Source Registry
Registry of every data source used for IntrusionLabs threat assessments — sensors, GeoIP databases, OSINT feeds, and scoring algorithms — with ICD 206 reliability ratings.
Every data point on a threat actor — geolocation, ASN, cloud provider, VPN status, confidence score — is attributed to a specific source with version and timestamp. This registry lists every source that contributes to our assessments, rated on the Admiralty/NATO reliability scale (A–F).
Actor assessments derive from 2 sensor nodes running Cowrie Honeypot Sensors and OpenCanary Honeypot Sensors; are enriched with MaxMind GeoLite2 ASN (GeoLite2-ASN 2026-04-21), MaxMind GeoLite2 City (GeoLite2-City 2026-04-21), RouteViews BGP RIB (pyasn), and Reverse DNS (PTR) Lookup; are corroborated against 8 active external feeds; and are scored by 3 algorithmic models.
| Source | Provider | Type | Reliability | Version | Known Limitations |
|---|---|---|---|---|---|
| Campaign Detection Pipeline | IntrusionLabs | algorithm | C | — | Subnet/ASN grouping only. No behavioral similarity. 7d window. |
| Threat Confidence Scorer | IntrusionLabs | algorithm | B | — | Weighted 6-signal model. Recency decays over 7d. Events saturate at 1000. |
| Session Behavioral Classifier | IntrusionLabs | algorithm | B | — | Rule-based, most-specific-first. No multi-stage session handling. |
| MaxMind GeoLite2 ASN | MaxMind, Inc. | database | A | GeoLite2-ASN 2026-04-21 (updated 14 hours ago) | ASN assignment accurate; org name may lag transfers. |
| MaxMind GeoLite2 City | MaxMind, Inc. | database | B | GeoLite2-City 2026-04-21 (updated 14 hours ago) | Free tier ~67% city-level accuracy globally. Higher for US/EU. accuracy_radius varies. |
| RouteViews BGP RIB (pyasn) | University of Oregon / RouteViews | database | A | — | Snapshot of global routing table. Stale if not updated. No anycast handling. |
| Reverse DNS (PTR) Lookup | Network operator DNS | database | C | — | PTR records are operator-controlled. May be absent, stale, or misleading. |
| Blocklist.de All IPs | blocklist.de | feed | B | — | — |
| CINS Army Bad Reputation IP List | Sentinel IPS / CINS | feed | B | — | — |
| DShield Top Attackers (SANS ISC) | SANS Internet Storm Center | feed | B | — | — |
| Feodo Tracker Botnet C2 IP Blocklist | abuse.ch | feed | B | — | — |
| Spamhaus ASN Don't Route Or Peer List | The Spamhaus Project | feed | B | — | — |
| Spamhaus Don't Route Or Peer List | The Spamhaus Project | feed | B | — | — |
| Tor Exit Relay Addresses | The Tor Project | feed | B | — | — |
| X4BNet VPN/Proxy IP List | X4BNet | feed | B | — | — |
| Cowrie Honeypot Sensors | IntrusionLabs / Opaque Research | sensor | B | — | Low-interaction; attackers may detect emulation. Dst port normalized 2222->22. |
| OpenCanary Honeypot Sensors | IntrusionLabs / Opaque Research | sensor | B | — | Lower event volume than Cowrie. Reports service probes, not full session interaction. |
| Cloud Provider ASN Map | IntrusionLabs | static | B | — | 8 ASNs hardcoded. Incomplete coverage. No sub-ASN granularity. |
What this means for analysts:
Each enrichment on a threat actor record carries an inline citation identifying the source slug, database version, and timestamp. Any assessment can therefore be traced back to the exact data that produced it, which satisfies the source attribution requirements for intelligence reporting.