ZEDMOS CTI

Cyber Threat Intelligence — built for the inline data plane

An architecture that fuses curated feeds, offline GeoASN enrichment, and tier-aware distribution into the same engine that already runs your firewall.

[Architecture diagram: GeoASN (offline lookup, iptoasn dump) feeds the enrichment stage; Feed sources (URLhaus, ThreatFox, OpenPhish, OTX, Spamhaus) → Ingest pipeline (fetch, parse, FP filter, upsert) → Enrich + tier (GeoIP, ASN, consensus, tier) → Distribute (STIX, TAXII, plain, Suricata, Pi-hole) → Firewall]
LIVE STATS

Real-time numbers from the CTI hub

Sourced directly from the public /v1/public/stats and /v1/public/dashboard endpoints, refreshed every 30 seconds. The dashboard tiles are:

Total IOCs (catalog scope): across all tiers, catalog scope (verified + trusted ship by default)
Malicious domains: unique, sorted, deduped
Malicious IPs / CIDRs: v4 ranges, hijack netblocks
Active feeds: feeds whose last fetch succeeded
FP review queue: candidates flagged as false-positive
Allowlist: Tranco + Umbrella + cloud CIDRs (AWS/GCP/CF/GH) + seed
Cloud-IP FPs caught: IPs auto-suppressed as in-cloud-range (live)
Known-good smoke: every 6h sweep
Verified IOCs (multi-source): verified, multi-source corroborated
Catalog liveness (domains): alive and NXDOMAIN counts out of domains checked
Liveness coverage: domains awaiting first probe, out of total
Live-rate (verified-tier): verified + trusted samples, with sinkholed count
Live-rate (community-tier): community-tier samples, with sinkholed count
Total signal (live + sinkholed): % of audited IOCs that resolve as either live or known-sinkhole, which proves the catalogue isn't noise
Trusted IOCs (T1 single-source): USOM, CERT.pl, Spamhaus DROP, Feodo low-FP
Default firewall ship: verified + trusted indicators, shipped to every firewall by default
Community scope (opt-in): share of total scope, operator opt-in via community-domains.txt
Discovery candidates: pending review, out of total bot-found candidates
Cross-validation pass-rate: passed out of sampled, with last run time
Distribution snapshots: per-category materialized files
Bytes served (cached): total payload across categories
MITRE ATT&CK: STIX objects (enterprise + mobile + ICS)
TAXII 2.1 collections: live STIX 2.1 endpoints
Sightings 24h (anonymized): firewalls reporting, with all-time hits
Output formats: plain, Suricata, Pi-hole, OPNsense, MikroTik, RPZ, STIX, TAXII, MISP
Full stats and history on www.zedmos.net →

Operator console, historical time-series, per-feed health, category breakdown.

What is the Zedmos CTI Hub?

The CTI Hub is the threat-intelligence backbone behind every Zedmos deployment. It continuously pulls curated feeds, runs a multi-layer false-positive filter, enriches every IPv4/IPv6 indicator with offline GeoIP + ASN data, and ships only the corroborated, datacenter-aware verified set to your firewalls — same data plane, same console, same policy engine.

How it works

Sources

Operational, governmental and community feeds. Each feed is rate-limited to its own quota; the operator sets the refresh interval per feed from the admin panel.

Ingest pipeline

Streamed fetch with retry/backoff. Format-specific parser (plain, hosts, CSV, JSON, MISP, ThreatFox, OTX). Per-item dedup, then a multi-layer FP filter: public-DNS allowlist · Tranco/Umbrella · cloud-provider CIDR bisect (overlapping ranges merged) · bogon detection.

GeoASN enrichment

Every IP indicator is looked up against an offline iptoasn dump at ingest time. Country, ASN and AS-name are written to the IOC document — no per-IP HTTP, no quota risk.
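The two stages above, the FP filter's cloud-CIDR bisect with overlapping ranges merged plus bogon detection, and the offline iptoasn lookup, both reduce to one sorted-range binary search. The example below is added here and is not Zedmos code: it builds that shared index with Python's standard library, collapses overlapping provider CIDRs, applies the bogon and cloud-range gates in order, and enriches survivors with country/ASN/AS-name. The bogon list, cloud CIDRs and the iptoasn-style TSV rows are constructed sample data (documentation address ranges and documentation ASNs), not real allocations.

```python
"""Added example (not Zedmos code): bogon + merged cloud-CIDR suppression and
offline GeoASN enrichment over one sorted-range index. Constructed data only."""
import bisect
import ipaddress


class RangeIndex:
    """Sorted, disjoint [start, end] integer ranges, each carrying a payload.
    Lookup is one bisect: O(log n), no network I/O, no per-IP API quota."""

    def __init__(self, ranges):
        rows = sorted(ranges, key=lambda r: r[0])   # (start_int, end_int, payload)
        self._starts = [r[0] for r in rows]
        self._rows = rows

    def lookup(self, ip_int):
        i = bisect.bisect_right(self._starts, ip_int) - 1
        if i >= 0 and ip_int <= self._rows[i][1]:
            return self._rows[i][2]
        return None


def build_cidr_index(cidrs):
    """Collapse overlapping (and adjacent) CIDRs, then index per IP version.
    The payload is the merged network as text, so a hit names the range."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    index = {}
    for version in (4, 6):
        merged = ipaddress.collapse_addresses([n for n in nets if n.version == version])
        index[version] = RangeIndex(
            (int(n.network_address), int(n.broadcast_address), str(n)) for n in merged
        )
    return index


def load_iptoasn(text):
    """Parse an iptoasn-style TSV (range_start, range_end, asn, country, as_name)
    into one index per IP version; v4 and v6 integers must never share an index."""
    rows = {4: [], 6: []}
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, asn, cc, name = line.split("\t", 4)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        rows[lo.version].append(
            (int(lo), int(hi), {"asn": int(asn), "country": cc, "as_name": name})
        )
    return {v: RangeIndex(r) for v, r in rows.items()}


# Constructed bogon subset (RFC 1918, loopback, link-local, multicast, ULA).
# A production list also carries the RFC 5737/3849 documentation ranges; this
# example deliberately uses those as stand-in public address space instead.
BOGON_CIDRS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
               "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
               "::1/128", "fc00::/7", "fe80::/10"]

# Constructed cloud-provider ranges: the first two overlap and collapse to one /25.
CLOUD_CIDRS = ["198.51.100.0/25", "198.51.100.64/26", "2001:db8:cafe::/48"]

# Constructed iptoasn-style dump; ASNs 64500-64502 are documentation ASNs (RFC 5398).
IPTOASN_DUMP = (
    "198.51.100.0\t198.51.100.255\t64500\tUS\tEXAMPLE-AS-A\n"
    "203.0.113.0\t203.0.113.127\t64501\tDE\tEXAMPLE-AS-B\n"
    "2001:db8::\t2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\t64502\tNL\tEXAMPLE-AS-C\n"
)

BOGONS = build_cidr_index(BOGON_CIDRS)
CLOUD = build_cidr_index(CLOUD_CIDRS)
GEOASN = load_iptoasn(IPTOASN_DUMP)


def filter_and_enrich(ip_str, bogons=BOGONS, cloud=CLOUD, geoasn=GEOASN):
    """Apply the FP gates in order (bogon, then cloud range); if the IP survives,
    write country/ASN/AS-name into the IOC document from the offline dump."""
    addr = ipaddress.ip_address(ip_str)
    key = int(addr)
    doc = {"ip": ip_str, "suppressed": None, "country": None, "asn": None, "as_name": None}
    hit = bogons[addr.version].lookup(key)
    if hit:
        doc["suppressed"] = "bogon:" + hit
        return doc
    hit = cloud[addr.version].lookup(key)
    if hit:
        doc["suppressed"] = "cloud-range:" + hit
        return doc
    geo = geoasn[addr.version].lookup(key)
    if geo:
        doc.update(geo)
    return doc


if __name__ == "__main__":
    for ip in ("10.1.2.3", "198.51.100.42", "198.51.100.200", "203.0.113.5", "2001:db8::1"):
        print(filter_and_enrich(ip))
```

Keeping the index disjoint is what makes the single bisect sufficient: `collapse_addresses` guarantees that for the CIDR lists, and an iptoasn dump is already non-overlapping per version. Note that adjacent bogon blocks also merge (e.g. two neighbouring /4s become a /3), so the reported range name is the merged block rather than the entry as written.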

Tier classification

Multi-source consensus drives promotion: distinct feeds OR active enrichment confirmation OR honeypot ground-truth → verified tier. Datacenter-aware exception: IPs hosted in major cloud ASNs (AWS/GCP/Azure/Cloudflare/Akamai/Alibaba/Fastly/Oracle) stay community-tier unless explicitly approved — prevents Microsoft 365 / Google Workspace breakage at customer firewalls.
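The promotion rule and its datacenter-aware exception, as an added example that is not Zedmos code. Assumptions: "distinct feeds" is read as two or more feeds listing the same indicator; the trusted (T1) feed names are the ones the page lists; the cloud ASN numbers are placeholders from the documentation ASN range, not the providers' real ASNs; and the `suppressed` field on an IOC comes from an earlier bogon/cloud-range filter. `default_snapshot` applies the shipping rule (verified + trusted by default, suppressed entries never).

```python
"""Added example (not Zedmos code): tier classification with the cloud-ASN
exception, plus the default-snapshot gate. Constructed sample IOCs only."""

# Feeds whose single-source indicators earn the trusted (T1) tier (names from the page).
TRUSTED_FEEDS = {"usom", "cert.pl", "spamhaus-drop", "feodo-lowfp"}

# Placeholder ASNs from the documentation range (RFC 5398); a real deployment
# would list the actual ASNs of AWS/GCP/Azure/Cloudflare/etc. here.
CLOUD_ASNS = {64496: "aws", 64497: "gcp", 64498: "azure", 64499: "cloudflare"}


def classify(ioc):
    """Return 'verified', 'trusted' or 'community' for one enriched IOC dict.
    Cloud-hosted IPs stay community-tier unless explicitly approved, no matter
    how strong the consensus, so a shared SaaS address is never auto-blocked."""
    sources = set(ioc.get("sources", ()))
    in_cloud = ioc.get("asn") in CLOUD_ASNS      # domains carry no ASN -> never in cloud
    if in_cloud and not ioc.get("approved", False):
        return "community"
    consensus = (len(sources) >= 2                      # assumption: 'distinct feeds' = 2+
                 or ioc.get("enrichment_confirmed", False)
                 or ioc.get("honeypot_hit", False))
    if consensus:
        return "verified"
    if sources & TRUSTED_FEEDS:
        return "trusted"
    return "community"


def default_snapshot(iocs):
    """IOCs that ship to every firewall by default: verified + trusted tiers,
    with the hard gate that suppressed (bogon / cloud-range) entries never ship."""
    out = []
    for ioc in iocs:
        if ioc.get("suppressed"):
            continue
        tier = classify(ioc)
        if tier in ("verified", "trusted"):
            out.append((ioc["value"], tier))
    return out


# Constructed sample IOCs (documentation addresses and placeholder ASNs).
SAMPLE_IOCS = [
    {"value": "203.0.113.5", "sources": ["urlhaus", "threatfox"], "asn": 64501},
    {"value": "203.0.113.9", "sources": ["otx"], "asn": 64496, "honeypot_hit": True},
    {"value": "203.0.113.10", "sources": ["otx"], "asn": 64496, "honeypot_hit": True,
     "approved": True},
    {"value": "203.0.113.77", "sources": ["spamhaus-drop"], "asn": 64501},
    {"value": "bad.example", "sources": ["openphish"]},
    {"value": "198.51.100.42", "sources": ["urlhaus", "threatfox"],
     "suppressed": "cloud-range:198.51.100.0/25"},
]


if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        print(ioc["value"], "->", classify(ioc))
    print("default snapshot:", default_snapshot(SAMPLE_IOCS))
```

The order of checks matters: the cloud-ASN gate runs before consensus is even computed, which is what makes the exception hold "regardless of feed". Approval is the only way a cloud-hosted IP reaches the default snapshot, and an IOC already suppressed by the CIDR filter is dropped before its tier is consulted at all.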

Distribution

On every ingest cycle the snapshot materializer rebuilds the distribution files: STIX bundles, TAXII collections, plain-text URL/IP lists, Pi-hole, Suricata, MikroTik, OPNsense URL-tables, MISP feeds. Signed pull or push delta over webhooks.

Inline lookup

The Zedmos engine consults the catalog during the classify+evaluate pipeline stages on every packet. Domain, IP, JA3/JA4, SHA256 — bisect lookup, decision back into the same flow context.

Why this matters

Lower false-positive rate

Periodic drift sweep removes IOCs that match newly-added allowlist anchors. Datacenter-aware tiering protects legitimate cloud SaaS. Manual public-DNS allowlist blocks the most common feed-quality leaks.

Offline GeoASN at line rate

Public ip-api rate-limits make per-IP lookups impossible at production volume. The offline dump gives constant-time lookups and no quota risk; periodic refresh keeps drift low.

Multi-tier shipping

Default snapshots include only the corroborated tier. Operators can opt into the community tier per category. Hard gate: bogon and cloud-range IPs never reach the default snapshot, regardless of feed.

Inline, not bolt-on

CTI lookup runs in the engine fast path next to NGFW/IDS/SD-WAN classification — single decision, single audit trail. No external proxy, no extra hop.

Operator transparency

Every snapshot is built from a fresh aggregation; cross-validation samples confirm tier criteria. A public verification endpoint exposes the metric history.

Industry-standard formats

STIX, TAXII, MISP feed, Pi-hole, Suricata, MikroTik — out of the box. Plug into any existing SOC tooling without translation.