top of page

Why is Jigsaw Threat Intelligence Different?

Jigsaw Threat Intelligence is different because we combine open source, commercial data, honey-pot intelligence, forensics after action data with data from over 400 customers spread out across the globe. Instead of just having the eyes of your internal team on your data streams you benefit from having intelligence active and monitoring for threats that have been observed in other customers environment. In addition a voting system allows you to mark intelligence as not relevant for your sector or organization to be able to curate data provided by Jigsaw Security.

Anybody can provide threat intelligence but what we see when we compare our feeds to others:

  • Our competition does not clean their feed - We see off-line host in their feed - If they are off line they are no longer a threat

  • Our competitors have old data - The threat actor has already moved on to new infrastructure but our competitors haven't found them yet so data in their feed is not accurate

  • Posting incorrect information that was publicly shared - We curate our feed to ensure accuracy

  • Missing data - In many cases our competition may have the IP addresses but not the associated domain names

  • Not connecting Intel to the Threat Actors - We track the intelligence by malware or campaign families (tagging)

So what makes us different?

We make harmful Internet sites harmless by blocking malicious content... All with inexpensive sensors and DNS appliances

How we disrupt threats - Firstwatch Sensor

The Jigsaw DISRUPT line of products is used on networks to ensure that malware cannot get a foothold in your network. By redirecting traffic from known bad destinations to good destinations we are able to prevent the initial infection and alert IT staff that an end user needs remedial training or their computer cleaned of malicious content that would have otherwise gone undetected. Our DISRUPT proxy and DISRUPT DNS line of products prevent commonly observed malware from infecting systems so your teams can concentrate on targeted malware aimed squarely at your organization. By disrupting threats you can concentrate on high priority security events and let software monitor and eliminate threatening items that take up valuable analyst time. These sensors either replace or work with your DNS servers.


The DISRUPT DNS server keeps you safe by blocking request to the C2 domains and servers used to carry out attacks. A simple change of DNS protects all systems in a network in minutes and will unmask any malware already hiding in your network environment by reporting on the activities of network device communications.


The DISRUPT Proxy works differently by sending resets on a network when specific content is observed or when a payload is observed attempting to download. Using our repository of threats it no longer matters where a threat is hosted or the domain as we detect the patterns in network traffic and send a reset breaking the connection to prevent the infection.

Using Threat Intel

When a customer subscribes to our Managed Security Services you are able to use Jigsaw Developed DISRUPT products or Jigsaw hosted systems to protect your network saving time and money. There is no need to install anything on your local network all that you need to do is point your DNS request at our publicly hosted servers effectively protecting you from specific DNS request. If you then decide you want IP and packet content level protection you can install the DISRUPT proxy in your network to actively stop content as well as malicious domains. Our managed Security Operations Center can then alert you to confirmed threats without wasting valuable time and resources looking for threats that may not exist.

Jigsaw Intelligence Feed - All feeds are NOT created equal...

Jigsaw Security Enterprise provides a threat intelligence capability through our Security Operations Center located in Moyock, North Carolina. Our SOC provides continuous, near real-time cyber security indicators and protections services to clients in various threat intelligence formats. This service allows our customers to utilize our threat intelligence product regardless of what systems they have deployed to protect their networks. In addition for customers that have no security monitoring in place we can provide public facing DNS servers loaded with our RPZ feed to protect entire offices with a simple change of your DNS servers. The following feeds are available in our threat intelligence product. We validate and confirm the information in feeds before publication and remove old data when the host are not longer a threat. We also leverage big data to curate our feeds to ensure the best possible products without relying on any third parties. That's what makes us different.

NOTE: Government and Law Enforcement receive intelligence free of charge as part of our industry to Government initiative.

Consuming our Threat Intelligence Data:

  • MISP Push Feed - We push data to your existing MISP instance

  • TAXII Server - You poll our Taxii server for Jigsaw and third party data

  • CSV Download - Download update files in CSV Format for use in your own products and services

  • Cloud Based Research Portal - Acces our cloud based search for indicator and threat intelligence data

  • Jigsaw Enterprise Platform - Use our data on your network to find threats in an automated process with customized dashboards

  • Use our feeds with your existing products (additional charge for raw feed access)

OSINT Feeds (Open Source Data):
  • Alienvault OTX - Public and Specific Information of Interest

  • Alienvault Blocklist - A list of known bad actors from Alienvault

  • Malc0de Blocklist - A list of known bad actors

  • Malware Domain List - A list of known bad actors

  • Maxmind Proxy Fraud - Proxy servers used by fraud actors

  • HITRUST - HITRUST Threat Sharing Community - Members Only - Jigsaw Contributor

  • Malware DNS - Malicious Files and Hash Sets

  • Malware via HTTP - Malicious Files served on Webservers

  • Malware via IRC - Malicious Files served on IRC or C2 use of IRC Servers

  • Open Blacklist - An Open Source Blacklist of Threats

  • Message Board Spam Sources - Known Spammers

  • Malware Blogs - Analyst data ingested through our OSINT-X monitoring

  • Known Proxy Servers - A reference to identify proxy servers Known

  • Open Proxy Servers - A reference to identify proxy servers with no access controls used by hackers

  • Proxy Spy List - Proxy Servers used by hackers to steal information

  • Confirmed Proxy Servers - Proxy Servers used by hackers to steal information

  • Ransomware Sources - A known list of ransomware sources

  • Proxy Server Abuse Monitoring - A known list of malicious proxy servers

  • Web Proxy Server Abuse Monitoring - A known list of malicious proxy servers

  • Shunlist - Bad actors and sites from

  • SSL Known Proxies - A list of encrypted open proxy servers

  • Threatcrowd C2 Servers - Malicious actors callback addresses from Threatcrowd

  • Active TOR Exit Nodes - List of fast changing TOR exit nodes

  • Trusted Security Bad Reputation - Trusted Security Internet Reputation

  • Malware Hosting URL List - URL List of Known Bad Malware Mailservers

  • Virus List - Mailservers sending large amounts of viruses via Email

  • SIP Protocol Attacks - Attacks on VOIP Networks and SIP

  • SSH Protocol Attacks - Attacks on SSH Servers and Vulnerabilities

  • BotScout Attackers - A list of known botnet attackers

  • ICS-ISAC - Collaboration with ICS ISAC and feeds of related IoT Attackers

  • Compromised Host - Compromised Infrastructure List

  • Brute Force Blocker - List of attackers and compromised systems observed attacking protected networks and clients

  • CI Army Bad Reputation - Actors observed by CI Army

  • CTA Cryptowall Feed - *Legacy* Low Volume Historical Tracker

  • DShield Top 1000 Attackers - ISC Observed Attackers List

  • Emerging Threats Feeds - Various Data sources provided by Emerging Threats

  • Wordpress Malicious Activity - Observed Attackers on Wordpress Software

  • ImproWare Antispam Blocklist - Known Email Spammers

  • ImproWare Antiworm Blocklist - Known Virus Worms and Autopopulating Samples

  • Malware Traffic Analysis - Information from

  • Jigsaw OSINTx Feed - Jigsaw Security OSINT data used to determine cyber threats

  • RSS Security Feeds - Jigsaw Security OSINT data extractions from RSS Feeds

  • Twitter Honeypot Collaborators - Near realtime honeypot data from Twitter feeds of trusted partners and members of our network

  • Jigsaw Analytics Platform - 480 Sources of Data brought into our Jigsaw Platform for analyst - Intelligence Products

  • Jigsaw SIGINT - Collection, enrichment and keyword analysis of open communications

  • IRC Chat Monitoring - Monitoring the most frequently used IRC chat rooms frequented by hackers

  • ThreatConnect - Data shared with Jigsaw through the ThreatConnect platform

  • ThreatCrowd - Threat Intelligence provided by ThreatCrowd (Enrichment)

  • VirusTotal - Threat Intelligence provided by VirusTotal (Enrichment)

  • Paste Site Targeted Collection - Collection of Paste data of Jigsaw Customers and Partners - Analyst notifications of threats

  • Jigsaw Credential Monitor - A list of passwords noted as compromised by Jigsaw Analytics products

  • CVE Vulnerabilities - Vulnerabilities tracked by MITRE Corporation

Enhanced Data Sets (Open Source and Proprietary, Subscription Required):
  • Nothink Malware Domains

  • Falconcrest IPBL

  • Spamhaus Extended Drop List

  • HMA Proxy IPs

  • ICS SANS Suspicious Domains - Low Fidelity

  • Malekal Malware Domains

  • TOR Exit Addresses

  • H3X Asprox Tracker

  • OpenPhish

  • SLC Security Attack List - Affiliate of Jigsaw Security

  • Packetmail iprep CARISIRT

  • Xecure Lab Open Phish Feed

  • Ransomware IP's

  • Clean MX Phishing URLs

  • Cruzit Server Blocklist

  • Arbor Atlas

  • YoYo Ad Servers

  • Shadowserver Command and Control Host

  • ICS SANS Data Feeds

  • ATLAS SSH Brute Force Infiltrated Blacklist

  • Berkeley Security Agressive IPs

  • VMX SSH Brute Forcers

  • VX Vault MD5 Hashes

  • Malicious Data Feed

  • CyberCrime Malware Patrol

  • FireHOL Blocklist

  • Bambenek Consulting Command and Control Master List

  • CI Army

  • Joe Wein Domain Blacklist

  • KJ Malware URLs

  • Project Honeypot

  • Modern Honeypot Network - Private Feeds and Public Feeds - Jigsaw Operated a very large MHN infrastructure

  • NoThink Malware HTTP

  • Jigsaw Commercial Threat Intelligence Products

Commercial Data available through Jigsaw Security (Customer must have subscription):

  • Crowdstrike - Data available only to Crowdstrike Subscribers

  • Dell SecureWorks - Data available only to SecureWorks Subscribers

  • Alienvault - Data available only to Alienvault Subscribers

  • Anomali Threatstream - Data available only to Threatstream Subscribers

  • Jigsaw Commercial IOC Feed - Provides high level feed for use in our Analytic Platform for matching IOC's to logs, packet data, etc.

NOTE: Additional feeds are added from time to time and redundant feeds are parsed to remove duplicate data.

Customers of these commercial services can receive feeds through the Jigsaw Security Enterprise Threat Intelligence Delivery Service. You must be a subscriber of these services and must provide your API key in our platform for delivery.

bottom of page