Features / Fusion
// Deep dive — for CTI practitioners

The AND position

Most reputation services either run their own sensors or aggregate external reports. We do both, then weight the combination into a single score. Every corroboration carries its source, first-seen, and last-confirmed — so a customer can audit what came from where.

TL;DR

We run our own cowrie and opencanary honeypots. We also pull 8 free/CC0 OSINT feeds and check every actor against them on every aggregation cycle. Right now 5,262 actors carry at least one external corroboration and 895 carry two or more. The external signal is one of six weighted inputs into the confidence score — not a veto, not an override, a weighted input. Sources are published per actor.

// What we see right now

Active feeds: 8 (producing corroborations)
Corroborations: 61,436 (across all active feeds)
Corroborated actors: 5,262 (36.0% of 14,614 tracked)
Multi-source: 895 (≥ 2 independent feeds)

// Why the AND matters

Three shapes of reputation service exist in the market, and each is blind in a different way:

  • Scanning services (Censys, Shodan) see what's exposed but don't run honeypots, so they don't see who's attacking.
  • Aggregation services (CrowdSec, AbuseIPDB) see community reports but have no first-party capture — chain-of-custody is the open question.
  • First-party honeypot networks see real attacks but miss anything their sensors don't catch — sensor coverage is finite.

The AND position is: we saw them attack our sensors, and independent feeds corroborate that we're not the only ones seeing them. That's a stronger claim than either alone. A single-sensor observation with no corroboration stays at a low confidence until time and repeat visits build the signal. A single-sensor observation backed by three independent feeds immediately clears the bar for "real" — because we're not relying on our own volume, we're relying on the fact that several other people also saw them.

// Per-feed contribution

How much each feed contributes to the total corroboration pool. Not every feed has the same volume — some are narrow (Tor exits), some are broad (DShield). We pull them all and let the corroboration count do the deduping.

Feed                        Corroborations
Blocklist.de                22,762
CINS Army                   15,000
VPN Detection (X4BNet)      10,741
DShield Top Attackers       10,000
Spamhaus DROP                1,584
Tor Exit Nodes               1,344
Feodo Tracker                    5
All feeds free or CC0. No paid subscriptions — see our source list for reliability ratings and license notes.

// The lift in practice

These actors would have been dismissed as single-sensor noise if we were relying on first-party signal alone — each has five or fewer events on our sensors. External corroboration is the reason they carry a meaningful label at all.

Actor             1P events   Sources
65.49.1.88                5         3
167.94.146.58             3         3
64.62.156.48              1         3
101.206.107.245           4         3
65.49.1.177               4         3
107.155.48.46             3         3
193.176.31.147            2         3
222.89.169.98             2         3
Click any actor to see which specific feeds corroborated them and when.

// How the weighting works

External corroboration is one of six weighted inputs to the actor's confidence score, not a veto:

  • ≥ 3 independent feeds → full external signal (1.0)
  • 2 independent feeds → 0.7
  • 1 feed → 0.4
  • 0 feeds → 0.0

The external signal is weighted at 0.12 of the final score, alongside five first-party signals (cross-sensor visibility, interaction depth, event volume, recency, protocol breadth). See the full confidence formula for the weights on the other inputs.

The deliberate design choice: external corroboration lifts confidence, it doesn't replace first-party observation. An actor that scanned us once and is on three blocklists still doesn't hit the same confidence as an actor we've watched run a shell on three of our sensors. Both carry real signal; they carry different weights.

// What we don't do

  • No paid feeds. Every source is free or CC0. That's deliberate: an analyst with our published source list can pull the same data we pull, run the same lookup, and verify our calls. Paid feeds would make our enrichment unverifiable to anyone without the same paid subscription. If we add commercial sources later, they'll be labeled separately so the free baseline stays intact.
  • No per-IP API calls. We pull each feed in bulk on a schedule. That avoids rate limits, keeps us off provider deny-lists, and means our check_ip() path is a local DB lookup, not a network round-trip.
  • No silent enrichment. Every external match is stored as a first-class ExternalCorroboration record with source, indicator, first-seen, and last-confirmed. The list of sources corroborating a given actor is visible in the public API response at corroborated_by.
  • No source-weighting. Every feed counts equally. We don't trust Spamhaus DROP more than DShield — both are cited, both are independently auditable, and the number of independent feeds listing an actor is what drives the score. Upstream source reliability ratings are published separately for analyst context.
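The following is an added example, not the service's own code, written to illustrate both the weighting rules above (the 1.0 / 0.7 / 0.4 / 0.0 step on independent feed count, weighted at 0.12) and the design points in this section: bulk feed ingest with no per-IP network calls, one first-class ExternalCorroboration record per actor and feed with first-seen and last-confirmed, and a check_ip() that is a local lookup. The feed names come from the per-feed table on this page; the function names (ingest_feed, check_ip, external_signal), the store layout, and the feed snapshots (RFC 5737 documentation addresses, including one CIDR listing and one malformed line) are constructed assumptions for the example. It also generalizes slightly beyond the text by matching CIDR indicators, since some blocklists publish networks rather than single IPs.

```python
"""Added example: local corroboration store plus external-signal weighting (not the service's code)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Stated on the page: external signal is 0.12 of the final score; step function on feed count.
EXTERNAL_WEIGHT = 0.12
FEED_COUNT_TO_SIGNAL = {0: 0.0, 1: 0.4, 2: 0.7}  # >= 3 independent feeds -> 1.0


@dataclass
class ExternalCorroboration:
    source: str            # feed name
    indicator: str         # the feed line that matched (IP or CIDR)
    first_seen: datetime   # first cycle on which this feed listed the actor
    last_confirmed: datetime  # most recent cycle on which it still did


# Keyed by (actor_ip, source): a feed re-listing the same IP on a later cycle
# refreshes last_confirmed instead of adding a second corroboration, so the
# count per actor is the number of *independent* feeds, never raw hit volume.
Store = dict[tuple[str, str], ExternalCorroboration]


def _covers(indicator: str, ip: str) -> bool:
    """True if a feed indicator (single IP or CIDR network) covers the actor IP."""
    try:
        net = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return False  # malformed feed line: skip rather than crash the cycle
    return ipaddress.ip_address(ip) in net


def ingest_feed(store: Store, source: str, indicators: list[str],
                tracked_ips: list[str], now: datetime) -> int:
    """Check every tracked actor against one bulk feed snapshot; no per-IP network calls."""
    hits = 0
    for ip in tracked_ips:
        match = next((ind for ind in indicators if _covers(ind, ip)), None)
        if match is None:
            continue
        hits += 1
        rec = store.get((ip, source))
        if rec is None:
            store[(ip, source)] = ExternalCorroboration(source, match, now, now)
        else:
            rec.last_confirmed = now  # first_seen is preserved for audit
    return hits


def external_signal(n_feeds: int) -> float:
    """Page's step function: 0 -> 0.0, 1 -> 0.4, 2 -> 0.7, >= 3 -> 1.0."""
    return 1.0 if n_feeds >= 3 else FEED_COUNT_TO_SIGNAL[n_feeds]


def check_ip(store: Store, ip: str) -> dict:
    """Local DB-style lookup: count, feed list, and this input's share of the score."""
    sources = sorted(src for (actor, src) in store if actor == ip)
    signal = external_signal(len(sources))
    return {
        "ip": ip,
        "corroboration_count": len(sources),
        "corroborated_by": sources,
        "external_signal": signal,
        "external_contribution": round(signal * EXTERNAL_WEIGHT, 4),
    }


# Constructed data (RFC 5737 documentation ranges, not real actors); feed names from the page.
TRACKED = ["192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.99"]
CYCLE_1 = {
    "Blocklist.de": ["192.0.2.10", "192.0.2.20"],
    "CINS Army": ["192.0.2.10", "198.51.100.7"],
    "Spamhaus DROP": ["192.0.2.0/24"],        # CIDR listing covers both 192.0.2.x actors
    "Tor Exit Nodes": ["198.51.100.7"],
}
CYCLE_2 = {
    "Blocklist.de": ["192.0.2.10", "198.51.100.7"],  # re-lists .10, drops .20, adds a new actor
    "CINS Army": ["192.0.2.10"],
    "Spamhaus DROP": ["192.0.2.0/24"],
    "Tor Exit Nodes": [],
    "Feodo Tracker": ["not-an-ip"],           # malformed line, skipped by _covers()
}


def run_cycles() -> Store:
    """Two aggregation cycles one day apart over the constructed snapshots."""
    store: Store = {}
    t1 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 2, tzinfo=timezone.utc)
    for src, inds in CYCLE_1.items():
        ingest_feed(store, src, inds, TRACKED, t1)
    for src, inds in CYCLE_2.items():
        ingest_feed(store, src, inds, TRACKED, t2)
    return store


if __name__ == "__main__":
    s = run_cycles()
    for actor in TRACKED:
        print(check_ip(s, actor))
```

Records are never deleted when a feed stops listing an actor; last_confirmed simply stops advancing, which is what lets a consumer of the corroborated_by list apply its own staleness cutoff. Note that the maximum this input can add to the final score is 0.12, which is the mechanical reason an actor on three blocklists with one scan still cannot reach the confidence of one seen interacting on several sensors.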

// How to use it

See corroboration on any actor
GET /api/v1/actor/<ip>

Response includes corroboration_count and the full corroborated_by list of feed names.

Filter threat feed by corroboration
GET /api/v1/threats/ips?min_confidence=0.5

The confidence cutoff implicitly weights toward multi-source actors since corroboration is in the formula.

Browse the source list

The full roster of feeds, their licenses, and the ICD 206 reliability ratings: /intelligence/sources.

Read the formula

External corroboration is one of six signals weighted into the confidence score: /features/confidence/.

// See also