Why ArmoPot CTI

Intelligence Your Other Feeds Don't Have

Most threat intelligence feeds recycle the same open-source data. ArmoPot generates original, first-party intelligence from attacks we observe directly.


First-Party Collection

Every IOC is extracted from actual attack sessions on our sensors — not scraped from public lists, forums, or third-party reports. You get intelligence before it hits public feeds.


Full Attack Context

Each indicator includes the complete attack context: source geo, protocol used, attacker tools, MITRE ATT&CK TTPs, session duration, sophistication score, and related artifacts.


Confidence Scoring

Multi-factor confidence scoring (0-95%) based on event severity, detected tools, attack type, and hit frequency. Filter your feeds by confidence level to match your risk appetite.

Real-Time Delivery

IOCs are extracted and available within seconds of the attack event. Real-time streaming via API, server-sent events, or TAXII polling — not daily batches.


Global Perspective

2,000+ sensors in 150+ countries give you visibility into threats targeting every region and sector — from mass botnets to targeted reconnaissance campaigns.


Continuous Enrichment

IOCs are continuously re-evaluated as new data arrives. Hit counts, last-seen timestamps, and confidence scores update automatically as the same attacker is observed again.

IOC Types

Indicators of Compromise

Multiple indicator types extracted automatically from every attack session.


IP Addresses

Attacker source IPs enriched with GeoIP (country, city, coordinates), ASN, ISP, and hosting provider data. Private IPs automatically filtered.


File Hashes

SHA-256, SHA-1, and MD5 hashes of every captured artifact — malware droppers, scripts, payloads, and tools uploaded by attackers.


URLs

Malicious URLs extracted from HTTP requests, wget/curl commands, and payload download attempts. Full path with query parameters.


Domains

C2 domains, staging servers, and exfiltration endpoints observed in attacker commands and DNS queries.

IOC Enrichment Pipeline

Every IOC flows through: Extraction (regex + heuristic) → Deduplication (UPSERT) → GeoIP Enrichment (MaxMind) → TTP Correlation (MITRE ATT&CK) → Tool Attribution (60+ signatures) → Confidence Scoring (multi-factor) → Delivery (API / STIX / SIEM / EDL)

Standards Compliant

Native STIX 2.1 & TAXII 2.1

ArmoPot generates standards-compliant STIX 2.1 bundles and serves them through a fully compliant TAXII 2.1 server — enabling seamless integration with any Threat Intelligence Platform.

  • STIX 2.1 Objects: Indicators, Sightings, ObservedData, AttackPatterns, Relationships, Identity, Malware
  • TAXII 2.1 Endpoints: Discovery, API Root, Collections, Objects with full pagination
  • Two Feed Collections: IOC Feed (Indicators) and Sightings Feed (ObservedData)
  • Automated Generation: IOCs automatically mapped to STIX Indicators with STIX patterns
  • MITRE ATT&CK Linkage: AttackPattern objects linked to techniques and tactics
STIX 2.1 INDICATOR EXAMPLE
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--a1b2c3d4...",
  "created": "2026-06-07T14:23:00Z",
  "name": "Malicious IP - SSH Brute Force",
  "pattern": "[ipv4-addr:value = '185.220.x.x']",
  "pattern_type": "stix",
  "valid_from": "2026-06-07T14:23:00Z",
  "confidence": 87,
  "labels": ["malicious-activity"],
  "external_references": [{
    "source_name": "mitre-attack",
    "external_id": "T1110.001"
  }]
}
TAXII 2.1 ENDPOINTS
GET /taxii2/ → Discovery
GET /taxii2/armopot/ → API Root
GET /taxii2/armopot/collections/ → Collections
GET /taxii2/armopot/collections/{id}/objects/ → Objects
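As an added example (not ArmoPot's own code), the consumer side of the endpoints and indicator format shown above, producing the confidence-thresholded firewall EDL described under Delivery Methods: it pages through a collection's Objects endpoint by following the TAXII 2.1 envelope's more/next fields, keeps only STIX Indicators at or above a confidence threshold, parses single-comparison ipv4-addr and domain-name patterns, deduplicates re-delivered objects and drops RFC 1918 space. The sample pages and fake_fetch are constructed stand-ins for authenticated GETs against the server; composite STIX patterns are deliberately out of scope.

```python
import ipaddress
import re
from typing import Callable, Iterator, Optional
# Constructed sample: two envelope pages shaped like a TAXII 2.1 Objects response;
# "more"/"next" drive pagination. Addresses are RFC 5737 documentation values.
def _ind(n, conf, pattern):
    return {"type": "indicator", "id": f"indicator--{n}", "confidence": conf,
            "pattern_type": "stix", "pattern": pattern}

PAGES = {
    None: {"more": True, "next": "page2", "objects": [
        _ind("0001", 87, "[ipv4-addr:value = '198.51.100.7']"),
        _ind("0002", 40, "[ipv4-addr:value = '203.0.113.9']"),
        _ind("0005", 95, "[ipv4-addr:value = '10.0.0.5']")]},
    "page2": {"more": False, "objects": [
        _ind("0003", 90, "[domain-name:value = 'c2.example.net']"),
        _ind("0001", 87, "[ipv4-addr:value = '198.51.100.7']"),  # re-delivered duplicate
        {"type": "observed-data", "id": "observed-data--0004"}]},
}
# Hypothetical stand-in for GET .../collections/{id}/objects/?next=<token>
fake_fetch = PAGES.get

# Only single-comparison STIX patterns are handled; composites are skipped.
PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def iter_objects(fetch: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    # Walk an Objects endpoint, following 'next' for as long as 'more' is true
    token = None
    while True:
        envelope = fetch(token)
        yield from envelope.get("objects", [])
        if not envelope.get("more"):
            return
        token = envelope["next"]

def build_edl(fetch: Callable[[Optional[str]], dict], min_confidence: int = 80) -> list:
    # Sorted, deduplicated EDL entries from indicators at or above the threshold
    entries = set()
    for obj in iter_objects(fetch):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # sightings and observed-data are not blocklist material
        if obj.get("confidence", 0) < min_confidence:
            continue
        if not (match := PATTERN.match(obj.get("pattern", ""))):
            continue
        kind, value = match.groups()
        if kind == "ipv4-addr" and any(ipaddress.ip_address(value) in n for n in RFC1918):
            continue  # never push private address space to a firewall blocklist
        entries.add(value)
    return sorted(entries)
```

Each line of the returned list is one EDL entry; the threshold is the same knob the Firewall EDL delivery exposes, so a lower value trades coverage for false-positive risk.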
MITRE ATT&CK

Full TTP Mapping & Heatmaps

Every captured attack is automatically classified against the MITRE ATT&CK Enterprise and ICS frameworks. See exactly which techniques adversaries are using against services like yours.

  • Automatic Classification: Events mapped to ATT&CK techniques and tactics in real-time
  • Interactive Heatmap: Kill chain column layout showing technique frequency across all captured attacks
  • Top-20 TTP Ranking: Most frequently observed techniques with hit counts and trend data
  • ICS ATT&CK Support: Industrial control system techniques for OT/SCADA environments
  • STIX Integration: ATT&CK techniques exported as STIX 2.1 AttackPattern objects
ArmoPot MITRE ATT&CK TTP Heatmap — kill chain technique matrix with event counts
Delivery Methods

Get Intelligence Where You Need It

Multiple delivery mechanisms to fit your workflow — from REST API to automated firewall feeds.


REST API

Programmatic access to IOCs, events, sessions, and threat data. JSON responses with pagination, filtering, and sorting. Rate limits scale with your subscription tier.


TAXII 2.1 Server

Standards-compliant TAXII server for automated ingestion by MISP, OpenCTI, ThreatConnect, and any TAXII-compatible TIP. Paginated object retrieval with collection-based feeds.


STIX 2.1 Export

Download STIX bundles with Indicators, Sightings, ObservedData, and AttackPatterns. Full relationship graphs linking IOCs to techniques and campaigns.


SIEM Integration

Direct event forwarding to Splunk (HEC), Elasticsearch (Bulk API), and Syslog (CEF, LEEF, JSON). Non-blocking async delivery with retry and backpressure handling.


Firewall EDL

External Dynamic Lists for Palo Alto Panorama, FortiGate, Check Point, and Cisco Firepower. Auto-updated IP blocklists with configurable confidence thresholds.

SOAR Webhook

Event-driven webhooks for TheHive, Cortex XSOAR, and generic SOAR platforms. Configurable event type and severity filters to reduce noise.

Start Consuming Real Threat Intelligence

From free community access to full TAXII feeds — choose the tier that matches your security operations maturity.