Browse docs

Features

Curated Threat Feeds Instead of Risky Raw Lists

How Cybora derives a firewall-ready threat feed from OSINT, commercial feeds, sensors, and real signals.

Last updated: June 26, 2026

On this page

A good firewall feed is not simply the largest possible list. Raw data contains duplicates, stale entries, conflicting sources, unclear categories, and signals that are too risky for production blocking. Cybora curates these signals before delivering them as a feed.

Curation is the actual value of the service. It reduces the work an admin would otherwise have to do manually: compare sources, normalize entries, remove stale data, check risky targets, and turn the result into a format the firewall can actually consume.

The curation chain

Cybora follows a simple technical chain:

Source -> observed behavior -> independent evidence -> confidence -> collateral damage -> aging -> feed delivery

This chain is deliberately stronger than a single reputation hit. An indicator becomes more valuable when it is fresh, repeatedly observed, tied to clear behavior, and does not create obvious risk for legitimate business infrastructure.

Behavior context is decisive. An IP is not merely “bad” because it appears in a list. What matters is whether it stands out through scanning, exploit attempts, botnet communication, phishing, malware delivery, or repeated credential attacks. More about this is documented in Behavior-based Signals.

Why raw lists are problematic

Public lists can be very useful, but they are rarely optimized directly for production firewall policies. Common problems include:

  • stale IPs or domains that are now used legitimately
  • mixed indicator types in one file
  • missing information about signal freshness
  • too little context for shared hosting, CDNs, or cloud providers
  • lists larger than the capacity of certain firewall models

Cybora does not accept such sources blindly. They are treated as input signals, not as finished blocklists.

Which sources are included

Cybora continues to use public OSINT lists and commercial threat-intelligence feeds as important input signals. They are complemented by proprietary honeypot and sensor data, real firewall signals from participating production environments, and carefully evaluated identity signals such as repeated failed cloud logins across multiple independent environments.

Each source has strengths and limits. OSINT can be broad and fast, but stale or low-context. Commercial feeds add coverage, but are also not automatically firewall-ready. Honeypots see early internet noise, real firewalls show production perimeter reality, and identity signals can indicate password spraying or credential stuffing.

Cybora therefore treats these sources as signals, not final decisions. They become valuable through normalization, deduplication, correlation, freshness assessment, and the check whether an indicator can be used in a production firewall policy with acceptable risk.

What stays public and what stays internal

The public principle matters: Cybora combines multiple signal types, checks them for relevance, and delivers only firewall-ready indicators. Concrete weights, thresholds, source priorities, and individual partner details remain internal. This keeps the process understandable without exposing the actual curation logic.

The technical output format is documented in Feed URL Format and License Key.