Threat Intelligence
Know who is attacking you.
Not just that it's happening.
Flowtriq automatically enriches every incident with threat intelligence. Bad IP feeds, geo-IP lookups, reputation scores, and IOC correlation give you the full picture of who is behind each attack, where they are, and whether they have been seen before.
Known Bad IP Feeds
Every attack IP checked against 40+ blocklists in real time.
The moment an incident opens, Flowtriq checks every source IP against a continuously updated library of known bad IP feeds. These include public blocklists, abuse databases, botnet trackers, and commercial threat feeds.
If an attacking IP appears on any feed, that context is added to the incident automatically. You see which lists flagged it, when it was first reported, and what kind of activity it has been associated with.
Feeds are synced every 15 minutes so your data is always current. No manual imports, no stale lists.
| Feed sources | 40+ public and commercial |
| Update frequency | Every 15 minutes |
| IPs tracked | 12M+ known bad addresses |
| Categories | Botnet, scanner, proxy, tor exit |
| Enrichment latency | < 2 seconds per incident |
| Custom feeds | Upload your own via API |
185.220.101.34 MATCH
Feeds: AbuseIPDB, Spamhaus DROP, ET Botnet
Category: Botnet C2 · First seen: 2025-11-02
Reputation: 4/100
45.134.26.91 MATCH
Feeds: Emerging Threats, Blocklist.de
Category: Scanner · First seen: 2026-01-18
Reputation: 11/100
Result: 312 of 847 IPs matched known feeds
IOC Correlation
Connect live attacks to known indicators of compromise.
Flowtriq cross-references every incident against your IOC library. Source IPs, traffic patterns, and protocol signatures are matched against indicators from your own investigations, industry ISACs, and community shared intelligence.
When there is a match, Flowtriq links the current attack to previous incidents and known campaigns. This turns isolated events into a connected narrative, helping you understand whether you are dealing with a new threat or a recurring adversary.
IOC matching runs in parallel with detection. By the time you read the alert, the correlation is already done.
IOC Match: UDP amplification pattern
Signature: memcached reflection (port 11211)
Linked to: Campaign #CTI-2026-0041
Prior incidents: 3 (Jan 8, Jan 22, Feb 14)
IOC Match: Known botnet subnet
Source: 185.220.101.0/24 (Mirai variant)
Confidence: HIGH
2 IOC matches linked to incident
Geo-IP Enrichment
See where your attacks are coming from, down to the city.
Every source IP in an incident is resolved to its geographic location. Country, region, city, and ASN are all captured and displayed on the incident map. This lets you spot geographic patterns instantly.
If 80% of your attack traffic is coming from a specific country or a handful of hosting providers, you will see it immediately. This context helps you make informed decisions about upstream filtering and helps your ISP act faster when you share the data.
One caveat when reading the map for volumetric UDP attacks: reflected or spoofed traffic (the memcached reflection and "Amplifier" patterns shown elsewhere on this page) arrives with the address of the reflector or a forged address, so for those incidents the geographic picture describes the path the packets took, not necessarily the operator behind them.
Geo-IP data is also used in reputation scoring, so IPs from high-risk regions and networks are weighted accordingly.
| Resolution | Country, region, city, ASN |
| Database | MaxMind GeoLite2 (updated weekly) |
| Coverage | IPv4 and IPv6 |
| Visualization | Incident map in dashboard |
| Top-N breakdowns | By country, ASN, city |
Top Source Countries
CN China 312 IPs (36.8%)
RU Russia 198 IPs (23.4%)
BR Brazil 87 IPs (10.3%)
VN Vietnam 64 IPs (7.6%)
IN India 51 IPs (6.0%)
Top ASNs
AS4134 ChinaNet 189 IPs
AS12389 Rostelecom 94 IPs
AS28573 Claro Brazil 61 IPs
847 IPs resolved · 100% coverage
Enrichment Pipeline
How every incident gets enriched automatically
T+0.00s: Incident opens
The FTAgent detects a threshold crossing and opens an incident. Source IPs from the initial traffic sample are extracted and sent to the enrichment pipeline.
T+0.3s: Feed lookup
All source IPs are checked against 40+ threat feeds in parallel. Matches are tagged with feed name, category, and first-seen date.
T+0.5s: Geo-IP resolution
Country, region, city, and ASN are resolved for every source IP. Geographic distribution is calculated and the incident map is populated.
T+0.8s: Reputation scoring
Each source IP receives a reputation score from 0 (worst) to 100 (clean). The score combines feed matches, geo-risk, historical behavior, and age of the IP's activity.
T+1.2s: IOC correlation
Traffic patterns and source IPs are matched against known indicators of compromise. Linked campaigns and prior incidents are attached to the enrichment report.
T+1.8s: Enrichment complete
The full threat context is attached to the incident. Your alert now includes not just what happened, but who did it, where they are, and whether they have done it before.
Why It Matters
Alerts without context waste your time
Alerts without threat intel
- You know traffic spiked, but not who is behind it
- Manual IP lookups take minutes per address
- No way to tell if this is a new threat or a repeat offender
- Geographic patterns are invisible
- Incident reports lack actionable detail
Alerts enriched by Flowtriq
- Every source IP checked against 40+ feeds automatically
- Geo-IP and ASN data shows where attacks originate
- Reputation scores highlight the worst offenders instantly
- IOC correlation links attacks to known campaigns
- Incident reports are ready to share with your ISP or team
Reputation Scoring
A single score that tells you how dangerous a source IP is.
Flowtriq assigns a reputation score from 0 to 100 to every source IP involved in an incident. A score of 0 means the IP is well-known across multiple threat feeds and has a long history of malicious activity. A score of 100 means it has never appeared on any feed and has no prior history in Flowtriq incidents; an IP with no feed matches can still score below 100 if it has been seen in past incidents or sits in a high-risk network.
The score is calculated from four factors: feed matches (how many lists flag it), geographic risk (based on the IP's ASN and country), historical behavior (how often it has appeared in past incidents), and age (how long it has been active in threat data).
You can sort and filter source IPs by reputation in any incident view, making it easy to focus on the most dangerous sources first.
Score IP Feeds Country ASN
2 185.220.101.34 6 DE AS205100
4 45.134.26.91 5 RU AS12389
7 103.75.118.22 4 CN AS4134
11 193.42.33.107 4 NL AS208046
38 91.202.4.76 2 UA AS35320
52 177.54.128.19 1 BR AS28573
89 8.8.4.4 0 US AS15169
312 IPs below score 30 · 535 IPs above
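The enrichment pipeline (feed lookup, geo/ASN resolution, reputation scoring, IOC correlation and the top-N breakdowns) and the four-factor reputation score described above, as an added example. This is not Flowtriq's code: the feed entries, geo/ASN table, incident history, IOC library, "high-risk ASN" set, scoring weights and the fixed "today" date are all constructed assumptions chosen to show the shape of the computation, not the product's real data or weights.

```python
"""Illustrative incident enrichment pipeline (added example, not Flowtriq code).
All feeds, geo data, history, IOCs and weights below are constructed."""
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

TODAY = date(2026, 3, 13)  # constructed "now" for the age calculation

# Constructed feed library: feed name -> (IP or CIDR, category, first-seen).
FEEDS = {
    "AbuseIPDB":     [("185.220.101.34", "botnet-c2", date(2025, 11, 2))],
    "Spamhaus DROP": [("185.220.101.0/24", "botnet-c2", date(2025, 10, 20))],
    "ET Botnet":     [("185.220.101.34", "botnet-c2", date(2025, 11, 5))],
    "Blocklist.de":  [("45.134.26.91", "scanner", date(2026, 1, 18))],
}
# Constructed geo/ASN table (a real pipeline would query GeoLite2).
GEO = {
    "185.220.101.34": ("DE", 205100),
    "45.134.26.91":   ("RU", 12389),
    "103.75.118.22":  ("CN", 4134),
    "8.8.4.4":        ("US", 15169),
}
HIGH_RISK_ASNS = {205100, 12389}            # assumption: operator-flagged ASNs
IOCS = {ip_network("185.220.101.0/24"): ("CTI-2026-0041", "HIGH")}  # constructed
HISTORY = Counter({"185.220.101.34": 3, "8.8.4.4": 1})  # past incidents per IP


def feed_lookup(ip):
    """Return (feed, category, first_seen) for every feed entry covering ip."""
    addr = ip_address(ip)
    return [(feed, category, first_seen)
            for feed, entries in FEEDS.items()
            for entry, category, first_seen in entries
            if addr in ip_network(entry, strict=False)]


def reputation(ip, hits):
    """0 = worst, 100 = clean. Combines feed matches, geo risk, history and age.
    The weights are assumptions: multi-feed, long-lived repeat offenders bottom
    out near 0, unlisted IPs stay high, and one lone feed hit only dents the score."""
    score = 100
    score -= min(len(hits), 4) * 18              # feed matches: up to -72
    _country, asn = GEO.get(ip, ("??", 0))
    if asn in HIGH_RISK_ASNS:                    # geographic / network risk
        score -= 8
    score -= min(HISTORY[ip], 3) * 4             # repeat offender: up to -12
    if hits:                                     # age of activity: up to -8
        age_days = (TODAY - min(fs for _, _, fs in hits)).days
        score -= min(age_days // 30, 4) * 2
    return max(0, min(100, score))


def ioc_correlation(ip):
    """Link the IP to any IOC subnet that contains it."""
    addr = ip_address(ip)
    return [(str(net), campaign, conf)
            for net, (campaign, conf) in IOCS.items() if addr in net]


def enrich_incident(source_ips):
    """Run the pipeline over the incident's source IPs and build the report:
    per-IP records sorted worst-first, match count, and top-N breakdowns."""
    records = []
    for ip in source_ips:
        hits = feed_lookup(ip)
        country, asn = GEO.get(ip, ("??", 0))
        records.append({
            "ip": ip,
            "feeds": sorted({h[0] for h in hits}),
            "category": hits[0][1] if hits else None,
            "first_seen": min((h[2] for h in hits), default=None),
            "country": country, "asn": asn,
            "reputation": reputation(ip, hits),
            "iocs": ioc_correlation(ip),
        })
    return {
        "records": sorted(records, key=lambda r: r["reputation"]),
        "matched": sum(1 for r in records if r["feeds"]),
        "by_country": Counter(r["country"] for r in records).most_common(),
        "by_asn": Counter(r["asn"] for r in records).most_common(),
    }


if __name__ == "__main__":
    report = enrich_incident(["185.220.101.34", "45.134.26.91",
                              "103.75.118.22", "8.8.4.4"])
    for r in report["records"]:
        print(r["reputation"], r["ip"], r["feeds"], r["country"], r["asn"], r["iocs"])
    print(f"{report['matched']} of {len(report['records'])} IPs matched known feeds")
```

Note how 8.8.4.4 ends up slightly below 100 without any feed match purely because of prior incident history; in practice an address like that appearing as a "source" is a reflector, and the score should be read as "seen before", not "attacker". Drilling into the per-factor deductions is what the page's "see exactly why an IP was scored the way it was" amounts to.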
Community Sharing
Stronger together. Share threat data with the Flowtriq community.
When you opt into community sharing, anonymized threat indicators from your incidents are contributed to the Flowtriq collective feed. In return, you benefit from indicators discovered by every other participating organization.
This creates a network effect: the more organizations that participate, the faster new threats are identified. An IP that attacks one Flowtriq customer is flagged across the entire community within minutes.
Sharing is opt-in and fully anonymized. No customer names, hostnames, or internal details are ever included. You control exactly what is shared via the Console settings.
| Participation | Opt-in (disabled by default) |
| Data shared | Anonymized IPs, ports, patterns |
| Propagation time | < 5 minutes to all participants |
| Privacy | No customer metadata included |
| Format | STIX 2.1 compatible |
New indicators received: 1,247
Contributing orgs: 389
Latest additions:
+ 185.220.101.0/24 Botnet C2 3m ago
+ 45.134.26.0/24 Scanner 7m ago
+ 103.75.118.0/24 DDoS src 12m ago
+ 193.42.33.0/24 Amplifier 18m ago
Your org: sharing enabled · 84 indicators contributed
IP Reputation Database
Cross-network intelligence. See if an IP has attacked anyone else.
Flowtriq maintains a global IP reputation database built from real attack data across the entire network. When an IP attacks any Flowtriq-protected server, it is recorded. The next time that IP appears in any incident, you see its full history: how many attacks it has launched, how many networks it has targeted, what attack types it favors, and its risk score.
This is not a static blocklist. The database is continuously updated from live incident data. Risk scores are calculated from attack frequency, volume, cross-network visibility, and recency. Note the direction: the risk score runs the opposite way from the per-incident reputation score, so 100 is the most dangerous and 0 the least. IPs that have not been seen in 90 days are automatically pruned.
Privacy is built in. Only aggregated counts are stored. No customer names, server IPs, or infrastructure details are ever associated with reputation records. You see "this IP has attacked 17 networks" without knowing which networks.
| Data source | Real attacks across all Flowtriq customers |
| Update frequency | Every 15 minutes |
| Risk scoring | 0-100 (higher is riskier) based on frequency, volume, breadth, recency |
| Retention | 90-day rolling window |
| Privacy | Fully anonymized, no customer metadata |
| API access | Single IP lookup, bulk lookup, top offenders |
Risk Score: 92/100 (HIGH)
Attack Count: 47 attacks observed
Networks Hit: 12 distinct networks
Attack Type: UDP Flood (primary)
Peak Volume: 4.2M PPS
ASN: AS205100 (DE)
First Seen: 2025-11-02
Last Seen: 2026-03-11 (2d ago)
VERDICT: Known repeat offender
FAQ
Common questions about threat intelligence
Which threat feeds does Flowtriq use?
Flowtriq ingests over 40 feeds including AbuseIPDB, Spamhaus DROP/EDROP, Emerging Threats, Blocklist.de, CINS Army, DShield, and several commercial sources. You can also upload your own custom feeds via the API in any standard format.
Does threat enrichment slow down alerting?
No. Enrichment runs in parallel with the alert pipeline. Your alert fires within the first second, and the threat context is attached to the incident as it completes (typically under 2 seconds). You never wait for enrichment before being notified.
Is community threat sharing safe for my organization?
Yes. Community sharing is opt-in and fully anonymized. Only threat indicators (IPs, ports, patterns) are shared. No customer names, server hostnames, internal IPs, or metadata are ever included. You can review exactly what will be shared before enabling the feature.
Can I export threat data for my own analysis?
Absolutely. All enrichment data is available via the API in JSON format and is also exportable as STIX 2.1 bundles. This makes it easy to feed Flowtriq data into your existing SIEM, SOAR, or threat intelligence platform.
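Consuming a STIX 2.1 export on the receiving side, as an added example that is not Flowtriq's code. The bundle below is constructed to show the shape a STIX 2.1 IP-indicator export would take (its exact field contents are an assumption, not the product's output); the parser turns it into a deduplicated CIDR list for a firewall or SIEM watchlist, skipping revoked indicators, non-IP patterns and anything below a confidence floor.

```python
"""Added example: STIX 2.1 indicator bundle -> CIDR watchlist (not Flowtriq code).
Standard library only, so it runs offline; the bundle is constructed sample data."""
import json
import re
from ipaddress import ip_network


def _indicator(n, pattern, name, confidence, revoked=False):
    """Build a minimal STIX 2.1 indicator object for the constructed bundle."""
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--a1b2c3d4-0000-4000-8000-{n:012d}",
        "created": "2026-03-11T10:00:00.000Z", "modified": "2026-03-11T10:00:00.000Z",
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": "2026-03-11T10:00:00Z", "confidence": confidence,
    }
    if revoked:
        obj["revoked"] = True
    return obj


# Constructed sample export: one address, one subnet, one IPv6 address,
# one revoked indicator and one domain indicator that the IP parser must skip.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f1c2a4e-7b5d-4c8e-9a1f-2d6e8b0c4a11",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '185.220.101.34']", "Botnet C2", 95),
        _indicator(2, "[ipv4-addr:value = '45.134.26.0/24']", "Scanner", 60),
        _indicator(3, "[ipv6-addr:value = '2001:db8::1']", "Amplifier", 80),
        _indicator(4, "[ipv4-addr:value = '198.51.100.7']", "Withdrawn", 90, revoked=True),
        _indicator(5, "[domain-name:value = 'example.invalid']", "Domain IOC", 70),
    ],
})

# Simple (non-compound) STIX patterns on an IP address or CIDR.
IP_PATTERN = re.compile(r"\[ipv([46])-addr:value\s*=\s*'([^']+)'\]")


def indicators_to_networks(bundle_json, min_confidence=0):
    """Return [(ip_network, indicator id, confidence)] for usable IP indicators."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX 2.1 bundle")
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue                       # only live indicator objects
        if obj.get("pattern_type", "stix") != "stix":
            continue                       # sigma/snort/yara patterns: not ours to parse
        if obj.get("confidence", 0) < min_confidence:
            continue                       # STIX confidence is 0-100
        m = IP_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue                       # domains, hashes, compound patterns: skipped
        out.append((ip_network(m.group(2), strict=False), obj["id"], obj.get("confidence")))
    return out


def render_blocklist(networks):
    """One CIDR per line, deduplicated and sorted, ready for an ipset or watchlist."""
    return "\n".join(sorted({str(net) for net, _, _ in networks}))


if __name__ == "__main__":
    print(render_blocklist(indicators_to_networks(SAMPLE_BUNDLE, min_confidence=70)))
```

The confidence floor matters more than it looks: the page's reputation and community feeds mix high-confidence C2 addresses with single-feed scanner hits, and blocking everything at the same weight is how a shared feed ends up dropping a reflector such as a public resolver.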
How accurate are the reputation scores?
Reputation scores are based on multiple independent signals, so a single false positive on one feed will not drastically lower a score. IPs need consistent, cross-referenced evidence of malicious activity to receive a low score. You can always drill into the underlying data to see exactly why an IP was scored the way it was.