Threat intelligence with receipts.
Most IP reputation services hand you a verdict and ask you to trust it. We hand you the verdict, the evidence, the methodology, and the math — because security professionals shouldn't have to take anyone's word for it.
We found a 666-IP botnet last week. No one else can.
When attackers spread their infrastructure across rented IPs in 73 countries to defeat subnet and ASN clustering, traditional threat intel platforms see noise. We capture the SSH client fingerprint at session level and cluster on that — collapsing the disguise instantly. The botnet shows up as one campaign, not 671 unrelated incidents.
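The clustering idea described above, as an added example that is not this service's own code: it groups honeypot sessions by HASSH (the MD5 of the SSH client's offered algorithm lists) and reports fingerprints seen from many IPs in many /24s. The field names are assumed to follow cowrie's `cowrie.client.kex` event, and the thresholds, helper names and sample events are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict
from ipaddress import ip_network

def hassh(kex, enc, mac, comp):
    """HASSH: MD5 of the client's offered kex;encryption;MAC;compression lists."""
    joined = ";".join(",".join(algs) for algs in (kex, enc, mac, comp))
    return hashlib.md5(joined.encode()).hexdigest()

def cluster_by_hassh(lines, min_ips=3, min_subnets=3):
    """Group source IPs by SSH client fingerprint and keep fingerprints that
    appear from many IPs spread over many /24s (IPv4 assumed; thresholds are
    illustrative assumptions, not values from the page)."""
    members = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON log line
        if not isinstance(ev, dict) or ev.get("eventid") != "cowrie.client.kex":
            continue
        try:
            fp = ev.get("hassh") or hassh(ev["kexAlgs"], ev["encCS"], ev["macCS"], ev["compCS"])
            members[fp].add(ev["src_ip"])
        except KeyError:
            continue  # no source IP, or nothing to derive a fingerprint from
    clusters = {}
    for fp, ips in members.items():
        subnets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
        if len(ips) >= min_ips and len(subnets) >= min_subnets:
            clusters[fp] = {"ips": sorted(ips), "subnets": len(subnets)}
    return clusters

# Constructed sample data: documentation-range IPs and made-up algorithm offers.
BOT = dict(kexAlgs=["curve25519-sha256", "diffie-hellman-group14-sha1"],
           encCS=["aes128-ctr", "aes256-ctr"], macCS=["hmac-sha2-256"], compCS=["none"])
ADMIN = dict(kexAlgs=["curve25519-sha256"], encCS=["chacha20-poly1305@openssh.com"],
             macCS=["hmac-sha2-512"], compCS=["none", "zlib@openssh.com"])

def sample_lines():
    rows = [("192.0.2.10", BOT), ("198.51.100.7", BOT), ("203.0.113.99", BOT),
            ("203.0.113.5", ADMIN), ("203.0.113.5", ADMIN)]
    lines = [json.dumps({"eventid": "cowrie.client.kex", "src_ip": ip, **a}) for ip, a in rows]
    lines.append(json.dumps({"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10"}))
    lines.append("{truncated")  # malformed line, must be skipped
    return lines

if __name__ == "__main__":
    for fp, c in cluster_by_hassh(sample_lines()).items():
        print(fp, c["subnets"], "subnets", c["ips"])
```

A shared fingerprint only says the same client software is in use, so a cluster made of a stock OpenSSH or library default needs a second signal before it is treated as one campaign.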
What we saw, what they saw, weighted by who saw it.
Censys and Shodan scan but don't run honeypots. AbuseIPDB and CrowdSec aggregate community reports but never see attack behavior firsthand. GreyNoise classifies its own traffic but doesn't fuse with public OSINT. We do all three: first-party honeypot capture, plus seven external feeds, plus a published confidence formula that weights the two sources together.
See the methodology
Watch attackers work, don't just read the verdict.
Every campaign drills down to its member actors. Every actor drills down to individual sessions. Every session shows the raw cowrie or opencanary event JSON — the credentials they tried, the commands they ran, the files they tried to drop. One click between layers. No "trust us" required.
See the live threat feed
Censys isn't a threat. We tell you when we suppress them.
Most reputation services either treat legitimate scanners as attackers (contaminating their data) or silently filter them (hiding what they removed). We do neither: every benign scanner is tagged, capped at 0.1 confidence, excluded from threat campaigns — and still visible in the data so you can audit the call.
Six signals. Published weights. No black boxes.
Our confidence score is a weighted sum of six signals: cross-sensor corroboration, kill-chain depth, event volume, recency, protocol breadth, and external corroboration. The weights are published. The formula is reproducible. If you disagree with how we weight cross-sensor visibility against external feeds, you have everything you need to rescore in your own pipeline.
Read the methodology
Subnet, ASN-temporal, target-pattern, scanner-organization, and HASSH detectors run together — each catches what the others miss.
Default to recent (7d), opt out to all-time. Stale data never inflates "active right now"; history is never thrown away.
Our own freshness is published at /api/v1/health/. Check before you trust.
Cowrie + opencanary on rented VPS in Singapore and Seattle. When we say an IP attacked us, we mean us.
Every cluster carries a sentence explaining why these IPs were grouped — not a black-box verdict.
Seven OSINT corroboration sources, all free or CC0 — same constraints our customers operate under. We don't pay for premium feeds you can't access; if we add commercial sources later, they'll be opt-in.
We don't have CrowdSec's volume — we have 1,688 actors active this week, not millions. Our pitch is depth, transparency, and pivot-ability, not raw coverage. We have two sensors today (Singapore + Seattle); we're adding more. Our confidence weights are hand-tuned, not learned — but the math is open so you can rescore if you disagree.
If you're picking a feed by IP-list size alone, we're not your tool. If you're a CTI practitioner who wants to understand what a verdict means before you act on it — keep reading.