Threat Intelligence Platform

Disrupt cyber attacks at reconnaissance and mass exploitation stages. Advanced fingerprinting, automated blocklists, and real-time threat feeds.

Latest product updates & research

View all articles

ELLIO threat intelligence dashboard showing IP 93.123.109.205 from Amsterdam marked as malicious, with MITRE ATT&CK tactics, CVE vulnerabilities, and various exploit detectors including Setup.php, Jenkins, and SQL injection
#Network Fingerprints#Scanning#IP Blocking
Threat/Vulnerability News

Analyze everything or move straight to network-level blocking?

One IP. Four days. Nearly 900 user agents. Over 3,000 probes. Sometimes a single IP address tells you everything you need to know about how industrialized internet scanning has become.

ELLIO Community Team
ELLIO Community Team·
Infographic showing February 2026 credential-stuffing attack on Palo Alto GlobalProtect: 8,575 unique IPs, 3 attack waves, 48-hour duration. ELLIO branding at bottom.
#CVE#Network Fingerprints
Threat/Vulnerability News

Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals

A coordinated credential-stuffing campaign hit GlobalProtect VPN portals with 8,575 IPs in 48 hours. Three attack waves, 78 targeted usernames, one password. Our team breaks down the timeline, infrastructure, fingerprints, and what defenders can do.

ELLIO Threat Research Lab
ELLIO Threat Research Lab·
Line chart showing SSH brute force attack trends from Jan 12 - Feb 11, 2026, tracking unique attacking IPs per credential for usernames "root" (blue), "admin" (yellow), and "n8n" (red). Shows "n8n" surpassing "admin" as second most targeted.
Threat/Vulnerability News

"n8n" is the new "admin."

On February 10, 2026, our deception network recorded "n8n" overtaking "admin" as the #2 most brute-forced SSH username. The campaign scaled from a handful of probing IPs to hundreds of unique sources in under a week, with attackers rapidly iterating through password variants.

Vlad Iliushin
Vlad Iliushin·

Stories from ELLIO

View all updates

Vlad Iliushin, ELLIO Founder and AMTSO President presenting at cybersecurity conference with "Cyber Research Conference 2025" displayed on blue projection screen behind podium
#Leadership
News

ELLIO Founder Vlad Iliushin Hands AMTSO Leadership to Stefan Dumitrascu

ELLIO today announced that its founder, Vlad Iliushin, has completed his term as President of AMTSO (Anti-Malware Testing Standards Organization) and handed over the role to Stefan Dumitrascu, Founder and CEO of Artifact Security.

ELLIO PR Team
ELLIO PR Team·
Vlad Iliushin as a speaker talking about mass exploitation and recon on the stage at BSides Nashville 2025
#BSides#Community#Network Fingerprints
Events

BSides 2025: Our Top Picks and Insights

In 2025, the ELLIO team traveled across the US and Europe to attend BSides events. Here’s a look at our favorite BSides moments of the year.

ELLIO Community Team
ELLIO Community Team·
Hero image
#Community#Network Fingerprints#Firewall Protection
News

ELLIO Debuts New Open-Source Recon Shield

At Black Hat 2025, ELLIO is launching a new open-source tool: the TCP Fingerprint Firewall. This Recon Shield, built on high-performance eBPF technology, uses advanced MuonFP-based fingerprints to detect and block malicious scanners in real time.

ELLIO Community Team
ELLIO Community Team·

What We Build

Learn more about each product on ellio.tech

192.0.2.88China Telecom🇨🇳
malicious7 tags
CVE-2023-49070CVE-2025-0108SAP NetWeaver
JA4Hge11nn030000_fe444ad14866_000000000000
MuonFP29200:2:1460:7
PAN GlobalProtect
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 23: 6,620 scanner / 2,194 exploit IPs
203.0.113.22249.3 Networking LLC🇺🇸
promiscuous22 tags
WordPress DetectorDocker API Scanner.env scannerGit ArtifactLaravel
JA4t13d131100_f57a46bbacb6_ab7e3b40a677
MuonFP64240:2-1-3-1-1-4:1460:8
Cisco ASA/FTD WebVPN
Recon vs Exploitation -- Jan 30 - Mar 5
Scanner IPsExploit IPs
Feb 13: 1,012 scanner / Feb 24: 73 exploit IPs
203.0.113.13GTT Backbone🇺🇸
maliciousrDNS: none
CVE-2024-3400Cisco ASA WebVPNPAN GlobalProtect
JA4t12i280800_0df5e5c63df4_686390af6b8e
MuonFP42340:2-1-1-4-1-3:1460:10
198.51.100.160Rostelecom🇷🇺
malicious
CVE-2024-4577Mozi BotnetWebshell Upload
JA4t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95
MuonFP4096:2:1460:6
React2Shell
Exploitation IPs -- Jan 30 - Mar 5
Exploit IPs
Feb 24: 309 IPs / Feb 13: 212 IPs
198.51.100.191Google Cloud Platform🇺🇸
brute-force
Attempts25,038
Usernames1 (root)
Passwords25,038 unique

ELLIO Threat Intelligence

Access clean, high-fidelity threat data focused on mass exploitation and reconnaissance, turning raw signals into context-rich insights your security stack can act on instantly - from SIEM, SOAR, TIP to firewalls.

Learn more

ELLIO Blocklist Automation

Manage all your blocklists and IP rules from a central place. Define what’s allowed and what’s blocked – broadly or with fine granularity. Apply rules automatically across all your firewalls.

Learn more

ELLIO IP Blocklists

Dynamic, context-driven threat lists. Updated automatically every 5 minutes or as needed.

Learn more
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed
192.0.2.14Shodan:443blocked
198.51.100.73Censys:22blocked
203.0.113.41Xpanse:80allowed
203.0.113.22Driftnet:8443blocked
192.0.2.88BinaryEdge:443blocked
198.51.100.201Shodan:8080blocked
203.0.113.119Censys:22blocked
192.0.2.55Xpanse:443allowed
198.51.100.9Stretchoid:443blocked
203.0.113.87Shodan:22blocked
192.0.2.156Censys:8080blocked
198.51.100.44Xpanse:443allowed

ELLIO Recon IP Lists

Continuously updated lists of scanner IPs. Define exactly which scanners to block or always allow.

Learn more
{"ip":"18.231.254.122","ptr":["ec2-18-231-254-122.sa-east-1.compute.amazonaws.com"]}
{"ip":"23.0.2.46","ptr":["a23-0-2-46.deploy.static.akamaitechnologies.com"]}
{"ip":"34.132.109.190","ptr":["190.109.132.34.bc.googleusercontent.com"]}
{"ip":"174.48.226.166","ptr":["c-174-48-226-166.hsd1.fl.comcast.net"]}
{"ip":"141.54.160.10","ptr":["ktw.stuko.uni-weimar.de"]}
{"ip":"194.31.248.182","ptr":["gw-248.kasta.ua"]}
{"ip":"138.137.190.198","ptr":["dha-190-198.health.mil"]}
{"ip":"162.42.158.34","ptr":["nat.kolbe.com","kolbe-r2-s0-0.cybertrails.com"]}
{"ip":"99.48.218.194","ptr":["adsl-99-48-218-194.dsl.lsan03.sbcglobal.net"]}
{"ip":"171.76.96.74","ptr":["abts-kk-dynamic-74.117.76.171.airtelbroadband.in"]}

ELLIO rDNS Dataset

Complete IPv4 reverse DNS. ~1.25 billion clean PTR records, updated daily.

Learn more
Connection from 192.0.2.141024:2:1460:ReconBLOCKED
Connection from 203.0.113.88t13d1714h2_5b57614c22b0_ca3c9f312770FirefoxALLOWED
Connection from 198.51.100.33t13i5910h1_a33745022dd6_1f22a2ca17c4AI ReconnaissanceBLOCKED
Connection from 203.0.113.20164240:2-4-8-1-3:1379:7LegitimateALLOWED
Connection from 192.0.2.7729200:2:1460:ScannerBLOCKED
Connection from 198.51.100.119t13d1714h2_8bc2a1f9e4d3_f1a07b2c8e95ChromeALLOWED

ELLIO Fingerprint Firewall

Unifies network fingerprints, user-provided signatures, and traditional IP blocklists into a single, actionable defense layer.

Reach out