Browse docs

Features

Stop Active Attackers Before They Reach Internal Systems

Why Cybora makes active scanners, botnet targets, command-and-control infrastructure, and other known threat targets usable directly in firewall policies.

Last updated: June 26, 2026

On this page

Cybora is designed to reduce known active threat infrastructure early at the perimeter. This can include IPv4 addresses, domains, or URLs associated with mass scanning, botnet communication, phishing, malware delivery, exploit attempts, or other malicious activity.

The decisive point is operational enforcement. An indicator is not interesting to Cybora merely because it appears in an analysis. It must also make sense for use in a firewall, DNS, web, or security policy.

Why the perimeter matters

Many attacks do not begin with a sophisticated exploit, but with repeated scanning, credential attacks, probe requests, botnet connections, or access to known malicious infrastructure. This activity burdens logs, creates recurring reviews, and often hits the same exposed services over longer periods.

When a firewall reduces such known sources or targets at the edge, internal systems and downstream controls have less unwanted traffic to process. This does not replace IPS, EDR, DNS security, or SIEM architecture, but it adds a pre-filtering layer.

In many environments, a threat feed works well as an upstream reputation layer: known active infrastructure is dropped or marked early, before more expensive checks such as IPS, WAF, proxy analysis, or SIEM correlation take over. The exact placement depends on the firewall platform, ruleset, and desired logging.

A controlled rollout is sensible at the start: retrieve the feed, verify list population, reference the policy, observe logging, and only then expand production use. Cybora is not a replacement for signature, behavior, or endpoint protection, but an additional filter for known infrastructure.

Which signals are relevant

Cybora primarily considers signals that are practical for a firewall policy:

  • repeated scanning against exposed services
  • infrastructure associated with botnets or command-and-control
  • phishing and malware delivery targets
  • suspicious sources for automated attack attempts
  • recurring patterns across multiple independent observation points

Not every hint automatically enters the feed. A single observation can be a starting point, but production enforcement requires additional evidence, freshness, and an assessment of possible collateral damage.

What is deliberately not promised

No threat feed can detect all attacks or guarantee that every malicious connection will be blocked. Cybora is intended to reduce known active infrastructure and recurring noise at the edge. New, targeted, or not-yet-observed attacks still need defense in depth, logging, and clean firewall policies.

For rollout, start in a controlled way: retrieve the feed, verify the import, enable logging, and observe policy effect. Technical validation is documented in Validation and Troubleshooting.