Threat Intelligence Platform

Disrupt cyber attacks at reconnaissance and mass exploitation stages. Advanced fingerprinting, automated blocklists, and real-time threat feeds.

LoginSign Up Free

No credit card required

Latest product updates & research

View all articles

ELLIO RECON IP Lists dashboard showing scanner IP counts from various security tools including Censys (600,784), Cortex Xpanse (4,611), BinaryEdge (2,279), and others with trend visualizations
#Scanning#IP Blocking
Product Updates

ELLIO expands with 10 new recon and scanner IP feeds

ELLIO Threat Intelligence & Blocklist Automation has been updated with 10 new scanner and recon IP address feeds. This improves detection and control of scanning activity at the network perimeter, enabling more accurate allow and block rules without manual IP range management.

ELLIO Product Team
ELLIO Product Team·
ELLIO threat intelligence dashboard showing IP 178.16.53.51 flagged as malicious Mirai botnet from Amsterdam, with timeline of exploit attempts and port scanning activity detected between March 22-24, 2026.
#Scanning
Threat/Vulnerability News

[watchdog]: Inside a Mirai variant with six-layer persistence

An open directory is serving a Mirai variant across 14 CPU architectures - all updated yesterday. It kills competitors by SHA256 hash, persists through six layers, and hides as a kernel thread. Here's what's inside.

ELLIO Threat Research Lab
ELLIO Threat Research Lab·
Screenshot of ELLIO threat intelligence interface showing malicious Docker API exploits from IPs 45.156.87.4 and 187.86.243.141, with security indicators and threat classification tags
#CVE#Scanning
Threat/Vulnerability News

What Gets Deployed via Exposed Docker APIs

Over 1,000 unique IPs scan for exposed Docker APIs every day. A fraction go further. We captured every container creation payload and classified them by monetization strategy.

ELLIO Threat Research Lab
ELLIO Threat Research Lab·

Stories from ELLIO

View all updates

The image shows a group of people gazing at the night sky, where the Milky Way is visible.
#Threat Intelligence
Insight

Threat Intelligence Platforms by Use Case: 2026 Guide

Not all CTI platforms are built for the same purpose. Differences in data sourcing, architecture, and enrichment capabilities mean the “best” platform is defined by its fit for operational use cases, such as reducing SIEM noise, supporting threat hunting, or detecting fraud.

Jana Tom
Jana Tom·
Radio telescope dish pointing toward starry night sky with visible Milky Way galaxy, representing network monitoring and threat detection technology
#Threat Intelligence#Reconnaissance#Noise
Insight

Internet Background Noise: The Hidden Cost Layer in Security Operations

The same layer that drives cost also carries early attack signals. With visibility into reconnaissance, teams separate signal from noise and stop attacks before they become operationally burdensome and costly.

Jana Tom
Jana Tom·
Vlad Iliushin, ELLIO Founder and AMTSO President presenting at cybersecurity conference with "Cyber Research Conference 2025" displayed on blue projection screen behind podium
#Leadership
News

ELLIO Founder Vlad Iliushin Hands AMTSO Leadership to Stefan Dumitrascu

ELLIO today announced that its founder, Vlad Iliushin, has completed his term as President of AMTSO (Anti-Malware Testing Standards Organization) and handed over the role to Stefan Dumitrascu, Founder and CEO of Artifact Security.

ELLIO PR Team
ELLIO PR Team·

What We Build

Learn more about each product on ellio.tech

192.0.2.88China Telecom🇨🇳
malicious7 tags
CVE-2023-49070CVE-2025-0108SAP NetWeaver
JA4Hge11nn030000_fe444ad14866_000000000000
MuonFP29200:2:1460:7
PAN GlobalProtect
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 23: 6,620 scanner / 2,194 exploit IPs
203.0.113.22249.3 Networking LLC🇺🇸
promiscuous22 tags
WordPress DetectorDocker API Scanner.env scannerGit ArtifactLaravel
JA4t13d131100_f57a46bbacb6_ab7e3b40a677
MuonFP64240:2-1-3-1-1-4:1460:8
Cisco ASA/FTD WebVPN
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 13: 1,012 scanner / Feb 24: 73 exploit IPs
203.0.113.13GTT Backbone🇺🇸
maliciousrDNS: none
CVE-2024-3400Cisco ASA WebVPNPAN GlobalProtect
JA4t12i280800_0df5e5c63df4_686390af6b8e
MuonFP42340:2-1-1-4-1-3:1460:10
198.51.100.160Rostelecom🇷🇺
malicious
CVE-2024-4577Mozi BotnetWebshell Upload
JA4t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95
MuonFP4096:2:1460:6
React2Shell
Exploitation IPs -- Jan 30 - Mar 5
Exploit IPs
Feb 24: 309 IPs / Feb 13: 212 IPs
198.51.100.191Google Cloud Platform🇺🇸
brute-force
Attempts25,038
Usernames1 (root)
Passwords25,038 unique

ELLIO Threat Intelligence

Access clean, high-fidelity threat data focused on mass exploitation and reconnaissance, turning raw signals into context-rich insights your security stack can act on instantly - from SIEM, SOAR, TIP to firewalls.

Learn more

ELLIO Blocklist Automation

Manage all your blocklists and IP rules from a central place. Define what’s allowed and what’s blocked – broadly or with fine granularity. Apply rules automatically across all your firewalls.

Learn more

ELLIO IP Blocklists

Dynamic, context-driven threat lists. Updated automatically every 5 minutes or as needed.

Learn more
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed

ELLIO Recon IP Lists

Continuously updated lists of scanner IPs. Define exactly which scanners to block or always allow.

Learn more
{"ip":"18.231.254.122","ptr":["ec2-18-231-254-122.sa-east-1.compute.amazonaws.com"]}
{"ip":"23.0.2.46","ptr":["a23-0-2-46.deploy.static.akamaitechnologies.com"]}
{"ip":"34.132.109.190","ptr":["190.109.132.34.bc.googleusercontent.com"]}
{"ip":"174.48.226.166","ptr":["c-174-48-226-166.hsd1.fl.comcast.net"]}
{"ip":"141.54.160.10","ptr":["ktw.stuko.uni-weimar.de"]}
{"ip":"194.31.248.182","ptr":["gw-248.kasta.ua"]}
{"ip":"138.137.190.198","ptr":["dha-190-198.health.mil"]}
{"ip":"162.42.158.34","ptr":["nat.kolbe.com","kolbe-r2-s0-0.cybertrails.com"]}
{"ip":"99.48.218.194","ptr":["adsl-99-48-218-194.dsl.lsan03.sbcglobal.net"]}
{"ip":"171.76.96.74","ptr":["abts-kk-dynamic-74.117.76.171.airtelbroadband.in"]}

ELLIO rDNS Dataset

Complete IPv4 reverse DNS. ~1.25 billion clean PTR records, updated daily.

Learn more
Connection from 192.0.2.141024:2:1460:ReconBLOCKED
Connection from 203.0.113.88t13d1714h2_5b57614c22b0_ca3c9f312770FirefoxALLOWED
Connection from 198.51.100.33t13i5910h1_a33745022dd6_1f22a2ca17c4AI ReconnaissanceBLOCKED
Connection from 203.0.113.20164240:2-4-8-1-3:1379:7LegitimateALLOWED
Connection from 192.0.2.7729200:2:1460:ScannerBLOCKED
Connection from 198.51.100.119t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95ChromeALLOWED

ELLIO Fingerprint Firewall

Unifies network fingerprints, user-provided signatures, and traditional IP blocklists into a single, actionable defense layer.

Reach out