Threat Intelligence
Threat Feeds
Free, machine-readable indicators auto-extracted from our threat reporting. Plain-text blocklists for your firewall or DNS, plus CSV and JSON for your own tooling. Every feed regenerates automatically when we publish a new report, so the link stays the same and the data stays current.
3303 live indicators · 234 reports · updated on every report
Values are live and functional. They are auto-extracted and can include false positives, so test against your environment before you block.
Blocklists (plain text)
One indicator per line. Wire these straight into a firewall, DNS sink, Pi-hole, or SIEM.
Malicious and suspicious domains. Point DNS filtering, a web proxy, or Pi-hole at it.
https://bulwarkblack.com/feeds/domains.txtIPv4 addresses and CIDR ranges. Drop or alert on them at the firewall.
https://bulwarkblack.com/feeds/ips.txtFull malicious URLs for web proxy and gateway blocklists.
https://bulwarkblack.com/feeds/urls.txtMD5, SHA-1, SHA-256, SHA-512 and import hashes. Hunt across your endpoints.
https://bulwarkblack.com/feeds/hashes.txtStructured exports
Every indicator with its type, how many reports it appears in, first and last seen, and an example report.
https://bulwarkblack.com/feeds/indicators.csvThe same data as JSON, including the full list of reports each indicator came from.
https://bulwarkblack.com/feeds/indicators.jsonLook up a single indicator
Paste a domain, IP, hash, or CVE to check whether we have seen it and which reports it came from. Matched instantly against all 3303 indicators, right in your browser.
Prefer the API? Same data, one indicator at a time:
curl "https://bulwarkblack.com/api/ioc/lookup?value=1.2.3.4"
How to use them
Pull a feed
curl https://bulwarkblack.com/feeds/domains.txt
Refresh hourly (cron)
0 * * * * curl -s \ https://bulwarkblack.com/feeds/ips.txt \ -o /etc/blocklists/bulwark-ips.txt
Pi-hole / DNS sink
Add https://bulwarkblack.com/feeds/domains.txt as an adlist, then update gravity.