Threat Intelligence Platform

Disrupt cyber attacks at reconnaissance and mass exploitation stages. Advanced fingerprinting, automated blocklists, and real-time threat feeds.

LoginSign Up Free

No credit card required

Latest product updates & research

View all articles

Digital network visualization with glowing blue and red connections overlaid with text "Sanctioned, Seized, Still Scanning - Inside a Russian Bulletproof Hosting Network Targeting the EU"
#CVE#Scanning
Threat/Vulnerability News

Sanctioned, Seized, Still Scanning: Inside a Russian Bulletproof Hosting Network Targeting the EU

On 18 May 2026, Dutch investigators seized more than 800 servers and broke up a hosting operation that prosecutors say powered Russian cyberattacks across the EU. We had spent the previous year watching the same network from the other side. After the seizure, the scanning did not stop.

ELLIO Threat Research Lab
ELLIO Threat Research Lab·
ELLIO new integrations announcement featuring Microsoft Sentinel and MISP Threat Sharing logos on blue gradient background
#Integrations
Product Updates

New Integrations for Microsoft Sentinel and MISP

ELLIO is expanding its threat intelligence ecosystem with two new integrations designed for SOC, detection engineering, and threat intelligence workflows: Microsoft Sentinel via TAXII 2.1 and a native MISP integration.

ELLIO Product Team
ELLIO Product Team·
ELLIO RECON IP Lists dashboard showing scanner IP counts from various security tools including Censys (600,784), Cortex Xpanse (4,611), BinaryEdge (2,279), and others with trend visualizations
#Scanning#IP Blocking
Product Updates

ELLIO expands with 10 new recon and scanner IP feeds

ELLIO Threat Intelligence & Blocklist Automation has been updated with 10 new scanner and recon IP address feeds. This improves detection and control of scanning activity at the network perimeter, enabling more accurate allow and block rules without manual IP range management.

ELLIO Product Team
ELLIO Product Team·

Stories from ELLIO

View all updates

Blue cosmic space background with Microsoft Sentinel logo, representing cybersecurity protection and SIEM solution
#Threat Intelligence#Reconnaissance
Insight

Why Microsoft Sentinel Feels Noisy: It’s Not Volume, It’s Recon Blindness

Alert fatigue in Microsoft Sentinel is not caused by alert volume alone. It is a context and correlation problem. Read how reconnaissance-aware threat intelligence helps separate internet scanning noise from active exploitation activity to improve signal quality and reduce false-positive incidents.

Jana Tom
Jana Tom·
The image shows a group of people gazing at the night sky, where the Milky Way is visible.
#Threat Intelligence
Insight

Threat Intelligence Platforms by Use Case: 2026 Guide

Not all CTI platforms are built for the same purpose. Differences in data sourcing, architecture, and enrichment capabilities mean the “best” platform is defined by its fit for operational use cases, such as reducing SIEM noise, supporting threat hunting, or detecting fraud.

Jana Tom
Jana Tom·
Radio telescope dish pointing toward starry night sky with visible Milky Way galaxy, representing network monitoring and threat detection technology
#Threat Intelligence#Reconnaissance#Noise
Insight

Internet Background Noise: The Hidden Cost Layer in Security Operations

The same layer that drives cost also carries early attack signals. With visibility into reconnaissance, teams separate signal from noise and stop attacks before they become operationally burdensome and costly.

Jana Tom
Jana Tom·

What We Build

Learn more about each product on ellio.tech

192.0.2.88China Telecom🇨🇳
malicious7 tags
CVE-2023-49070CVE-2025-0108SAP NetWeaver
JA4Hge11nn030000_fe444ad14866_000000000000
MuonFP29200:2:1460:7
PAN GlobalProtect
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 23: 6,620 scanner / 2,194 exploit IPs
203.0.113.22249.3 Networking LLC🇺🇸
promiscuous22 tags
WordPress DetectorDocker API Scanner.env scannerGit ArtifactLaravel
JA4t13d131100_f57a46bbacb6_ab7e3b40a677
MuonFP64240:2-1-3-1-1-4:1460:8
Cisco ASA/FTD WebVPN
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 13: 1,012 scanner / Feb 24: 73 exploit IPs
203.0.113.13GTT Backbone🇺🇸
maliciousrDNS: none
CVE-2024-3400Cisco ASA WebVPNPAN GlobalProtect
JA4t12i280800_0df5e5c63df4_686390af6b8e
MuonFP42340:2-1-1-4-1-3:1460:10
198.51.100.160Rostelecom🇷🇺
malicious
CVE-2024-4577Mozi BotnetWebshell Upload
JA4t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95
MuonFP4096:2:1460:6
React2Shell
Exploitation IPs -- Jan 30 - Mar 5
Exploit IPs
Feb 24: 309 IPs / Feb 13: 212 IPs
198.51.100.191Google Cloud Platform🇺🇸
brute-force
Attempts25,038
Usernames1 (root)
Passwords25,038 unique

ELLIO Threat Intelligence

Access clean, high-fidelity threat data focused on mass exploitation and reconnaissance, turning raw signals into context-rich insights your security stack can act on instantly - from SIEM, SOAR, TIP to firewalls.

Learn more

ELLIO Blocklist Automation

Manage all your blocklists and IP rules from a central place. Define what’s allowed and what’s blocked – broadly or with fine granularity. Apply rules automatically across all your firewalls.

Learn more

ELLIO IP Blocklists

Dynamic, context-driven threat lists. Updated automatically every 5 minutes or as needed.

Learn more
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed

ELLIO Recon IP Lists

Continuously updated lists of scanner IPs. Define exactly which scanners to block or always allow.

Learn more
{"ip":"18.231.254.122","ptr":["ec2-18-231-254-122.sa-east-1.compute.amazonaws.com"]}
{"ip":"23.0.2.46","ptr":["a23-0-2-46.deploy.static.akamaitechnologies.com"]}
{"ip":"34.132.109.190","ptr":["190.109.132.34.bc.googleusercontent.com"]}
{"ip":"174.48.226.166","ptr":["c-174-48-226-166.hsd1.fl.comcast.net"]}
{"ip":"141.54.160.10","ptr":["ktw.stuko.uni-weimar.de"]}
{"ip":"194.31.248.182","ptr":["gw-248.kasta.ua"]}
{"ip":"138.137.190.198","ptr":["dha-190-198.health.mil"]}
{"ip":"162.42.158.34","ptr":["nat.kolbe.com","kolbe-r2-s0-0.cybertrails.com"]}
{"ip":"99.48.218.194","ptr":["adsl-99-48-218-194.dsl.lsan03.sbcglobal.net"]}
{"ip":"171.76.96.74","ptr":["abts-kk-dynamic-74.117.76.171.airtelbroadband.in"]}

ELLIO rDNS Dataset

Complete IPv4 reverse DNS. ~1.25 billion clean PTR records, updated daily.

Learn more
Connection from 192.0.2.141024:2:1460:ReconBLOCKED
Connection from 203.0.113.88t13d1714h2_5b57614c22b0_ca3c9f312770FirefoxALLOWED
Connection from 198.51.100.33t13i5910h1_a33745022dd6_1f22a2ca17c4AI ReconnaissanceBLOCKED
Connection from 203.0.113.20164240:2-4-8-1-3:1379:7LegitimateALLOWED
Connection from 192.0.2.7729200:2:1460:ScannerBLOCKED
Connection from 198.51.100.119t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95ChromeALLOWED

ELLIO Fingerprint Firewall

Unifies network fingerprints, user-provided signatures, and traditional IP blocklists into a single, actionable defense layer.

Reach out