Documentation
Cybora Docs
Technical documentation for configuring, operating, and troubleshooting Cybora threat intelligence feeds.
Cybora Docs collect the implementation details that administrators need after choosing a firewall integration. Use these guides to understand feed formats, polling behavior, firewall-specific setup, and operational workflows.
Getting Started
Introduction
Learn what Cybora provides, how firewall threat feeds work, and how to roll out Cybora safely in production environments.
Feed URL format
Build a Cybora feed URL with the required license key and indicator type parameters.
Polling intervals
Choose a safe firewall refresh interval for Cybora feeds and avoid unnecessary polling or rate-limit issues.
concepts
Firewalls
Fortinet FortiGate
Set up Cybora threat feeds on Fortinet FortiGate with External Connectors, dynamic objects, and policies that block malicious IPs and domains.
Palo Alto Networks
Register Cybora as a Palo Alto Networks External Dynamic List to refresh threat indicators automatically and enforce policy without manual commits.
Cisco Secure Firewall
Connect Cybora threat feeds to Cisco Secure Firewall through Security Intelligence feeds in FMC and apply them in access control policies.
Check Point
Integrate Cybora with Check Point using External IoC feeds in SmartConsole so gateways can fetch observables and enforce Threat Prevention.
Sophos Firewall
Add Cybora threat feeds to Sophos Firewall with Active Threat Response and third-party threat feeds for automated indicator blocking.
SonicWall
Integrate Cybora with SonicWall using Dynamic External Address Groups and Objects to apply external IP or FQDN threat feeds in policy.
OPNsense
Configure Cybora threat feeds in OPNsense as URL Table Aliases and use them in firewall rules to block malicious IP infrastructure.
pfSense
Use Cybora threat feeds in pfSense with URL Table aliases, then apply the imported IP indicators directly in firewall rules.
Features
Signal Quality
Production Signals
Why production signals from real perimeters provide a different quality than pure datacenter sensor data, and how Cybora classifies such signals conservatively.
Behavior-based Signals
Why Cybora evaluates indicators not only by reputation, but also by observed behavior and operational enforceability.
Signal Correlation
How Cybora combines multiple observation points to turn individual hints into more reliable feed decisions.
Curated Threat Feeds
How Cybora derives a firewall-ready threat feed from OSINT, commercial feeds, sensors, and real signals.
Sensor Signals
How Cybora uses honeypots and sensors as early observation points without blindly copying datacenter noise into production feeds.
Identity Signals
How repeated failed cloud logins can be used as a cautious additional signal, and why NAT, VPNs, and shared IPs require special care.
Policy Confidence
Stop Active Attackers
Why Cybora makes active scanners, botnet targets, command-and-control infrastructure, and other known threat targets usable directly in firewall policies.
Policy Confidence
Why Cybora evaluates indicators not only by risk, but also by policy confidence, enforceability, and possible collateral damage.
Lower False Positives
How Cybora treats legitimate infrastructure cautiously and why lower collateral damage is critical for firewall feeds.
Signal Freshness
Why Cybora continuously reassesses indicators and lets stale evidence age in a controlled way.
Firewall Integration
Agentless Integration
Why Cybora uses existing external-list, alias, and threat-feed functions instead of placing a new system inside the network.
Feed Format
Why Cybora uses a firewall-native feed format and why one indicator per line is a real advantage in firewall operations.
Separate Feed Types
How Cybora separates IPv4, domain, and URL feeds, and why each type belongs in the matching firewall function.
Automatic Updates
How firewalls retrieve Cybora feeds regularly, and why polling intervals must fit the plan, platform, and operational goal.
Less Noise
How Cybora reduces recurring known attack noise and gives admins more focus for unresolved events.
Operations & Control
Any Firewall Vendor
Why Cybora as an HTTPS feed is not tied to a single firewall ecosystem, and how admins choose the right native path.
MSP-ready Keys
Why one key per firewall edge or HA cluster simplifies operations, support, tenant separation, and rotation.
Secure Feed URLs
How Cybora secures feed access with HTTPS and license keys, and what admins should consider after leaks or device changes.
Validation and Troubleshooting
Validate a Cybora feed deployment and resolve typical download, parsing, and policy problems.