Sophos Firewall
Add third‑party threat feeds in Active Threat Response.
Firewall-First Threat Intel
Filter out the noise.
Drop attackers at the edge.
Cybora delivers continuously updated, curated threat feeds directly to your firewall. Automatically block malicious infrastructure, botnets, and scanners before they even touch your internal network.
IPv4, Domain & URL
HTTPS Delivery
Setup in 5 mins
Natively integrates with leading firewalls
Stop manual IP blocking
Don't fight an unwinnable battle against rotating IPs.
Stop the siege at the edge. By feeding curated threat intelligence directly into your firewall, you drop known attacker infrastructure at Layer 3. The noise vanishes instantly.
Block distributed attacks proactively.
Local rate-limits and IPS rules are easily bypassed by botnets rotating thousands of IPs. Cybora identifies and drops these coordinated attackers at the edge before they can even test your defenses.
Native firewall integration.
Achieve a massive security upgrade without the project overhead. Cybora feeds plug directly into the native external blocklist features of modern firewalls.
Automated, continuous synchronization.
Attackers rotate their infrastructure daily. Depending on your plan, Cybora syncs new indicators to your firewall automatically—as frequently as every 15 minutes.
Curated from global swarm intelligence.
We don't just pass on raw open-source lists. Cybora aggregates OSINT, commercial feeds, global honeypots, and real firewall telemetry—filtering out false positives to deliver only verified active threats.
A format every firewall understands.
No heavy JSON parsing or complex API integrations. Just a secure HTTPS endpoint returning a flat TXT file—one indicator per line. Perfect for native External Dynamic Lists (EDL).
1. The Endpoint URL
Append your unique license key and specify the indicator type you want your firewall to pull (ipv4, domain, or url).
https://api.cybora.io/feed?key=$KEY&type=ipv4
https://api.cybora.io/feed?key=$KEY&type=domain
https://api.cybora.io/feed?key=$KEY&type=url
2. The TXT Output
# Cybora Threat Intel Feed - IPv4
# Last updated: 2026-02-23T10:00:00Z
103.45.67.89
185.12.34.56
45.89.102.11
198.51.100.22
91.200.12.44
203.0.113.50
192.0.2.145
198.51.100.8
203.0.113.99
# Last updated: 2026-02-23T10:00:00Z
103.45.67.89
185.12.34.56
45.89.102.11
198.51.100.22
91.200.12.44
203.0.113.50
192.0.2.145
198.51.100.8
203.0.113.99
Deploy in under 5 minutes.
Stop treating threat intelligence like a massive IT project. Get your key, configure your firewall, and let your perimeter defend itself automatically.
1
Choose a plan
Pick Standard (IPv4) or upgrade to Premium/Ultimate for full domain and URL coverage.
2
Checkout
Secure self-serve purchase. Annual auto-renewing subscription.
3
Get your key
Instantly receive your unique license key. 1 key protects 1 firewall edge/device.
4
Paste URL
Add the URL into your firewall settings. It fetches the blocklist on your chosen schedule.
Built for precision, not just volume.
Why not just use free open-source lists? Because threat intelligence requires constant curation. Free lists are often outdated, untested, or extremely noisy. In a firewall context, noise is expensive: false positives create support tickets, and admins quickly stop trusting the feed.
Cybora focuses on one job: delivering a curated, firewall-friendly feed you can deploy and trust without babysitting.
What "Quality" means here
-
Multi-source aggregation
We blend OSINT, commercial feeds, and global honeypots to ensure broad coverage.
-
Curated for relevance
Aggressive deduplication and false-positive filtering specifically for firewall deployment.
-
Support included
Paid plans include dedicated technical support to help investigate and whitelist blocked traffic.
ACCESS PLANS
SELECT PROTECTION LEVEL
Basic Protection
STANDARD
$179/yr
Solid baseline. Fewer false positives through curation. Solid IPv4 coverage.
Updates
6h
Coverage
~45k IPs
Type
IPv4 Feed
Support
Standard
Advanced Protection
PREMIUM
$349/yr
Professional protection. Includes domains & URLs. Hourly updates.
Updates
1h
Coverage
~120k IPs
Extras
Domains & URLs
Support
Priority
Mission-Critical Protection
ULTIMATE
$1999/yr
15-minute updates for critical infrastructure & high-risk perimeters.
Updates
15 min
Coverage
Max (~180k)
Extras
Domains & URLs
Priority
Very high
Fair use
1 key = 1 device. Rate limits depend on plan to prevent abuse.
Renewals
Annual subscription that renews automatically unless cancelled.
Flexible Plans
Volume discounts and longer commitments (beyond 12 months) are available on request. Same base pricing applies regardless of company size.
Setup guides
Step-by-step instructions showing exactly where to paste the feed URL in your specific hardware.
Fortinet FortiGate
Configure external threat feeds and apply policies.
Palo Alto Networks
Register External Dynamic Lists (EDL) and enforce.
Cisco Secure Firewall
Import URL feeds and apply to access control.
Check Point
Configure external feeds and tune enforcement.
OPNsense
Fetch remote blocklists and apply in firewall rules.
Key & Abuse Protection
License keys are plan-scoped and protected with fair-use rate limits. One key is strictly intended for one firewall edge.
Operations & Status
Delivery is served over HTTPS and designed for predictable, automated polling 24/7/365.
View System Status →Security & Privacy
We don't collect your network traffic. Review our strict security and privacy pages for current data handling practices.
No-Risk Trial
Test compatibility with the Free Basic Feed.
We don't offer refunds, because we want you to be 100% sure Cybora works with your specific hardware setup before you spend a dime. Use our Basic feed to validate the URL delivery and TXT format.
Basic (Free) Limitations
- Indicator Type: IPv4 only
- Update Frequency: 24 hours
- Coverage: ~30k IPs
- Technical Support: None
When to upgrade: If you want to block malicious Domains + URLs, need hourly updates, or require support for investigating blocks, upgrade to Premium.
Frequently asked questions
Is it really 1 key = 1 firewall/device?
Yes. One license key is intended for one firewall device (or one logical HA cluster acting as a single edge). If you manage multiple sites or clients (MSP), you need one key per device. This keeps pricing predictable and prevents API abuse.
Will this feed block legitimate traffic?
While we aggressively curate our lists and maintain strict whitelists to minimize false positives, it is a reality of threat intelligence that an IP might be blocked incorrectly. Paid plans include dedicated support to help review blocks and fast-track removal of inaccurate indicators.
Does it auto-renew annually?
Yes. Subscriptions renew yearly unless cancelled. Checkout and billing is securely handled via our merchant of record, Lemon Squeezy.
What polling interval should I set?
Use your firewall's recommended interval. Depending on your plan, our data updates every 6h (Standard), 1h (Premium), or 15m (Ultimate). You should align your firewall's polling schedule roughly with your plan's update frequency.
What happens if my key is leaked?
You can request a key rotation at any time via support. We heavily monitor usage; if a key exceeds normal polling limits across multiple origin IPs, our abuse protections will temporarily throttle it. Keep your keys out of public documentation.
Do you offer refunds?
Not currently. Because you can completely validate compatibility and formatting for free using our Basic feed, all paid subscriptions are final.
Make your firewall quieter today.
Self‑serve purchase. Setup in minutes. Works flawlessly with any firewall that supports URL-based external threat feeds.