Frequently Asked Questions (FAQ)
Got a question? Hopefully, you’ll find the answer here! If not, please contact us using the contact form below, managed by our partner, Spamhaus.
Why ThreatFox?
I love OSINT! There are many smart and talented IT-security researchers, threat analysts, CERT/CSIRT/SOC employees and IT-security enthusiasts around. Some of them share parts of their analysis and indicators of compromise (IOCs) publicly, usually on GitHub or on social media such as Twitter. While this is great, it is a pain at the same time: you need to invest a lot of time searching for these IOCs and, even worse, automating their collection is in many cases not easily possible (if not impossible).
ThreatFox is a platform where people who would like to share their indicators of compromise (IOCs) with the community can do so. For this purpose, ThreatFox offers a web UI and an API. At the same time, security researchers who would like to use that data to protect their own constituency, users or customers can easily integrate it by taking advantage of the ThreatFox API.
ThreatFox is a free, community driven platform for sharing indicators of compromise with the world!
What impact does the ThreatFox data have?
So far, over 1'299'983 IOCs have been shared with the ThreatFox platform. With this intelligence, as a community, we have:
- Answered around 95 million API requests in 30 days (statistic from October 2024), providing other threat researchers with real-time insights for threat hunting and mitigation
- Served over 500 daily consumers who rely on ThreatFox data feeds and exports to support threat intelligence practitioners.
- Assisted major law enforcement agencies in some of the biggest global takedown efforts, such as Operation Endgame.
Your data is also contributing to the effectiveness and impact of Spamhaus’ datasets to enhance email and network protection while providing more context-rich data for threat hunting.
Read more about the impact of your contributions here.
What formats is the ThreatFox data available in?
You can access IOCs from ThreatFox through several methods:
- Browse the ThreatFox database
- Integrate via the ThreatFox API
- Export IOCs as daily MISP events, host files (domains only), Suricata IDS ruleset, RPZs and JSON files
- Request specific IOCs from the community
- Real-time feeds, provided by our partner, Spamhaus
- Additionally, malware samples shared through ThreatFox influence Spamhaus datasets
Spamhaus datasets that leverage data from ThreatFox:
- Botnet Controller Dataset: A collection of IPv4 addresses hosting active botnet C2 servers, accessible through the Spamhaus Intelligence API, Spamhaus DNS Firewall and the Spamhaus BGP Firewall
- Hash Dataset: Includes cryptographic hashes linked to malicious content, used for protecting and/or filtering emails. This dataset is accessible through Spamhaus DNSBLs.
What kind of information should be shared on ThreatFox?
If you want to share your indicators of compromise (IOCs) on ThreatFox, I'm glad to hear that! However, before you start to push data to ThreatFox, please read the following submission policy carefully.
- Indicators of compromise (IOCs) related to malware only: Only share indicators of compromise (IOCs) on ThreatFox. An IOC is an IP address, domain name, URL, email address or file hash that, if observed in a production environment, would indicate a compromise of your network with malware. Do not share any IOCs related to spam, phishing or other threats on ThreatFox.
- Vetting: By default, submissions made to ThreatFox are reviewed by a human. If you share high quality IOCs on ThreatFox, you may be flagged as a Trusted Reporter. Submissions from such users go directly into the LIVE database without any further vetting.
- Confidence level: Whenever you submit an IOC to ThreatFox, please choose the confidence level carefully. Only use high confidence levels on IOCs you have manually vetted.
- Fresh IOCs: There are gazillions of IOCs out there. Please refrain from sharing (obsolete) IOCs that are older than 10 days.
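As an added example (not ThreatFox's own code or API), the following Python pre-submission check encodes the four rules above: it classifies a raw value as one of the accepted IOC types and rejects entries that are not malware-related, are older than 10 days, or carry a high confidence level without manual vetting. The submission field names, the 0-100 confidence scale and the 75 "high" threshold are assumptions; the sample submissions are constructed and use documentation ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

MAX_AGE = timedelta(days=10)         # policy: refuse IOCs older than 10 days
HIGH_CONFIDENCE = 75                 # assumed threshold on an assumed 0-100 scale
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def classify(ioc: str):  # IOC type the policy accepts, or None if it is none of them
    s = ioc.strip()
    if len(s) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", s):
        return HASH_TYPES[len(s)]
    if _is_ip(s):
        return "ip"
    if "://" in s:                   # tested before email: URLs may carry '@'
        p = urlparse(s)
        return "url" if p.scheme in ("http", "https") and p.netloc else None
    if EMAIL_RE.match(s):
        return "email"
    return "domain" if DOMAIN_RE.match(s) else None

def check_submission(sub: dict, now: datetime) -> list:  # [] means it may be pushed
    problems = []
    if classify(sub["ioc"]) is None:
        problems.append("not an IP, domain, URL, email address or file hash")
    if sub.get("threat") != "malware":
        problems.append("only malware-related IOCs (no spam or phishing)")
    if now - sub["first_seen"] > MAX_AGE:
        problems.append("older than 10 days")
    if sub.get("confidence", 0) >= HIGH_CONFIDENCE and not sub.get("manually_vetted"):
        problems.append("high confidence requires manual vetting")
    return problems

# Constructed sample submissions (documentation ranges, not real indicators).
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)
SAMPLES = [
    {"ioc": "198.51.100.10", "threat": "malware", "confidence": 90,
     "manually_vetted": True, "first_seen": NOW - timedelta(days=2)},
    {"ioc": "login-example.test", "threat": "phishing", "confidence": 80,
     "first_seen": NOW - timedelta(days=12)},
]
```

Running `check_submission` over `SAMPLES` passes the first entry and flags the second on all three policy points.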
Why is there no data export in STIX/TAXII available?
I've offered a STIX/TAXII export for threat intel from URLhaus for a while. Unfortunately, I've noticed that due to the extensive amount of information STIX/TAXII provides, the export file soon became very, very big (Gigabytes!). I've therefore decided against supporting STIX/TAXII format across all abuse.ch projects. I apologize and hope that one of the other available formats will fit your needs.
Can I use data from ThreatFox commercially?
Yes! You can use any data provided by ThreatFox for commercial and non-commercial purposes - for free. This includes reselling or integration into commercial products. However, I kindly ask you to have a quick look at the (very short) Terms of Services (ToS) at the end of this FAQ.
Terms of Services (ToS)
By using the website of ThreatFox or any of its services / datasets, you agree that:
- All datasets offered by ThreatFox can be used for both commercial and non-commercial purposes for free without any limitations (CC0)
- Any data offered by ThreatFox is served as-is, on a best-effort basis, with no warranty
- ThreatFox cannot be held liable for any false positives or damage caused by the use of the website or the datasets provided
- Any submission to ThreatFox will be treated and shared under TLP:CLEAR and under Creative Commons No Rights Reserved (CC0)