Built for the analyst staring at an IP at 2 a.m. asking "what is this thing actually doing on the internet?"
IntrusionLabs is a CTI practitioner's tool. Not a blocklist for the SMB sysadmin, not a managed-blocking SaaS, not another aggregator. If you investigate threats for a living, this page is the contract for what we build, who we build it for, and what we deliberately don't sell.
We sell first-party honeypot capture, fused with public OSINT corroboration, with a published confidence formula and a drillable evidence chain — at a price point that doesn't gate working analysts out of the room. We are not GreyNoise (smaller, deeper). We are not Recorded Future (smaller, much cheaper). We are not CrowdSec (different product, different buyer). If you cobble together AbuseIPDB + VirusTotal + OTX + manual Googling today, we replace the bottom layer of that stack with something that has analyst-grade provenance.
// Who we built for
Specifically, the people who do this work:
- CTI analysts — in-house or contractor, doing attribution, reporting, and indicator development.
- Threat hunters — pivoting from one indicator to the next inside a SIEM, MISP, TheHive, or OpenCTI.
- Incident responders — reconstructing what an attacker did, not just who they were.
- Detection engineers — building Sigma / Splunk / KQL / Suricata rules from real attacker behavior.
- MSSP / MDR analyst teams — writing client-facing reports that need provenance behind every claim.
- Security researchers — academic or independent, citing data they can reproduce.
What unifies these roles isn't job title. It's the workflow: you receive an indicator, you need to understand it before you act on it, and the answer matters enough that you don't want a black-box verdict. You want the math, the evidence, and the trail.
// What we don't sell
We are not a "block bad IPs at your edge" product. CrowdSec, Fail2ban, Spamhaus DROP, and your existing WAF already do that — and most of them are free. We don't compete with that layer. If anything, we sit upstream of it.
We don't sell:
- Managed enforcement — we don't push rules into your firewall.
- Aggregated lists from 600+ feeds — we run our own sensors.
- Sanctions or compliance blocking — that's not what our data is for.
- A black-box risk score — every score has a reason string and a published formula.
- Volume signaling at the GreyNoise scale — we have months of data, not eight years.
If you came here looking for one of those, the right answer is elsewhere — and we'll happily point you at it. Saying no to the wrong customer is how we say yes to the right one.
// What we do sell
First-party honeypot capture, fused with public OSINT corroboration, with a published confidence formula and a drillable evidence chain. Six concrete commitments — each links to its deep-dive page on this site.
// What we are honest about
We are small. The numbers below come straight out of the production database when you load this page; if they look different an hour from now, that's the aggregation cycle running.
Anyone choosing a feed by raw IP count picks CrowdSec, not us, and they are right to. What we have is depth (we observe what attackers do, not just that they connected), transparency (the methodology is published, not a black box), and a price point that doesn't gate working analysts out of the room.
That's the trade. We will not catch the operator who is fragmented across hundreds of sensors. We will not be the feed your boss saw at RSA. We will be the feed your team can read end-to-end, reproduce from public sources, and cite with confidence in client-facing work.
// For teams and managed providers
If you run an MSSP, MDR, or managed-SOC practice, and your analysts write client-facing reports, IntrusionLabs is built to be a primary input to that work.
- White-label terms. Redistribute IL data inside your client-facing deliverables without attribution back to IL.
- Bulk-friendly rate limits. 10k requests/hour per key, 1,000 IPs per bulk call.
- STIX 2.1 / TAXII 2.1. Multiple collections, custom filters, native consumption by the TIPs your team already runs.
- Bulk export & audit logs. CSV / JSON / STIX dumps; access logs for your own compliance.
- Dedicated support. Named contact, business-hours SLA. One contract covers your analyst team and the clients they serve.
Three sub-tiers (Starter / Standard / Enterprise) sized by the number of client companies and analysts. Sales-assisted; evaluation periods available. Talk to us.
// Try it
Free, no signup, attribution if you redistribute. The evaluation surface is the production surface.