top of page
Jigsaw Security Enterprise Threat Intelligence Terms of Service

All customers accessing Jigsaw Security Threat Intelligence platforms, analytics or products agree to the following terms of service.

Last Updated: 15 Feb 2016

General Terms of Use


By accessing this system you agree that the information in this system is for your INTERNAL USE ONLY.


Subscribers receive access to highly sensitive data and are advised that any unauthorized release of this information to any third parties without the express written permission of Jigsaw Security Enterprise Incorporated will be grounds for removal from the system without refund. You agree to only use this information for your named corporate or Government entity only unless your contract specifies otherwise.



Levels of Service


Standard and Complimentary Access

- Access to the platform for ISACS and the General Public is open source data and data shared between others that have chosen to share data with the public. There is no charge for access at this level.


Paid Subscription

- Access to the platform for protecting corporate or Government networks. Requires paid subscription and includes Jigsaw proprietary data, partner data as well as open source data.


Enterprise Paid Subscription Jigsaw MSSP Service

- Access to the platform for protecting corporate or Government networks. Requires paid subscription and includes Jigsaw proprietary data, partner data as well as open source data. Includes access to all Jigsaw data as well as HIDS desktop client for Windows, Windows Auditing Software for DISA, ITSG, DCID 6/9, Dod 5105 and other highly secured environments. Customers also have access to our classified data transfer utility Data Lock and Alpha Ingestion Automation framework if under an MSSP contract. In addition this level of service provides annual audit and compliance report and access to restricted data. Government clients are also authorized for all services under this as part of their standard subscription.



Customers may NOT sell or otherwise publish the information in this system without written permission of Jigsaw Security. A reseller agreement must be in place for commercial vendors wishing to republish or use our data in their products or services.



Maintenance and Downtime:


You agree that Jigsaw Security Enterprise Inc may perform maintenance on the service from 10PM EST until Midnight EST as our normal maintenance windows. Additional maintenance may be conducted with prior notification that will be done through the "ALERTFEEDS" mailing list.


TLP Releasability:


You agree to follow the rules of the Traffic Light Protocol.


NOTE Concerning TLP:EX:CHR In addition to the standard TLP levels above this system utilizes an additional TLP rating EX:CHR. This classification is so we can comply with our European users of the system and is known as that Chatham House Rule. When this specific CHR tag is mentioned, the attribution (source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not apply the CHR tag. In addition of the CHR tag is used the classification should also be set to TLP:RED but if not set to that level it is assumed. Any additional TLP level in a CHR tagged indicator or event is applied only to the organization that published the event. The Traffic Light Protocol (TLP) is a set of designations used to ensure that sensitive information is shared with the correct audience. It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). Jigsaw Security Enterprise Inc works closely with domestic agencies, international governments, and private-sector organizations to coordinate cyber incident identification and response. TLP provides a simple and intuitive schema for indicating when and how sensitive cybersecurity information can be shared within the global cybersecurity community of practice, encouraging more frequent and effective collaboration between Jigsaw Security and its partners. The default classification for any event without TLP markings is TLP:AMBER


Peering FAQ


I see an event in my system but there are no indicators: This can happen when the event itself is shared but the releasability of indicators has been protected. The provider of the data has chosen to withhold the information temporarily. Once the incident has been investigated the indicators will probably be released and available to view. I can't get sync to work: In this case please email the SOC to get assistance with setting up your feed.


Sharing of Login Information:


Jigsaw Security will monitor logins and may restrict logins when we detect the sharing of login information. Persons sharing login information may be in violation of accessing a computing system in violation of USC 18 and may face criminal or cival charges, legal action or a combination of legal and efforts to recover the cost of providing the service.


Warranty: Generally the information in this system is provided "as-is" without warranty. While the information is generally believed to be correct there is a possibility that information in this system may contain errors or omissions. Because others have the ability to share and collaborate through this system the information is not owned by any individual although Jigsaw Security Enterprise Incorporated is the record holder for this information. By accessing this system you are granted access to proprietary information provided by Jigsaw Security and others. This information is owned by the originating organization and Jigsaw Security does not warrant the accuracy or completeness of the information in this system. Access to this system is provided under the terms of use and your individual contract with Jigsaw Security. Damages are limited to the prorated time in which this system may be unavailable outside of our maintenance windows and are limited to no more than 50% of the amount of fee's paid to access this system. The remaining 50% of the fee's paid are applied to the cost of operation of this system and are non refundable.


Quoting of Text: Information in this system that is copied from another source is required to by quoted. You can see the quote format in the discussions forum. Whenever copying information please post the name of the original source and quote the text so users can identify that you are pasting information for sharing and that the information was not an original text. The information in this system may contain copyrighted material that was not specifically authorized by the copyright owner. Jigsaw believes that by quoting information and providing the source of information or references in the system that this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this system for your own purpose beyond "fair use" you must obtain permission from the copyright owners or contributors.


Use of Information Restrictions


The information in this system has the potential to damage the reputation of companies that incur an infection or that are compromised as well as individuals that have their credentials compromised. For that reason the information in this system is not to be shared with any third parties outside of your organization. Exposing the information in this system publicly is not only in bad taste but may cause financial harm to the affected organizations in which you may be liable for damages should you attempt to extort, harass or blackmail said entities. In the event of any illegal activity please be advised that Jigsaw Security will release log data upon a legal request for such information in accordance with US and International law. Information in this system is collected through automated ingestion methods in some cases. Most information is reviewed whenver possible but with automated updates it is not always humanly possible to review every single record. For this reason you access this information at your own risk.


OSINT Information


This system contains information collected from OSINT sources. We are not responsible for the content of these sources and by accessing this system you understand that Jigsaw Security Enterprise LLC is not liable for any information received from any third parties and may use this information for reference in our platforms. The information is obtained through OSINT sources and remains open source.


Contact Responsibilities - Please Read Important


Users of this system must maintain an active email account and you must be able to receive email from this system as a condition of your agreement. If your email bounces we will disable your account. It is important that we be able to get in touch with subscribers if we detect threats that could harm your organization. This does not mean that you need to be emailed for every event which is known as event notifications. You can unsubscribe from event notifications under Global Actions and then selecting My Profile and then editing your profile. You can uncheck the receive notifications when events are published. This will allow you to continue to access the system but will not email you for every event generated by the system.


About Feeds


Access to certain data feeds in the system is restricted to authorized users. For example for DHS AIS data you must be a US Citizen and you must have a signed agreement with AIS to be a part of this sharing group. Jigsaw Security will verify signed agreements prior to authorizing this data set for subscribers. In addition JIGSAWCOM events are restricted to authorized subscribers that have paid for our commercial intelligence feeds. Jigsaw Security may restrict or otherwise control access to indicators that would compromise active Cyber investigations or in our discretion. Customers wishing to have privileged access ot this system may email our soc ( to sign the appropriate access agreements for full access to our threat intelligence feeds.


It should also be noted that some providers such as ICS-ISAC and FS-ISAC require membership before we can provide data to members.


Attention Live Virus Samples


This system at times may contain live virus samples collected by analyst and through automated means. This content may harm your computer or expose your network to malicious actors. By accessing this information you agree to hold harmless Jigsaw Security form any loss of revenue, loss of reputation or damage to systems. All virus content is zipped and password protected for your protection. By extracting content in binary form you agree that Jigsaw Security is not liable for any damage or destruction caused by such malicious code. Downloading of malware or virus samples is fully at your own risk.


Passwords on Infected Attachments: Passwords for infected files are set to "infected". By extracting you assume all risk associated with any resulting infections. If you need assistance with malware deconstruction please contact the SOC at 1-800-447-2150 x6.


Contact of Record


Jigsaw Security Enterprise Incorporated

Attn: Legal and Records

125 Eagleton Circle Moyock NC 27529


Phone: 800-447-2150 x1


Feed Information


  • Alienvault OTX - Public and Specific Information of Interest

  • Alienvault Blocklist - A list of known bad actors from Alienvault

  • Malc0de Blocklist - A list of known bad actors

  • Malware Domain List - A list of known bad actors

  • Maxmind Proxy Fraud - Proxy servers used by fraud actors

  • HITRUST - HITRUST Threat Sharing Community - Members Only

  • Malware DNS - Malicious Files and Hash Sets

  • Malware via HTTP - Malicious Files served on Webservers

  • Malware via IRC - Malicious Files served on IRC or C2 use of IRC Servers

  • Open Blacklist - An Open Source Blacklist of Threats

  • Message Board Spam Sources - Known Spammers

  • Malware Blogs - Analyst data ingested through our OSINT-X monitoring

  • Known Proxy Servers - A reference to identify proxy servers

  • Known Open Proxy Servers - A reference to identify proxy servers with no access controls used by hackers

  • Proxy Spy List - Proxy Servers used by hackers to steal information

  • Confirmed Proxy Servers - Proxy Servers used by hackers to steal information

  • Ransomware Sources - A known list of ransomware sources

  • Proxy Server Abuse Monitoring - A known list of malicious proxy servers

  • Web Proxy Server Abuse Monitoring - A known list of malicious proxy servers

  • Shunlist - Bad actors and sites from

  • SSL Known Proxies - A list of encrypted open proxy servers

  • Threatcrowd C2 Servers - Malicious actors callback addresses from Threatcrowd

  • Active TOR Exit Nodes - List of fast changing TOR exit nodes

  • Trusted Security Bad Reputation - Trusted Security Internet Reputation

  • Malware Hosting URL List - URL List of Known Bad Malware

  • Mailservers Virus List - Mailservers sending large amounts of viruses via Email

  • SIP Protocol Attacks - Attacks on VOIP Networks and SIP

  • SSH Protocol Attacks - Attacks on SSH Servers and Vulnerabilities

  • BotScout Attackers - A list of known botnet attackers

  • ICS-ISAC - Collaboration with ICS ISAC and feeds of related IoT Attackers

  • Compromised Host - Compromised Infrastructure List

  • Brute Force Blocker - List of attackers and compromised systems observed attacking protected networks and clients

  • CI Army Bad Reputation - Actors observed by CI Army

  • CTA Cryptowall Feed - *Legacy* Low Volume Historical Tracker

  • DShield Top 1000 Attackers - ISC Observed Attackers List

  • Emerging Threats Feeds - Various Data sources provided by Emerging Threats

  • Wordpress Malicious Activity - Observed Attackers on Wordpress Software

  • ImproWare Antispam Blocklist - Known Email Spammers

  • ImproWare Antiworm Blocklist - Known Virus Worms and Autopopulating Samples

  • Malware Traffic Analysis - Information from

  • Jigsaw OSINTx Feed - Jigsaw Security OSINT data used to determine cyber threats

  • RSS Security Feeds - Jigsaw Security OSINT data extractions from RSS Feeds

  • Twitter Honeypot Collaborators - Near realtime honeypot data from Twitter feeds of trusted partners and members of the Jigsaw Honeypot Network

  • Jigsaw Analytics Platform - 480 Sources of Data brought into our Jigsaw Platform for analyst - Intelligence Products

  • Jigsaw SIGINT - Collection, enrichment and keyword analysis of open communications

  • IRC Chat Monitoring - Monitoring the most frequently used IRC chat rooms frequented by hackers

  • ThreatConnect - Data shared with Jigsaw through the ThreatConnect platform

  • ThreatCrowd - Threat Intelligence provided by ThreatCrowd (Enrichment)

  • VirusTotal - Threat Intelligence provided by VirusTotal (Enrichment)

  • Paste Site Targeted Collection - Collection of Paste data of Jigsaw Customers and Partners - Analyst notifications of threats

  • Jigsaw Credential Monitor - A list of passwords noted as compromised by Jigsaw Analytics products

  • CVE Vulnerabilities - Vulnerabilities tracked by MITRE Corporation


Enhanced Data Sets


  • Nothink Malware Domains

  • Falconcrest IPBL

  • Spamhaus Extended Drop List

  • HMA Proxy IPs

  • ICS SANS Suspicious Domains - Low Fidelity

  • Malekal Malware Domains

  • TOR Exit Addresses

  • H3X Asprox Tracker

  • OpenPhish

  • SLC Security Attack List - Affiliate of Jigsaw Security

  • Packetmail iprep CARISIRT

  • Xecure Lab

  • Open Phish Feed

  • Ransomware IP's

  • Clean MX Phishing URLs

  • Cruzit Server Blocklist

  • Arbor Atlas

  • YoYo Ad Servers

  • Shadowserver Command and Control Host

  • ICS SANS Data Feeds

  • ATLAS SSH Brute Force

  • Infiltrated Blacklist

  • Berkeley Security Agressive IPs

  • VMX SSH Brute Forcers

  • VX Vault MD5 Hashes

  • Malicious Data Feed

  • CyberCrime

  • Malware Patrol

  • FireHOL Blocklist

  • Bambenek Consulting Command and Control Master List

  • CI Army

  • Joe Wein Domain Blacklist

  • KJ Malware URLs

  • Project Honeypot

  • Modern Honeypot Network - Private Feeds and Public Feeds

  • NoThink Malware HTTP


Commercial Data in Platform

  • Crowdstrike - Data available only to Crowdstrike Subscribers

  • Dell SecureWorks - Data available only to SecureWorks Subscribers

  • Alienvault - Data available only to Alienvault Subscribers

  • Anomali Threatstream - Data available only to Threatstream Subscribers



Note on Commercial Data

Some of the data sources available in our system require a commercial account with the vendor. Once end users have the account you must contact your data manager to get your specific API setup in the Jigsaw platform. In addition our data is available through some third party platforms to include Alienvault, Anomali and some third party information exchanges such as the Facebook Threat Exchange and Open Threat Exchange from Alienvault in which we publish some threat intelligence products.



TAXII Server Connections

  • HailaTAXII - Open Source TAXII Server

  • ICS-ISAC - Hosted by Hurricane Electric

  • Threat Actor Lab

  • AIS Feed (In Provisioning)

  • Eclectic IQ TAXII Server(In Provisioning)



Authorized Partners and Resellers

  • TSPI - Northern VA Integration Company

  • Threatstream Anomali - Intel Provider

  • Global Enterprise Systems - Government Integration



How to connect to Jigsaw Threat Intelligence


There are many methods for obtaining and using Jigsaw Threat Intelligence products. If you have purchased a Jigsaw Analytic Platform license threat intelligence is pushed from the Jigsaw Threat Intelligence server (this server) directly into your platform. As logs, packet data and information are ingested into the platform the Matchstick analytics match your log files to Jigsaw Threat Intelligence highlighting compromised, infected or malware running in your network automatically.

Jigsaw Analytic Platform - Requires License and Subscription for Use

- Threat Intelligence is Matched to your Network

MISP Server

- Install a MISP Server or buy an appliance from Jigsaw. Then you can connect to your CEP, XML, JSON, CSV, Snort, Suricata, Bro, Firewall, IDS, Antivirus and other devices using our Threat Intelligence to detect problems.

TAXII Server

- If you run a TAXII server you can connect to the Jigsaw TAXII server to obtain data. We recommend using STAXX from Anomali (one of our preferred partners) or Soltra Edge to consume our Threat Intelligence via TAXII. In addition some security products use TAXII so you can connect those devices directly to our TAXII server or we can deploy a TAXII server on your network.



Economic Espionage Act of 1996 Terms and Conditions: In accordance with the Economic Espionage Act of 1996 you agree to the terms to include 18 USC Section 1831, 18 USC Section 1832 and also Federal Computer Security Violations as provided by 18 USC Section 1030. Because this system stores passwords collected via OSINT mechanisms you are restricted from accessing and disclosing this information in regards to this section of Federal law as well as any State and Local laws that may apply in your jurisdiction. By accessing this system you agree to all terms and conditions of access and that this TOS may be updated at anytime in the future.

bottom of page