Skip to content
Latest
Jscrambler npm Compromise Shows Build Pipelines Need Runtime ControlsGhost Phishing Shows Why Email Security Must Follow the BrowserPakistani Police Intrusions Show Why Public-Sector Data Systems Are Strategic TargetsBad Epoll Shows Linux Kernel LPEs Belong in the Patch Priority QueueFake Payment SDKs Show Why Dependency Risk Is Credential RiskCritical UniFi Flaws Put Network Control Planes Back in the Patch QueueVidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak ControlsADFS Signing Keys Show Why Federation Servers Are Tier-Zero Identity InfrastructureUAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay InfrastructureFortiBleed Shows Firewall Credentials Are Ransomware FuelNetNut and Popa Takedown Shows Residential Proxies Are Now Attack InfrastructureVect and TeamPCP Show Supply-Chain Credentials Are Ransomware FuelOusaban Shows Banking Trojans Are Learning to Hide From SandboxesNUT upsmon Command Injection Shows UPS Monitoring Belongs in the Patch Queue

Threat Intelligence

Threat Feeds

Free, machine-readable indicators auto-extracted from our threat reporting. Plain-text blocklists for your firewall or DNS, plus CSV and JSON for your own tooling. Every feed regenerates automatically when we publish a new report, so the link stays the same and the data stays current.

3303 live indicators · 234 reports · updated on every report

Values are live and functional. They are auto-extracted and can include false positives, so test against your environment before you block.

Blocklists (plain text)

One indicator per line. Wire these straight into a firewall, DNS sink, Pi-hole, or SIEM.

Domains 932

Malicious and suspicious domains. Point DNS filtering, a web proxy, or Pi-hole at it.

https://bulwarkblack.com/feeds/domains.txt

IPv4 addresses and CIDR ranges. Drop or alert on them at the firewall.

https://bulwarkblack.com/feeds/ips.txt
URLs 363

Full malicious URLs for web proxy and gateway blocklists.

https://bulwarkblack.com/feeds/urls.txt

MD5, SHA-1, SHA-256, SHA-512 and import hashes. Hunt across your endpoints.

https://bulwarkblack.com/feeds/hashes.txt

Structured exports

indicators.csv

Every indicator with its type, how many reports it appears in, first and last seen, and an example report.

https://bulwarkblack.com/feeds/indicators.csv
indicators.json

The same data as JSON, including the full list of reports each indicator came from.

https://bulwarkblack.com/feeds/indicators.json

Look up a single indicator

Paste a domain, IP, hash, or CVE to check whether we have seen it and which reports it came from. Matched instantly against all 3303 indicators, right in your browser.

Prefer the API? Same data, one indicator at a time:

curl "https://bulwarkblack.com/api/ioc/lookup?value=1.2.3.4"

How to use them

Pull a feed

curl https://bulwarkblack.com/feeds/domains.txt

Refresh hourly (cron)

0 * * * * curl -s \
  https://bulwarkblack.com/feeds/ips.txt \
  -o /etc/blocklists/bulwark-ips.txt

Pi-hole / DNS sink

Add https://bulwarkblack.com/feeds/domains.txt as an adlist, then update gravity.