Threat intelligence from live attacker contact, not recycled feeds.
BlackDome's honeypot network captures attacker TTPs, IOCs, and campaign patterns across 13 protocols and a global edge network. STIX 2.1 and TAXII 2.1 compatible.
Commercial threat feeds recycle the same stale indicators. BlackDome's feed comes from live attacker contact with our honeypot network — every IOC is observed, not aggregated.
What You Get
Everything needed to move from raw attacker activity to production-ready detections.
IOC Streams
IPs, domains, URLs, hashes, and attacker infrastructure extracted from active sessions hitting the BlackDome sensor mesh.
STIX 2.1 Bundles
Normalized export packages with structured indicators and context so analysts can automate enrichment and investigation.
TAXII 2.1 Integration
Wire the feed into your SIEM, TIP, or internal platform without building custom parsers around ad hoc JSON.
How It Works
Built to fit the way threat intel teams already ingest, enrich, and action data.
Honeypots capture
Distributed protocol sensors record live attacker activity across exposed services and deception endpoints.
Indicators are extracted
BlackDome normalizes sessions, extracts indicators, and groups related activity into analyst-consumable threat records.
STIX exported
Indicators are packaged into STIX 2.1 bundles or exposed over TAXII 2.1 for downstream automation.
Your SIEM ingests
Forward the feed into Splunk, Sentinel, QRadar, Elastic, or your own enrichment layer for hunts and detections.
Integrations
Common destinations for the feed in enterprise environments.
Choose Your Delivery Tier
Start with delayed community access, then move into real-time API and TAXII delivery as your SOC workflow matures.
Community
Delayed IOC access for researchers, labs, and early evaluations.
- 100 IOCs/day
- 72-hour delay
- CSV export
- IOC browser
Pro
Real-time API access with STIX export for production enrichment pipelines.
- Unlimited IOCs
- Real-time API access
- STIX 2.1 export
- Campaign reports
- 5K API requests/day
Enterprise
TAXII 2.1, higher limits, and richer intelligence delivery for enterprise teams.
- Everything in Pro
- Real-time TAXII 2.1 feed
- Bulk API access
- Credential intelligence
- 50K API requests/day
OEM
Firehose-grade access for MSSPs, resellers, and embedded intel products.
- Everything in Enterprise
- Firehose data stream
- White-label rights
- Custom integrations
- Unlimited API
Sample API response from the delayed public feed
This payload is generated from real BlackDome IOC records with the public 72-hour delay applied.
{
  "objects": [
    {
      "type": "indicator",
      "pattern": "[x-blackdome-ipv4:value = '163.7.8.88']",
      "confidence": 70,
      "created": "2026-04-09T22:28:04.047960+00:00",
      "modified": "2026-04-09T22:28:04.055648+00:00",
      "labels": [
        "medium",
        "attacker",
        "bot",
        "edge:leeroy-syd-01",
        "honeypot_capture"
      ]
    },
    {
      "type": "indicator",
      "pattern": "[x-blackdome-ipv4:value = '43.135.124.152']",
      "confidence": 70,
      "created": "2026-04-09T14:58:01.849282+00:00",
      "modified": "2026-04-09T14:58:01.849282+00:00",
      "labels": [
        "medium",
        "honeypot_capture",
        "edge:blkdm-blr-01",
        "attacker"
      ]
    },
    {
      "type": "indicator",
      "pattern": "[x-blackdome-ipv4:value = '185.38.148.2']",
      "confidence": 70,
      "created": "2026-04-06T19:31:42.883205+00:00",
      "modified": "2026-04-09T12:44:01.535049+00:00",
      "labels": [
        "medium",
        "attacker",
        "edge:blkdm-blr-01",
        "edge:blkdm-lon-01",
        "honeypot_capture"
      ]
    }
  ]
}
Feed live attacker signal into your SOC
Start with delayed community visibility, then move to real-time delivery, STIX export, and TAXII when your detections need live attacker signal.
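An added example, not BlackDome code: one way to vet the sample API response shown above before it reaches a blocklist or SIEM lookup. The sample as shown omits properties STIX 2.1 requires on an Indicator (id, spec_version, pattern_type, valid_from), so this parses it as plain JSON; the confidence threshold and severity label set are assumptions.

```python
import ipaddress
import json
import re

# Exact shape of the custom pattern used in the page's sample response.
PATTERN_RE = re.compile(r"\[x-blackdome-ipv4:value = '([^']+)'\]")
SEVERITIES = {"low", "medium", "high", "critical"}  # assumption: page shows only "medium"

# Constructed sample: the first entry mirrors one from the page, the other three
# are constructed to exercise the rejection paths.
SAMPLE = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[x-blackdome-ipv4:value = '185.38.148.2']",
     "confidence": 70, "labels": ["medium", "attacker", "edge:blkdm-blr-01",
                                  "edge:blkdm-lon-01", "honeypot_capture"]},
    {"type": "indicator", "pattern": "[x-blackdome-ipv4:value = '10.0.0.5']",
     "confidence": 70, "labels": ["medium", "edge:example-01"]},
    {"type": "indicator", "pattern": "[x-blackdome-ipv4:value = '198.51.100.7']",
     "confidence": 30, "labels": ["medium", "edge:example-01"]},
    {"type": "indicator", "pattern": "[x-blackdome-ipv4:value = '999.1.1.1']",
     "confidence": 70, "labels": ["medium", "edge:example-01"]},
]})

def parse_feed(raw, min_confidence=50):
    """Return (accepted, rejected): accepted maps IP -> context, rejected lists (value, reason)."""
    accepted, rejected = {}, []
    for obj in json.loads(raw).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        value = match.group(1) if match else obj.get("pattern")
        reason = None
        if not match:
            reason = "unrecognized pattern"
        elif obj.get("confidence", 0) < min_confidence:
            reason = "low confidence"
        else:
            try:
                # Never let a feed entry block private or reserved address space.
                if not ipaddress.IPv4Address(value).is_global:
                    reason = "non-routable"
            except ValueError:
                reason = "invalid IPv4"
        if reason:
            rejected.append((value, reason))
            continue
        labels = obj.get("labels", [])
        accepted[value] = {
            "sensors": sorted(l.split(":", 1)[1] for l in labels if l.startswith("edge:")),
            "severity": next((l for l in labels if l in SEVERITIES), None),
        }
    return accepted, rejected
```

Logging the rejected list rather than discarding it makes feed quality problems visible over time.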