After 25 years, I'm building the threat feed I wish existed

January 1, 2026 · By Joe Judge · origin, founder

This is a New Year's resolution post.

I've spent twenty-five years in cybersecurity. I'm starting a small, public threat intelligence project this year because the feed I wish existed for small and mid-market security teams doesn't, and I want to spend the next stretch of my career building it rather than waiting for someone else to.

Quick career arc, because the why depends on the where I've been.

The early years

I started in cybersecurity when "firewall" was an academic paper, not a product category. In the late 80s and early 90s I worked with and supported the research of Bill Cheswick and Steven Bellovin at Bell Labs, in the era when their work on circuit-level gateways was turning into the practical foundation of what the rest of the industry would later call firewalls. They were the researchers; my role was on the operational side — making the ideas run on real networks, against real traffic, at the kind of scale that ate naive implementations for breakfast.

Some of the work from those years got written up in a couple of books on early firewall design, in the trade press of the time, and on conference stages. I'm sometimes amused to find that those magazine pieces have outlasted their original publishers' websites by a decade or more.

The middle

From there I spent the late 90s in Boston, standing up enterprise internet infrastructure at one of the largest privately-held investment firms in the United States. The kind of organization that, even thirty years ago, was a named target for nation-state-aligned activity. The conversation about adversary capability — what they could do, what they were going to do — wasn't a slide deck; it was a daily operational concern. That experience reshaped how I thought about cybersecurity, because it broke the comforting assumption that most of the threats most organizations face are opportunistic. Some are. The interesting ones aren't.

After that: technical audit at one of the big-four consulting practices. Then on-the-wire database protocol filtering at a security startup, working at the layer of the network where most monitoring tools never look. Then early commercial onion-routing work — a venture-backed anonymity network that was running before Tor was even a research project at the U.S. Naval Research Lab. The pattern across that decade-and-change: pre-product cybersecurity, often inside organizations where "we'll figure it out later" was not an acceptable posture.

The last twenty-three years

About twenty-three years ago I moved into long-form U.S. defense advisory work — DoD systems engineering and adversary capability analysis, in domains where the threat was always a serious nation-state actor, not an opportunistic one. Federal accreditation frameworks for systems where being wrong was expensive. Strategic planning for cyber capability development. And ultimately technical threat analysis and nation-state-level future-threat characterization: assess what adversaries can do today, project what they will be able to do, structure the answer in a way that survives skeptical review.

That discipline is the lens this product is built through. The CTI work I want to do here is not "here's a list of bad IPs, trust us." It's "here is the evidence, here is the methodology, here is what we do not know, here is the structured argument from the data to the assessment." If you have spent any time near the formal intelligence-analysis tradition you will recognize the shape of that. If you haven't, the short version is: every claim I make on this site is supposed to be reproducible from the data, and the data is supposed to be inspectable.

Why now

I have spent a long career on the customer side of cybersecurity, on the inside of organizations where the right answer was institutional. I want to build something hands-on again — in the domain I know best, for an audience that has been quietly underserved for two decades.

The CTI market has a gap I have watched widen. Free feeds (AbuseIPDB, plain DShield) are honest about being noisy and lump everything together as "scanner." Commercial CTI feeds (Recorded Future, Mandiant, CrowdStrike) cost five figures a year and are opaque about how they reach their conclusions. The middle does not really exist for the small and mid-market security teams that arguably need it most — the ones running internet-facing services without the budget for a Recorded Future contract and without the staff to build their own analysis pipeline on top of free feeds.

That is the gap IntrusionLabs is building into. Not at enterprise volume — we won't compete with CrowdSec on raw IP count — but at enterprise depth and enterprise honesty: the kind of methodology, evidence chain, and source attribution that a CTI buyer at a Fortune 500 would expect, applied to a feed that fits a fifty-person security team's budget and operational tempo.

What "enterprise honesty" actually means

A few specifics, because the marketing word doesn't mean much without them.

Every confidence score is reproducible. We publish the formula on the methodology page. Six weighted signals, hand-tuned weights, no black boxes. If you disagree with how we weight cross-sensor visibility against external corroboration, the math is fully transparent so you can rescore in your own pipeline.

Every external corroboration carries a source. Spamhaus DROP, Tor exit nodes, DShield, CINS Army, BlocklistDE, abuse.ch's Feodo Tracker, our own honeypot sensors. Every record on every actor tracks which feed flagged it, when, and how recently. We do not enrich silently with paid feeds and pass through opaque scores; everything we use is free or CC0, the same set our customers can themselves verify.
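What a reproducible score with an inspectable evidence chain looks like in code, covering both the published-weights point above and the per-source corroboration point. This is an added illustration, not IntrusionLabs code: the six signal names, their weights, the 7-day half-life, the saturation points and the sample record are all constructed assumptions (the post only says there are six hand-tuned weighted signals and that each corroboration records which feed flagged the IP and when).

```python
"""Reproducible confidence scoring with an inspectable evidence chain.

Added illustration, not IntrusionLabs code. The six signal names, their
weights, the 7-day half-life and the sample record are constructed
assumptions; the post only says there are six hand-tuned weighted signals
and that every corroboration records which feed flagged the IP and when.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical published weights; a consumer can pass their own to rescore.
DEFAULT_WEIGHTS = {
    "cross_sensor_visibility": 0.25,  # fraction of our sensors that saw the IP
    "external_corroboration": 0.25,   # decayed count of independent free feeds
    "session_depth": 0.15,            # 0..1, how far into the honeypot it got
    "credential_attempts": 0.10,      # login volume, saturating at 100
    "recency": 0.15,                  # decay on the last sighting
    "persistence": 0.10,              # active days, saturating at 30
}
HALF_LIFE = timedelta(days=7)   # assumption: evidence halves in weight weekly
TOTAL_SENSORS = 2               # the post's two sensors (Singapore, Seattle)


@dataclass
class Corroboration:
    source: str           # e.g. "spamhaus_drop", "dshield", "feodo_tracker"
    flagged_at: datetime  # when that feed flagged the IP


@dataclass
class ActorRecord:
    ip: str
    sensors_seen: set
    corroborations: list
    session_depth: float
    credential_attempts: int
    last_seen: datetime
    active_days: int


def decay(when, now):
    """Exponential decay: 1.0 now, 0.5 after one half-life, and so on."""
    return 0.5 ** ((now - when) / HALF_LIFE)


def signals(record, now):
    """Each raw signal normalised to 0..1 so the weights are comparable."""
    corroboration = sum(decay(c.flagged_at, now) for c in record.corroborations)
    return {
        "cross_sensor_visibility": len(record.sensors_seen) / TOTAL_SENSORS,
        "external_corroboration": min(corroboration / 3, 1.0),  # saturates at 3 fresh feeds
        "session_depth": record.session_depth,
        "credential_attempts": min(record.credential_attempts / 100, 1.0),
        "recency": decay(record.last_seen, now),
        "persistence": min(record.active_days / 30, 1.0),
    }


def confidence(record, now, weights=DEFAULT_WEIGHTS):
    """Weighted sum of the six signals. Rejects weight sets that do not cover
    exactly those signals or do not sum to 1, so rescored values stay comparable."""
    sig = signals(record, now)
    if set(weights) != set(sig):
        raise ValueError(f"weights must cover exactly {sorted(sig)}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    return sum(weights[k] * sig[k] for k in sig)


def evidence_chain(record, now, weights=DEFAULT_WEIGHTS):
    """The structured argument from data to score: every signal's value,
    weight and contribution, plus which feeds corroborated and when."""
    sig = signals(record, now)
    return {
        "ip": record.ip,
        "score": confidence(record, now, weights),
        "signals": {k: {"value": sig[k], "weight": weights[k],
                        "contribution": weights[k] * sig[k]} for k in sig},
        "corroborated_by": sorted(
            ((c.source, c.flagged_at.isoformat()) for c in record.corroborations),
            key=lambda t: t[1], reverse=True),
    }


# Constructed sample record (documentation-range IP, not a real observation).
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE = ActorRecord(
    ip="203.0.113.42",
    sensors_seen={"sg1", "sea1"},
    corroborations=[Corroboration("dshield", NOW - timedelta(days=7)),
                    Corroboration("spamhaus_drop", NOW)],
    session_depth=0.8, credential_attempts=50, last_seen=NOW, active_days=15)

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_chain(SAMPLE, NOW), indent=2))
```

Rescoring is just `confidence(record, now, my_weights)` with a different dictionary; the validation in `confidence` keeps a consumer from silently dropping a signal or inflating the scale, and `evidence_chain` is the record a reviewer can check term by term rather than a bare number.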

Every campaign carries a stated rationale. The cluster page tells you why we grouped these IPs together — geographic dispersion, shared SSH client fingerprint, target overlap, scanner-organization match — not just that we did. A defender can read the rationale and decide whether the heuristic matches their threat model. That is a different posture than a black-box classifier handing you a verdict.

We are honest about what we do not see. We have two sensors today, in Singapore and Seattle. We do not have global coverage. The detector catches coordinated, distributed, single-operator clusters; it is blind to fragmented operators and to operations below our thresholds. The catalog of features and limits lists both. Anyone who tells you their CTI feed is complete is selling you something.

What's coming this year

The first finding post is already up: the HASSH operator-discovery write-up on the 4,154-IP botnet the new pivot caught on its first run. There are several more in the queue:

  • A look at what 102 distinct SSH client fingerprints across our sensor data tells us about the attacker tooling ecosystem
  • The story of catching ourselves treating Censys as a threat, and what fixing that did to the feed
  • What our threat feed misses, written down in detail, because the limits matter as much as the captures
  • Why I do not trust any single threat feed, including my own, and what confidence scoring with published weights changes about that conversation

Plus the longer-arc work: a JA4 TLS pivot for HTTPS traffic, a credential-set fingerprint pivot, a file-hash pivot for malware payloads dropped on Cowrie sessions. Same architecture as HASSH — capture the artifact, expose it as a pivot, auto-detect campaigns from it.
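The "capture the artifact, expose it as a pivot, auto-detect campaigns from it" architecture and the stated-rationale requirement from the "enterprise honesty" section above, as one added example (not IntrusionLabs code). HASSH itself is the public fingerprint scheme (MD5 over the client's KEX, cipher, MAC and compression algorithm lists); the session records, country codes, the `research-scanner` organisation label and the `MIN_IPS` / `MIN_COUNTRIES` thresholds are constructed assumptions.

```python
"""Artifact-pivot clustering: group SSH sessions by HASSH client fingerprint
and emit a stated rationale (or a stated exclusion) for every cluster.

Added illustration, not IntrusionLabs code. Sessions, org labels and
thresholds are constructed; the HASSH construction follows the public spec.
"""
import hashlib
from collections import defaultdict


def hassh(kex, enc, mac, comp):
    """HASSH client fingerprint: MD5 of the four algorithm lists, each
    comma-joined, then joined with ';' (the public hassh specification)."""
    raw = ";".join(",".join(alg) for alg in (kex, enc, mac, comp))
    return hashlib.md5(raw.encode()).hexdigest()


# Two constructed client profiles; the algorithm lists are illustrative only.
BOT_CLIENT = (["curve25519-sha256", "diffie-hellman-group14-sha256"],
              ["aes128-ctr", "aes256-ctr"], ["hmac-sha2-256"], ["none"])
ADMIN_CLIENT = (["curve25519-sha256"], ["chacha20-poly1305@openssh.com"],
                ["umac-128-etm@openssh.com"], ["none", "zlib@openssh.com"])

# Constructed sensor sessions: (src_ip, country, sensor, org, fingerprint).
# Documentation-range IPs; "research-scanner" is a hypothetical org label.
SESSIONS = [
    ("203.0.113.10", "BR", "sg1", None, hassh(*BOT_CLIENT)),
    ("203.0.113.11", "IN", "sg1", None, hassh(*BOT_CLIENT)),
    ("198.51.100.5", "US", "sea1", None, hassh(*BOT_CLIENT)),
    ("198.51.100.6", "DE", "sea1", None, hassh(*BOT_CLIENT)),
    ("192.0.2.77", "NL", "sg1", "research-scanner", hassh(*ADMIN_CLIENT)),
    ("192.0.2.78", "NL", "sea1", "research-scanner", hassh(*ADMIN_CLIENT)),
]

MIN_IPS = 3        # assumption: fewer distinct IPs is below our reporting threshold
MIN_COUNTRIES = 2  # assumption: what counts as "geographically dispersed"


def cluster_by_hassh(sessions, known_scanner_orgs=("research-scanner",)):
    """Pivot on the fingerprint, then write down why each group is (or is
    not) reported, so a defender can judge the heuristic against their own
    threat model instead of receiving a bare verdict."""
    by_fp = defaultdict(list)
    for s in sessions:
        by_fp[s[4]].append(s)

    clusters = []
    for fp, rows in by_fp.items():
        ips = sorted({r[0] for r in rows})
        countries = sorted({r[1] for r in rows})
        sensors = sorted({r[2] for r in rows})
        orgs = sorted({r[3] for r in rows if r[3]})
        rationale = []

        if set(orgs) & set(known_scanner_orgs):
            # Scanner-organisation match: excluded, but the exclusion is stated,
            # not applied silently.
            verdict = "excluded"
            rationale.append(f"scanner-organization match: {orgs}")
        elif len(ips) < MIN_IPS:
            verdict = "below_threshold"
            rationale.append(f"only {len(ips)} distinct IPs (< {MIN_IPS}); not reported")
        else:
            verdict = "campaign"
            rationale.append(f"{len(ips)} distinct source IPs share SSH client fingerprint {fp}")
            if len(countries) >= MIN_COUNTRIES:
                rationale.append(f"geographic dispersion across {len(countries)} countries: {countries}")
            if len(sensors) > 1:
                rationale.append(f"target overlap: seen on {len(sensors)} sensors {sensors}")
            rationale.append("limit: keyed on one artifact; an operator that rotates clients is not linked")

        clusters.append({"hassh": fp, "ips": ips, "countries": countries,
                         "sensors": sensors, "verdict": verdict, "rationale": rationale})
    return clusters


if __name__ == "__main__":
    for c in cluster_by_hassh(SESSIONS):
        print(c["verdict"], c["hassh"], c["ips"])
        for line in c["rationale"]:
            print("  -", line)
```

The same shape applies to the other pivots on the roadmap: swap `hassh` for a JA4 string, a credential-set hash or a dropped-file hash, keep the grouping and the written rationale. The `excluded` branch is the point of the Censys item in the list above: a cluster that is dropped because it matches a known scanner organisation should still appear in the output with that reason attached, so the decision can be audited later.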

And eventually a practitioner portal for vetted CTI analysts who want to do real threat-hunting on the data — accumulating documented experience and earning artifacts that count toward CISSP / CISM / GIAC accreditation. That is a longer project. But it is on the roadmap, because the supply-side flywheel — better analysts producing better curation producing a sharper feed — is the kind of moat that money alone does not buy.

Try it

The data and the API are free and public. No signup, no API key, no commercial-use restriction.

If any of this is interesting, subscribe by RSS. I will be writing more as the year goes on.

— Joe