Zedmos
ZEDMOS CTI

Cyber Threat Intelligence — built for the inline data plane

An architecture that fuses curated feeds, offline GeoASN enrichment, and tier-aware distribution into the same engine that already runs your firewall.

[Architecture diagram: FEED SOURCES (curated: URLhaus, ThreatFox, OpenPhish, OTX, Spamhaus) -> INGEST PIPELINE (fetch · parse · FP filter · upsert) -> ENRICH + TIER (GeoASN via offline iptoasn dump · consensus · promote) -> DISTRIBUTE (STIX · TAXII · plain · Suricata · Pi-hole) -> FIREWALL (inline enforcement)]

What is the Zedmos CTI Hub?

The CTI Hub is the threat-intelligence backbone behind every Zedmos deployment. It continuously pulls curated feeds, runs a multi-layer false-positive filter, enriches every IPv4/IPv6 indicator with offline GeoIP and ASN data, and ships only the corroborated verified tier (with datacenter-hosted indicators held back) to your firewalls: same data plane, same console, same policy engine.

How it works

Sources

Operational, governmental and community feeds. Each feed is fetched within its own rate-limit quota; the operator sets the refresh interval per feed from the admin panel.

Ingest pipeline

Streamed fetch with retry and backoff, then a format-specific parser (plain, hosts, CSV, JSON, MISP, ThreatFox, OTX). Items are deduplicated, then run through a multi-layer false-positive filter: public-DNS allowlist, Tranco/Umbrella popularity lists, cloud-provider CIDR check by bisect over merged (overlap-free) ranges, and bogon detection.

GeoASN enrichment

Every IP indicator is looked up at ingest time against an offline iptoasn dump. Country, ASN and AS name are written into the IOC document: no per-IP HTTP call, no quota risk.
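The filter layers and the offline enrichment above, as an added worked example (illustrative code written for this page, not the Zedmos implementation). The allowlist, the cloud CIDRs and the three dump rows are constructed inputs; the TSV column layout (range start, range end, AS number, country, AS description) is the one iptoasn publishes, but the AS number 64500 and country code ZZ are placeholders. Cloud-range hits are flagged rather than dropped so the tier step can hold them at community; that split between filter and tier is an assumption about where the check belongs.

```python
"""Constructed example of the ingest-side false-positive filter and offline
GeoASN enrichment. Illustrative code, not the Zedmos implementation."""
import bisect
import ipaddress

# --- constructed inputs ------------------------------------------------------
# Public resolver addresses that feeds routinely mis-flag (exact-match allowlist).
PUBLIC_DNS_ALLOWLIST = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Cloud-provider CIDRs as published range files deliver them; deliberately
# overlapping so the merge step has something to do.
CLOUD_CIDRS = ["52.94.76.0/22", "52.94.77.0/24", "34.64.0.0/10", "35.180.0.0/16"]

# Three rows in iptoasn's TSV layout: range_start, range_end, AS number,
# country, AS description. AS 64500 / country ZZ are placeholders.
IPTOASN_TSV = """\
34.64.0.0\t34.127.255.255\t396982\tUS\tGOOGLE-CLOUD-PLATFORM
52.94.76.0\t52.94.79.255\t16509\tUS\tAMAZON-02
185.220.101.0\t185.220.101.255\t64500\tZZ\tEXAMPLE-AS
"""


def ip_key(addr):
    """Sort key that keeps IPv4 and IPv6 in separate, non-colliding spaces."""
    return (addr.version, int(addr))


def merge_ranges(ranges):
    """Sort (start, end) key pairs and fold any that overlap or are adjacent."""
    merged = []
    for start, end in sorted(ranges):
        last_end = merged[-1][1] if merged else None
        if last_end and last_end[0] == start[0] and start[1] <= last_end[1] + 1:
            merged[-1] = (merged[-1][0], max(last_end, end))
        else:
            merged.append((start, end))
    return merged


class RangeIndex:
    """Bisect over non-overlapping ranges: O(log n) per lookup, fully in memory."""

    def __init__(self, ranges, payloads=None):
        self.starts = [r[0] for r in ranges]
        self.ends = [r[1] for r in ranges]
        self.payloads = payloads

    def find(self, key):
        i = bisect.bisect_right(self.starts, key) - 1
        if i >= 0 and key <= self.ends[i]:
            return self.payloads[i] if self.payloads is not None else True
        return None


def cidrs_to_index(cidrs):
    raw = [(ip_key(n.network_address), ip_key(n.broadcast_address))
           for n in map(ipaddress.ip_network, cidrs)]
    return RangeIndex(merge_ranges(raw))


def load_iptoasn(tsv):
    """Parse iptoasn-style TSV rows into a payload-carrying RangeIndex."""
    rows = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        start, end, asn, cc, name = line.split("\t", 4)
        rows.append((ip_key(ipaddress.ip_address(start)), ip_key(ipaddress.ip_address(end)),
                     {"asn": int(asn), "country": cc, "as_name": name}))
    rows.sort(key=lambda r: r[0])
    return RangeIndex([(s, e) for s, e, _ in rows], [p for _, _, p in rows])


CLOUD = cidrs_to_index(CLOUD_CIDRS)
GEOASN = load_iptoasn(IPTOASN_TSV)


def is_bogon(addr):
    """Private, loopback, link-local, documentation and reserved space."""
    return not addr.is_global


def filter_ioc(value, tranco_top=frozenset()):
    """Run one indicator through the layers; return (doc_or_None, reason)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP: treat as a domain and apply the popularity-list allowlist.
        name = value.lower().rstrip(".")
        if name in tranco_top:
            return None, "tranco-umbrella"
        return {"type": "domain", "value": name}, "kept"
    if value in PUBLIC_DNS_ALLOWLIST:
        return None, "public-dns-allowlist"
    if is_bogon(addr):
        return None, "bogon"
    key = ip_key(addr)
    doc = {"type": f"ipv{addr.version}", "value": str(addr),
           # Flagged, not dropped: the tier step holds cloud-hosted IPs at community.
           "cloud_range": CLOUD.find(key) is not None}
    geo = GEOASN.find(key)  # offline: no per-IP HTTP, no quota
    if geo:
        doc.update(geo)
    return doc, "kept"
```

The merge step matters because published cloud range files overlap (a /24 inside a /22 is common); bisect only gives correct answers over a sorted, non-overlapping table. The same index type serves both the cloud check and the ASN lookup, so both cost one binary search per indicator.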

Tier classification

Promotion is driven by multi-source consensus: corroboration across distinct feeds, active enrichment confirmation, or honeypot ground truth moves an indicator to the verified tier. Datacenter-aware exception: IPs hosted in major cloud ASNs (AWS, GCP, Azure, Cloudflare, Akamai, Alibaba, Fastly, Oracle) stay community-tier unless an operator explicitly approves them; a shared cloud address blocked on feed evidence alone would break Microsoft 365 or Google Workspace traffic at customer firewalls.
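The promotion rule and the datacenter exception, as an added example written for this page (not the Zedmos tiering code). The threshold of two distinct feeds, the AS-number-to-provider table, and the IOC record layout are assumptions; the sample indicators use RFC 5737 and RFC 2606 placeholder addresses and names.

```python
"""Constructed example of consensus-driven tier promotion with the
datacenter-aware exception. Illustrative, not the Zedmos implementation."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed AS numbers for the cloud/CDN operators named on the page; a real
# deployment would derive this set from the GeoASN dump, not hard-code it.
CLOUD_ASNS = {
    16509: "AWS", 14618: "AWS", 396982: "GCP", 15169: "Google",
    8075: "Azure", 13335: "Cloudflare", 20940: "Akamai",
    45102: "Alibaba", 54113: "Fastly", 31898: "Oracle",
}
MIN_DISTINCT_FEEDS = 2  # assumed consensus threshold


@dataclass
class IOC:
    value: str
    feeds: Set[str] = field(default_factory=set)   # distinct feeds reporting it
    asn: Optional[int] = None                      # from GeoASN enrichment
    enrichment_confirmed: bool = False             # active check agreed
    honeypot_hit: bool = False                     # seen on own sensors
    approved: bool = False                         # explicit operator approval


def classify_tier(ioc: IOC) -> Tuple[str, str]:
    """Return (tier, reason); the reason string is meant for the audit trail."""
    consensus = (len(ioc.feeds) >= MIN_DISTINCT_FEEDS
                 or ioc.enrichment_confirmed
                 or ioc.honeypot_hit)
    if not consensus:
        return "community", "single source, no corroboration"
    if ioc.asn in CLOUD_ASNS and not ioc.approved:
        # Consensus is not enough for shared cloud space: hold at community
        # until an operator approves, so SaaS traffic is not collateral damage.
        return "community", f"hosted in {CLOUD_ASNS[ioc.asn]} (AS{ioc.asn}), awaiting approval"
    return "verified", "multi-source consensus"


def promote(iocs):
    """Classify a batch and return {value: tier} plus per-tier counts."""
    tiers = {i.value: classify_tier(i)[0] for i in iocs}
    counts = {"verified": 0, "community": 0}
    for t in tiers.values():
        counts[t] += 1
    return tiers, counts
```

Approval only lifts the cloud hold; it does not substitute for consensus, so an operator cannot accidentally promote a single-source indicator by approving it.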

Distribution

On every ingest cycle the snapshot materializer rebuilds the distribution files: STIX bundles, TAXII collections, plain-text URL/IP lists, Pi-hole, Suricata, MikroTik, OPNsense URL-tables, MISP feeds. Consumers either pull a signed snapshot or receive signed deltas pushed over webhooks.
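A snapshot materializer for four of the listed outputs (plain IP list, Pi-hole list, Suricata rules, STIX 2.1 bundle) with a signed manifest, as an added example written for this page and not the Zedmos code. It applies the default-tier selection described on this page (verified only, community per opted-in category, bogon and cloud-range documents never shipped). The IOC documents are constructed from RFC 5737 / RFC 2606 placeholders, the SID range, the UUID namespace and the HMAC key are assumptions, and HMAC stands in for whatever signature scheme a real deployment uses.

```python
"""Constructed snapshot materializer: tiered IOC documents -> plain, Pi-hole,
Suricata and STIX 2.1 outputs plus a signed manifest. Illustrative only."""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed IOC documents (placeholder addresses and names, not real IOCs).
IOCS = [
    {"type": "ipv4", "value": "203.0.113.9", "tier": "verified", "category": "c2"},
    {"type": "domain", "value": "phish.example", "tier": "verified", "category": "phishing"},
    {"type": "sha256", "tier": "verified", "category": "malware",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "ipv4", "value": "198.51.100.7", "tier": "verified", "category": "c2", "cloud_range": True},
    {"type": "domain", "value": "single.example", "tier": "community", "category": "phishing"},
    {"type": "ipv4", "value": "192.0.2.44", "tier": "community", "category": "scanner"},
]

SID_BASE = 9_000_000                    # assumed private SID range for generated rules
NS = uuid.NAMESPACE_URL                 # assumed namespace: stable ids across rebuilds
SIGNING_KEY = b"assumed-shared-secret"  # placeholder for a managed signing key

STIX_PATTERN = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "ipv6": "[ipv6-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def select(iocs, community_categories=()):
    """Default snapshot = verified tier; community only for opted-in categories.
    Hard gate: bogon / cloud-range documents never ship, whatever their tier."""
    out = []
    for d in iocs:
        if d.get("bogon") or d.get("cloud_range"):
            continue
        if d["tier"] == "verified" or (d["tier"] == "community"
                                       and d["category"] in community_categories):
            out.append(d)
    return out


def suricata_rule(doc, sid):
    if doc["type"] in ("ipv4", "ipv6"):
        return (f'alert ip $HOME_NET any -> {doc["value"]} any '
                f'(msg:"CTI {doc["tier"]} {doc["category"]} ip"; sid:{sid}; rev:1;)')
    if doc["type"] == "domain":
        return (f'alert dns any any -> any any (msg:"CTI {doc["tier"]} {doc["category"]} domain"; '
                f'dns.query; content:"{doc["value"]}"; nocase; sid:{sid}; rev:1;)')
    return None  # hashes and URLs are not rendered as Suricata rules here


def stix_bundle(docs, now):
    objs = [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(NS, f"{d['type']}:{d['value']}")),
        "created": now, "modified": now, "name": d["value"],
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERN[d["type"]].format(v=d["value"]),
        "pattern_type": "stix", "valid_from": now,
        "labels": [d["category"], f"tier:{d['tier']}"],
    } for d in docs]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid5(NS, "snapshot:" + now)),
            "objects": objs}


def materialize(iocs, community_categories=(), now=None):
    """Return {filename: content} for one snapshot, including a signed manifest."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    docs = select(iocs, community_categories)
    rules = (suricata_rule(d, SID_BASE + i) for i, d in enumerate(docs))
    files = {
        "ips.txt": "\n".join(d["value"] for d in docs if d["type"] in ("ipv4", "ipv6")) + "\n",
        "pihole.txt": "\n".join(d["value"] for d in docs if d["type"] == "domain") + "\n",
        "cti.rules": "\n".join(r for r in rules if r) + "\n",
        "bundle.json": json.dumps(stix_bundle(docs, now), sort_keys=True),
    }
    manifest = {"generated": now,
                "files": {n: hashlib.sha256(c.encode()).hexdigest() for n, c in files.items()}}
    body = json.dumps(manifest, sort_keys=True).encode()
    files["manifest.json"] = body.decode()
    files["manifest.sig"] = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return files


def verify_manifest(files):
    """Consumer side: check the signature, then every file digest it covers."""
    body = files["manifest.json"].encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, files["manifest.sig"]):
        return False
    digests = json.loads(body)["files"]
    return all(hashlib.sha256(files[n].encode()).hexdigest() == h for n, h in digests.items())
```

Signing the manifest rather than each file keeps one verification step per pull while still binding every output; a consumer that checks only `manifest.sig` and skips the per-file digests has verified nothing about the list it is about to enforce.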

Inline lookup

The Zedmos engine consults the catalog in the classify and evaluate stages of the packet pipeline. Domain, IP, JA3/JA4 and SHA256 indicators are matched by bisect lookup, and the verdict is written back into the same flow context that the firewall decision uses.

Why this matters

Lower false-positive rate

A periodic drift sweep removes IOCs that match newly added allowlist anchors. Datacenter-aware tiering protects legitimate cloud SaaS. A manually curated public-DNS allowlist blocks the most common feed-quality leak, public resolver addresses flagged as malicious.

Offline GeoASN at line rate

Public ip-api rate limits make per-IP lookups impractical at production volume. The offline dump gives in-memory, logarithmic-time (bisect) lookups with no quota risk; periodic refresh of the dump keeps drift low.

Multi-tier shipping

Default snapshots include only the corroborated (verified) tier. Operators can opt into the community tier per category. Hard gate: bogon and cloud-range IPs never reach the default snapshot on feed evidence alone, regardless of how many feeds list them.

Inline, not bolt-on

CTI lookup runs in the engine fast path next to NGFW/IDS/SD-WAN classification — single decision, single audit trail. No external proxy, no extra hop.

Operator transparency

Every snapshot is built from a fresh aggregation; cross-validation samples confirm tier criteria. A public verification endpoint exposes the metric history.

Industry-standard formats

STIX, TAXII, MISP feed, Pi-hole, Suricata, MikroTik — out of the box. Plug into any existing SOC tooling without translation.