Threat Intel
Signed indicator manifests (IPs, domains, hashes) pushed every 5 minutes. Use them in WAF, microseg, EDR or your own SIEM.
What it is
Threat Intel produces signed manifests of known-bad indicators (IPs, domains, JA3, file hashes, ASN, certificate fingerprints). Subscribe via API, webhook or feed; verify the Ed25519 signature; consume in the WAF, in your microseg policies, or in your own SIEM/EDR.
When to use it
- Feed your SIEM with curated bad-actor intel.
- Drop traffic from known-malicious infrastructure in the WAF.
- Trigger an alert when a host phones home to a known C2.
Quickstart
asc shield threat-intel feeds list
asc shield threat-intel pull --feed malware-c2 --since -15mclient.shield.threat_intel.pull(feed='malware-c2', since='-15m')await client.shield.threatIntel.pull({ feed: 'malware-c2', since: '-15m' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Update cadence | 5 min | — | |
| Feeds | malware-c2, phishing, scanners, residential-vpn, leaked-tokens, … | — | |
| Signature | Ed25519 manifest | — | Public key published |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
GET /v1/shield/threat-intel/feeds/{feed}
Required scope(s): shield:read. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.