Free Cyber Threat Intelligence Feeds

Real-time IOCs collected from globally distributed honeypots. Updated every hour. 100% free for the cybersecurity community.

Search IOCs Browse Feeds

Quick IOC Lookup

🔍
Malicious IPs
Updated hourly
Malicious Domains
Updated hourly
File Hashes
Updated hourly
Malicious Commands
Updated hourly

IP Address Distribution

Top 10 IP ranges by first octet

Domain TLD Distribution

Top 10 malicious domain TLDs

Available Threat Intelligence Feeds

🌐 IP Addresses

Malicious IP addresses from honeypot attacks

Comprehensive list of IP addresses that have attempted attacks on our honeypot infrastructure. Includes brute-force attempts, scanning, and exploitation attempts.

Browse IPs

🔗 Domains & URLs

Malicious domains and URLs detected

Collection of malicious domains and URLs used for phishing, malware distribution, C2 communication, and other malicious activities observed in our honeypots.

Browse Domains

🔐 File Hashes

Hashes of malicious files

MD5, SHA1, and SHA256 hashes of malware samples collected through our honeypot network. Useful for file reputation checks and malware detection.

Browse Hashes

⚡ Malicious Commands

Attack commands and payloads

Real commands and payloads executed by attackers on our honeypots. Includes shell commands, exploit attempts, and malicious scripts.

Browse Commands

🛡️ Suricata Rules

IDS/IPS rules for threat detection

Suricata rules generated from our threat intelligence. Deploy these rules in your IDS/IPS to detect and block known threats.

View Rules

📊 API Access

Programmatic access to feeds

Integrate our feeds directly into your security tools. All feeds are available via simple HTTP GET requests. No authentication required.

View Documentation

About Our Honeypots

Check-The-Sum operates a global network of honeypots - deliberately vulnerable systems designed to attract and monitor cyber attacks. By analyzing attacker behavior, we collect valuable threat intelligence that benefits the entire cybersecurity community.

What We Collect:

  • Source IP addresses of attackers
  • Malicious domains and URLs accessed
  • File hashes of malware samples
  • Commands and payloads executed
  • Attack patterns and techniques

How to Use This Data:

  • Block malicious IPs at your firewall
  • Add domains to DNS blocklists
  • Check file hashes before execution
  • Analyze attacker TTPs (Tactics, Techniques, and Procedures)
  • Enhance SIEM and security monitoring

Community Contributions

We also share our threat intelligence with leading security platforms:

VirusTotal AbuseIPDB