Threat Intel
Edge Security Gateway

About Threat Intel Gateway

A real-time IP threat intelligence filtering system running at the network edge. Every request is analyzed against multiple independent threat intelligence sources with sub-second decision times.

11 Intel Sources
<200 ms Latency
300+ Edge Nodes
0-100 Score Range

🛡 What It Does

Threat Intel Gateway acts as an intelligent security layer between the internet and your web application. It intercepts every incoming HTTP request at the network edge and evaluates the source IP address against multiple threat intelligence databases simultaneously.

Unlike traditional WAFs that rely on signature-based detection, Threat Intel Gateway uses real-time reputation scoring from multiple independent sources to make allow/block decisions. This multi-source approach provides higher accuracy and fewer false positives than any single source alone.

The system operates in a fail-open mode — if any external service is unavailable, traffic is allowed through rather than blocked. Security checks never become a single point of failure for your application.

How It Works

Every request passes through a multi-layer security pipeline before reaching your origin server.

Request → Edge Node → Allow/Block Lists → Honeypot Check → Geo/ASN Policy → Rate Limiter → 11 TI Sources → Decision

01 Intercept: Request arrives at the nearest edge node. Client IP is extracted, normalized, and fingerprinted.
02 Analyze: IP is checked against admin lists, honeypot traps, geo/ASN policies, rate limits, and 11 threat intelligence sources in parallel.
03 Decide: Sources are weighted and aggregated into a reputation score (0–100). Traffic is allowed, challenged, or blocked.
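
An added example (not the project's own code) of the Decide step: weighted aggregation with score decay, fail-open handling of sources that did not answer, and threshold classification. The weights, the 24-hour half-life, the band thresholds and the "Unknown" label are assumptions; the page gives no values for them.

```javascript
// Added example. Weights, half-life and thresholds are assumed values.
const HALF_LIFE_HOURS = 24;
const BANDS = [ // checked top-down; first band whose min <= score wins
  { min: 80, label: "Critical", action: "block" },
  { min: 60, label: "Malicious", action: "block" },
  { min: 30, label: "Suspicious", action: "challenge" },
  { min: 0, label: "Clean", action: "allow" },
];

// results: [{ source, weight, score, ageHours }]; score is 0-100, or null
// when the lookup timed out or errored.
function aggregate(results) {
  let weighted = 0;
  let answeredWeight = 0;
  const skipped = [];
  for (const r of results) {
    if (r.score == null || !Number.isFinite(r.score)) {
      skipped.push(r.source); // fail-open: a dead source casts no vote
      continue;
    }
    const score = Math.min(100, Math.max(0, r.score));
    // Temporal decay: an old observation fades toward 0.
    const decayed = score * Math.pow(0.5, r.ageHours / HALF_LIFE_HOURS);
    weighted += decayed * r.weight;
    answeredWeight += r.weight;
  }
  const degraded = skipped.length > 0;
  if (answeredWeight === 0) {
    // No source answered: allow, but flag it so the outage is visible in logs.
    return { score: 0, label: "Unknown", action: "allow", degraded, skipped };
  }
  // Normalize over sources that answered. Dividing by the weight of all
  // configured sources would let an outage dilute the score of a bad IP.
  const score = Math.round(weighted / answeredWeight);
  const band = BANDS.find((b) => score >= b.min);
  return { score, label: band.label, action: band.action, degraded, skipped };
}

// Constructed sample: two sources answer, one times out.
const SAMPLE = [
  { source: "SRC-01", weight: 3, score: 90, ageHours: 0 },
  { source: "SRC-04", weight: 2, score: 60, ageHours: 24 },
  { source: "SRC-08", weight: 5, score: null, ageHours: 0 },
];
console.log(aggregate(SAMPLE));
```

The `degraded` flag is what keeps fail-open observable: alerting on a rising share of degraded decisions shows when allow verdicts are being made on partial data.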

🔎 Threat Intelligence Sources

Threat data is aggregated from 11 independent sources, each specializing in different aspects of IP reputation and threat classification. Source identities are anonymized below.

SRC-01 Abuse Reporting: Community-driven IP abuse reports with confidence scoring.
SRC-02 Attack Surface: Open ports, exposed services, and known vulnerabilities.
SRC-03 Noise Classification: Distinguishes targeted attacks from benign mass scanning.
SRC-04 Multi-Engine Analysis: Aggregated results from 70+ security vendors.
SRC-05 / 06 Blackhole Feeds: Community and regional RTBH feeds for actively attacking IPs.
SRC-07 Anonymization Network: Real-time list of active anonymization relay exit nodes.
SRC-08 Botnet C2 Tracking: Command-and-control server tracking for major malware families.
SRC-09 Attack Aggregator: Reports from IDS, fail2ban, and honeypot networks worldwide.
SRC-10 / 11 Sensor Networks: Distributed intrusion detection and spam tracking sensors.

Key Features

Multi-Source Scoring: Weighted reputation scoring from 11 independent threat intelligence sources with temporal decay.
Edge Processing: All threat decisions at the network edge with no origin round-trip. 300+ global PoPs.
Live Analytics: Real-time event stream, geo maps, timeseries charts, and anomaly detection signals.
Honeypot Traps: 3-tier bait paths that auto-block scanners probing for vulnerabilities.
Geo & ASN Blocking: Block or allow traffic by country or autonomous system policies.
Adaptive Rate Limiting: Per-IP rate limiting via Durable Objects with fail-open resilience.
Recidivist Tracking: Repeat offenders are automatically escalated to higher threat levels.
Multi-Channel Alerts: Notifications via Slack, Discord, Telegram, and custom webhooks.

💬 Frequently Asked Questions

What is Threat Intel Gateway?
Threat Intel Gateway is a real-time IP threat intelligence filtering system that runs at the network edge. It intercepts every incoming request, checks the source IP against multiple independent threat intelligence sources in parallel, and makes sub-second allow/block decisions based on a weighted reputation score.
How does multi-source IP reputation scoring work?
Each integrated threat intelligence source provides an independent score for a given IP address. These scores are weighted based on source reliability and aggregated into a single reputation score (0–100). IPs are then classified as Clean, Suspicious, Malicious, or Critical based on configurable thresholds.
What happens when an IP is blocked?
When a request from a blocked IP reaches the edge, it receives a 403 Forbidden response with a unique reference ID. The blocked page shows a detailed threat profile including connection metadata, network fingerprint, and per-source scan results.
How fast is the threat assessment?
Threat assessments typically complete in under 200 milliseconds, including parallel queries to all threat sources. Cached results are returned instantly from edge storage, so repeat visitors are evaluated in under 1 millisecond.
What threat intelligence sources does Threat Intel Gateway use?
Threat Intel Gateway aggregates data from 18 independent sources including AbuseIPDB, GreyNoise, VirusTotal, Shodan, RTBH, Tor exit node lists, Feodo botnet tracker, Blocklist.de, CINS Army, StopForumSpam, and more. Each source is weighted by reliability and trust factor.
Does Threat Intel Gateway have a public API?
Yes. The public REST API at /api/v1 provides IP reputation checks, threat feed exports (blocklist, CSV, JSON, CEF, Syslog), and SVG reputation badges. API keys are managed from the admin dashboard with configurable daily rate limits.
Can I integrate Threat Intel Gateway with my SIEM?
Yes. Threat Intel Gateway provides CEF (Common Event Format) and Syslog feed endpoints at /api/v1/feed/cef and /api/v1/feed/syslog for direct SIEM integration. An OpenAPI specification is available for automated integration.
Is Threat Intel Gateway free to use?
Threat Intel Gateway is an open-source edge security platform that runs on Cloudflare Workers. The core threat filtering runs for free on the Cloudflare free plan. Some external API sources may require their own API keys.

Check your IP’s threat assessment in real time, or explore the API.
