Public Beta

Public Threat Intelligence & Firewall Intelligence Platform

AIT Security Center provides real-world cyber threat intelligence, firewall reputation feeds, blocked IP intelligence and AI crawler telemetry powered by AIT NODE SECURITY AI.

View Live Intelligence Download Feeds
Live Threat Metrics AI Crawler Intelligence IP Reputation Lookup Firewall Feeds
Protected IP Coverage 1.2B+
Security Modules 8
Threat Feeds 3
AI Systems Detected 5+
Platform Overview

Real Firewall Data. Real Threat Intelligence.

The platform collects security events from active protection modules, aggregates blocked IP addresses and publishes structured intelligence feeds for security analysis, firewall protection and reputation checks.

🛡️

Threat Intelligence Feed

Public cyber threat intelligence generated from real-world attack activity.

🔥

Firewall Intelligence

Daily, full and trusted network feeds for firewall and security systems.

🤖

AI Crawler Intelligence

Detection of AI systems and search engines accessing public feeds.

🔎

IP Reputation Lookup

Search an IP address across published security modules and block lists.

Live System

AIT Security Center Live Dashboard

The live dashboard below is generated from AIT NODE SECURITY AI data and updates as the firewall feed changes.

Real-world AIT NODE SECURITY AI intelligence feed

AIT Security Center – Public Threat Intelligence Feed

Threat Intelligence Feed data provides real-time cyber threat intelligence, firewall intelligence and blocked IP reputation data collected from attacks detected across our infrastructure.
The AIT Security Center Threat Intelligence Feed includes malicious bot activity, brute-force attacks, vulnerability scanners and continuously updated threat intelligence data.

Last update: 2026-06-21 01:00:01Source: AIT NODE SECURITY AI
Threat Intelligence Coverage1,279,399,546Protected IP Addresses

LIVE THREAT INTELLIGENCE METRICS

Total failed events474 626
Currently banned7 101
Listed IP entries7 101
Security modules8
IP reputation lookup

Check IP Address in AIT Security Center

Search across all active security modules and blocked IP lists to see whether an address appears in the public Threat Intelligence Feed.

Threat Sources Distribution

Attack Source Distribution

Real-world distribution of detected attacks across AIT NODE SECURITY AI protection modules.

Total Attacks474 626
Top ThreatPage Click Protection
Largest Share86.3%
Security Modules8
🏆

Dominant Threat Source

Page Click Protection
409 731 attack events detected
86.3% of all recorded attacks
Root PHP Scanner4 172 events · 0.9%
Bad Bots1 165 events · 0.2%
Page Click Protection409 731 events · 86.3%
No User-Agent Protection20 533 events · 4.3%
XML-RPC Protection7 711 events · 1.6%
WordPress Protection26 900 events · 5.7%
SSH Protection3 220 events · 0.7%
Mail Protection1 194 events · 0.3%

How The Threat Intelligence Feed Works

This Threat Intelligence Feed collects data from active AIT NODE SECURITY AI modules. When an IP address exceeds a security threshold it is automatically added to IPSet and blocked by the firewall. This page explains why an address may appear in the public firewall feed and blocked IP database.

Threat Intelligence Feed and Cyber Security Protection

The AIT Security Center provides a public Threat Intelligence Feed generated from real-world cyber attacks detected by AIT NODE SECURITY AI.

Public Firewall Feed and Blocked IP Database

This firewall feed contains malicious IP addresses, brute force attacks, bot activity and vulnerability scanners.

Trusted Networks White Feed

The Trusted Networks White Feed contains verified and trusted networks.

References: OWASP | MITRE ATT&CK

Blocks IP addresses searching for suspicious PHP files in website root directories, commonly associated with web shells, malware and WordPress exploit scanners.

Failed events4 172
Currently banned194
Listed IPs194

Why Are These IP Addresses Listed?

  1. Requests targeting PHP files that legitimate visitors normally never access.
  2. Large numbers of requests to root PHP files within a short period.
  3. Typical web shell filenames such as shell.php, x.php, fileXX.php and wp-load.php probes.
  4. Often originates from VPS or cloud infrastructure.
  5. After reaching the threshold the IP is added to IPSet and blocked at firewall level.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 194 listed entries.
+ 174 more IPs hidden from the HTML preview to keep the page fast.

Blocks aggressive bots, scrapers and crawlers that generate unnecessary traffic or behave like automated scanners.

Failed events1 165
Currently banned457
Listed IPs457

Why Are These IP Addresses Listed?

  1. Suspicious or unwanted User-Agent.
  2. Behavior typical of scraping or mass crawling activity.
  3. Unnecessary load on Apache, PHP-FPM, Redis and databases.
  4. May crawl large portions of websites without real user value.
  5. Blocking preserves resources for legitimate visitors.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 457 listed entries.
+ 437 more IPs hidden from the HTML preview to keep the page fast.

Detects excessive request rates, click floods, crawler storms and resource abuse.

Failed events409 731
Currently banned366
Listed IPs366

Why Are These IP Addresses Listed?

  1. Large numbers of HTTP requests within a short period of time.
  2. Behavior that can exhaust Apache and PHP worker resources.
  3. Commonly observed with aggressive crawlers and automated tools.
  4. Protects WooCommerce and WordPress websites from unnecessary load.
  5. The IP address is blocked before it can create a prolonged load spike.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 366 listed entries.
+ 346 more IPs hidden from the HTML preview to keep the page fast.

Blocks requests without a User-Agent header. Legitimate browsers almost always send one, while many scanners and scripts do not.

Failed events20 533
Currently banned859
Listed IPs859

Why Are These IP Addresses Listed?

  1. The request does not contain a User-Agent header.
  2. This is often a sign of a curl/wget script, scanner or bot.
  3. Legitimate browsers almost always send a User-Agent header.
  4. These requests are often an early stage of probing or automated reconnaissance.
  5. Blocking reduces background noise and unwanted traffic to websites.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 859 listed entries.
+ 839 more IPs hidden from the HTML preview to keep the page fast.

Protects WordPress xmlrpc.php from brute-force attempts, abuse and automated attacks.

Failed events7 711
Currently banned1 802
Listed IPs1 802

Why Are These IP Addresses Listed?

  1. Repeated requests targeting xmlrpc.php.
  2. Often used for brute-force attacks and credential stuffing.
  3. Can be used for amplification attacks and resource abuse.
  4. It is not normal for a single external IP to aggressively target XML-RPC.
  5. Blocking protects login systems and PHP-FPM processes.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 1 802 listed entries.
+ 1 782 more IPs hidden from the HTML preview to keep the page fast.

Blocks suspicious WordPress requests, login attacks, plugin probing and other common attack patterns.

Failed events26 900
Currently banned2 367
Listed IPs2 367

Why Are These IP Addresses Listed?

  1. Suspicious WordPress endpoints or login patterns.
  2. Attempts to probe plugins and themes.
  3. Requests typical of automated WordPress attack kits.
  4. Behavior that does not resemble a legitimate visitor.
  5. Blocking reduces the risk of brute-force attacks and vulnerability scanning.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 2 367 listed entries.
+ 2 347 more IPs hidden from the HTML preview to keep the page fast.

Blocks IP addresses responsible for failed SSH logins and brute-force attacks.

Failed events3 220
Currently banned1 054
Listed IPs1 054

Why Are These IP Addresses Listed?

  1. Repeated failed SSH login attempts.
  2. Brute-force attempts against system accounts.
  3. Often originates from botnets or cloud VPS infrastructure.
  4. SSH is a critical administrative access point to the server.
  5. Blocking reduces the risk of root or server access compromise.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 20 example IPs from 1 054 listed entries.
+ 1 034 more IPs hidden from the HTML preview to keep the page fast.

Blocks abuse against the mail server including SMTP authentication attacks, relay probing and mail abuse.

Failed events1 194
Currently banned2
Listed IPs2

Why Are These IP Addresses Listed?

  1. Failed SMTP authentication attempts.
  2. Attempts at relay probing or mail abuse.
  3. Behavior typical of mail brute-force tools.
  4. Protects the reputation of the mail server.
  5. Blocking protects domains from spam and abuse risks.

Data from this security module is automatically included in the public Threat Intelligence Feed.

Blocked IPs

Showing 2 example IPs from 2 listed entries.

Download Firewall Feeds

Download public AIT NODE SECURITY AI feeds. The Daily Firewall Feed contains active protections, the Full Server Firewall Feed contains published firewall intelligence, and the Trusted Networks White Feed contains verified network ranges.

⬇ Download Daily Firewall Feed⬇ Download Trusted Networks White Feed⬇ Download Full Server Firewall Feed