Threat intelligence you can audit end-to-end.
Most IP reputation services hand you a verdict and ask you to trust it. We hand you the verdict, the evidence, the methodology, and the math, because security professionals should be able to verify a verdict before acting on it.
SSH fingerprint clustering catches distributed operators that subnet and ASN grouping can't.
Attackers spread infrastructure across rented IPs in dozens of countries specifically to defeat subnet and ASN clustering, the technique most reputation services rely on. IntrusionLabs captures the SSH client fingerprint (HASSH) at session level and clusters on that instead, so a distributed campaign surfaces as one operator rather than hundreds of unrelated incidents.
An operator can defeat one clustering method. We run five at once.
Subnet, ASN-temporal, target-pattern, HASSH fingerprint, and scanner-organization detectors run together on every aggregation cycle. Each is tuned to a different dimension of coordination, so operators that evade one detector surface in another. HASSH clustering is the marquee example, but it is one of the five, not the whole game.
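The contrast the two paragraphs above draw, as an added Python example (not IntrusionLabs code): it derives a HASSH fingerprint from a client's KEX_INIT algorithm lists and then groups the same sessions by /24, by ASN, and by HASSH, so the fingerprint grouping is the only one that shows the distributed tooling as one operator. The algorithm lists, IPs, ASNs and session records are all constructed for the example.

```python
import hashlib
import ipaddress
from collections import defaultdict

def hassh(kex, enc, mac, comp):
    """HASSH client fingerprint: MD5 over the client's KEX_INIT algorithm
    lists (kex;enc;mac;comp), ';' between lists and ',' within a list."""
    raw = ";".join(",".join(algs) for algs in (kex, enc, mac, comp))
    return hashlib.md5(raw.encode()).hexdigest()

# Constructed KEX_INIT lists for two distinct SSH client implementations.
TOOL_A = (["curve25519-sha256", "ecdh-sha2-nistp256"],
          ["aes128-ctr", "aes256-ctr"], ["hmac-sha2-256"], ["none"])
TOOL_B = (["diffie-hellman-group14-sha256"], ["aes256-gcm@openssh.com"],
          ["hmac-sha2-512"], ["none", "zlib@openssh.com"])

# Constructed sessions (src_ip, asn, hassh): TOOL_A is rented across three
# unrelated /24s and ASNs, TOOL_B shares a /24 and an ASN with it.
SESSIONS = [
    ("203.0.113.10", 64500, hassh(*TOOL_A)),
    ("198.51.100.77", 64501, hassh(*TOOL_A)),
    ("192.0.2.200", 64502, hassh(*TOOL_A)),
    ("203.0.113.11", 64500, hassh(*TOOL_B)),
    ("198.51.100.5", 64503, hassh(*TOOL_B)),
]

def by_subnet(ip, asn, fp):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def by_asn(ip, asn, fp):
    return asn

def by_hassh(ip, asn, fp):
    return fp

def cluster_by(sessions, key):
    """Group source IPs under the key each detector clusters on."""
    groups = defaultdict(set)
    for ip, asn, fp in sessions:
        groups[key(ip, asn, fp)].add(ip)
    return {k: sorted(v) for k, v in groups.items()}

def distributed_operators(sessions, min_asns=2):
    """Fingerprints seen from at least min_asns distinct ASNs: the spread
    that per-subnet and per-ASN grouping cannot see as one actor."""
    asns = defaultdict(set)
    for ip, asn, fp in sessions:
        asns[fp].add(asn)
    return {fp: sorted(a) for fp, a in asns.items() if len(a) >= min_asns}
```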
First-party capture and OSINT corroboration, weighted into one score.
Censys and Shodan scan but don't run honeypots. AbuseIPDB and CrowdSec aggregate community reports but never see attack behavior firsthand. GreyNoise classifies its own traffic but doesn't fuse with public OSINT. IntrusionLabs does all three: first-party honeypot capture, plus seven external feeds, plus a published confidence formula that weights the two sources together.
Most threat feeds give you a flat list. We give you the graph.
A flat blocklist answers "is this IP bad?" An analyst's next question is always "what else looks like this?" Start from any IP, ASN, /24 subnet, HASSH fingerprint, or campaign and pivot to every related actor in one click. The 4,154-IP botnet write-up is a case study in exactly this UX.
Every verdict drills to the raw honeypot event.
Reputation feeds hand you a score. IntrusionLabs hands you the session transcript, the credentials tried, the commands run, the files dropped. Every campaign drills to its member actors, every actor to individual sessions, and every session to raw cowrie or opencanary event JSON. One click between layers.
Malicious, suspicious, benign, unknown. Every axis earns its label.
Most reputation services collapse intent to a single score or silently drop scanners from their exports. IntrusionLabs publishes the whole grid. Behavioral signals already on the actor (malware drops, credential harvesting, proxy abuse, Tor exit, corroboration) feed a reconciler that promotes intent every aggregation cycle: benign stays sticky, and everything else earns its way up.
Six signals. Published weights. No black boxes.
The confidence score is a weighted sum of six signals: cross-sensor corroboration, kill-chain depth, event volume, recency, protocol breadth, and external corroboration. The weights are published. The formula is reproducible. If you disagree with how we weight cross-sensor visibility against external feeds, you have everything you need to rescore in your own pipeline.
Every threat feed has outages. We publish ours.
Most threat feeds won't tell you when they went stale; they just keep serving yesterday's verdicts. IntrusionLabs publishes ingestion lag, aggregation lag, per-collector heartbeats, enrichment staleness, and campaign-detection freshness at a public endpoint. Point your monitoring at it; gate on it. All ten subsystems, all severity thresholds, all on the page.
Default to recent (7d), opt out to all-time. Stale data never inflates "active right now"; history is never thrown away.
Cowrie + opencanary on rented VPS across multiple geographies. First-party capture from sensors we run ourselves, not aggregated community reports or reseller feeds.
Every cluster carries a sentence explaining why these IPs were grouped, not a black-box verdict.
Seven OSINT corroboration sources, all free or CC0, same constraints our customers operate under. We don't pay for premium feeds you can't access; if we add commercial sources later, they'll be opt-in.
SSE feed at /feeds/threats/stream publishes honeypot events as they land. Rate-limited per IP, graceful reconnect.
Plain-text IP list at /feeds/threats with filters, HTTP 304 support, and generation timestamps in headers.
We don't have CrowdSec's volume: we have 3,236 actors active this week, not millions. Our pitch is depth, transparency, and pivot-ability, not raw coverage. Our sensor footprint is small and growing; live status at /api/v1/health/. Our confidence weights are hand-tuned, not learned, but the math is open so you can rescore if you disagree.
If you're picking a feed by IP-list size alone, we're not your tool. If you're a CTI practitioner who wants to understand what a verdict means before you act on it, keep reading.