Port Six

Threat Intelligence Data Coverage

Overview

Port Six aggregates threat intelligence from diverse sources worldwide, providing comprehensive coverage across all observable types. Our platform continuously ingests, normalizes, and enriches data to deliver high-fidelity threat intelligence.

Observable Type Coverage

IP Addresses (IPv4 & IPv6)

  • Active malicious IPs: 2.5M+ tracked continuously
  • Daily additions: ~5,000 new malicious IPs
  • GeoIP enrichment: 100% coverage (all IPs)
  • ASN enrichment: 99.8% coverage
  • Cloud provider detection: 100% coverage for AWS, GCP, Azure, Cloudflare
  • Anonymization detection: Tor nodes, VPNs, proxies, datacenter hosting

IP Threat Categories Covered

  • C2 infrastructure (Cobalt Strike, Metasploit, custom malware)
  • Botnet participants (Mirai, Emotet, Qakbot)
  • Brute force attackers (SSH, RDP, web logins)
  • Network scanners (Shodan, Masscan, reconnaissance)
  • DDoS infrastructure
  • Spam/email abuse

Domain Names

  • Active malicious domains: 1.8M+ tracked
  • Daily additions: ~3,000 new domains
  • WHOIS enrichment: 92% coverage
  • DNS record enrichment: 95% coverage
  • SSL certificate data: 88% coverage

Domain Threat Categories Covered

  • Phishing infrastructure (credential theft, brand impersonation)
  • Malware distribution servers
  • C2 domains (DGA-generated and hardcoded)
  • Spam/scam operations
  • Typosquatting domains
  • Parked malicious domains

URLs

  • Active malicious URLs: 800K+ tracked
  • Daily additions: ~2,000 new URLs
  • Content analysis: 75% coverage (HTML analysis, screenshots)
  • Redirect chain tracking: 80% coverage

URL Threat Categories Covered

  • Phishing pages (Office 365, banking, crypto)
  • Exploit kits (RIG, Magnitude, Fallout)
  • Malware download locations
  • Scam pages
  • SEO poisoning

File Hashes (MD5, SHA1, SHA256)

  • Active malicious hashes: 5M+ tracked
  • Daily additions: ~8,000 new samples
  • Threat intel tags: Malware family, behavior classification
  • Source attribution: Feed and source tracking

Malware Family Coverage

We track 100+ malware families including:

  • RATs: AsyncRAT, njRAT, QuasarRAT, DarkComet, NanoCore
  • Trojans: Emotet, TrickBot, Qakbot, IcedID, BazarLoader
  • Ransomware: LockBit, BlackCat, REvil, Conti, Ryuk
  • Infostealers: RedLine, Raccoon, Vidar, AgentTesla, FormBook
  • Botnets: Mirai, Mozi, Gafgyt, Bashlite
  • Cryptominers: XMRig, CCMiner
  • Offensive tools: Cobalt Strike, Metasploit, Sliver, Brute Ratel

Behavioral Tag Coverage

All observables are tagged with structured behavioral classifications:

Behavior Tags

  • behavior:c2 - 450K+ observables
  • behavior:phishing - 380K+ observables
  • behavior:malware-distribution - 220K+ observables
  • behavior:scanning - 180K+ observables
  • behavior:brute-force - 140K+ observables
  • behavior:ddos - 95K+ observables
  • behavior:spam - 120K+ observables
  • behavior:botnet - 160K+ observables

Malware Family Tags

  • malware_family:cobalt-strike - 12K+ observables
  • malware_family:emotet - 8K+ observables
  • malware_family:mirai - 45K+ observables
  • malware_family:asyncrat - 3K+ observables
  • malware_family:xmrig - 7K+ observables

Infrastructure Tags

  • infrastructure:tor-exit - 2,500+ nodes tracked
  • infrastructure:cloud-aws - 85K+ malicious AWS IPs
  • infrastructure:cloud-gcp - 12K+ malicious GCP IPs
  • infrastructure:cloud-azure - 18K+ malicious Azure IPs
  • infrastructure:vpn - 45K+ VPN endpoints

MITRE ATT&CK Coverage

  • Techniques tracked: 200+ (of 600+ total)
  • Tactics covered: All 14 tactics
  • Groups tracked: 50+ APT and cybercrime groups
  • Software tracked: 100+ malware families and tools

Most Observed Techniques

  • T1071.001 - Application Layer Protocol: Web Protocols (C2)
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1105 - Ingress Tool Transfer
  • T1190 - Exploit Public-Facing Application

CVE Coverage

  • Total CVEs: 240,000+ tracked
  • With exploit code: 12,000+ CVEs
  • Exploited in the wild: 2,400+ CVEs
  • Daily updates: New CVEs added within 24 hours of NVD publication
  • MITRE ATT&CK mappings: 8,500+ CVEs mapped to techniques

Critical CVE Focus Areas

  • Remote code execution (RCE)
  • Authentication bypass
  • SQL injection
  • Cross-site scripting (XSS)
  • Privilege escalation
  • Information disclosure

Threat Actor Coverage

  • APT groups: 50+ tracked (including APT28, APT29, Lazarus Group, APT41)
  • Cybercrime groups: 30+ tracked (including ransomware operators, banking trojans)
  • Hacktivists: 10+ groups tracked

Attribution Data Includes

  • Infrastructure ownership
  • Malware family associations
  • Campaign timelines
  • Target industries and geographies
  • TTPs and MITRE ATT&CK mappings

Geographic Coverage

  • Countries covered: 200+
  • GeoIP accuracy: 95%+ at country level, 80%+ at city level
  • ASN coverage: 70,000+ ASNs tracked globally

Top Threat Origination Countries

  • Russia - 18% of malicious IPs
  • China - 14% of malicious IPs
  • United States - 12% of malicious IPs (compromised infrastructure)
  • Germany - 8% of malicious IPs (bulletproof hosting)
  • Netherlands - 7% of malicious IPs (VPS hosting)

Data Freshness

  • Update frequency: Continuous (real-time)
  • Average time to ingestion: 15 minutes from source publication
  • Deduplication: Automated across all sources
  • False positive rate: <0.5% (verified through sightings)
  • Confidence scoring: All observables include confidence (0.0-1.0)

Lifecycle Management

  • Active observables: Seen in last 90 days from any source
  • Dormant: No sightings for 90+ days (marked as dormant, retained)
  • Historical: Full history retained indefinitely for investigation
  • Resurrection detection: Dormant infrastructure reactivation alerts

Enrichment Coverage Summary

  Observable Type | Enrichment Coverage   | Threat Intel Coverage
  IP Address      | 100% GeoIP, 99% ASN   | 2.5M malicious IPs
  Domain          | 92% WHOIS, 95% DNS    | 1.8M malicious domains
  URL             | 75% content analysis  | 800K malicious URLs
  Hash            | 60% malware family    | 5M malicious hashes
  CVE             | 100% CVSS scoring     | 240K CVEs tracked

Quality Assurance

  • Deduplication: Automated hash-based deduplication across sources
  • Normalization: All data normalized to consistent schema
  • Validation: Automated validation of IP/domain/hash formats
  • Confidence scoring: Multi-source correlation increases confidence
  • False positive mitigation: Automated checks against benign infrastructure
  • Sighting verification: Real-world sightings increase confidence
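The Lifecycle Management and Quality Assurance sections above describe one ingestion pipeline: validate and normalize each observable, deduplicate by canonical value, classify it as active or dormant on the 90-day boundary, raise an alert when dormant infrastructure is sighted again, and raise confidence as more sources corroborate it. The following is an added illustration of that pipeline in Python, not Port Six's own code; the confidence formula (0.5 for one source, +0.15 per additional source) and the sample sightings are constructed for the example.

```python
import ipaddress, re
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # the page's active/dormant boundary
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length identifies the algorithm
DOMAIN_RE = re.compile(r"^((?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")  # alphabetic TLD only

def normalize(raw):
    """Validate and canonicalize one observable; None means malformed, so it is dropped."""
    v = raw.strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(v)))  # IPv4 and IPv6 in canonical text form
    except ValueError:
        if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", v):
            return (HASH_TYPES[len(v)], v)
        return ("domain", v) if len(v) <= 253 and DOMAIN_RE.match(v) else None

def ingest(table, raw, source, seen):
    """Dedup-merge one sighting by normalized key; True if it reactivates a dormant observable."""
    if (key := normalize(raw)) is None:
        return False
    rec = table.get(key)
    if rec is None:
        table[key] = {"sources": {source}, "first_seen": seen, "last_seen": seen}
        return False
    resurrected = seen - rec["last_seen"] >= DORMANT_AFTER
    rec["sources"].add(source)
    rec["first_seen"], rec["last_seen"] = min(rec["first_seen"], seen), max(rec["last_seen"], seen)
    return resurrected

def state(rec, now):
    """Active if any source saw it within the last 90 days, otherwise dormant (but retained)."""
    return "active" if now - rec["last_seen"] < DORMANT_AFTER else "dormant"

def confidence(rec):
    """Hypothetical multi-source score in 0.0-1.0: 0.5 for one source, +0.15 per extra source."""
    return round(min(1.0, 0.5 + 0.15 * (len(rec["sources"]) - 1)), 2)

# Constructed sample sightings: (observable, source, time). One duplicate, one malformed IP.
T0, DAY = datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
SAMPLE = [("198.51.100.7", "feed-a", T0), ("198.51.100.7 ", "feed-b", T0 + 10 * DAY),
          ("Example.COM.", "feed-a", T0 + 20 * DAY), ("999.1.1.1", "feed-c", T0 + 20 * DAY),
          ("198.51.100.7", "feed-c", T0 + 120 * DAY)]  # 110 days idle: resurrection alert

def demo():  # run the sample feed; return the deduplicated table and the resurrection alerts
    table, alerts = {}, []
    for raw, source, seen in SAMPLE:
        if ingest(table, raw, source, seen):
            alerts.append((normalize(raw), source))
    return table, alerts
```

Running demo() yields two records (the malformed IP is rejected and the whitespace variant collapses into the first IP) and a single resurrection alert for the IP re-sighted 110 days after its last appearance.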