Sensor Network & Methodology
A high-level overview of how ipinsights.io collects, validates and scores threat intelligence — written for security professionals who want to assess data quality.
Overview
ipinsights.io derives its primary intelligence from a privately operated network of 73 honeypots, tarpits and deception devices. Every IP that interacts with a sensor is recorded, enriched with geolocation, ISP and Autonomous System data, and then cross-referenced against 22+ open-source threat intelligence feeds before a composite threat score is calculated.
The sections below describe each layer of this pipeline at a level of detail intended to help security professionals evaluate the reliability of the data without revealing operational specifics that could be used to evade detection.
Sensor Types
The 73 sensors fall into three broad categories. Each category captures a different phase of attacker behaviour, giving the platform a more complete picture of malicious activity.
- Honeypots — Low- and medium-interaction services that emulate real applications to attract and log exploitation attempts, credential stuffing and vulnerability scanning.
- Tarpits — Services that deliberately slow down connections to waste attacker resources, while passively identifying automated scanners and brute-force tools.
- Deception devices — Decoy endpoints and fake services designed to detect lateral movement, reconnaissance and enumeration activity that other sensor types may miss.
Geographic Distribution
Sensors are deployed across multiple geographic regions and hosted on a variety of cloud and colocation providers. This diversity ensures that threat data is not biased toward a single country, network or provider.
- Sensors span Europe, North America and Asia-Pacific, capturing regionally targeted campaigns as well as globally distributed scans.
- Sensors sit on different Autonomous Systems to avoid detection by attackers who fingerprint hosting ranges and skip known honeypot networks.
Exact locations and IP ranges are not disclosed to prevent evasion by threat actors.
Emulated Protocols
Sensors emulate a range of commonly targeted protocols. This breadth allows the platform to observe attacks across the most frequently exploited services on the internet.
- Capture brute-force login attempts, credential stuffing and post-authentication commands.
- Detect web vulnerability scanning, path traversal, injection attempts and exploit-kit probes.
- Identify spam relays, open-relay probes and email-based attack infrastructure.
- Emulate MySQL, PostgreSQL, Redis and similar services to trap automated database scanners.
- Observe file-sharing exploits, ransomware propagation and worm-like scanning behaviour.
- Emulate Modbus, S7comm and common IoT interfaces targeted by botnets and nation-state actors.
Blocklist Cross-Referencing
Raw sensor hits alone are not enough to produce a reliable threat score. Every IP observed by the sensor network is cross-referenced against 22+ external threat intelligence feeds to validate findings and reduce false positives.
The cross-referencing process works as follows:
- Ingestion — Blocklists are fetched and updated automatically every four hours from well-known open-source feeds (e.g. AbuseIPDB, Spamhaus, Emerging Threats, DShield and others).
- Normalisation — Each feed is parsed into a consistent format, de-duplicated and tagged with its source and category (spam, brute-force, malware, scanner, etc.).
- Correlation — Sensor-observed IPs are matched against all active blocklists. An IP appearing on multiple independent feeds increases the composite threat score.
- Enrichment — Matched IPs are enriched with geolocation, ISP, ASN and reverse-DNS data to provide full context for analysts.
- Scoring — A weighted threat score is calculated based on the number of sensor hits, the number and reputation of matching blocklists, recency of activity and diversity of targeted protocols.
Downloadable blocklists generated from this pipeline are available on the Blocklist Downloads page.
Threat Scoring Model
The composite threat score assigned to each IP takes multiple signals into account:
- More independent sources listing an IP increases confidence that it is genuinely malicious.
- Recent activity is weighted more heavily than older sightings, so the score reflects current risk.
- An IP attacking multiple protocols signals a more capable or persistent threat actor.
- Being seen by sensors across multiple regions and ASNs elevates the score beyond single-point observations.
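The following Python program is an added illustration of the cross-referencing pipeline (ingestion, normalisation, correlation, scoring) and of the scoring signals listed above; it is not ipinsights.io's code, and the feed names, reputation weights, half-life, retention window, component weights and all sample data are constructed for this example because the page does not publish the real ones. The enrichment step is omitted since it only attaches context and does not change the score.

```python
"""Toy model of the pipeline described above: normalise messy feed content,
correlate sensor-observed IPs against it, weight sightings by recency, age out
stale entries and combine the signals into a 0-100 score.
All weights, windows, feed names and data here are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for determinism
HALF_LIFE_DAYS = 7.0   # assumed: a sighting loses half its weight each week
RETENTION_DAYS = 30    # assumed: sightings older than this are aged out

# Constructed raw feed content (not real feed output). Lines are deliberately
# messy so normalisation has work to do: comments, whitespace, duplicates, junk.
RAW_FEEDS = {
    "feed-a": ["# constructed feed", "198.51.100.7", "198.51.100.7 ", "203.0.113.9", "not-an-ip"],
    "feed-b": ["198.51.100.7", "192.0.2.55"],
    "feed-c": ["203.0.113.9", "198.51.100.7  # trailing comment"],
}
FEED_CATEGORY = {"feed-a": "scanner", "feed-b": "brute-force", "feed-c": "malware"}
FEED_REPUTATION = {"feed-a": 0.9, "feed-b": 0.6, "feed-c": 0.8}  # assumed, in [0, 1]


@dataclass(frozen=True)
class SensorHit:
    """One sensor interaction plus the context the scoring model uses."""
    ip: str
    protocol: str
    region: str
    asn: int
    seen: datetime


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)

# Constructed sensor observations (documentation IP ranges and documentation ASNs).
SENSOR_HITS = [
    SensorHit("198.51.100.7", "ssh",    "eu", 64500, days_ago(0)),
    SensorHit("198.51.100.7", "http",   "na", 64501, days_ago(7)),
    SensorHit("198.51.100.7", "smb",    "eu", 64500, days_ago(14)),
    SensorHit("198.51.100.7", "ssh",    "eu", 64500, days_ago(45)),   # past retention
    SensorHit("203.0.113.9",  "http",   "ap", 64502, days_ago(0)),
    SensorHit("192.0.2.55",   "smtp",   "na", 64501, days_ago(45)),   # only stale hits
    SensorHit("192.0.2.200",  "telnet", "eu", 64500, days_ago(0)),    # on no feed
]


def normalise_feeds(raw_feeds, categories):
    """Normalisation: parse every feed into {ip: {(source, category)}}.
    Comments and junk are dropped, addresses are canonicalised via ipaddress
    (so '198.51.100.7 ' and '198.51.100.7' collapse) and the set de-duplicates."""
    table = {}
    for source, lines in raw_feeds.items():
        for line in lines:
            entry = line.split("#", 1)[0].strip()
            if not entry:
                continue
            try:
                ip = str(ipaddress.ip_address(entry))
            except ValueError:
                continue  # not an address; a production parser would log this
            table.setdefault(ip, set()).add((source, categories[source]))
    return table


def recency_weight(seen, now=NOW):
    """Exponential decay of a sighting's weight; zero once past retention."""
    age_days = (now - seen).total_seconds() / 86400
    if age_days > RETENTION_DAYS:
        return 0.0
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def score_ips(hits, feed_table, now=NOW):
    """Correlation + scoring for IPs that still have live (unexpired) hits.
    Assumed component weights, summing to a 0-100 scale:
      hits      up to 40: recency-weighted sensor hits, capped at 10
      feeds     up to 30: sum of matched feed reputations, capped at 2.0
      protocols up to 15: each distinct protocol beyond the first, max 3
      spread    up to 15: each extra region or ASN beyond the first, max 4"""
    live = {}
    for h in hits:
        w = recency_weight(h.seen, now)
        if w > 0.0:                      # ageing-out happens here
            live.setdefault(h.ip, []).append((h, w))
    scores = {}
    for ip, entries in live.items():
        sources = sorted(src for src, _ in feed_table.get(ip, set()))
        reputation = sum(FEED_REPUTATION[s] for s in sources)
        protocols = {h.protocol for h, _ in entries}
        regions = {h.region for h, _ in entries}
        asns = {h.asn for h, _ in entries}
        hits_score = min(sum(w for _, w in entries), 10.0) * 4.0
        feeds_score = min(reputation, 2.0) * 15.0
        proto_score = min(len(protocols) - 1, 3) * 5.0
        spread_score = min((len(regions) - 1) + (len(asns) - 1), 4) * 3.75
        scores[ip] = {"feeds": sources, "hits": hits_score, "feed_score": feeds_score,
                      "protocols": proto_score, "spread": spread_score,
                      "total": round(hits_score + feeds_score + proto_score + spread_score, 1)}
    return scores


if __name__ == "__main__":
    table = normalise_feeds(RAW_FEEDS, FEED_CATEGORY)
    ranked = sorted(score_ips(SENSOR_HITS, table).items(), key=lambda kv: -kv[1]["total"])
    for ip, s in ranked:
        print(f"{ip:>14}  total={s['total']:5.1f}  feeds={s['feeds']}")
```

Running it ranks 198.51.100.7 (three feeds, three protocols, two regions and ASNs) well above 203.0.113.9 (two feeds, one protocol) and the sensor-only 192.0.2.200, while 192.0.2.55 disappears entirely because its only sighting is past the retention window. The caps on each component keep a single noisy feed or a flood of hits from one sensor from dominating the score, which is the practical reason for combining independent signals rather than counting raw hits.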
Data Freshness & Retention
Threat data is continuously ingested from sensors in near real-time. External blocklists are refreshed every four hours via automated jobs. Stale entries are aged out and removed so that the platform reflects the current threat landscape rather than historical noise.
For more information about the project or to provide feedback on data quality, visit the About or Support page.