data to assessment. If you've spent any time near the formal intelligence-analysis tradition you'll recognize the shape. If you haven't: every claim on this site is supposed to be reproducible from the data, the data is supposed to be inspectable, and you're supposed to be able to disagree with the methodology if you can read it.

Why now

I have spent a long career on the customer side of cybersecurity, on the inside of organizations where the right answer was institutional. I want to build something hands-on again, in the domain I know best, for an audience that has been quietly underserved for two decades.

The CTI market has a gap I have watched widen. Free feeds (AbuseIPDB, plain DShield, the abuse.ch family) are honest about being noisy and lump everything together as "scanner." Aggregators (isMalicious, CTIAware) cross-reference those feeds and ship a tidy API, but they don't generate any original intelligence; they're better plumbing for the same water. Commercial CTI feeds (Recorded Future, Mandiant, CrowdStrike) cost five figures a year minimum and most of them are opaque about how they reach their conclusions. Between $99/mo and $833/mo nothing serious exists for the working analyst.

That gap is where IntrusionLabs lives. Not at enterprise volume; we won't ever beat CrowdSec on raw IP count, and we don't try. But at enterprise depth and enterprise honesty: the kind of methodology, evidence chain, and source attribution that a CTI buyer at a Fortune 500 would expect, applied at a price point that doesn't gate working analysts out of the room.

Who this is for

If your day involves staring at an IP in a ticket and asking "what is this thing actually doing on the internet?", IntrusionLabs is built for you.

CTI analysts. Threat hunters. Incident responders. Detection engineers. MSSP analysts writing client-facing reports where every claim has to survive a client question. Security researchers who want to cite something they can verify. The practitioners who today cobble together AbuseIPDB plus VirusTotal plus AlienVault OTX plus manual Googling because GreyNoise is $833/mo and Recorded Future is $100k.

What we are not building: a managed-blocking SaaS for SMB sysadmins, or another aggregator of public feeds, or a black-box risk score. CrowdSec, Fail2ban, and Spamhaus DROP already serve that buyer well, mostly for free. We don't compete there.

If you want the longer version of who we built for and why, we wrote that down: Who is our customer?, including the conversation with a CTI-analyst friend that forced us to articulate it clearly.

What "enterprise honesty" actually means

A few specifics, because the marketing word doesn't mean much without them.

Every confidence score is reproducible. We publish the formula on the methodology page. Six weighted signals, hand-tuned weights, no black boxes. If you disagree with how we weight cross-sensor visibility against external corroboration, the math is fully transparent so you can rescore in your own pipeline. (How we score, in detail.)

Every external corroboration carries a source. Spamhaus DROP, Tor exit nodes, DShield, CINS Army, BlocklistDE, abuse.ch's Feodo Tracker, our own honeypot sensors. Every record on every actor tracks which feed flagged it, when, and how recently. We do not enrich silently with paid feeds and pass through opaque scores; everything we use is free or CC0, the same set our customers can themselves verify. That is a deliberate constraint. If you can't reproduce our work from public sources, we haven't done our job.

Every campaign carries a stated rationale. The cluster page tells you why we grouped these IPs together (geographic dispersion, shared SSH client fingerprint, target overlap, scanner-organization match), not just that we did. A defender can read the rationale and decide whether the heuristic matches their threat model. That is a different posture than a black-box classifier handing you a verdict.

The chain is drillable, end to end. Campaign → member actor → individual session → raw Cowrie or OpenCanary event JSON. Four clicks deep. If you don't trust our call, click through and decide for yourself. That posture is the whole thing. (Walk the chain.)

Modern pivots, not just IP reputation. HASSH SSH-client fingerprinting (one fingerprint surfaced a 4,154-IP botnet on its first run); JA4 for TLS clients next; credential-set fingerprints, file-hash pivots, MITRE ATT&CK tagging on every actor and campaign, STIX 2.1 / TAXII 2.1 export. The substrate for pivoting from one indicator to the next inside the SIEM, TIP, or playbook your team already runs.

We are honest about what we do not see. We have three sensors today, in NA West, NA East, and APAC. We do not have global coverage; we do not have GreyNoise's volume; we do not have Recorded Future's analyst stack. The detector catches coordinated, distributed, single-operator clusters; it is blind to fragmented operators and to operations below our thresholds. The catalog of features and limits lists both. Anyone who tells you their CTI feed is complete is selling you something.
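To make the HASSH pivot and the threshold blind spot concrete, here is an added example (my own illustration, not IntrusionLabs code) that computes HASSH from a client's KEX_INIT algorithm lists and groups honeypot sessions by fingerprint, keeping only fingerprints seen from enough distinct source IPs to be a candidate shared-tooling cluster. The session records and their field names are constructed for this example; the `min_ips` cutoff is an assumed threshold, and anything under it is exactly what a threshold-based detector does not see.

```python
import hashlib
from collections import defaultdict

# Constructed sample: one client KEX_INIT observation per honeypot session.
# Field names are this example's own assumption, not the feed's schema.
SESSIONS = [
    {"src_ip": "198.51.100.10", "session": "s1", "kex": "curve25519-sha256,ecdh-sha2-nistp256",
     "enc": "aes128-ctr,aes256-ctr", "mac": "hmac-sha2-256,hmac-sha1", "comp": "none"},
    {"src_ip": "198.51.100.23", "session": "s2", "kex": "curve25519-sha256,ecdh-sha2-nistp256",
     "enc": "aes128-ctr,aes256-ctr", "mac": "hmac-sha2-256,hmac-sha1", "comp": "none"},
    {"src_ip": "203.0.113.7", "session": "s3", "kex": "curve25519-sha256,ecdh-sha2-nistp256",
     "enc": "aes128-ctr,aes256-ctr", "mac": "hmac-sha2-256,hmac-sha1", "comp": "none"},
    {"src_ip": "203.0.113.7", "session": "s4", "kex": "curve25519-sha256,ecdh-sha2-nistp256",
     "enc": "aes128-ctr,aes256-ctr", "mac": "hmac-sha2-256,hmac-sha1", "comp": "none"},
    # A different client stack: different algorithm order, so a different HASSH.
    {"src_ip": "203.0.113.99", "session": "s5", "kex": "ecdh-sha2-nistp256,curve25519-sha256",
     "enc": "aes256-ctr,aes128-ctr", "mac": "hmac-sha1,hmac-sha2-256", "comp": "none,zlib"},
]


def hassh(kex: str, enc: str, mac: str, comp: str) -> str:
    """HASSH fingerprint: MD5 over the client's four KEX_INIT algorithm lists
    (kex, encryption, MAC, compression), each in the order the client sent
    them, joined with ';'. Same tooling and config -> same fingerprint."""
    return hashlib.md5(";".join((kex, enc, mac, comp)).encode("ascii")).hexdigest()


def cluster_by_hassh(sessions, min_ips=3):
    """Group sessions by HASSH and keep fingerprints seen from at least
    min_ips distinct source IPs: candidates for one operator's tooling
    spread across many hosts. Anything below the threshold is dropped,
    which is the blind spot any threshold-based detector has."""
    groups = defaultdict(lambda: {"ips": set(), "sessions": []})
    for s in sessions:
        fp = hassh(s["kex"], s["enc"], s["mac"], s["comp"])
        groups[fp]["ips"].add(s["src_ip"])
        groups[fp]["sessions"].append(s["session"])
    return {
        fp: {
            "distinct_ips": len(g["ips"]),
            "sessions": sorted(g["sessions"]),  # drillable back to the raw events
            "rationale": "shared SSH client fingerprint (HASSH)",
        }
        for fp, g in groups.items()
        if len(g["ips"]) >= min_ips
    }


if __name__ == "__main__":
    for fp, info in cluster_by_hassh(SESSIONS).items():
        print(fp, info)
```

The returned cluster keeps the session IDs and the rationale string so a reviewer can walk from the fingerprint back to each raw event and decide whether the grouping holds.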

Data, information, knowledge

Most threat-intel products stop at the bottom of the DIKW pyramid. Free feeds publish data. Aggregators repackage it as information. We're trying to climb one step further: structured analytic claims with named sources, named confidence, named alternative hypotheses, drillable to the raw event that produced them. Knowledge that other practitioners can use, audit, disagree with, and cite.

Wisdom is what you accumulate by being right more often than you're wrong over many years. We don't have years yet. The discipline that gets you there starts on day one with how you handle the data, and that's the part of S&T tradecraft I think actually transfers to the commercial CTI market.

What's coming this year

The first finding post is already up: the HASSH operator-discovery write-up on the 4,154-IP botnet the new pivot caught on its first run. There are several more in the queue:

  • A look at what 102 distinct SSH client fingerprints across our sensor data tells us about the attacker tooling ecosystem
  • The story of catching ourselves treating Censys as a threat, and what fixing that did to the feed (related: how the four-axis classifier got finished)
  • What our threat feed misses, written down in detail, because the limits matter as much as the captures
  • Why I do not trust any single threat feed, including my own, and what confidence scoring with published weights changes about that conversation

Plus the longer-arc work: a JA4 TLS pivot for HTTPS traffic, a credential-set fingerprint pivot, a file-hash pivot for malware payloads dropped on Cowrie sessions. STIX 2.1 bundles and TAXII 2.1 server endpoints so MISP, OpenCTI, and TheHive users can pull our data into their TIPs natively. SIEM integrations for Splunk, Elastic, Sentinel, and Wazuh.

And eventually a practitioner portal for vetted CTI analysts who want to do real threat-hunting on the data, accumulating documented experience and earning artifacts that count toward CISSP / CISM / GIAC continuing education. That is a longer project. But it's on the roadmap, because the supply-side flywheel (better analysts producing better curation producing a sharper feed) is the kind of moat that money alone does not buy.

Try it

The data and the API are free and public. No signup, no API key, no commercial-use restriction.

If any of this is interesting, subscribe by RSS. More as the year goes on.