Valuable context for raw data: Correlate internal events such as web proxy logs, DNS queries, email traffic, or firewall events against known and active malicious indicators. Add crucial context, like the role of an indicator, so you can act proportionally and efficiently, and avoid incorrect remediation actions.
Threat Intelligence Enrichment
Increase detection rates and enrich alerting context with malware signals that will help you uncover and address attack behaviour faster.
Enhance your proactive defense
Get access to data that you won’t find from another single source to seamlessly integrate into your hunting workflows and enhance understanding of internal telemetry. Quickly determine the operational relevance of malware indicators of compromise (IOCs) by reducing noisy signals with clear, enriched IOCs.
Increase data diversity, coverage and visibility with globally tracked signals from abuse.ch, the largest independently crowdsourced malware data available to the industry. Efficiently detect threats that evaded traditional defenses using this high-confidence, real-time data source.
Broad view of malware: Including distribution, samples, observed payloads, related IoCs, active C2s, signals from malware detonated in our customized sandbox, a vast repository of YARA rules to expose more, and historic DNS connections for more insight and trend identification.
High-confidence: Access real-time IP information being used to host active botnet C2s, enriched with malware family tagging. This data has high confidence levels (also used at the network perimeter) with C2 status re-evaluated several times a day to identify active botnet controllers only.
Data Solutions
Threat Intelligence Enrichment
Whether you’re after malicious URLs, samples, IOCs linked to live threats, active botnet C2 servers, or the whole lot, you have full control to access the data that you need, and nothing more, via our enrichment APIs or real-time feeds.
abuse.ch API
High-impact data, dedicated to malware indicators, from a globally diverse, knowledge-rich community. Access enterprise-grade intelligence, with reliability and scale, to enrich, hunt and track with clarity and confidence.
abuse.ch Real-Time Feeds
Real-time stream of enriched indicators to enhance threat detection, triage, hunting, and enrichment workflows. Gain immediate access to fresh IOCs and dataset changes to proactively identify threats before they cause damage.
Intelligence API
Integrate context-rich metadata relating to IP and domain reputation to enhance existing data feeds, or consume as an independent data source. Gain additional intelligence to monitor, assess and remediate as required.
Passive DNS API
A simple API supporting a variety of query types to discover historical, and up-to-the-moment, DNS infrastructure connections from Spamhaus’ Passive DNS database with up to one year of historical data.
Passive DNS Real-Time Feed
A firehose of Passive DNS data: get updates as soon as they are generated, with minimal or no delay. This provides immediate access to up-to-date information on DNS infrastructure connections.
Maltego Integration
With Maltego, streamline complex analysis by utilizing the Spamhaus-abuse.ch Alliance’s expansive malware, IP and domain reputation intelligence. Quickly understand whether entities should be considered high risk, why, and whether they are still perpetuating malicious behavior, so you can confidently define and prioritise next steps.
Our Virtual CISO customers have really appreciated the extra insights and details relating to why we’re blocking a specific resource or activity.
Dr. Darren Williams
Founder and CEO, BlackFog, Anti Data Exfiltration and Ransomware Prevention
Featured Report
Botnet Threat Update January to June 2025
1 min read | July 14, 2025
Botnet activity increased by 26% this reporting period, the first increase we've observed for over 18 months. Five new malware families entered the Top 20, and there were disappointing increases for a number of global networks hosting the most active botnet C&Cs. Read the full report.