Block Attacks Before They Knock.

Your firewall is blind without the right data. We aggregate signals from 1,000+ managed firewalls and 30+ global honeypots. No manual curation. No false positives. Pure, curated intelligence.

1,000+ Managed Firewalls · 30+ Global Honeypots · 190k+ Daily Indicators · 0.0% False Positive Target

Swarm Intelligence against the noise.

Traditional controls (like Fail2Ban) break against modern botnets. Attackers rotate thousands of IPs for a single login attempt—noise locally, obvious in aggregate.

The ThreatCore answer: when IP 1.1.1.1 hits a firewall in Asia, your firewalls in Europe know in milliseconds. We correlate logs from 1,000+ sources. Invisible locally, obvious across the network.

  • Premium vendor feeds (paid)
  • Global honeypot telemetry (owned sensors)
  • Real-time anomaly detection

Access Plans

SELECT_PROTECTION_LEVEL

BASIC

$0/Year

Solid baseline. Community lists for small environments.

Updates: 24h
Coverage: ~30k IPs
Type: IPv4

STANDARD

$179/Year

Fewer false positives through curation. More coverage.

Updates: 6h
Coverage: ~45k IPs
Support: Email

PREMIUM

$349/Year

Professional protection. Includes domains & URLs. Hourly updates.

Updates: 1h
Coverage: ~120k IPs
Extras: Domains & URLs
Sources: Honeypots + Paid

ULTIMATE

$1999/Year

Real-time updates for critical infrastructure.

Updates: 15 min
Coverage: Max (~190k)
Priority: Real-time

Updated: 03 Sep 2025

Sophos Firewall Threat Feeds

ThreatFeedsX delivers continuously curated IoCs (IP, domain, URL) straight into Sophos Firewall. Community, commercial, honeypot, and anonymized customer telemetry are blended and cleaned so your firewall blocks malware, botnet C2, and phishing before it reaches your network.

Why Threat Feeds?

  • Proactive protection: block known bad actors before damage occurs.
  • Flexibility: mix feeds that fit your security and compliance needs.
  • Automation: the firewall updates and blocks without manual list edits.

Requirements & Compatibility

For Sophos Firewall you need the Xstream Protection Bundle to enable third-party threat feeds in Active Threat Response. The bundle is mandatory: without it, the firewall cannot process external feeds at all.

Also works with

Fortinet FortiGate (External Block List), Palo Alto Networks (External Dynamic List), Check Point, OPNsense, and other platforms that support external blocklists.

Feed lineup & refresh rates

Designed for Sophos v21+ Active Threat Response

Four tiers so you can start simple and scale: from free community-grade to near-real-time, fully curated intelligence with domains and URLs.

Basic — 0 CHF/yr, 24h updates, ~30k IPv4.

Standard — 179 CHF/yr, 6h updates, ~45k IPv4, support, 100% discount for Sophos Firewall subscription customers.

Premium — 349 CHF/yr, 1h updates, ~120k IPv4 plus domains/URLs, support, 14% discount for Sophos Firewall subscription customers.

Ultimate — 1999 CHF/yr, 15 min updates, ~180k IPv4 plus domains/URLs, support, 10% discount for Sophos Firewall subscription customers.

Discounts apply to customers with an active Sophos Firewall subscription. Upgrade paths let you move from Basic to higher tiers without reconfiguration.

ThreatFeedsX Firewall Network

Hundreds of customer firewalls and global honeypots feed anonymized signals into our cloud. Distributed brute-force campaigns are caught by correlation: if an IP fails logins across many sites, it is flagged and blocked everywhere within minutes. The result is less noise and fewer missed attacks.

Sophos setup in minutes

  1. Open Protect → Active threat response → Third-party threat feeds → Add.
  2. Name the feed (e.g., threatfeedsx-basic-ipv4) and add a short description.
  3. Choose indicator type (IPv4, domain, URL) and action Block.
  4. Paste the External URL from the ThreatFeedsX feed list.
  5. Set polling interval (24h Basic, 6h Standard, 1h Premium, 15m Ultimate).
  6. Authentication: none needed unless specified.
  7. Test connection, save, and the firewall auto-imports IoCs.

Also supported on Fortinet, Palo Alto, Check Point, and OPNsense via their external list features.
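Before trusting a feed URL in step 7, it is worth checking what the firewall will actually import. The following validator is an added example, not code from the ThreatFeedsX page or product; it assumes the feed is plain text with one IPv4 address or CIDR per line and `#` or `;` comments (the page does not document the feed format), and the sample feed and the bogon list are constructed for illustration. It rejects non-IPv4 entries, prefixes too broad to be intentional, and non-routable ranges, and deduplicates the rest.

```python
import ipaddress

# Constructed sample of a plain-text IPv4 blocklist (not a real ThreatFeedsX download).
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.7
198.51.100.7            # duplicate entry
203.0.113.0/24
10.0.0.5                # RFC 1918 address: must never come from a public feed
0.0.0.0/0               # a line like this would block everything
2001:db8::1             # IPv6 entry in an IPv4-only feed
not-an-ip
192.0.2.44 ; some tools use a semicolon for trailing comments
"""

# Non-routable prefixes a public blocklist must never contain (assumed list).
# The RFC 5737 documentation ranges (192.0.2.0/24 etc.) are intentionally absent
# so the constructed sample above can stand in for public addresses; a
# production bogon list would include them.
BOGONS = tuple(ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
))

MIN_PREFIXLEN = 8  # anything broader than a /8 is almost certainly a feed error


def _strip_comment(raw):
    """Return the indicator portion of a feed line, minus '#' or ';' comments."""
    return raw.split("#", 1)[0].split(";", 1)[0].strip()


def parse_feed(text):
    """Validate an IPv4 feed; return (accepted networks, [(entry, reason), ...])."""
    accepted = {}   # dict keeps first-seen order and deduplicates
    rejected = []
    for raw in text.splitlines():
        entry = _strip_comment(raw)
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((entry, "not-ipv4"))
        elif net.prefixlen < MIN_PREFIXLEN:
            rejected.append((entry, "too-broad"))
        elif any(net.overlaps(b) for b in BOGONS):
            rejected.append((entry, "non-routable"))
        else:
            accepted.setdefault(net, entry)
    return list(accepted), rejected


def render(networks):
    """Format networks as a one-per-line blocklist (single hosts without /32)."""
    return [str(n.network_address) if n.prefixlen == 32 else str(n)
            for n in networks]


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    print("\n".join(render(ok)))
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
```

Run it against the text your firewall downloads from the feed URL; a rejected `non-routable` or `too-broad` entry in a live feed is a reason to pause the polling before the firewall blocks your own address space.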

FAQ

More signal, less noise

What is a threat feed?

Continuously updated IoCs (IPs, domains, URLs) that the firewall imports to block known bad traffic automatically.

How is this different from rules or IPS?

Rules and IPS react to patterns in live traffic. Threat feeds are reputation-first: they block known offenders at the edge before patterns emerge. The two are complementary.

Which license is needed for Sophos?

Xstream Protection is required to enable third-party feeds inside Sophos Active Threat Response.

Which firewalls are supported?

Sophos, Fortinet, Palo Alto, Check Point, OPNsense, and any platform that accepts external blocklists or external dynamic lists.

Since when are the feeds in production?

Operational since late 2024 with continuous refinements from real deployments.

How big is the ThreatFeedsX sensor network?

Hundreds of managed firewalls plus globally distributed honeypots on five continents feed telemetry that we curate into the lists.

Security, Privacy & Compliance

What we collect, how we process, and where we host ThreatFeedsX data.

Privacy-first design

We ingest indicators only (IPs/domains/URLs). No user traffic, credentials, or PII are collected.

Data handling

  • TLS in transit, access-controlled storage, retention tuned for threat intel only.
  • Sources: curated OSINT, commercial feeds, honeypots, anonymized firewall telemetry (opt-in).
  • Quality focus: multi-source correlation and whitelisting to reduce false positives.

Imprint & contact

ThreatCore FZCO · Dubai Silicon Oasis, DDP · Building A2, Unit 101 · Dubai, UAE · partner@threatcore.io

TECHNICAL SPECIFICATIONS

Integration Support

Optimized for Sophos Firewall (Xstream Protection Bundle required for third-party feeds), Fortinet FortiGate (External Block List), Palo Alto Networks (EDL), OPNsense, and Check Point.

Data Curation Logic

We stop false positives through 3-layer validation:

  1. Ingest 20+ sources (open + paid).
  2. Cross-check with telemetry from 30+ honeypots & 1,000+ firewalls.
  3. Whitelist trusted ASNs (Google, Microsoft, AWS, Cloudflare).
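The correlation described in the ThreatFeedsX Firewall Network section (a source that fails logins across many sites is flagged, while a single site being hammered stays local noise) and the allowlisting step above can be shown in a few lines. This is an added example, not the ThreatCore pipeline: the auth-failure events, sensor names and the allowlist range are constructed, and the threshold of three distinct sensors is an assumption, not a value the page states.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AuthFailure:
    sensor: str   # reporting firewall or honeypot
    region: str
    src_ip: str


# Constructed telemetry (not real ThreatFeedsX data); RFC 5737 documentation
# addresses stand in for attacker sources.
EVENTS = [
    AuthFailure("fw-zrh-01", "eu",   "198.51.100.7"),
    AuthFailure("fw-sgp-02", "apac", "198.51.100.7"),
    AuthFailure("hp-nyc-01", "na",   "198.51.100.7"),
    AuthFailure("fw-fra-03", "eu",   "198.51.100.7"),   # one try per site, four sites
    AuthFailure("fw-zrh-01", "eu",   "192.0.2.44"),
    AuthFailure("fw-zrh-01", "eu",   "192.0.2.44"),
    AuthFailure("fw-zrh-01", "eu",   "192.0.2.44"),     # three tries, one site only
    AuthFailure("fw-sgp-02", "apac", "203.0.113.9"),
    AuthFailure("hp-nyc-01", "na",   "203.0.113.9"),
    AuthFailure("fw-fra-03", "eu",   "203.0.113.9"),    # widespread, but allowlisted
]

# Placeholder for the "trusted ASN" allowlist: a constructed range, not a
# provider's real prefixes.
ALLOWLIST = (ipaddress.ip_network("203.0.113.0/24"),)


def is_allowlisted(ip, allowlist=ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def correlate(events, min_sensors=3, allowlist=ALLOWLIST):
    """Flag sources that failed logins at >= min_sensors distinct sensors.

    Returns (flagged, suppressed): {ip: distinct_sensor_count} for sources to
    block, and for sources that met the threshold but fall in the allowlist.
    """
    sensors_by_ip = defaultdict(set)
    for ev in events:
        sensors_by_ip[ev.src_ip].add(ev.sensor)

    flagged, suppressed = {}, {}
    for ip, sensors in sensors_by_ip.items():
        if len(sensors) < min_sensors:
            continue   # seen at too few sites: local noise, left to host-level tools
        bucket = suppressed if is_allowlisted(ip, allowlist) else flagged
        bucket[ip] = len(sensors)
    return flagged, suppressed


def to_blocklist(flagged):
    """Render flagged sources as the one-IP-per-line text a firewall feed imports."""
    return "\n".join(sorted(flagged, key=ipaddress.ip_address))


if __name__ == "__main__":
    flagged, suppressed = correlate(EVENTS)
    print("block:", flagged)
    print("allowlisted despite threshold:", suppressed)
    print(to_blocklist(flagged))
```

The point of counting distinct sensors rather than raw attempts is exactly the page's argument: 198.51.100.7 never exceeds one attempt per site, so no single firewall would flag it, yet across four sensors it is the clearest signal in the data. Keeping the allowlisted hits in a separate bucket rather than dropping them lets an operator review whether a trusted range is genuinely misbehaving.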